checkstyle/pmd/findbugs correction(s)

2026-03-22 09:09:31 +01:00 · 2016-05-15 07:22:52 -04:00
parent 6790727260
commit 353b17690f
12 changed files with 197 additions and 134 deletions
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -86,8 +86,8 @@ public class Check extends Update {
    }
    /**
-     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
+     * Returns the path. If the path has not been initialized yet, this class is
-     * object.
+     * synchronized, and will instantiate the path object.
     *
     * @return the path
     */
@@ -109,7 +109,8 @@ public class Check extends Update {
    }
    /**
-     * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
+     * Add a reference to a Path, FileSet, DirSet, or FileList defined
     * elsewhere.
     *
     * @param r the reference to a path, fileset, dirset or filelist.
     */
@@ -121,7 +122,8 @@ public class Check extends Update {
    }
    /**
-     * If this is a reference, this method will add the referenced resource collection to the collection of paths.
+     * If this is a reference, this method will add the referenced resource
     * collection to the collection of paths.
     *
     * @throws BuildException if the reference is not to a resource collection
     */
@@ -196,7 +198,8 @@ public class Check extends Update {
    }
    /**
-     * Specifies the destination directory for the generated Dependency-Check report.
+     * Specifies the destination directory for the generated Dependency-Check
     * report.
     */
    private String reportOutputDirectory = ".";
@@ -218,9 +221,11 @@ public class Check extends Update {
        this.reportOutputDirectory = reportOutputDirectory;
    }
    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
+     * Specifies if the build should be failed if a CVSS score above a specified
-     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
+     * level is identified. The default is 11 which means since the CVSS scores
-     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     * are 0-10, by default the build will never fail and the CVSS score is set
     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
     * anything above 10 will not cause the build to fail.
     */
    private float failBuildOnCVSS = 11;
@@ -242,8 +247,8 @@ public class Check extends Update {
        this.failBuildOnCVSS = failBuildOnCVSS;
    }
    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * is true.
+     * recommended that this be turned to false. Default is true.
     */
    private Boolean autoUpdate;
@@ -295,7 +300,8 @@ public class Check extends Update {
    }
    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
+     * The report format to be generated (HTML, XML, VULN, ALL). Default is
     * HTML.
     */
    private String reportFormat = "HTML";
@@ -383,7 +389,7 @@ public class Check extends Update {
    public void setEnableExperimental(Boolean enableExperimental) {
        this.enableExperimental = enableExperimental;
    }
-    
+
    /**
     * Whether or not the Jar Analyzer is enabled.
     */
@@ -644,7 +650,8 @@ public class Check extends Update {
    /**
     * Set the value of pyDistributionAnalyzerEnabled.
     *
-     * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
+     * @param pyDistributionAnalyzerEnabled new value of
     * pyDistributionAnalyzerEnabled
     */
    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
        this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
@@ -697,7 +704,8 @@ public class Check extends Update {
    }
    /**
-     * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
+     * The URL of a Nexus server's REST API end point
     * (http://domain/nexus/service/local).
     */
    private String nexusUrl;
@@ -742,8 +750,8 @@ public class Check extends Update {
    }
    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
+     * Additional ZIP File extensions to add analyze. This should be a
-     * files.
+     * comma-separated list of file extensions to treat like ZIP files.
     */
    private String zipExtensions;
@@ -853,7 +861,8 @@ public class Check extends Update {
    }
    /**
-     * Validate the configuration to ensure the parameters have been properly configured/initialized.
+     * Validate the configuration to ensure the parameters have been properly
     * configured/initialized.
     *
     * @throws BuildException if the task was not configured correctly.
     */
@@ -867,8 +876,9 @@ public class Check extends Update {
    }
    /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
+     * Takes the properties supplied and updates the dependency-check settings.
-     * required to change the proxy server, port, and connection timeout.
+     * Additionally, this sets the system properties required to change the
     * proxy server, port, and connection timeout.
     *
     * @throws BuildException thrown when an invalid setting is configured.
