codacy recommended updates

Jeremy Long
2017-02-17 19:03:53 -05:00
parent 0d72471502
commit 3577949425
25 changed files with 493 additions and 508 deletions


@@ -37,6 +37,11 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
* The unique instance of this class
*/
private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
/**
* Ant tasks have the log method we actually want to call. So we hang onto
* the task as a delegate
*/
private Task task = null;
/**
* Return the singleton of this class.
@@ -47,12 +52,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
return SINGLETON;
}
/**
* Ant tasks have the log method we actually want to call. So we hang onto
* the task as a delegate
*/
private Task task = null;
/**
* Set the Task which will this is to log through.
*


@@ -17,17 +17,14 @@
*/
package org.owasp.dependencycheck;
import org.owasp.dependencycheck.CliParser;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.PrintStream;
import org.apache.commons.cli.ParseException;
import org.junit.After;
import org.junit.AfterClass;
import org.junit.Assert;
import org.junit.Before;
import org.junit.BeforeClass;
import org.junit.Test;
import org.owasp.dependencycheck.utils.Settings;
@@ -48,14 +45,6 @@ public class CliParserTest {
Settings.cleanup(true);
}
@Before
public void setUp() throws Exception {
}
@After
public void tearDown() throws Exception {
}
/**
* Test of parse method, of class CliParser.
*


@@ -63,6 +63,7 @@ import org.slf4j.LoggerFactory;
@SuppressWarnings("unused")
public class DependencyCheckScanAgent {
//<editor-fold defaultstate="collapsed" desc="private fields">
/**
* System specific new line character.
*/
@@ -75,6 +76,141 @@ public class DependencyCheckScanAgent {
* The application name for the report.
*/
private String applicationName = "Dependency-Check";
/**
* The pre-determined dependencies to scan
*/
private List<Dependency> dependencies;
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Specifies the destination directory for the generated Dependency-Check
* report.
*/
private String reportOutputDirectory;
/**
* Specifies if the build should be failed if a CVSS score above a specified
* level is identified. The default is 11 which means since the CVSS scores
* are 0-10, by default the build will never fail and the CVSS score is set
* to 11. The valid range for the fail build on CVSS is 0 to 11, where
* anything above 10 will not cause the build to fail.
*/
private float failBuildOnCVSS = 11;
/**
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
* recommended that this be turned to false. Default is true.
*/
private boolean autoUpdate = true;
/**
* flag indicating whether or not to generate a report of findings.
*/
private boolean generateReport = true;
/**
* The report format to be generated (HTML, XML, VULN, ALL). This
* configuration option has no affect if using this within the Site plugin
* unless the externalReport is set to true. Default is HTML.
*/
private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
/**
* The Proxy Server.
*/
private String proxyServer;
/**
* The Proxy Port.
*/
private String proxyPort;
/**
* The Proxy username.
*/
private String proxyUsername;
/**
* The Proxy password.
*/
private String proxyPassword;
/**
* The Connection Timeout.
*/
private String connectionTimeout;
/**
* The file path used for verbose logging.
*/
private String logFile = null;
/**
* flag indicating whether or not to show a summary of findings.
*/
private boolean showSummary = true;
/**
* The path to the suppression file.
*/
private String suppressionFile;
/**
* The password to use when connecting to the database.
*/
private String databasePassword;
/**
* Whether or not the Maven Central analyzer is enabled.
*/
private boolean centralAnalyzerEnabled = true;
/**
* The URL of Maven Central.
*/
private String centralUrl;
/**
* Whether or not the nexus analyzer is enabled.
*/
private boolean nexusAnalyzerEnabled = true;
/**
* The URL of the Nexus server.
*/
private String nexusUrl;
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
private boolean nexusUsesProxy = true;
/**
* The database driver name; such as org.h2.Driver.
*/
private String databaseDriverName;
/**
* The path to the database driver JAR file if it is not on the class path.
*/
private String databaseDriverPath;
/**
* The database connection string.
*/
private String connectionString;
/**
* The user name for connecting to the database.
*/
private String databaseUser;
/**
* Additional ZIP File extensions to add analyze. This should be a
* comma-separated list of file extensions to treat like ZIP files.
*/
private String zipExtensions;
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* The path to Mono for .NET assembly analysis on non-windows systems.
*/
private String pathToMono;
//</editor-fold>
//<editor-fold defaultstate="collapsed" desc="getters/setters">
/**
* Get the value of applicationName.
@@ -94,11 +230,6 @@ public class DependencyCheckScanAgent {
this.applicationName = applicationName;
}
/**
* The pre-determined dependencies to scan
*/
private List<Dependency> dependencies;
/**
* Returns a list of pre-determined dependencies.
*
@@ -117,11 +248,6 @@ public class DependencyCheckScanAgent {
this.dependencies = dependencies;
}
/**
* The location of the data directory that contains
*/
private String dataDirectory = null;
/**
* Get the value of dataDirectory.
*
@@ -140,12 +266,6 @@ public class DependencyCheckScanAgent {
this.dataDirectory = dataDirectory;
}
/**
* Specifies the destination directory for the generated Dependency-Check
* report.
*/
private String reportOutputDirectory;
/**
* Get the value of reportOutputDirectory.
*
@@ -164,15 +284,6 @@ public class DependencyCheckScanAgent {
this.reportOutputDirectory = reportOutputDirectory;
}
/**
* Specifies if the build should be failed if a CVSS score above a specified
* level is identified. The default is 11 which means since the CVSS scores
* are 0-10, by default the build will never fail and the CVSS score is set
* to 11. The valid range for the fail build on CVSS is 0 to 11, where
* anything above 10 will not cause the build to fail.
*/
private float failBuildOnCVSS = 11;
/**
* Get the value of failBuildOnCVSS.
*
@@ -191,12 +302,6 @@ public class DependencyCheckScanAgent {
this.failBuildOnCVSS = failBuildOnCVSS;
}
/**
* Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
* recommended that this be turned to false. Default is true.
*/
private boolean autoUpdate = true;
/**
* Get the value of autoUpdate.
*
@@ -215,11 +320,6 @@ public class DependencyCheckScanAgent {
this.autoUpdate = autoUpdate;
}
/**
* flag indicating whether or not to generate a report of findings.
*/
private boolean generateReport = true;
/**
* Get the value of generateReport.
*
@@ -238,13 +338,6 @@ public class DependencyCheckScanAgent {
this.generateReport = generateReport;
}
/**
* The report format to be generated (HTML, XML, VULN, ALL). This
* configuration option has no affect if using this within the Site plugin
* unless the externalReport is set to true. Default is HTML.
*/
private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
/**
* Get the value of reportFormat.
*
@@ -263,11 +356,6 @@ public class DependencyCheckScanAgent {
this.reportFormat = reportFormat;
}
/**
* The Proxy Server.
*/
private String proxyServer;
/**
* Get the value of proxyServer.
*
@@ -311,11 +399,6 @@ public class DependencyCheckScanAgent {
this.proxyServer = proxyUrl;
}
/**
* The Proxy Port.
*/
private String proxyPort;
/**
* Get the value of proxyPort.
*
@@ -334,11 +417,6 @@ public class DependencyCheckScanAgent {
this.proxyPort = proxyPort;
}
/**
* The Proxy username.
*/
private String proxyUsername;
/**
* Get the value of proxyUsername.
*
@@ -357,11 +435,6 @@ public class DependencyCheckScanAgent {
this.proxyUsername = proxyUsername;
}
/**
* The Proxy password.
*/
private String proxyPassword;
/**
* Get the value of proxyPassword.
*
@@ -380,11 +453,6 @@ public class DependencyCheckScanAgent {
this.proxyPassword = proxyPassword;
}
/**
* The Connection Timeout.
*/
private String connectionTimeout;
/**
* Get the value of connectionTimeout.
*
@@ -403,11 +471,6 @@ public class DependencyCheckScanAgent {
this.connectionTimeout = connectionTimeout;
}
/**
* The file path used for verbose logging.
*/
private String logFile = null;
/**
* Get the value of logFile.
*
@@ -426,11 +489,6 @@ public class DependencyCheckScanAgent {
this.logFile = logFile;
}
/**
* The path to the suppression file.
*/
private String suppressionFile;
/**
* Get the value of suppressionFile.
*
@@ -449,11 +507,6 @@ public class DependencyCheckScanAgent {
this.suppressionFile = suppressionFile;
}
/**
* flag indicating whether or not to show a summary of findings.
*/
private boolean showSummary = true;
/**
* Get the value of showSummary.
*
@@ -472,11 +525,6 @@ public class DependencyCheckScanAgent {
this.showSummary = showSummary;
}
/**
* Whether or not the Maven Central analyzer is enabled.
*/
private boolean centralAnalyzerEnabled = true;
/**
* Get the value of centralAnalyzerEnabled.
*
@@ -495,11 +543,6 @@ public class DependencyCheckScanAgent {
this.centralAnalyzerEnabled = centralAnalyzerEnabled;
}
/**
* The URL of Maven Central.
*/
private String centralUrl;
/**
* Get the value of centralUrl.
*
@@ -518,11 +561,6 @@ public class DependencyCheckScanAgent {
this.centralUrl = centralUrl;
}
/**
* Whether or not the nexus analyzer is enabled.
*/
private boolean nexusAnalyzerEnabled = true;
/**
* Get the value of nexusAnalyzerEnabled.
*
@@ -541,11 +579,6 @@ public class DependencyCheckScanAgent {
this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
}
/**
* The URL of the Nexus server.
*/
private String nexusUrl;
/**
* Get the value of nexusUrl.
*
@@ -564,11 +597,6 @@ public class DependencyCheckScanAgent {
this.nexusUrl = nexusUrl;
}
/**
* Whether or not the defined proxy should be used when connecting to Nexus.
*/
private boolean nexusUsesProxy = true;
/**
* Get the value of nexusUsesProxy.
*
@@ -587,11 +615,6 @@ public class DependencyCheckScanAgent {
this.nexusUsesProxy = nexusUsesProxy;
}
/**
* The database driver name; such as org.h2.Driver.
*/
private String databaseDriverName;
/**
* Get the value of databaseDriverName.
*
@@ -610,11 +633,6 @@ public class DependencyCheckScanAgent {
this.databaseDriverName = databaseDriverName;
}
/**
* The path to the database driver JAR file if it is not on the class path.
*/
private String databaseDriverPath;
/**
* Get the value of databaseDriverPath.
*
@@ -633,11 +651,6 @@ public class DependencyCheckScanAgent {
this.databaseDriverPath = databaseDriverPath;
}
/**
* The database connection string.
*/
private String connectionString;
/**
* Get the value of connectionString.
*
@@ -656,11 +669,6 @@ public class DependencyCheckScanAgent {
this.connectionString = connectionString;
}
/**
* The user name for connecting to the database.
*/
private String databaseUser;
/**
* Get the value of databaseUser.
*
@@ -679,11 +687,6 @@ public class DependencyCheckScanAgent {
this.databaseUser = databaseUser;
}
/**
* The password to use when connecting to the database.
*/
private String databasePassword;
/**
* Get the value of databasePassword.
*
@@ -702,12 +705,6 @@ public class DependencyCheckScanAgent {
this.databasePassword = databasePassword;
}
/**
* Additional ZIP File extensions to add analyze. This should be a
* comma-separated list of file extensions to treat like ZIP files.
*/
private String zipExtensions;
/**
* Get the value of zipExtensions.
*
@@ -726,11 +723,6 @@ public class DependencyCheckScanAgent {
this.zipExtensions = zipExtensions;
}
/**
* The url for the modified NVD CVE (1.2 schema).
*/
private String cveUrl12Modified;
/**
* Get the value of cveUrl12Modified.
*
@@ -749,11 +741,6 @@ public class DependencyCheckScanAgent {
this.cveUrl12Modified = cveUrl12Modified;
}
/**
* The url for the modified NVD CVE (2.0 schema).
*/
private String cveUrl20Modified;
/**
* Get the value of cveUrl20Modified.
*
@@ -772,11 +759,6 @@ public class DependencyCheckScanAgent {
this.cveUrl20Modified = cveUrl20Modified;
}
/**
* Base Data Mirror URL for CVE 1.2.
*/
private String cveUrl12Base;
/**
* Get the value of cveUrl12Base.
*
@@ -795,11 +777,6 @@ public class DependencyCheckScanAgent {
this.cveUrl12Base = cveUrl12Base;
}
/**
* Data Mirror URL for CVE 2.0.
*/
private String cveUrl20Base;
/**
* Get the value of cveUrl20Base.
*
@@ -818,11 +795,6 @@ public class DependencyCheckScanAgent {
this.cveUrl20Base = cveUrl20Base;
}
/**
* The path to Mono for .NET assembly analysis on non-windows systems.
*/
private String pathToMono;
/**
* Get the value of pathToMono.
*
@@ -840,6 +812,7 @@ public class DependencyCheckScanAgent {
public void setPathToMono(String pathToMono) {
this.pathToMono = pathToMono;
}
//</editor-fold>
/**
* Executes the Dependency-Check on the dependent libraries.
@@ -1044,5 +1017,4 @@ public class DependencyCheckScanAgent {
summary.toString());
}
}
}
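Review bot: The relocated Javadoc on `dataDirectory` (`/** The location of the data directory that contains */` directly above `private String dataDirectory = null;`) is an unfinished sentence, so the field is effectively undocumented in the new fields fold. Presumably this is the directory holding the downloaded NVD data and the local database; a complete line such as `* The location of the data directory that contains the downloaded NVD data and local database.` would close it, once confirmed against how the engine consumes it. Two wording slips travel with the move and are worth fixing in the same pass: the `reportFormat` comment says "has no affect" (should be `effect`) and the `zipExtensions` comment says "extensions to add analyze" (should be `extensions to analyze`). Also visible in the moved block, `proxyPassword` and `databasePassword` are held as plain `String` configuration fields; that predates the commit, but their Javadoc could at least state that these values must never be written to the log file or the generated report.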


@@ -82,7 +82,8 @@ public abstract class AbstractAnalyzer implements Analyzer {
protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
/**
* Initializes a given Analyzer. This will be skipped if the analyzer is disabled.
* Initializes a given Analyzer. This will be skipped if the analyzer is
* disabled.
*
* @throws InitializationException thrown if there is an exception
*/
@@ -90,14 +91,15 @@ public abstract class AbstractAnalyzer implements Analyzer {
}
/**
* Closes a given Analyzer. This will be skipped if the analyzer is disabled.
* Closes a given Analyzer. This will be skipped if the analyzer is
* disabled.
*
* @throws Exception thrown if there is an exception
*/
protected void closeAnalyzer() throws Exception {
// Intentionally empty, analyzer will override this if they must close a resource.
}
/**
* Analyzes a given dependency. If the dependency is an archive, such as a
* WAR or EAR, the contents are extracted, scanned, and added to the list of
@@ -148,7 +150,6 @@ public abstract class AbstractAnalyzer implements Analyzer {
}
}
/**
* The default is to support parallel processing.
*


@@ -105,14 +105,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* in {@link #extractFiles(File, File, Engine)}.
*/
private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
/**
* Detects files with extensions to remove from the engine's collection of
* dependencies.
*/
private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2")
.build();
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
if (additionalZipExt != null) {
@@ -122,21 +114,28 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
EXTENSIONS.addAll(ZIPPABLES);
}
/**
* Detects files with extensions to remove from the engine's collection of
* dependencies.
*/
private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance()
.addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
/**
* The file filter used to filter supported files.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
@Override
protected FileFilter getFileFilter() {
return FILTER;
}
/**
* Detects files with .zip extension.
*/
private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
@Override
protected FileFilter getFileFilter() {
return FILTER;
}
/**
* Returns the name of the analyzer.
*
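Review bot: The order of the static fields in this class is semantically load-bearing and the hunk does not say so: `FILTER` is built from `EXTENSIONS`, which the `static { … }` block above it extends with `Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS` and `ZIPPABLES`, and Java runs static initializers in textual order, so hoisting `FILTER` above that block (the "fields first" reshuffle this commit applies in other files) would silently drop the configured extensions from the filter. I would add `// NOTE: must stay below the static block above - FILTER snapshots EXTENSIONS after the additional ZIP extensions from Settings have been added.` on the `FILTER` declaration. Relatedly, the relocated `REMOVE_FROM_ANALYSIS` still hard-codes `"zip", "tar", "gz", "tgz", "bz2", "tbz2"` and never consults `EXTENSIONS`; if archives matched through additional extensions are also meant to be removed from the engine's dependency list, it should be built from `EXTENSIONS` too, but confirm that intent before changing it. The static block begins in this section but its body is cut by the hunk boundary, so I cannot see everything it does to `EXTENSIONS`.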


@@ -599,11 +599,10 @@ public class CPEAnalyzer extends AbstractAnalyzer {
}
}
}
if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
bestGuess = evVer;
bestGuessConf = conf;
}
if ((bestGuessConf == null || bestGuessConf.compareTo(conf) > 0)
&& bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
bestGuess = evVer;
bestGuessConf = conf;
}
}
}
@@ -613,10 +612,12 @@ public class CPEAnalyzer extends AbstractAnalyzer {
final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
}
if (bestGuessConf == null) {
if (bestGuessConf
== null) {
bestGuessConf = Confidence.LOW;
}
final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
collected.add(match);
Collections.sort(collected);
@@ -648,6 +649,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_CPE_ENABLED;
}
/**
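Review bot: The reformatted null check `if (bestGuessConf` followed by `== null) {` on the next line splits a two-token expression across two lines, which reads as a formatter artifact rather than intent; it should be `if (bestGuessConf == null) {` on one line. The collapsed condition above it, `(bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) && bestGuess.getVersionParts().size() < evVer.getVersionParts().size()`, is logically equivalent to the former nested `if`s, so no behavioural concern there. The enclosing method begins and ends outside the hunk.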


@@ -39,7 +39,8 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
* This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
* This analyzer attempts to remove some well known false positives -
* specifically regarding the java runtime.
*
* @author Jeremy Long
*/
@@ -84,6 +85,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
/**
* <p>
* Returns the setting key to determine if the analyzer is enabled.</p>
@@ -97,11 +99,13 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
//</editor-fold>
/**
* Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
* Analyzes the dependencies and removes bad/incorrect CPE associations
* based on various heuristics.
*
* @param dependency the dependency to analyze.
* @param engine the engine that is scanning the dependencies
* @throws AnalysisException is thrown if there is an error reading the JAR file.
* @throws AnalysisException is thrown if there is an error reading the JAR
* file.
*/
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
@@ -117,22 +121,23 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
/**
* Removes inaccurate matches on springframework CPEs.
*
* @param dependency the dependency to test for and remove known inaccurate CPE matches
* @param dependency the dependency to test for and remove known inaccurate
* CPE matches
*/
private void removeBadSpringMatches(Dependency dependency) {
String mustContain = null;
for (Identifier i : dependency.getIdentifiers()) {
if ("maven".contains(i.getType())) {
if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
final int endPoint = i.getValue().indexOf(':', 19);
if (endPoint >= 0) {
mustContain = i.getValue().substring(19, endPoint).toLowerCase();
break;
}
if ("maven".contains(i.getType())
&& i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
final int endPoint = i.getValue().indexOf(':', 19);
if (endPoint >= 0) {
mustContain = i.getValue().substring(19, endPoint).toLowerCase();
break;
}
}
}
if (mustContain != null) {
if (mustContain
!= null) {
final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
while (itr.hasNext()) {
final Identifier i = itr.next();
@@ -149,7 +154,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
/**
* <p>
* Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
* Intended to remove spurious CPE entries. By spurious we mean duplicate,
* less specific CPE entries.</p>
* <p>
* Example:</p>
* <code>
@@ -200,10 +206,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
dependency.getIdentifiers().remove(currentId);
}
} else {
if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
dependency.getIdentifiers().remove(nextId);
}
} else if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
dependency.getIdentifiers().remove(nextId);
}
}
}
@@ -211,7 +215,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
}
/**
* Regex to identify core java libraries and a few other commonly misidentified ones.
* Regex to identify core java libraries and a few other commonly
* misidentified ones.
*/
public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+ "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
@@ -226,12 +231,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
/**
* Regex to identify core jsf java library files. This is currently incomplete.
* Regex to identify core jsf java library files. This is currently
* incomplete.
*/
public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
/**
* Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
* Removes any CPE entries for the JDK/JRE unless the filename ends with
* rt.jar
*
* @param dependency the dependency to remove JRE CPEs from
*/
@@ -275,8 +282,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems
* identified when testing this on a LARGE volume of jar files.
* Removes bad CPE matches for a dependency. Unfortunately, right now these
* are hard-coded patches for specific problems identified when testing this
* on a LARGE volume of jar files.
*
* @param dependency the dependency to analyze
*/
@@ -351,7 +359,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
* Removes CPE matches for the wrong version of a dependency. Currently,
* this only covers Axis 1 & 2.
*
* @param dependency the dependency to analyze
*/
@@ -384,8 +393,10 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and changes in
* product names, that based on given evidence we can add the related CPE entries to ensure a complete list of CVE entries.
* There are some known CPE entries, specifically regarding sun and oracle
* products due to the acquisition and changes in product names, that based
* on given evidence we can add the related CPE entries to ensure a complete
* list of CVE entries.
*
* @param dependency the dependency being analyzed
*/
@@ -422,8 +433,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM entries or
* other types of files (such as DLLs and EXEs) being contained within the JAR.
* Removes duplicate entries identified that are contained within JAR files.
* These occasionally crop up due to POM entries or other types of files
* (such as DLLs and EXEs) being contained within the JAR.
*
* @param dependency the dependency that might be a duplicate
* @param engine the engine used to scan all dependencies
@@ -462,7 +474,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* Retrieves a given dependency, based on a given path, from a list of dependencies.
* Retrieves a given dependency, based on a given path, from a list of
* dependencies.
*
* @param dependencyPath the path of the dependency to return
* @param dependencies the collection of dependencies to search
@@ -478,7 +491,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
}
/**
* Takes a full CPE and returns the CPE trimmed to include only vendor and product.
* Takes a full CPE and returns the CPE trimmed to include only vendor and
* product.
*
* @param value the CPE value to trim
* @return a CPE value that only includes the vendor and product
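Review bot: In `removeBadSpringMatches` the merged condition `"maven".contains(i.getType()) && i.getValue() != null && …` keeps a test whose operands look inverted: `String.contains` asks whether the literal `"maven"` contains the identifier's type, so a type of `"ave"` or `""` passes and a null type throws `NullPointerException` from the literal, whereas the surrounding code evidently wants "the identifier is a Maven identifier". `"maven".equals(i.getType())` is the null-safe form of what appears intended, and since the commit is already rewriting this line it is the natural moment to fix it — though confirm that no identifier type other than exactly `maven` is relied upon here. Separately, `if (mustContain` followed by `!= null) {` on the next line is a formatter artifact that splits a two-token expression; it should read `if (mustContain != null) {`. The method's iteration over identifiers continues past the end of the hunk.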


@@ -373,10 +373,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
+ "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 "
+ " indicates unknown). See link below for full details. *** ");
}
} else if (appendToDescription) {
if (null != vulnerability) {
vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
}
} else if (appendToDescription && null != vulnerability) {
vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
}
}
}


@@ -62,21 +62,6 @@ public final class CpeMemoryIndex {
* singleton instance.
*/
private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();
/**
* private constructor for singleton.
*/
private CpeMemoryIndex() {
}
/**
* Gets the singleton instance of the CpeMemoryIndex.
*
* @return the instance of the CpeMemoryIndex
*/
public static CpeMemoryIndex getInstance() {
return INSTANCE;
}
/**
* The in memory Lucene index.
*/
@@ -105,6 +90,25 @@ public final class CpeMemoryIndex {
* The search field analyzer for the vendor field.
*/
private SearchFieldAnalyzer vendorFieldAnalyzer;
/**
* A flag indicating whether or not the index is open.
*/
private boolean openState = false;
/**
* private constructor for singleton.
*/
private CpeMemoryIndex() {
}
/**
* Gets the singleton instance of the CpeMemoryIndex.
*
* @return the instance of the CpeMemoryIndex
*/
public static CpeMemoryIndex getInstance() {
return INSTANCE;
}
/**
* Creates and loads data into an in memory index.
@@ -129,10 +133,6 @@ public final class CpeMemoryIndex {
}
}
}
/**
* A flag indicating whether or not the index is open.
*/
private boolean openState = false;
/**
* returns whether or not the index is open.


@@ -46,6 +46,30 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
* The Logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(DownloadTask.class);
/**
* The CVE DB to use when processing the files.
*/
private final CveDB cveDB;
/**
* The processor service to pass the results of the download to.
*/
private final ExecutorService processorService;
/**
* The NVD CVE Meta Data.
*/
private NvdCveInfo nvdCveInfo;
/**
* A reference to the global settings object.
*/
private final Settings settings;
/**
* a file.
*/
private File first;
/**
* a file.
*/
private File second;
/**
* Simple constructor for the callable download task.
@@ -77,22 +101,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
this.second = file2;
}
/**
* The CVE DB to use when processing the files.
*/
private final CveDB cveDB;
/**
* The processor service to pass the results of the download to.
*/
private final ExecutorService processorService;
/**
* The NVD CVE Meta Data.
*/
private NvdCveInfo nvdCveInfo;
/**
* A reference to the global settings object.
*/
private final Settings settings;
/**
* Get the value of nvdCveInfo.
@@ -111,10 +119,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
public void setNvdCveInfo(NvdCveInfo nvdCveInfo) {
this.nvdCveInfo = nvdCveInfo;
}
/**
* a file.
*/
private File first;
/**
* Get the value of first.
@@ -133,10 +137,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
public void setFirst(File first) {
this.first = first;
}
/**
* a file.
*/
private File second;
/**
* Get the value of second.
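Review bot: The relocated fields `first` and `second` carry the Javadoc `a file.`, which documents nothing; both are `File`s assigned from constructor parameters (`this.second = file2;` is visible in the section) and the surrounding class handles `NvdCveInfo`, so they are presumably the two download targets for an NVD feed, but the comment should say what each one is. Something like `* The first file to write the downloaded NVD data to (presumably the 1.2 schema feed - confirm).` and the matching line for `second` would be a start; if they always hold the same two artifacts, names that say so would be better still. `nvdCveInfo` is also the only non-`final` field among its neighbours; that is fine as long as `setNvdCveInfo` must remain, but a `// mutable: set via setNvdCveInfo` note would explain the exception.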


@@ -73,6 +73,20 @@ public class NvdCve20Handler extends DefaultHandler {
*/
private int totalNumberOfEntries;
/**
* The total number of application entries parsed.
*/
private int totalNumberOfApplicationEntries;
/**
* the cve database.
*/
private CveDB cveDB;
/**
* A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
*/
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/**
* Get the value of totalNumberOfEntries.
*
@@ -81,11 +95,7 @@ public class NvdCve20Handler extends DefaultHandler {
public int getTotalNumberOfEntries() {
return totalNumberOfEntries;
}
/**
* The total number of application entries parsed.
*/
private int totalNumberOfApplicationEntries;
/**
* Get the value of totalNumberOfApplicationEntries.
*
@@ -218,10 +228,6 @@ public class NvdCve20Handler extends DefaultHandler {
nodeText = null;
}
}
/**
* the cve database.
*/
private CveDB cveDB;
/**
* Sets the cveDB.
@@ -231,11 +237,6 @@ public class NvdCve20Handler extends DefaultHandler {
public void setCveDB(CveDB db) {
cveDB = db;
}
/**
* A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
*/
private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
/**
* Sets the prevVersionVulnMap.
*
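Review bot: The relocated Javadoc for `prevVersionVulnMap` calls it "A list of CVE entries and associated VulnerableSoftware entries that contain previous entries", but the field is a `Map<String, List<VulnerableSoftware>>`, so the text never tells the reader what the key is. Presumably the key is the CVE identifier; `* Map from CVE identifier to the VulnerableSoftware entries flagged as "previous versions" for that CVE.` would be closer, once confirmed against the handler code that populates it (outside the hunk). Likewise `cveDB` is documented only as `the cve database.`; noting that it is null until `setCveDB` is called, since the field has no initializer, would help anyone reading the handler's callbacks.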


@@ -73,30 +73,10 @@ public class Dependency implements Serializable, Comparable<Dependency> {
* The file name of the dependency.
*/
private String fileName;
/**
* The package path.
*/
private String packagePath;
/**
* Returns the package path.
*
* @return the package path
*/
public String getPackagePath() {
return packagePath;
}
/**
* Sets the package path.
*
* @param packagePath the package path
*/
public void setPackagePath(String packagePath) {
this.packagePath = packagePath;
}
/**
* The md5 hash of the dependency.
*/
@@ -121,6 +101,60 @@ public class Dependency implements Serializable, Comparable<Dependency> {
* A collection of version evidence.
*/
private final EvidenceCollection versionEvidence;
/**
* The file name to display in reports.
*/
private String displayName = null;
/**
* A set of identifiers that have been suppressed.
*/
private Set<Identifier> suppressedIdentifiers;
/**
* A set of vulnerabilities that have been suppressed.
*/
private SortedSet<Vulnerability> suppressedVulnerabilities;
/**
* The description of the JAR file.
*/
private String description;
/**
* The license that this dependency uses.
*/
private String license;
/**
* A list of vulnerabilities for this dependency.
*/
private SortedSet<Vulnerability> vulnerabilities;
/**
* A collection of related dependencies.
*/
private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
/**
* A list of projects that reference this dependency.
*/
private Set<String> projectReferences = new HashSet<String>();
/**
* A list of available versions.
*/
private List<String> availableVersions = new ArrayList<String>();
/**
* Returns the package path.
*
* @return the package path
*/
public String getPackagePath() {
return packagePath;
}
/**
* Sets the package path.
*
* @param packagePath the package path
*/
public void setPackagePath(String packagePath) {
this.packagePath = packagePath;
}
/**
* Constructs a new Dependency object.
@@ -222,11 +256,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.filePath = filePath;
}
/**
* The file name to display in reports.
*/
private String displayName = null;
/**
* Sets the file name to display in reports.
*
@@ -392,11 +421,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.identifiers.add(identifier);
}
/**
* A set of identifiers that have been suppressed.
*/
private Set<Identifier> suppressedIdentifiers;
/**
* Get the value of suppressedIdentifiers.
*
@@ -424,11 +448,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.suppressedIdentifiers.add(identifier);
}
/**
* A set of vulnerabilities that have been suppressed.
*/
private SortedSet<Vulnerability> suppressedVulnerabilities;
/**
* Get the value of suppressedVulnerabilities.
*
@@ -510,11 +529,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
return this.versionEvidence;
}
/**
* The description of the JAR file.
*/
private String description;
/**
* Get the value of description.
*
@@ -533,11 +547,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.description = description;
}
/**
* The license that this dependency uses.
*/
private String license;
/**
* Get the value of license.
*
@@ -556,11 +565,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.license = license;
}
/**
* A list of vulnerabilities for this dependency.
*/
private SortedSet<Vulnerability> vulnerabilities;
/**
* Get the list of vulnerabilities.
*
@@ -610,11 +614,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
this.vulnerabilities.add(vulnerability);
}
/**
* A collection of related dependencies.
*/
private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
/**
* Get the value of {@link #relatedDependencies}. This field is used to
* collect other dependencies which really represent the same dependency,
@@ -626,11 +625,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
return relatedDependencies;
}
/**
* A list of projects that reference this dependency.
*/
private Set<String> projectReferences = new HashSet<String>();
/**
* Get the value of projectReferences.
*
@@ -698,11 +692,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
}
}
/**
* A list of available versions.
*/
private List<String> availableVersions = new ArrayList<String>();
/**
* Get the value of availableVersions.
*


@@ -48,7 +48,17 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class);
/**
* Used to iterate over highest confidence evidence contained in the collection.
* A collection of evidence.
*/
private final Set<Evidence> list;
/**
* A collection of strings used to adjust Lucene's term weighting.
*/
private final Set<String> weightedStrings;
/**
* Used to iterate over highest confidence evidence contained in the
* collection.
*/
private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
@Override
@@ -57,7 +67,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
};
/**
* Used to iterate over high confidence evidence contained in the collection.
* Used to iterate over high confidence evidence contained in the
* collection.
*/
private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
@Override
@@ -66,7 +77,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
};
/**
* Used to iterate over medium confidence evidence contained in the collection.
* Used to iterate over medium confidence evidence contained in the
* collection.
*/
private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
@Override
@@ -84,7 +96,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
};
/**
* Used to iterate over evidence that has was used (aka read) from the collection.
* Used to iterate over evidence that has was used (aka read) from the
* collection.
*/
private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
@Override
@@ -96,7 +109,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/**
* Used to iterate over evidence of the specified confidence.
*
* @param confidence the confidence level for the evidence to be iterated over.
* @param confidence the confidence level for the evidence to be iterated
* over.
* @return Iterable&lt;Evidence&gt; an iterable collection of evidence
*/
public final Iterable<Evidence> iterator(Confidence confidence) {
@@ -110,14 +124,6 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
}
}
/**
* A collection of evidence.
*/
private final Set<Evidence> list;
/**
* A collection of strings used to adjust Lucene's term weighting.
*/
private final Set<String> weightedStrings;
/**
* Creates a new EvidenceCollection.
@@ -137,7 +143,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Creates an Evidence object from the parameters and adds the resulting object to the collection.
* Creates an Evidence object from the parameters and adds the resulting
* object to the collection.
*
* @param source the source of the Evidence.
* @param name the name of the Evidence.
@@ -150,12 +157,16 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
* of combining evidence from multiple sources to boost the confidence of the given evidence.
* Adds term to the weighting collection. The terms added here are used
* later to boost the score of other terms. This is a way of combining
* evidence from multiple sources to boost the confidence of the given
* evidence.
*
* Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
* names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
* Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
* Example: The term 'Apache' is found in the manifest of a JAR and is added
* to the Collection. When we parse the package names within the JAR file we
* may add these package names to the "weighted" strings collection to boost
* the score in the Lucene query. That way when we construct the Lucene
* query we find the term Apache in the collection AND in the weighted
* strings; as such, we will boost the confidence of the term Apache.
*
* @param str to add to the weighting collection.
@@ -165,8 +176,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
* location.
* Returns a set of Weightings - a list of terms that are believed to be of
* higher confidence when also found in another location.
*
* @return Set&lt;String&gt;
*/
@@ -255,7 +266,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Used to determine if a given version was used (aka read) from the EvidenceCollection.
* Used to determine if a given version was used (aka read) from the
* EvidenceCollection.
*
* @param version the version to search for within the collected evidence.
* @return whether or not the string was used.
@@ -275,7 +287,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Returns whether or not the collection contains evidence of a specified Confidence.
* Returns whether or not the collection contains evidence of a specified
* Confidence.
*
* @param confidence A Confidence value.
* @return boolean.
@@ -290,7 +303,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Merges multiple EvidenceCollections together, only merging evidence that was used, into a new EvidenceCollection.
* Merges multiple EvidenceCollections together, only merging evidence that
* was used, into a new EvidenceCollection.
*
* @param ec One or more EvidenceCollections.
* @return a new EvidenceCollection containing the used evidence.
@@ -323,10 +337,12 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
}
/**
* Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
* Merges multiple EvidenceCollections together; flattening all of the
* evidence items by removing the confidence.
*
* @param ec One or more EvidenceCollections
* @return new set of evidence resulting from merging the evidence in the collections
* @return new set of evidence resulting from merging the evidence in the
* collections
*/
public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
final Set<Evidence> ret = new TreeSet<Evidence>();
@@ -367,11 +383,13 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
/**
* <p>
* Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
* protocol, the sub-domain of 'www', and the file extension of the path.</p>
* Takes a string that may contain a fully qualified domain and it will
* return the string having removed the query string, the protocol, the
* sub-domain of 'www', and the file extension of the path.</p>
* <p>
* This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
* may produce false positives.
* This is useful for checking if the evidence contains a specific string.
* The presence of the protocol, file extension, etc. may produce false
* positives.
*
* <p>
* Example, given the following input:</p>
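Review bot: The reflowed Javadoc on the EVIDENCE_USED filter keeps the existing typo "evidence that has was used", so the wrap-only change leaves the sentence ungrammatical; it should read `Used to iterate over evidence that was used (aka read) from the collection.`. The rest of this section only moves the `list` and `weightedStrings` fields up and re-wraps comments, which is fine, though placing the two instance fields between the static LOGGER and the static confidence filters mixes static and instance state in one run of declarations — grouping the `private static final` filters together first would read more clearly. No behaviour changes in this file as far as the visible hunks show.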


@@ -35,11 +35,64 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
* The serial version uid.
*/
private static final long serialVersionUID = 307319490326651052L;
/**
* The name of the vulnerability.
*/
private String name;
/**
* the description of the vulnerability.
*/
private String description;
/**
* References for this vulnerability.
*/
private Set<Reference> references = new HashSet<Reference>();
/**
* A set of vulnerable software.
*/
private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
/**
* The CWE for the vulnerability.
*/
private String cwe;
/**
* CVSS Score.
*/
private float cvssScore;
/**
* CVSS Access Vector.
*/
private String cvssAccessVector;
/**
* CVSS Access Complexity.
*/
private String cvssAccessComplexity;
/**
* CVSS Authentication.
*/
private String cvssAuthentication;
/**
* CVSS Confidentiality Impact.
*/
private String cvssConfidentialityImpact;
/**
* CVSS Integrity Impact.
*/
private String cvssIntegrityImpact;
/**
* CVSS Availability Impact.
*/
private String cvssAvailabilityImpact;
/**
* The CPE id that caused this vulnerability to be flagged.
*/
private String matchedCPE;
/**
* Whether or not all previous versions were affected.
*/
private String matchedAllPreviousCPE;
/**
* Get the value of name.
@@ -58,10 +111,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setName(String name) {
this.name = name;
}
/**
* the description of the vulnerability.
*/
private String description;
/**
* Get the value of description.
@@ -80,10 +129,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setDescription(String description) {
this.description = description;
}
/**
* References for this vulnerability.
*/
private Set<Reference> references = new HashSet<Reference>();
/**
* Get the value of references.
@@ -126,10 +171,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
ref.setUrl(referenceUrl);
this.references.add(ref);
}
/**
* A set of vulnerable software.
*/
private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
/**
* Get the value of vulnerableSoftware.
@@ -188,10 +229,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
}
return vulnerableSoftware.add(vulnSoftware);
}
/**
* The CWE for the vulnerability.
*/
private String cwe;
/**
* Get the value of cwe.
@@ -210,10 +247,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCwe(String cwe) {
this.cwe = cwe;
}
/**
* CVSS Score.
*/
private float cvssScore;
/**
* Get the value of cvssScore.
@@ -232,10 +265,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssScore(float cvssScore) {
this.cvssScore = cvssScore;
}
/**
* CVSS Access Vector.
*/
private String cvssAccessVector;
/**
* Get the value of cvssAccessVector.
@@ -254,10 +283,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssAccessVector(String cvssAccessVector) {
this.cvssAccessVector = cvssAccessVector;
}
/**
* CVSS Access Complexity.
*/
private String cvssAccessComplexity;
/**
* Get the value of cvssAccessComplexity.
@@ -276,10 +301,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssAccessComplexity(String cvssAccessComplexity) {
this.cvssAccessComplexity = cvssAccessComplexity;
}
/**
* CVSS Authentication.
*/
private String cvssAuthentication;
/**
* Get the value of cvssAuthentication.
@@ -298,10 +319,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssAuthentication(String cvssAuthentication) {
this.cvssAuthentication = cvssAuthentication;
}
/**
* CVSS Confidentiality Impact.
*/
private String cvssConfidentialityImpact;
/**
* Get the value of cvssConfidentialityImpact.
@@ -320,10 +337,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
}
/**
* CVSS Integrity Impact.
*/
private String cvssIntegrityImpact;
/**
* Get the value of cvssIntegrityImpact.
@@ -342,10 +355,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
this.cvssIntegrityImpact = cvssIntegrityImpact;
}
/**
* CVSS Availability Impact.
*/
private String cvssAvailabilityImpact;
/**
* Get the value of cvssAvailabilityImpact.
@@ -420,15 +429,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
//return v.getName().compareTo(this.getName());
}
/**
* The CPE id that caused this vulnerability to be flagged.
*/
private String matchedCPE;
/**
* Whether or not all previous versions were affected.
*/
private String matchedAllPreviousCPE;
/**
* Sets the CPE that caused this vulnerability to be flagged.
*
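Review bot: The field initialisers moved to the top of Vulnerability still spell out the type arguments (`new HashSet<Reference>()` and `new HashSet<VulnerableSoftware>()`), while the same commit switches ExceptionCollection and SuppressionHandler to the diamond operator, so the "codacy" cleanup is applied inconsistently; change them to `private Set<Reference> references = new HashSet<>();` and `private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<>();`. Also, the relocated Javadoc for `matchedAllPreviousCPE` says "Whether or not all previous versions were affected" but the field is a `String`, not a `boolean`; since the move is the moment to fix the comment, state what string values the field actually holds (presumably the CPE or a flag value from the NVD data — confirm against the setter, which is outside this section) rather than describing it as a yes/no.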


@@ -28,6 +28,19 @@ import java.util.List;
* @author Jeremy Long
*/
public class ExceptionCollection extends Exception {
/**
* The serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* A collection of exceptions.
*/
private List<Throwable> exceptions;
/**
* Flag indicating if a fatal exception occurred that would prevent the
* attempt at completing the analysis even if exceptions occurred.
*/
private boolean fatal = false;
/**
* Instantiates a new exception collection.
@@ -99,7 +112,7 @@ public class ExceptionCollection extends Exception {
*/
public ExceptionCollection(String msg, Throwable exception) {
super(msg);
this.exceptions = new ArrayList<Throwable>();
this.exceptions = new ArrayList<>();
this.exceptions.add(exception);
this.fatal = false;
}
@@ -109,17 +122,8 @@ public class ExceptionCollection extends Exception {
*/
public ExceptionCollection() {
super();
this.exceptions = new ArrayList<Throwable>();
this.exceptions = new ArrayList<>();
}
/**
* The serial version uid.
*/
private static final long serialVersionUID = 1L;
/**
* A collection of exceptions.
*/
private List<Throwable> exceptions;
/**
* Get the value of exceptions.
@@ -150,12 +154,6 @@ public class ExceptionCollection extends Exception {
this.fatal = fatal;
}
/**
* Flag indicating if a fatal exception occurred that would prevent the
* attempt at completing the analysis even if exceptions occurred.
*/
private boolean fatal = false;
/**
* Get the value of fatal.
*


@@ -26,6 +26,14 @@ package org.owasp.dependencycheck.utils;
* @author Jeremy Long
*/
public class Pair<L, R> {
/**
* The left element of the pair.
*/
private L left = null;
/**
* The right element of the pair.
*/
private R right = null;
/**
* Constructs a new empty pair.
@@ -43,10 +51,6 @@ public class Pair<L, R> {
this.left = left;
this.right = right;
}
/**
* The left element of the pair.
*/
private L left = null;
/**
* Get the value of left.
@@ -65,10 +69,6 @@ public class Pair<L, R> {
public void setLeft(L left) {
this.left = left;
}
/**
* The right element of the pair.
*/
private R right = null;
/**
* Get the value of right.


@@ -18,14 +18,24 @@
package org.owasp.dependencycheck.xml.hints;
/**
* Used to duplicate vendor evidence within a collection. The intent is if any evidence
* is found in a collection that matches the value given the evidence will be
* duplicated and the value replaced with the value indicated.
* Used to duplicate vendor evidence within a collection. The intent is if any
* evidence is found in a collection that matches the value given the evidence
* will be duplicated and the value replaced with the value indicated.
*
* @author Jeremy Long
*/
public class VendorDuplicatingHintRule {
/**
* The evidence value to duplicate if found.
*/
private String value;
/**
* The value to replace when duplicating the evidence.
*/
private String duplicate;
/**
* Constructs a new duplicating rule.
*
@@ -37,11 +47,6 @@ public class VendorDuplicatingHintRule {
this.duplicate = duplicate;
}
/**
* The evidence value to duplicate if found.
*/
private String value;
/**
* Get the value of value.
*
@@ -60,11 +65,6 @@ public class VendorDuplicatingHintRule {
this.value = value;
}
/**
* The value to replace when duplicating the evidence.
*/
private String duplicate;
/**
* Get the value of duplicate.
*


@@ -65,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
/**
* A list of suppression rules.
*/
private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
private final List<SuppressionRule> suppressionRules = new ArrayList<>();
/**
* The current rule being read.
*/
@@ -88,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler {
*/
private StringBuilder currentText;
/**
* Get the value of suppressionRules.
*
* @return the value of suppressionRules
*/
public List<SuppressionRule> getSuppressionRules() {
return suppressionRules;
}
/**
* Handles the start element event.
*
@@ -160,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler {
}
/**
* Processes field members that have been collected during the characters and startElement method to construct a
* PropertyType object.
* Processes field members that have been collected during the characters
* and startElement method to construct a PropertyType object.
*
* @return a PropertyType object
*/
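Review bot: The relocated `getSuppressionRules()` hands out the handler's internal, mutable `suppressionRules` list, so any caller can add or remove suppression rules behind the parser's back; because these rules decide which findings are hidden from the report, that is worth locking down while the accessor is being touched. If no caller relies on mutating the returned list, return a read-only view with `return Collections.unmodifiableList(suppressionRules);` (this may need `java.util.Collections` imported — the import block is outside this section) and say so in the `@return` Javadoc. The commit itself only moves the getter and switches the initialiser to the diamond operator, which is fine.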


@@ -41,7 +41,7 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
@Test
public void testSupportsExtensions() {
ArchiveAnalyzer instance = new ArchiveAnalyzer();
Set<String> expResult = new HashSet<String>();
Set<String> expResult = new HashSet<>();
expResult.add("zip");
expResult.add("war");
expResult.add("ear");
@@ -114,6 +114,8 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
/**
* Test of analyze method, of class ArchiveAnalyzer.
*
* @throws java.lang.Exception when an error occurs
*/
@Test
public void testAnalyze() throws Exception {
@@ -171,7 +173,7 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
instance.close();
}
}
/**
* Test of analyze method, of class ArchiveAnalyzer.
*/


@@ -17,6 +17,7 @@
*/
package org.owasp.dependencycheck.data.nvdcve;
import java.sql.SQLException;
import org.owasp.dependencycheck.BaseDBTestCase;
import org.owasp.dependencycheck.dependency.Vulnerability;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
@@ -31,6 +32,7 @@ import static org.junit.Assert.assertEquals;
import static org.junit.Assert.assertNotNull;
import static org.junit.Assert.assertNull;
import static org.junit.Assert.assertTrue;
import static org.junit.Assert.fail;
/**
*
@@ -42,12 +44,14 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
* Pretty useless tests of open, commit, and close methods, of class CveDB.
*/
@Test
public void testOpen() throws Exception {
public void testOpen() {
CveDB instance = null;
try {
instance = new CveDB();
instance.open();
instance.commit();
} catch (DatabaseException | SQLException ex) {
fail(ex.getMessage());
} finally {
if (instance != null) {
instance.close();


@@ -131,7 +131,7 @@ public class DriverLoaderTest extends BaseTest {
File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
Driver d = DriverLoader.load(className, driver.getAbsolutePath());
DriverLoader.load(className, driver.getAbsolutePath());
}
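Review bot: Dropping the unused `Driver d` local means the test now discards the loaded driver entirely, so it only proves that `DriverLoader.load` does not throw, not that it returns something usable. Keep the intent of the original by asserting on the result instead of discarding it: `assertNotNull(DriverLoader.load(className, driver.getAbsolutePath()));` (the static `assertNotNull` import may need adding; only `assertTrue` is visible in this hunk). The start of the test method is outside the hunk.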
/**


@@ -36,9 +36,6 @@ import org.owasp.dependencycheck.utils.Settings;
*/
public class DownloadTaskTest extends BaseTest {
public DownloadTaskTest() {
}
/**
* Test of call method, of class DownloadTask.
*/


@@ -218,7 +218,7 @@ public class DependencyTest extends BaseTest {
instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH);
instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM);
for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) {
String use = e.getValue();
e.getValue();
}
EvidenceCollection result = instance.getEvidenceUsed();
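Review bot: The bare `e.getValue();` statement that replaces `String use = e.getValue();` now reads like a leftover no-op, and the next static-analysis pass (or the next maintainer) is likely to delete it, which would break this test because the loop exists only to touch the evidence so that `getEvidenceUsed()` below has something to return. Add a comment making the side effect explicit, e.g. `// getValue() marks the evidence as used (read); the returned value is intentionally discarded` — the "used (aka read)" semantics are what the EvidenceCollection Javadoc describes, but confirm against `Evidence.getValue()`, which is not in this diff. The test method starts before this hunk.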


@@ -71,9 +71,10 @@ public class ModelTest extends BaseTest {
*/
@Test
public void testSetOrganization() {
String organization = "";
String organization = "apache";
Model instance = new Model();
instance.setOrganization(organization);
assertEquals("apache", instance.getOrganization());
}
/**
@@ -188,9 +189,10 @@ public class ModelTest extends BaseTest {
*/
@Test
public void testSetParentGroupId() {
String parentGroupId = "";
String parentGroupId = "org.owasp";
Model instance = new Model();
instance.setParentGroupId(parentGroupId);
assertEquals("org.owasp", instance.getParentGroupId());
}
/**


@@ -40,6 +40,10 @@ public final class Checksum {
* The logger.
*/
private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
/**
* Hex code characters used in getHex.
*/
private static final String HEXES = "0123456789abcdef";
/**
* Private constructor for a utility class.
@@ -120,10 +124,6 @@ public final class Checksum {
final byte[] b = getChecksum("SHA1", file);
return getHex(b);
}
/**
* Hex code characters used in getHex.
*/
private static final String HEXES = "0123456789abcdef";
/**
* <p>