     */
@@ -899,11 +909,12 @@ public class Check extends Update {
    }
    /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * Checks to see if a vulnerability has been identified with a CVSS score
-     * configuration.
+     * that is above the threshold set in the configuration.
     *
     * @param dependencies the list of dependency objects
-     * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
+     * @throws BuildException thrown if a CVSS score is found that is higher
     * then the threshold set
     */
    private void checkForFailure(List<Dependency> dependencies) throws BuildException {
        final StringBuilder ids = new StringBuilder();
@@ -927,7 +938,8 @@ public class Check extends Update {
    }
    /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
     * associated CPE and CVE entries.
     *
     * @param dependencies a list of dependency objects
     */
@@ -967,7 +979,8 @@ public class Check extends Update {
    }
    /**
-     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
+     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
     * etc..
     */
    public static class ReportFormats extends EnumeratedAttribute {
--- a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -23,16 +23,18 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 /**
- * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of
- * returned by this class.
+ * org.slf4j.ILoggerFactory is performed using information returned by this
 * class.
 *
 * @author colezlaw
 */
 //CSOFF: FinalClass
 public class StaticLoggerBinder implements LoggerFactoryBinder {
 //CSON: FinalClass
    /**
     * The unique instance of this class
     *
     */
    private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
@@ -46,7 +48,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
    }
    /**
-     * Ant tasks have the log method we actually want to call. So we hang onto the task as a delegate
+     * Ant tasks have the log method we actually want to call. So we hang onto
     * the task as a delegate
     */
    private Task task = null;
@@ -61,16 +64,24 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
    }
    /**
-     * Declare the version of the SLF4J API this implementation is compiled against. The value of this filed is usually modified
+     * Declare the version of the SLF4J API this implementation is compiled
-     * with each release.
+     * against. The value of this filed is usually modified with each release.
     */
    // to avoid constant folding by the compiler, this field must *not* be final
    //CSOFF: StaticVariableName
    //CSOFF: VisibilityModifier
    public static String REQUESTED_API_VERSION = "1.7.12"; // final
-
+    //CSON: VisibilityModifier
    //CSON: StaticVariableName
    /**
     * The logger factory class string.
     */
    private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
    /**
-     * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
+     * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
     * method should always be the smae object
     */
    private ILoggerFactory loggerFactory;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -24,7 +24,6 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.suppression.SuppressionParseException;
 import org.owasp.dependencycheck.suppression.SuppressionParser;
@@ -38,7 +37,8 @@ import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 /**
- * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
+ * Abstract base suppression analyzer that contains methods for parsing the
 * suppression xml file.
 *
 * @author Jeremy Long
 */
@@ -173,7 +173,8 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     *
     * @param message the exception message
     * @param exception the cause of the exception
-     * @throws SuppressionParseException throws the generated SuppressionParseException
+     * @throws SuppressionParseException throws the generated
     * SuppressionParseException
     */
    private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
        LOGGER.warn(message);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -57,7 +57,7 @@ public class AnalyzerService {
     * @return a list of Analyzers.
     */
    public List<Analyzer> getAnalyzers() {
-        List<Analyzer> analyzers = new ArrayList<Analyzer>();
+        final List<Analyzer> analyzers = new ArrayList<Analyzer>();
        final Iterator<Analyzer> iterator = service.iterator();
        boolean experimentalEnabled = false;
        try {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -67,11 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
    }
    //</editor-fold>
-    // Python init files
+    /**
     * Python init files
     */
    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
        "__init__.py",
        "__init__.pyc",
-        "__init__.pyo"
+        "__init__.pyo",
    });
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -60,7 +60,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
- * Used to load a JAR file and collect information that can be used to determine the associated CPE.
+ * Used to load a JAR file and collect information that can be used to determine
 * the associated CPE.
 *
 * @author Jeremy Long
 */
@@ -72,7 +73,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(JarAnalyzer.class);
    /**
-     * The count of directories created during analysis. This is used for creating temporary directories.
+     * The count of directories created during analysis. This is used for
     * creating temporary directories.
     */
    private static int dirCount = 0;
    /**
@@ -80,7 +82,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     */
    private static final String NEWLINE = System.getProperty("line.separator");
    /**
-     * A list of values in the manifest to ignore as they only result in false positives.
+     * A list of values in the manifest to ignore as they only result in false
     * positives.
     */
    private static final Set<String> IGNORE_VALUES = newHashSet(
            "Sun Java System Application Server");
@@ -123,7 +126,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            "ipojo-extension",
            "eclipse-sourcereferences");
    /**
-     * Deprecated Jar manifest attribute, that is, nonetheless, useful for analysis.
+     * Deprecated Jar manifest attribute, that is, nonetheless, useful for
     * analysis.
     */
    @SuppressWarnings("deprecation")
    private static final String IMPLEMENTATION_VENDOR_ID = Attributes.Name.IMPLEMENTATION_VENDOR_ID
@@ -203,7 +207,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    //</editor-fold>
    /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
@@ -213,12 +218,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
+     * Loads a specified JAR file and collects information from the manifest and
-     * information.
+     * checksums to identify the correct CPE information.
     *
     * @param dependency the dependency to analyze.
     * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
     * file.
     */
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
@@ -242,13 +248,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
+     * Attempts to find a pom.xml within the JAR file. If found it extracts
-     * attempt to interpolate the strings contained within the pom.properties if one exists.
+     * information and adds it to the evidence. This will attempt to interpolate
     * the strings contained within the pom.properties if one exists.
     *
     * @param dependency the dependency being analyzed
     * @param classes a collection of class name information
     * @param engine the analysis engine, used to add additional dependencies
-     * @throws AnalysisException is thrown if there is an exception parsing the pom
+     * @throws AnalysisException is thrown if there is an exception parsing the
     * pom
     * @return whether or not evidence was added to the dependency
     */
    protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
@@ -329,12 +337,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Given a path to a pom.xml within a JarFile, this method attempts to load a sibling pom.properties if one exists.
+     * Given a path to a pom.xml within a JarFile, this method attempts to load
     * a sibling pom.properties if one exists.
     *
     * @param path the path to the pom.xml within the JarFile
     * @param jar the JarFile to load the pom.properties from
     * @return a Properties object or null if no pom.properties was found
-     * @throws IOException thrown if there is an exception reading the pom.properties
+     * @throws IOException thrown if there is an exception reading the
     * pom.properties
     */
    private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
        Properties pomProperties = null;
@@ -361,7 +371,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Searches a JarFile for pom.xml entries and returns a listing of these entries.
+     * Searches a JarFile for pom.xml entries and returns a listing of these
     * entries.
     *
     * @param jar the JarFile to search
     * @return a list of pom.xml entries
@@ -388,8 +399,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @param jar the jar file to extract the pom from
     * @param dependency the dependency being analyzed
     * @return returns the POM object
-     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
+     * @throws AnalysisException is thrown if there is an exception extracting
-     * {@link org.owasp.dependencycheck.xml.pom.Model} object
+     * or parsing the POM {@link org.owasp.dependencycheck.xml.pom.Model} object
     */
    private Model extractPom(String path, JarFile jar, Dependency dependency) throws AnalysisException {
        InputStream input = null;
@@ -447,9 +458,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     *
     * @param dependency the dependency to set data on
     * @param pom the information from the pom
-     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
+     * @param classes a collection of ClassNameInformation - containing data
-     * file being analyzed
+     * about the fully qualified class names within the JAR file being analyzed
-     * @return true if there was evidence within the pom that we could use; otherwise false
+     * @return true if there was evidence within the pom that we could use;
     * otherwise false
     */
    public static boolean setPomEvidence(Dependency dependency, Model pom, List<ClassNameInformation> classes) {
        boolean foundSomething = false;
@@ -571,12 +583,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
+     * Analyzes the path information of the classes contained within the
-     * product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
+     * JarAnalyzer to try and determine possible vendor or product names. If any
     * are found they are stored in the packageVendor and packageProduct
     * hashSets.
     *
     * @param classNames a list of class names
     * @param dependency a dependency to analyze
-     * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
+     * @param addPackagesAsEvidence a flag indicating whether or not package
     * names should be added as evidence.
     */
    protected void analyzePackageNames(List<ClassNameInformation> classNames,
            Dependency dependency, boolean addPackagesAsEvidence) {
@@ -611,11 +626,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * <p>
-     * Reads the manifest from the JAR file and collects the entries. Some vendorKey entries are:</p>
+     * Reads the manifest from the JAR file and collects the entries. Some
     * vendorKey entries are:</p>
     * <ul><li>Implementation Title</li>
     * <li>Implementation Version</li> <li>Implementation Vendor</li>
-     * <li>Implementation VendorId</li> <li>Bundle Name</li> <li>Bundle Version</li> <li>Bundle Vendor</li> <li>Bundle
+     * <li>Implementation VendorId</li> <li>Bundle Name</li> <li>Bundle
-     * Description</li> <li>Main Class</li> </ul>
+     * Version</li> <li>Bundle Vendor</li> <li>Bundle Description</li> <li>Main
     * Class</li> </ul>
     * However, all but a handful of specific entries are read in.
     *
     * @param dependency A reference to the dependency
@@ -623,7 +640,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @return whether evidence was identified parsing the manifest
     * @throws IOException if there is an issue reading the JAR file
     */
-    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) 
            throws IOException {
        boolean foundSomething = false;
        JarFile jar = null;
        try {
@@ -748,21 +766,19 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                            addMatchingValues(classInformation, value, productEvidence);
                        } else if (key.contains("license")) {
                            addLicense(dependency, value);
                        } else if (key.contains("description")) {
                            addDescription(dependency, value, "manifest", key);
                        } else {
-                            if (key.contains("description")) {
+                            productEvidence.addEvidence(source, key, value, Confidence.LOW);
-                                addDescription(dependency, value, "manifest", key);
+                            vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
-                            } else {
+                            addMatchingValues(classInformation, value, vendorEvidence);
-                                productEvidence.addEvidence(source, key, value, Confidence.LOW);
+                            addMatchingValues(classInformation, value, productEvidence);
-                                vendorEvidence.addEvidence(source, key, value, Confidence.LOW);
+                            if (value.matches(".*\\d.*")) {
-                                addMatchingValues(classInformation, value, vendorEvidence);
+                                final StringTokenizer tokenizer = new StringTokenizer(value, " ");
-                                addMatchingValues(classInformation, value, productEvidence);
+                                while (tokenizer.hasMoreElements()) {
-                                if (value.matches(".*\\d.*")) {
+                                    final String s = tokenizer.nextToken();
-                                    final StringTokenizer tokenizer = new StringTokenizer(value, " ");
+                                    if (s.matches("^[0-9.]+$")) {
-                                    while (tokenizer.hasMoreElements()) {
+                                        versionEvidence.addEvidence(source, key, s, Confidence.LOW);
                                        final String s = tokenizer.nextToken();
                                        if (s.matches("^[0-9.]+$")) {
                                            versionEvidence.addEvidence(source, key, s, Confidence.LOW);
                                        }
                                    }
                                }
                            }
@@ -810,15 +826,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
+     * Adds a description to the given dependency. If the description contains
-     * then the description used will be trimmed to that position:
+     * one of the following strings beyond 100 characters, then the description
-     * <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
+     * used will be trimmed to that position:
     * <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses
     * "</li></ul>
     *
     * @param dependency a dependency
     * @param description the description
     * @param source the source of the evidence
     * @param key the "name" of the evidence
-     * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
+     * @return if the description is trimmed, the trimmed version is returned;
     * otherwise the original description is returned
     */
    public static String addDescription(Dependency dependency, String description, String source, String key) {
        if (dependency.getDescription() == null) {
@@ -889,7 +908,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Initializes the JarAnalyzer.
     *
-     * @throws Exception is thrown if there is an exception creating a temporary directory
+     * @throws Exception is thrown if there is an exception creating a temporary
     * directory
     */
    @Override
    public void initializeFileTypeAnalyzer() throws Exception {
@@ -920,11 +940,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Determines if the key value pair from the manifest is for an "import" type entry for package names.
+     * Determines if the key value pair from the manifest is for an "import"
     * type entry for package names.
     *
     * @param key the key from the manifest
     * @param value the value from the manifest
-     * @return true or false depending on if it is believed the entry is an "import" entry
+     * @return true or false depending on if it is believed the entry is an
     * "import" entry
     */
    private boolean isImportPackage(String key, String value) {
        final Pattern packageRx = Pattern.compile("^([a-zA-Z0-9_#\\$\\*\\.]+\\s*[,;]\\s*)+([a-zA-Z0-9_#\\$\\*\\.]+\\s*)?$");
@@ -933,8 +955,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
+     * Cycles through an enumeration of JarEntries, contained within the
-     * does not include core Java package names (i.e. java.* or javax.*).
+     * dependency, and returns a list of the class names. This does not include
     * core Java package names (i.e. java.* or javax.*).
     *
     * @param dependency the dependency being analyzed
     * @return an list of fully qualified class names
@@ -970,12 +993,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
+     * Cycles through the list of class names and places the package levels 0-3
-     * This is helpful when analyzing vendor/product as many times this is included in the package name.
+     * into the provided maps for vendor and product. This is helpful when
     * analyzing vendor/product as many times this is included in the package
     * name.
     *
     * @param classNames a list of class names
-     * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
+     * @param vendor HashMap of possible vendor names from package names (e.g.
-     * @param product HashMap of possible product names from package names (e.g. dependencycheck)
+     * owasp)
     * @param product HashMap of possible product names from package names (e.g.
     * dependencycheck)
     */
    private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
            Map<String, Integer> vendor, Map<String, Integer> product) {
@@ -1002,8 +1029,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
+     * Adds an entry to the specified collection and sets the Integer (e.g. the
-     * collection then the Integer is incremented by 1.
+     * count) to 1. If the entry already exists in the collection then the
     * Integer is incremented by 1.
     *
     * @param collection a collection of strings and their occurrence count
     * @param key the key to add to the collection
@@ -1017,9 +1045,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Cycles through the collection of class name information to see if parts of the package names are contained in the provided
+     * Cycles through the collection of class name information to see if parts
-     * value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
+     * of the package names are contained in the provided value. If found, it
-     * value.
+     * will be added as the HIGHEST confidence evidence because we have more
     * then one source corroborating the value.
     *
     * @param classes a collection of class name information
     * @param value the value to check to see if it contains a package name
@@ -1042,7 +1071,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Simple check to see if the attribute from a manifest is just a package name.
+     * Simple check to see if the attribute from a manifest is just a package
     * name.
     *
     * @param key the key of the value to check
     * @param value the value to check
@@ -1056,7 +1086,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }
    /**
-     * Extracts the license information from the pom and adds it to the dependency.
+     * Extracts the license information from the pom and adds it to the
     * dependency.
     *
     * @param pom the pom object
     * @param dependency the dependency to add license information too
@@ -1103,9 +1134,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
        /**
         * <p>
-         * Stores information about a given class name. This class will keep the fully qualified class name and a list of the
+         * Stores information about a given class name. This class will keep the
-         * important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
+         * fully qualified class name and a list of the important parts of the
-         * leading "org" or "com". Example:</p>
+         * package structure. Up to the first four levels of the package
         * structure are stored, excluding a leading "org" or "com".
         * Example:</p>
         * <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
         * System.out.println(obj.getName());
         * for (String p : obj.getPackageStructure())
@@ -1164,7 +1197,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            this.name = name;
        }
        /**
-         * Up to the first four levels of the package structure, excluding a leading "org" or "com".
+         * Up to the first four levels of the package structure, excluding a
         * leading "org" or "com".
         */
        private final ArrayList<String> packageStructure = new ArrayList<String>();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -17,6 +17,15 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -30,9 +39,6 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.*;
 import java.util.*;
 import java.util.logging.Level;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 /**
@@ -62,10 +68,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
    public static final String ADVISORY = "Advisory: ";
    public static final String CRITICALITY = "Criticality: ";
-    public CveDB cvedb;
+    private CveDB cvedb;
-    //instance.open();
+    
    //Vulnerability result = instance.getVulnerability("CVE-2015-3225");
    /**
     * @return a filter that accepts files named Gemfile.lock
     */
@@ -237,7 +241,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
        } catch (IOException ioe) {
            LOGGER.warn("bundle-audit failure", ioe);
        } finally {
-            if (errReader!= null) {
+            if (errReader != null) {
                try {
                    errReader.close();
                } catch (IOException ioe) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -261,6 +261,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                try {
                    is.close();
                } catch (IOException ex) {
                    LOGGER.debug("Error closing stream", ex);
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -25,7 +25,6 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.util.List;
 import java.util.logging.Level;
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
@@ -110,7 +109,8 @@ public class SuppressionParser {
     *
     * @param inputStream an InputStream containing suppression rues
     * @return a list of suppression rules
-     * @throws SuppressionParseException if the xml cannot be parsed
+     * @throws SuppressionParseException thrown if the xml cannot be parsed
     * @throws SAXException thrown if the xml cannot be parsed
     */
    public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException, SAXException {
        try {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -59,7 +59,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     */
    @Before
    public void setUp() throws Exception {
-    	Settings.initialize();
+        Settings.initialize();
        analyzer = new RubyBundleAuditAnalyzer();
        analyzer.setFilesMatched(true);
    }
@@ -71,7 +71,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     */
    @After
    public void tearDown() throws Exception {
-    	Settings.cleanup();
+        Settings.cleanup();
        analyzer.close();
        analyzer = null;
    }
@@ -99,7 +99,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     */
    @Test
    public void testAnalysis() throws AnalysisException, DatabaseException {
-    	try {
+        try {
            analyzer.initialize();
            final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
@@ -113,7 +113,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
            assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
            assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
        } catch (Exception e) {
            LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
@@ -133,7 +132,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
            final Engine engine = new Engine();
            analyzer.analyze(result, engine);
            Dependency dependency = engine.getDependencies().get(0);
            Vulnerability vulnerability = dependency.getVulnerabilities().first();
            assertEquals(vulnerability.getCvssScore(), 5.0f, 0.0);
@@ -144,7 +142,6 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
        }
    }
    /**
     * Test when Ruby bundle-audit is not available on the system.
     *
@@ -152,19 +149,17 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
     */
    @Test
    public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
-    	//set a non-exist bundle-audit
+        //set a non-exist bundle-audit
        Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
        try {
            //initialize should fail.
-			analyzer.initialize();
+            analyzer.initialize();
-		} catch (Exception e) {
+        } catch (Exception e) {
-			//expected, so ignore.
+            //expected, so ignore.
-		}
+        } finally {
-        finally {
+            assertThat(analyzer.isEnabled(), is(false));
-	        assertThat(analyzer.isEnabled(), is(false));
+            LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
 			LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
        }
    }
 }
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -688,7 +688,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
            }
        }
        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        
+
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        if (externalReport != null) {
--- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -23,8 +23,9 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 /**
- * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of
- * returned by this class.
+ * org.slf4j.ILoggerFactory is performed using information returned by this
 * class.
 *
 * @author colezlaw
 */
@@ -47,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
    }
    /**
-     * Maven mojos have their own logger, so we'll use one of those
+     * Maven mojos have their own logger, so we'll use one of those.
     */
    private Log log = null;
@@ -62,8 +63,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
    }
    /**
-     * Declare the version of the SLF4J API this implementation is compiled against. The value of this filed is usually modified
+     * Declare the version of the SLF4J API this implementation is compiled
-     * with each release.
+     * against. The value of this filed is usually modified with each release.
     */
    // to avoid constant folding by the compiler, this field must *not* be final
    //CSOFF: StaticVariableName
@@ -78,7 +79,8 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
    private static final String LOGGER_FACTORY_CLASS = MavenLoggerFactory.class.getName();
    /**
-     * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object
+     * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
     * method should always be the same object
     */
    private ILoggerFactory loggerFactory;