diff --git a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java index 3c96bb5b4..70423496b 100644 --- a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java +++ b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java @@ -37,6 +37,11 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { * The unique instance of this class */ private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder(); + /** + * Ant tasks have the log method we actually want to call. So we hang onto + * the task as a delegate + */ + private Task task = null; /** * Return the singleton of this class. @@ -47,12 +52,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { return SINGLETON; } - /** - * Ant tasks have the log method we actually want to call. So we hang onto - * the task as a delegate - */ - private Task task = null; - /** * Set the Task which will this is to log through. * diff --git a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java index 91252289a..c564d7c79 100644 --- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java +++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java @@ -17,17 +17,14 @@ */ package org.owasp.dependencycheck; -import org.owasp.dependencycheck.CliParser; import java.io.ByteArrayOutputStream; import java.io.File; import java.io.FileNotFoundException; import java.io.IOException; import java.io.PrintStream; import org.apache.commons.cli.ParseException; -import org.junit.After; import org.junit.AfterClass; import org.junit.Assert; -import org.junit.Before; import org.junit.BeforeClass; import org.junit.Test; import org.owasp.dependencycheck.utils.Settings; 
@@ -48,14 +45,6 @@ public class CliParserTest { Settings.cleanup(true); } - @Before - public void setUp() throws Exception { - } - - @After - public void tearDown() throws Exception { - } - /** * Test of parse method, of class CliParser. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java index 635c2646a..dbd540061 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java @@ -63,6 +63,7 @@ import org.slf4j.LoggerFactory; @SuppressWarnings("unused") public class DependencyCheckScanAgent { + // /** * System specific new line character. */ 
@@ -75,6 +76,141 @@ public class DependencyCheckScanAgent { * The application name for the report. */ private String applicationName = "Dependency-Check"; + /** + * The pre-determined dependencies to scan + */ + private List dependencies; + /** + * The location of the data directory that contains + */ + private String dataDirectory = null; + /** + * Specifies the destination directory for the generated Dependency-Check + * report. + */ + private String reportOutputDirectory; + /** + * Specifies if the build should be failed if a CVSS score above a specified + * level is identified. The default is 11 which means since the CVSS scores + * are 0-10, by default the build will never fail and the CVSS score is set + * to 11. The valid range for the fail build on CVSS is 0 to 11, where + * anything above 10 will not cause the build to fail. + */ + private float failBuildOnCVSS = 11; + /** + * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not + * recommended that this be turned to false. Default is true. + */ + private boolean autoUpdate = true; + /** + * flag indicating whether or not to generate a report of findings. + */ + private boolean generateReport = true; + /** + * The report format to be generated (HTML, XML, VULN, ALL). This + * configuration option has no affect if using this within the Site plugin + * unless the externalReport is set to true. Default is HTML. + */ + private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML; + /** + * The Proxy Server. + */ + private String proxyServer; + /** + * The Proxy Port. + */ + private String proxyPort; + /** + * The Proxy username. + */ + private String proxyUsername; + /** + * The Proxy password. + */ + private String proxyPassword; + /** + * The Connection Timeout. + */ + private String connectionTimeout; + /** + * The file path used for verbose logging. + */ + private String logFile = null; + /** + * flag indicating whether or not to show a summary of findings. 
+ */ + private boolean showSummary = true; + /** + * The path to the suppression file. + */ + private String suppressionFile; + /** + * The password to use when connecting to the database. + */ + private String databasePassword; + /** + * Whether or not the Maven Central analyzer is enabled. + */ + private boolean centralAnalyzerEnabled = true; + /** + * The URL of Maven Central. + */ + private String centralUrl; + /** + * Whether or not the nexus analyzer is enabled. + */ + private boolean nexusAnalyzerEnabled = true; + /** + * The URL of the Nexus server. + */ + private String nexusUrl; + /** + * Whether or not the defined proxy should be used when connecting to Nexus. + */ + private boolean nexusUsesProxy = true; + /** + * The database driver name; such as org.h2.Driver. + */ + private String databaseDriverName; + /** + * The path to the database driver JAR file if it is not on the class path. + */ + private String databaseDriverPath; + /** + * The database connection string. + */ + private String connectionString; + /** + * The user name for connecting to the database. + */ + private String databaseUser; + /** + * Additional ZIP File extensions to add analyze. This should be a + * comma-separated list of file extensions to treat like ZIP files. + */ + private String zipExtensions; + /** + * The url for the modified NVD CVE (1.2 schema). + */ + private String cveUrl12Modified; + /** + * The url for the modified NVD CVE (2.0 schema). + */ + private String cveUrl20Modified; + /** + * Base Data Mirror URL for CVE 1.2. + */ + private String cveUrl12Base; + /** + * Data Mirror URL for CVE 2.0. + */ + private String cveUrl20Base; + /** + * The path to Mono for .NET assembly analysis on non-windows systems. + */ + private String pathToMono; + // + // /** * Get the value of applicationName. 
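Review bot: The Javadoc moved onto `dataDirectory` is cut off mid-sentence (`The location of the data directory that contains`), so the reader is left guessing what the directory holds; complete it, for example `The location of the data directory (presumably the local CVE data store — confirm).` The `zipExtensions` summary `Additional ZIP File extensions to add analyze.` also reads oddly and could become `Additional file extensions to be analyzed as ZIP archives.` Separately, `proxyPassword` and `databasePassword` now sit in one contiguous configuration block with the other settings; should a `toString()` or a debug dump of this configuration ever be added, those two fields are credentials and need to be redacted. The class and its accessors continue outside the hunk.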
@@ -94,11 +230,6 @@ public class DependencyCheckScanAgent { this.applicationName = applicationName; } - /** - * The pre-determined dependencies to scan - */ - private List dependencies; - /** * Returns a list of pre-determined dependencies. * @@ -117,11 +248,6 @@ public class DependencyCheckScanAgent { this.dependencies = dependencies; } - /** - * The location of the data directory that contains - */ - private String dataDirectory = null; - /** * Get the value of dataDirectory. * @@ -140,12 +266,6 @@ public class DependencyCheckScanAgent { this.dataDirectory = dataDirectory; } - /** - * Specifies the destination directory for the generated Dependency-Check - * report. - */ - private String reportOutputDirectory; - /** * Get the value of reportOutputDirectory. * @@ -164,15 +284,6 @@ public class DependencyCheckScanAgent { this.reportOutputDirectory = reportOutputDirectory; } - /** - * Specifies if the build should be failed if a CVSS score above a specified - * level is identified. The default is 11 which means since the CVSS scores - * are 0-10, by default the build will never fail and the CVSS score is set - * to 11. The valid range for the fail build on CVSS is 0 to 11, where - * anything above 10 will not cause the build to fail. - */ - private float failBuildOnCVSS = 11; - /** * Get the value of failBuildOnCVSS. * @@ -191,12 +302,6 @@ public class DependencyCheckScanAgent { this.failBuildOnCVSS = failBuildOnCVSS; } - /** - * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not - * recommended that this be turned to false. Default is true. - */ - private boolean autoUpdate = true; - /** * Get the value of autoUpdate. * @@ -215,11 +320,6 @@ public class DependencyCheckScanAgent { this.autoUpdate = autoUpdate; } - /** - * flag indicating whether or not to generate a report of findings. - */ - private boolean generateReport = true; - /** * Get the value of generateReport. * 
@@ -238,13 +338,6 @@ public class DependencyCheckScanAgent { this.generateReport = generateReport; } - /** - * The report format to be generated (HTML, XML, VULN, ALL). This - * configuration option has no affect if using this within the Site plugin - * unless the externalReport is set to true. Default is HTML. - */ - private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML; - /** * Get the value of reportFormat. * @@ -263,11 +356,6 @@ public class DependencyCheckScanAgent { this.reportFormat = reportFormat; } - /** - * The Proxy Server. - */ - private String proxyServer; - /** * Get the value of proxyServer. * @@ -311,11 +399,6 @@ public class DependencyCheckScanAgent { this.proxyServer = proxyUrl; } - /** - * The Proxy Port. - */ - private String proxyPort; - /** * Get the value of proxyPort. * @@ -334,11 +417,6 @@ public class DependencyCheckScanAgent { this.proxyPort = proxyPort; } - /** - * The Proxy username. - */ - private String proxyUsername; - /** * Get the value of proxyUsername. * @@ -357,11 +435,6 @@ public class DependencyCheckScanAgent { this.proxyUsername = proxyUsername; } - /** - * The Proxy password. - */ - private String proxyPassword; - /** * Get the value of proxyPassword. * @@ -380,11 +453,6 @@ public class DependencyCheckScanAgent { this.proxyPassword = proxyPassword; } - /** - * The Connection Timeout. - */ - private String connectionTimeout; - /** * Get the value of connectionTimeout. * @@ -403,11 +471,6 @@ public class DependencyCheckScanAgent { this.connectionTimeout = connectionTimeout; } - /** - * The file path used for verbose logging. - */ - private String logFile = null; - /** * Get the value of logFile. * @@ -426,11 +489,6 @@ public class DependencyCheckScanAgent { this.logFile = logFile; } - /** - * The path to the suppression file. - */ - private String suppressionFile; - /** * Get the value of suppressionFile. * 
@@ -449,11 +507,6 @@ public class DependencyCheckScanAgent { this.suppressionFile = suppressionFile; } - /** - * flag indicating whether or not to show a summary of findings. - */ - private boolean showSummary = true; - /** * Get the value of showSummary. * @@ -472,11 +525,6 @@ public class DependencyCheckScanAgent { this.showSummary = showSummary; } - /** - * Whether or not the Maven Central analyzer is enabled. - */ - private boolean centralAnalyzerEnabled = true; - /** * Get the value of centralAnalyzerEnabled. * @@ -495,11 +543,6 @@ public class DependencyCheckScanAgent { this.centralAnalyzerEnabled = centralAnalyzerEnabled; } - /** - * The URL of Maven Central. - */ - private String centralUrl; - /** * Get the value of centralUrl. * @@ -518,11 +561,6 @@ public class DependencyCheckScanAgent { this.centralUrl = centralUrl; } - /** - * Whether or not the nexus analyzer is enabled. - */ - private boolean nexusAnalyzerEnabled = true; - /** * Get the value of nexusAnalyzerEnabled. * @@ -541,11 +579,6 @@ public class DependencyCheckScanAgent { this.nexusAnalyzerEnabled = nexusAnalyzerEnabled; } - /** - * The URL of the Nexus server. - */ - private String nexusUrl; - /** * Get the value of nexusUrl. * @@ -564,11 +597,6 @@ public class DependencyCheckScanAgent { this.nexusUrl = nexusUrl; } - /** - * Whether or not the defined proxy should be used when connecting to Nexus. - */ - private boolean nexusUsesProxy = true; - /** * Get the value of nexusUsesProxy. * @@ -587,11 +615,6 @@ public class DependencyCheckScanAgent { this.nexusUsesProxy = nexusUsesProxy; } - /** - * The database driver name; such as org.h2.Driver. - */ - private String databaseDriverName; - /** * Get the value of databaseDriverName. * 
@@ -610,11 +633,6 @@ public class DependencyCheckScanAgent { this.databaseDriverName = databaseDriverName; } - /** - * The path to the database driver JAR file if it is not on the class path. - */ - private String databaseDriverPath; - /** * Get the value of databaseDriverPath. * @@ -633,11 +651,6 @@ public class DependencyCheckScanAgent { this.databaseDriverPath = databaseDriverPath; } - /** - * The database connection string. - */ - private String connectionString; - /** * Get the value of connectionString. * @@ -656,11 +669,6 @@ public class DependencyCheckScanAgent { this.connectionString = connectionString; } - /** - * The user name for connecting to the database. - */ - private String databaseUser; - /** * Get the value of databaseUser. * @@ -679,11 +687,6 @@ public class DependencyCheckScanAgent { this.databaseUser = databaseUser; } - /** - * The password to use when connecting to the database. - */ - private String databasePassword; - /** * Get the value of databasePassword. * @@ -702,12 +705,6 @@ public class DependencyCheckScanAgent { this.databasePassword = databasePassword; } - /** - * Additional ZIP File extensions to add analyze. This should be a - * comma-separated list of file extensions to treat like ZIP files. - */ - private String zipExtensions; - /** * Get the value of zipExtensions. * @@ -726,11 +723,6 @@ public class DependencyCheckScanAgent { this.zipExtensions = zipExtensions; } - /** - * The url for the modified NVD CVE (1.2 schema). - */ - private String cveUrl12Modified; - /** * Get the value of cveUrl12Modified. * @@ -749,11 +741,6 @@ public class DependencyCheckScanAgent { this.cveUrl12Modified = cveUrl12Modified; } - /** - * The url for the modified NVD CVE (2.0 schema). - */ - private String cveUrl20Modified; - /** * Get the value of cveUrl20Modified. * 
@@ -772,11 +759,6 @@ public class DependencyCheckScanAgent { this.cveUrl20Modified = cveUrl20Modified; } - /** - * Base Data Mirror URL for CVE 1.2. - */ - private String cveUrl12Base; - /** * Get the value of cveUrl12Base. * @@ -795,11 +777,6 @@ public class DependencyCheckScanAgent { this.cveUrl12Base = cveUrl12Base; } - /** - * Data Mirror URL for CVE 2.0. - */ - private String cveUrl20Base; - /** * Get the value of cveUrl20Base. * @@ -818,11 +795,6 @@ public class DependencyCheckScanAgent { this.cveUrl20Base = cveUrl20Base; } - /** - * The path to Mono for .NET assembly analysis on non-windows systems. - */ - private String pathToMono; - /** * Get the value of pathToMono. * @@ -840,6 +812,7 @@ public class DependencyCheckScanAgent { public void setPathToMono(String pathToMono) { this.pathToMono = pathToMono; } + // /** * Executes the Dependency-Check on the dependent libraries. @@ -1044,5 +1017,4 @@ public class DependencyCheckScanAgent { summary.toString()); } } - } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java index 5ec83de53..d2ead390a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java @@ -82,7 +82,8 @@ public abstract class AbstractAnalyzer implements Analyzer { protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException; /** - * Initializes a given Analyzer. This will be skipped if the analyzer is disabled. + * Initializes a given Analyzer. This will be skipped if the analyzer is + * disabled. * * @throws InitializationException thrown if there is an exception */ 
@@ -90,14 +91,15 @@ public abstract class AbstractAnalyzer implements Analyzer { } /** - * Closes a given Analyzer. This will be skipped if the analyzer is disabled. + * Closes a given Analyzer. This will be skipped if the analyzer is + * disabled. * * @throws Exception thrown if there is an exception */ protected void closeAnalyzer() throws Exception { + // Intentionally empty, analyzer will override this if they must close a resource. } - /** * Analyzes a given dependency. If the dependency is an archive, such as a * WAR or EAR, the contents are extracted, scanned, and added to the list of @@ -148,7 +150,6 @@ public abstract class AbstractAnalyzer implements Analyzer { } } - /** * The default is to support parallel processing. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 473a90164..4298ec5ff 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -105,14 +105,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * in {@link #extractFiles(File, File, Engine)}. */ private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2"); - - /** - * Detects files with extensions to remove from the engine's collection of - * dependencies. - */ - private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2") - .build(); - static { final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS); if (additionalZipExt != null) { 
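Review bot: The comment added inside `closeAnalyzer()` has a grammatical slip (`analyzer will override this if they must`); `// Intentionally empty; analyzers override this when they hold a resource that must be closed.` reads cleanly. The `@throws Exception thrown if there is an exception` line in the same Javadoc is tautological and would be more useful as `@throws Exception if the analyzer cannot release its resources`, which also tells subclass authors what the broad `throws Exception` is for.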
@@ -122,21 +114,28 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { EXTENSIONS.addAll(ZIPPABLES); } + /** + * Detects files with extensions to remove from the engine's collection of + * dependencies. + */ + private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance() + .addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build(); + /** * The file filter used to filter supported files. */ private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build(); - @Override - protected FileFilter getFileFilter() { - return FILTER; - } - /** * Detects files with .zip extension. */ private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build(); + @Override + protected FileFilter getFileFilter() { + return FILTER; + } + /** * Returns the name of the analyzer. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index 6b7cd57ce..39316c29f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -599,11 +599,10 @@ public class CPEAnalyzer extends AbstractAnalyzer { } } } - if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) { - if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) { - bestGuess = evVer; - bestGuessConf = conf; - } + if ((bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) + && bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) { + bestGuess = evVer; + bestGuessConf = conf; } } } 
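Review bot: After the move, `REMOVE_FROM_ANALYSIS` is still a hard-coded list (`zip`, `tar`, `gz`, `tgz`, `bz2`, `tbz2`) while `FILTER` is built from `EXTENSIONS`, which the static block above extends with `Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS` and `ZIPPABLES`. If the remove filter is meant to cover every extension this analyzer extracts, an archive with a user-configured extension would match `FILTER` but not `REMOVE_FROM_ANALYSIS`; deriving it from the same set, `FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build()` (plus `zip` if `ZIPPABLES` does not already contribute it), would keep the two in step. I cannot see where `REMOVE_FROM_ANALYSIS` is consumed, so treat this as an inference to confirm; if it is changed to depend on `EXTENSIONS`, its new position below the static block becomes necessary rather than cosmetic.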
@@ -613,10 +612,12 @@ public class CPEAnalyzer extends AbstractAnalyzer { final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product); url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8")); } - if (bestGuessConf == null) { + if (bestGuessConf + == null) { bestGuessConf = Confidence.LOW; } final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf); + collected.add(match); Collections.sort(collected); @@ -648,6 +649,7 @@ public class CPEAnalyzer extends AbstractAnalyzer { @Override protected String getAnalyzerEnabledSettingKey() { return Settings.KEYS.ANALYZER_CPE_ENABLED; + } /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 6312ac14e..1b9dbe43f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -39,7 +39,8 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; /** - * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime. + * This analyzer attempts to remove some well known false positives - + * specifically regarding the java runtime. * * @author Jeremy Long */ @@ -84,6 +85,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { public AnalysisPhase getAnalysisPhase() { return ANALYSIS_PHASE; } + /** *
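Review bot: The reformatted condition `if (bestGuessConf` / `== null) {` splits a two-token comparison across lines, which looks like a formatter accident rather than intent; keep it as `if (bestGuessConf == null) {`. The same pattern appears in `removeBadSpringMatches` in FalsePositiveAnalyzer later in this diff (`if (mustContain` / `!= null) {`). The blank line inserted before `collected.add(match);` and the one added before the closing brace of `getAnalyzerEnabledSettingKey()` in the next hunk add nothing and could be dropped.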

* Returns the setting key to determine if the analyzer is enabled.

@@ -97,11 +99,13 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { // /** - * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics. + * Analyzes the dependencies and removes bad/incorrect CPE associations + * based on various heuristics. * * @param dependency the dependency to analyze. * @param engine the engine that is scanning the dependencies - * @throws AnalysisException is thrown if there is an error reading the JAR file. + * @throws AnalysisException is thrown if there is an error reading the JAR + * file. */ @Override protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException { @@ -117,22 +121,23 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { /** * Removes inaccurate matches on springframework CPEs. * - * @param dependency the dependency to test for and remove known inaccurate CPE matches + * @param dependency the dependency to test for and remove known inaccurate + * CPE matches */ private void removeBadSpringMatches(Dependency dependency) { String mustContain = null; for (Identifier i : dependency.getIdentifiers()) { - if ("maven".contains(i.getType())) { - if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) { - final int endPoint = i.getValue().indexOf(':', 19); - if (endPoint >= 0) { - mustContain = i.getValue().substring(19, endPoint).toLowerCase(); - break; - } + if ("maven".contains(i.getType()) + && i.getValue() != null && i.getValue().startsWith("org.springframework.")) { + final int endPoint = i.getValue().indexOf(':', 19); + if (endPoint >= 0) { + mustContain = i.getValue().substring(19, endPoint).toLowerCase(); + break; } } } - if (mustContain != null) { + if (mustContain + != null) { final Iterator itr = dependency.getIdentifiers().iterator(); while (itr.hasNext()) { final Identifier i = itr.next(); @@ -149,7 +154,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { /** *
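Review bot: The merged condition in `removeBadSpringMatches` still begins with `"maven".contains(i.getType())`, which is the reverse of the intended check: it is true for any identifier type that is a substring of `maven` (including the empty string and `m`) and throws `NullPointerException` when `getType()` returns null. `"maven".equals(i.getType())` expresses the intent and is null-safe. The merge into a single `&&` is otherwise behavior-preserving; the loop body and the rest of the method continue outside the hunk.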

- * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.

+ * Intended to remove spurious CPE entries. By spurious we mean duplicate, + * less specific CPE entries.

*

* Example:

* @@ -200,10 +206,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) { dependency.getIdentifiers().remove(currentId); } - } else { - if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) { - dependency.getIdentifiers().remove(nextId); - } + } else if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) { + dependency.getIdentifiers().remove(nextId); } } } @@ -211,7 +215,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } } /** - * Regex to identify core java libraries and a few other commonly misidentified ones. + * Regex to identify core java libraries and a few other commonly + * misidentified ones. */ public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|" + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|" @@ -226,12 +231,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { */ public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$"); /** - * Regex to identify core jsf java library files. This is currently incomplete. + * Regex to identify core jsf java library files. This is currently + * incomplete. */ public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$"); /** - * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar + * Removes any CPE entries for the JDK/JRE unless the filename ends with + * rt.jar * * @param dependency the dependency to remove JRE CPEs from */ 
@@ -275,8 +282,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems - * identified when testing this on a LARGE volume of jar files. + * Removes bad CPE matches for a dependency. Unfortunately, right now these + * are hard-coded patches for specific problems identified when testing this + * on a LARGE volume of jar files. * * @param dependency the dependency to analyze */ @@ -351,7 +359,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2. + * Removes CPE matches for the wrong version of a dependency. Currently, + * this only covers Axis 1 & 2. * * @param dependency the dependency to analyze */ @@ -384,8 +393,10 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and changes in - * product names, that based on given evidence we can add the related CPE entries to ensure a complete list of CVE entries. + * There are some known CPE entries, specifically regarding sun and oracle + * products due to the acquisition and changes in product names, that based + * on given evidence we can add the related CPE entries to ensure a complete + * list of CVE entries. * * @param dependency the dependency being analyzed */ 
@@ -422,8 +433,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM entries or - * other types of files (such as DLLs and EXEs) being contained within the JAR. + * Removes duplicate entries identified that are contained within JAR files. + * These occasionally crop up due to POM entries or other types of files + * (such as DLLs and EXEs) being contained within the JAR. * * @param dependency the dependency that might be a duplicate * @param engine the engine used to scan all dependencies @@ -462,7 +474,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * Retrieves a given dependency, based on a given path, from a list of dependencies. + * Retrieves a given dependency, based on a given path, from a list of + * dependencies. * * @param dependencyPath the path of the dependency to return * @param dependencies the collection of dependencies to search @@ -478,7 +491,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } /** - * Takes a full CPE and returns the CPE trimmed to include only vendor and product. + * Takes a full CPE and returns the CPE trimmed to include only vendor and + * product. * * @param value the CPE value to trim * @return a CPE value that only includes the vendor and product diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index 83b691e7c..ba47a5344 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java 
@@ -373,10 +373,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { + "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 " + " indicates unknown). See link below for full details. *** "); } - } else if (appendToDescription) { - if (null != vulnerability) { - vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n"); - } + } else if (appendToDescription && null != vulnerability) { + vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n"); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java index d6677cd71..3100c5ebc 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java @@ -62,21 +62,6 @@ public final class CpeMemoryIndex { * singleton instance. */ private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex(); - - /** - * private constructor for singleton. - */ - private CpeMemoryIndex() { - } - - /** - * Gets the singleton instance of the CpeMemoryIndex. - * - * @return the instance of the CpeMemoryIndex - */ - public static CpeMemoryIndex getInstance() { - return INSTANCE; - } /** * The in memory Lucene index. */ 
@@ -105,6 +90,25 @@ public final class CpeMemoryIndex { * The search field analyzer for the vendor field. */ private SearchFieldAnalyzer vendorFieldAnalyzer; + /** + * A flag indicating whether or not the index is open. + */ + private boolean openState = false; + + /** + * private constructor for singleton. + */ + private CpeMemoryIndex() { + } + + /** + * Gets the singleton instance of the CpeMemoryIndex. + * + * @return the instance of the CpeMemoryIndex + */ + public static CpeMemoryIndex getInstance() { + return INSTANCE; + } /** * Creates and loads data into an in memory index. @@ -129,10 +133,6 @@ public final class CpeMemoryIndex { } } } - /** - * A flag indicating whether or not the index is open. - */ - private boolean openState = false; /** * returns whether or not the index is open. diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java index 10d96b934..59eb331a4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java @@ -46,6 +46,30 @@ public class DownloadTask implements Callable> { * The Logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(DownloadTask.class); + /** + * The CVE DB to use when processing the files. + */ + private final CveDB cveDB; + /** + * The processor service to pass the results of the download to. + */ + private final ExecutorService processorService; + /** + * The NVD CVE Meta Data. + */ + private NvdCveInfo nvdCveInfo; + /** + * A reference to the global settings object. + */ + private final Settings settings; + /** + * a file. + */ + private File first; + /** + * a file. + */ + private File second; /** * Simple constructor for the callable download task. 
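Review bot: `openState` is now declared with the other instance fields of the shared `INSTANCE` singleton as a plain `boolean`; if `isOpen()` can be called from a different thread than the one that opens or closes the index, the read is not guaranteed to observe the write. I cannot see the open/close call sites from here, so either mark it `private volatile boolean openState = false;` or document on the field that open, close and isOpen are confined to a single thread. The methods that write it are outside the hunk.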
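Review bot: The Javadoc carried over for `first` and `second` (`a file.`) says nothing about what the two files are, and the constructor that assigns them is outside the hunk. Describe their roles, for example `The first NVD data file this task downloads and hands to the processor (confirm which schema).`, and likewise for `second`. `nvdCveInfo`, `first` and `second` are also the only non-final fields in an otherwise immutable `Callable`; if their setters exist only for tests, a sentence saying so would stop readers from assuming the task is mutated while running.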
@@ -77,22 +101,6 @@ public class DownloadTask implements Callable> { this.second = file2; } - /** - * The CVE DB to use when processing the files. - */ - private final CveDB cveDB; - /** - * The processor service to pass the results of the download to. - */ - private final ExecutorService processorService; - /** - * The NVD CVE Meta Data. - */ - private NvdCveInfo nvdCveInfo; - /** - * A reference to the global settings object. - */ - private final Settings settings; /** * Get the value of nvdCveInfo. @@ -111,10 +119,6 @@ public class DownloadTask implements Callable> { public void setNvdCveInfo(NvdCveInfo nvdCveInfo) { this.nvdCveInfo = nvdCveInfo; } - /** - * a file. - */ - private File first; /** * Get the value of first. @@ -133,10 +137,6 @@ public class DownloadTask implements Callable> { public void setFirst(File first) { this.first = first; } - /** - * a file. - */ - private File second; /** * Get the value of second. diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java index 25fc95f9b..e5d5ce0b8 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java @@ -73,6 +73,20 @@ public class NvdCve20Handler extends DefaultHandler { */ private int totalNumberOfEntries; + /** + * The total number of application entries parsed. + */ + private int totalNumberOfApplicationEntries; + /** + * the cve database. + */ + private CveDB cveDB; + + /** + * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries. + */ + private Map> prevVersionVulnMap; + /** * Get the value of totalNumberOfEntries. * 
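Review bot: The Javadoc moved onto `prevVersionVulnMap` describes it as `A list of CVE entries ...` while the field is a `Map`; say what the keys and values are, for example `Maps each CVE entry to the VulnerableSoftware entries that cover previous versions (confirm key type).` `cveDB` is likewise documented only as `the cve database.` with no mention that it must be supplied through `setCveDB` before parsing; a sentence there would help. The class continues outside the hunk.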
@@ -81,11 +95,7 @@ public class NvdCve20Handler extends DefaultHandler { public int getTotalNumberOfEntries() { return totalNumberOfEntries; } - /** - * The total number of application entries parsed. - */ - private int totalNumberOfApplicationEntries; - + /** * Get the value of totalNumberOfApplicationEntries. * @@ -218,10 +228,6 @@ public class NvdCve20Handler extends DefaultHandler { nodeText = null; } } - /** - * the cve database. - */ - private CveDB cveDB; /** * Sets the cveDB. @@ -231,11 +237,6 @@ public class NvdCve20Handler extends DefaultHandler { public void setCveDB(CveDB db) { cveDB = db; } - /** - * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries. - */ - private Map> prevVersionVulnMap; - /** * Sets the prevVersionVulnMap. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 1d9a597c8..fe442ee3a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -73,30 +73,10 @@ public class Dependency implements Serializable, Comparable { * The file name of the dependency. */ private String fileName; - /** * The package path. */ private String packagePath; - - /** - * Returns the package path. - * - * @return the package path - */ - public String getPackagePath() { - return packagePath; - } - - /** - * Sets the package path. - * - * @param packagePath the package path - */ - public void setPackagePath(String packagePath) { - this.packagePath = packagePath; - } - /** * The md5 hash of the dependency. */ 
@@ -121,6 +101,60 @@ public class Dependency implements Serializable, Comparable { * A collection of version evidence. */ private final EvidenceCollection versionEvidence; + /** + * The file name to display in reports. + */ + private String displayName = null; + /** + * A set of identifiers that have been suppressed. + */ + private Set suppressedIdentifiers; + /** + * A set of vulnerabilities that have been suppressed. + */ + private SortedSet suppressedVulnerabilities; + /** + * The description of the JAR file. + */ + private String description; + /** + * The license that this dependency uses. + */ + private String license; + /** + * A list of vulnerabilities for this dependency. + */ + private SortedSet vulnerabilities; + /** + * A collection of related dependencies. + */ + private Set relatedDependencies = new TreeSet(); + /** + * A list of projects that reference this dependency. + */ + private Set projectReferences = new HashSet(); + /** + * A list of available versions. + */ + private List availableVersions = new ArrayList(); + + /** + * Returns the package path. + * + * @return the package path + */ + public String getPackagePath() { + return packagePath; + } + + /** + * Sets the package path. + * + * @param packagePath the package path + */ + public void setPackagePath(String packagePath) { + this.packagePath = packagePath; + } /** * Constructs a new Dependency object. @@ -222,11 +256,6 @@ public class Dependency implements Serializable, Comparable { this.filePath = filePath; } - /** - * The file name to display in reports. - */ - private String displayName = null; - /** * Sets the file name to display in reports. * @@ -392,11 +421,6 @@ public class Dependency implements Serializable, Comparable { this.identifiers.add(identifier); } - /** - * A set of identifiers that have been suppressed. - */ - private Set suppressedIdentifiers; - /** * Get the value of suppressedIdentifiers. * 
@@ -424,11 +448,6 @@ public class Dependency implements Serializable, Comparable { this.suppressedIdentifiers.add(identifier); } - /** - * A set of vulnerabilities that have been suppressed. - */ - private SortedSet suppressedVulnerabilities; - /** * Get the value of suppressedVulnerabilities. * @@ -510,11 +529,6 @@ public class Dependency implements Serializable, Comparable { return this.versionEvidence; } - /** - * The description of the JAR file. - */ - private String description; - /** * Get the value of description. * @@ -533,11 +547,6 @@ public class Dependency implements Serializable, Comparable { this.description = description; } - /** - * The license that this dependency uses. - */ - private String license; - /** * Get the value of license. * @@ -556,11 +565,6 @@ public class Dependency implements Serializable, Comparable { this.license = license; } - /** - * A list of vulnerabilities for this dependency. - */ - private SortedSet vulnerabilities; - /** * Get the list of vulnerabilities. * @@ -610,11 +614,6 @@ public class Dependency implements Serializable, Comparable { this.vulnerabilities.add(vulnerability); } - /** - * A collection of related dependencies. - */ - private Set relatedDependencies = new TreeSet(); - /** * Get the value of {@link #relatedDependencies}. This field is used to * collect other dependencies which really represent the same dependency, @@ -626,11 +625,6 @@ public class Dependency implements Serializable, Comparable { return relatedDependencies; } - /** - * A list of projects that reference this dependency. - */ - private Set projectReferences = new HashSet(); - /** * Get the value of projectReferences. * @@ -698,11 +692,6 @@ public class Dependency implements Serializable, Comparable { } } - /** - * A list of available versions. - */ - private List availableVersions = new ArrayList(); - /** * Get the value of availableVersions. * 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index ef9d512f2..2590f0cbb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java @@ -48,7 +48,17 @@ public class EvidenceCollection implements Serializable, Iterable { */ private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class); /** - * Used to iterate over highest confidence evidence contained in the collection. + * A collection of evidence. + */ + private final Set list; + /** + * A collection of strings used to adjust Lucene's term weighting. + */ + private final Set weightedStrings; + + /** + * Used to iterate over highest confidence evidence contained in the + * collection. */ private static final Filter HIGHEST_CONFIDENCE = new Filter() { @Override @@ -57,7 +67,8 @@ public class EvidenceCollection implements Serializable, Iterable { } }; /** - * Used to iterate over high confidence evidence contained in the collection. + * Used to iterate over high confidence evidence contained in the + * collection. */ private static final Filter HIGH_CONFIDENCE = new Filter() { @Override @@ -66,7 +77,8 @@ public class EvidenceCollection implements Serializable, Iterable { } }; /** - * Used to iterate over medium confidence evidence contained in the collection. + * Used to iterate over medium confidence evidence contained in the + * collection. */ private static final Filter MEDIUM_CONFIDENCE = new Filter() { @Override 
@@ -84,7 +96,8 @@ public class EvidenceCollection implements Serializable, Iterable { } }; /** - * Used to iterate over evidence that has was used (aka read) from the collection. + * Used to iterate over evidence that has was used (aka read) from the + * collection. */ private static final Filter EVIDENCE_USED = new Filter() { @Override @@ -96,7 +109,8 @@ public class EvidenceCollection implements Serializable, Iterable { /** * Used to iterate over evidence of the specified confidence. * - * @param confidence the confidence level for the evidence to be iterated over. + * @param confidence the confidence level for the evidence to be iterated + * over. * @return Iterable<Evidence> an iterable collection of evidence */ public final Iterable iterator(Confidence confidence) { @@ -110,14 +124,6 @@ public class EvidenceCollection implements Serializable, Iterable { return EvidenceCollection.LOW_CONFIDENCE.filter(this.list); } } - /** - * A collection of evidence. - */ - private final Set list; - /** - * A collection of strings used to adjust Lucene's term weighting. - */ - private final Set weightedStrings; /** * Creates a new EvidenceCollection. @@ -137,7 +143,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Creates an Evidence object from the parameters and adds the resulting object to the collection. + * Creates an Evidence object from the parameters and adds the resulting + * object to the collection. * * @param source the source of the Evidence. * @param name the name of the Evidence. 
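Review bot: The reflowed Javadoc on `EVIDENCE_USED` carries the original wording error `evidence that has was used (aka read)` onto the new line; since the line is rewritten by this commit it could read `* Used to iterate over evidence that was used (aka read) from the` instead. The later reflows in this file use `was used (aka read)` correctly.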
@@ -150,12 +157,16 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way - * of combining evidence from multiple sources to boost the confidence of the given evidence. + * Adds term to the weighting collection. The terms added here are used + * later to boost the score of other terms. This is a way of combining + * evidence from multiple sources to boost the confidence of the given + * evidence. * - * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package - * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the - * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted + * Example: The term 'Apache' is found in the manifest of a JAR and is added + * to the Collection. When we parse the package names within the JAR file we + * may add these package names to the "weighted" strings collection to boost + * the score in the Lucene query. That way when we construct the Lucene + * query we find the term Apache in the collection AND in the weighted * strings; as such, we will boost the confidence of the term Apache. * * @param str to add to the weighting collection. @@ -165,8 +176,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another - * location. + * Returns a set of Weightings - a list of terms that are believed to be of + * higher confidence when also found in another location. * * @return Set<String> */ 
@@ -255,7 +266,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Used to determine if a given version was used (aka read) from the EvidenceCollection. + * Used to determine if a given version was used (aka read) from the + * EvidenceCollection. * * @param version the version to search for within the collected evidence. * @return whether or not the string was used. @@ -275,7 +287,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Returns whether or not the collection contains evidence of a specified Confidence. + * Returns whether or not the collection contains evidence of a specified + * Confidence. * * @param confidence A Confidence value. * @return boolean. @@ -290,7 +303,8 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Merges multiple EvidenceCollections together, only merging evidence that was used, into a new EvidenceCollection. + * Merges multiple EvidenceCollections together, only merging evidence that + * was used, into a new EvidenceCollection. * * @param ec One or more EvidenceCollections. * @return a new EvidenceCollection containing the used evidence. @@ -323,10 +337,12 @@ public class EvidenceCollection implements Serializable, Iterable { } /** - * Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence. + * Merges multiple EvidenceCollections together; flattening all of the + * evidence items by removing the confidence. * * @param ec One or more EvidenceCollections - * @return new set of evidence resulting from merging the evidence in the collections + * @return new set of evidence resulting from merging the evidence in the + * collections */ public static Set mergeForDisplay(EvidenceCollection... ec) { final Set ret = new TreeSet(); @@ -367,11 +383,13 @@ public class EvidenceCollection implements Serializable, Iterable { /** *

- * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the - * protocol, the sub-domain of 'www', and the file extension of the path.

+ * Takes a string that may contain a fully qualified domain and it will + * return the string having removed the query string, the protocol, the + * sub-domain of 'www', and the file extension of the path.

*

- * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc. - * may produce false positives. + * This is useful for checking if the evidence contains a specific string. + * The presence of the protocol, file extension, etc. may produce false + * positives. * *

* Example, given the following input:

diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 340390055..aac408a02 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -35,11 +35,64 @@ public class Vulnerability implements Serializable, Comparable { * The serial version uid. */ private static final long serialVersionUID = 307319490326651052L; - /** * The name of the vulnerability. */ private String name; + /** + * the description of the vulnerability. + */ + private String description; + /** + * References for this vulnerability. + */ + private Set references = new HashSet(); + /** + * A set of vulnerable software. + */ + private Set vulnerableSoftware = new HashSet(); + /** + * The CWE for the vulnerability. + */ + private String cwe; + /** + * CVSS Score. + */ + private float cvssScore; + /** + * CVSS Access Vector. + */ + private String cvssAccessVector; + /** + * CVSS Access Complexity. + */ + private String cvssAccessComplexity; + + /** + * CVSS Authentication. + */ + private String cvssAuthentication; + /** + * CVSS Confidentiality Impact. + */ + private String cvssConfidentialityImpact; + /** + * CVSS Integrity Impact. + */ + private String cvssIntegrityImpact; + + /** + * CVSS Availability Impact. + */ + private String cvssAvailabilityImpact; + /** + * The CPE id that caused this vulnerability to be flagged. + */ + private String matchedCPE; + /** + * Whether or not all previous versions were affected. + */ + private String matchedAllPreviousCPE; /** * Get the value of name. 
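Review bot: `matchedAllPreviousCPE` is documented as `Whether or not all previous versions were affected` yet is declared as a `String`, so a yes/no property is carried as free text and every consumer (outside this hunk) has to agree on which string means true. Unless the value is kept textual for a reason not visible here (for example a database column of that type), `private boolean matchedAllPreviousCPE;` with a matching accessor is clearer; if it must stay a `String`, the Javadoc should state the expected values.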
@@ -58,10 +111,6 @@ public class Vulnerability implements Serializable, Comparable { public void setName(String name) { this.name = name; } - /** - * the description of the vulnerability. - */ - private String description; /** * Get the value of description. @@ -80,10 +129,6 @@ public class Vulnerability implements Serializable, Comparable { public void setDescription(String description) { this.description = description; } - /** - * References for this vulnerability. - */ - private Set references = new HashSet(); /** * Get the value of references. @@ -126,10 +171,6 @@ public class Vulnerability implements Serializable, Comparable { ref.setUrl(referenceUrl); this.references.add(ref); } - /** - * A set of vulnerable software. - */ - private Set vulnerableSoftware = new HashSet(); /** * Get the value of vulnerableSoftware. @@ -188,10 +229,6 @@ public class Vulnerability implements Serializable, Comparable { } return vulnerableSoftware.add(vulnSoftware); } - /** - * The CWE for the vulnerability. - */ - private String cwe; /** * Get the value of cwe. @@ -210,10 +247,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCwe(String cwe) { this.cwe = cwe; } - /** - * CVSS Score. - */ - private float cvssScore; /** * Get the value of cvssScore. @@ -232,10 +265,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssScore(float cvssScore) { this.cvssScore = cvssScore; } - /** - * CVSS Access Vector. - */ - private String cvssAccessVector; /** * Get the value of cvssAccessVector. @@ -254,10 +283,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssAccessVector(String cvssAccessVector) { this.cvssAccessVector = cvssAccessVector; } - /** - * CVSS Access Complexity. - */ - private String cvssAccessComplexity; /** * Get the value of cvssAccessComplexity. 
@@ -276,10 +301,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssAccessComplexity(String cvssAccessComplexity) { this.cvssAccessComplexity = cvssAccessComplexity; } - /** - * CVSS Authentication. - */ - private String cvssAuthentication; /** * Get the value of cvssAuthentication. @@ -298,10 +319,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssAuthentication(String cvssAuthentication) { this.cvssAuthentication = cvssAuthentication; } - /** - * CVSS Confidentiality Impact. - */ - private String cvssConfidentialityImpact; /** * Get the value of cvssConfidentialityImpact. @@ -320,10 +337,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) { this.cvssConfidentialityImpact = cvssConfidentialityImpact; } - /** - * CVSS Integrity Impact. - */ - private String cvssIntegrityImpact; /** * Get the value of cvssIntegrityImpact. @@ -342,10 +355,6 @@ public class Vulnerability implements Serializable, Comparable { public void setCvssIntegrityImpact(String cvssIntegrityImpact) { this.cvssIntegrityImpact = cvssIntegrityImpact; } - /** - * CVSS Availability Impact. - */ - private String cvssAvailabilityImpact; /** * Get the value of cvssAvailabilityImpact. @@ -420,15 +429,6 @@ public class Vulnerability implements Serializable, Comparable { //return v.getName().compareTo(this.getName()); } - /** - * The CPE id that caused this vulnerability to be flagged. - */ - private String matchedCPE; - /** - * Whether or not all previous versions were affected. - */ - private String matchedAllPreviousCPE; - /** * Sets the CPE that caused this vulnerability to be flagged. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java index 5587fcbde..de8dfbcd8 100644 
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java @@ -28,6 +28,19 @@ import java.util.List; * @author Jeremy Long */ public class ExceptionCollection extends Exception { + /** + * The serial version uid. + */ + private static final long serialVersionUID = 1L; + /** + * A collection of exceptions. + */ + private List exceptions; + /** + * Flag indicating if a fatal exception occurred that would prevent the + * attempt at completing the analysis even if exceptions occurred. + */ + private boolean fatal = false; /** * Instantiates a new exception collection. @@ -99,7 +112,7 @@ public class ExceptionCollection extends Exception { */ public ExceptionCollection(String msg, Throwable exception) { super(msg); - this.exceptions = new ArrayList(); + this.exceptions = new ArrayList<>(); this.exceptions.add(exception); this.fatal = false; } @@ -109,17 +122,8 @@ public class ExceptionCollection extends Exception { */ public ExceptionCollection() { super(); - this.exceptions = new ArrayList(); + this.exceptions = new ArrayList<>(); } - /** - * The serial version uid. - */ - private static final long serialVersionUID = 1L; - - /** - * A collection of exceptions. - */ - private List exceptions; /** * Get the value of exceptions. @@ -150,12 +154,6 @@ public class ExceptionCollection extends Exception { this.fatal = fatal; } - /** - * Flag indicating if a fatal exception occurred that would prevent the - * attempt at completing the analysis even if exceptions occurred. - */ - private boolean fatal = false; - /** * Get the value of fatal. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java index 42f3b6237..49f42570e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java 
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java
@@ -26,6 +26,14 @@ package org.owasp.dependencycheck.utils;
 * @author Jeremy Long
 */
 public class Pair {
+ /**
+ * The left element of the pair.
+ */
+ private L left = null;
+ /**
+ * The right element of the pair.
+ */
+ private R right = null;
 /**
 * Constructs a new empty pair.
@@ -43,10 +51,6 @@ public class Pair {
 this.left = left;
 this.right = right;
 }
- /**
- * The left element of the pair.
- */
- private L left = null;
 /**
 * Get the value of left.
@@ -65,10 +69,6 @@ public class Pair {
 public void setLeft(L left) {
 this.left = left;
 }
- /**
- * The right element of the pair.
- */
- private R right = null;
 /**
 * Get the value of right.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/VendorDuplicatingHintRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/VendorDuplicatingHintRule.java
index 51450fac3..c9a02a7bb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/VendorDuplicatingHintRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/VendorDuplicatingHintRule.java
@@ -18,14 +18,24 @@ package org.owasp.dependencycheck.xml.hints; /** - * Used to duplicate vendor evidence within a collection. The intent is if any evidence - * is found in a collection that matches the value given the evidence will be - * duplicated and the value replaced with the value indicated. + * Used to duplicate vendor evidence within a collection. The intent is if any + * evidence is found in a collection that matches the value given the evidence + * will be duplicated and the value replaced with the value indicated. * * @author Jeremy Long */ public class VendorDuplicatingHintRule { + /** + * The evidence value to duplicate if found. + */ + private String value; + + /** + * The value to replace when duplicating the evidence. + */ + private String duplicate; + /** * Constructs a new duplicating rule. * @@ -37,11 +47,6 @@ public class VendorDuplicatingHintRule { this.duplicate = duplicate; } - /** - * The evidence value to duplicate if found. - */ - private String value; - /** * Get the value of value. * @@ -60,11 +65,6 @@ public class VendorDuplicatingHintRule { this.value = value; } - /** - * The value to replace when duplicating the evidence. - */ - private String duplicate; - /** * Get the value of duplicate. * diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java index b07909653..6c7f5f314 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java 
@@ -65,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler { /** * A list of suppression rules. */ - private final List suppressionRules = new ArrayList(); - - /** - * Get the value of suppressionRules. - * - * @return the value of suppressionRules - */ - public List getSuppressionRules() { - return suppressionRules; - } + private final List suppressionRules = new ArrayList<>(); /** * The current rule being read. */ @@ -88,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler { */ private StringBuilder currentText; + /** + * Get the value of suppressionRules. + * + * @return the value of suppressionRules + */ + public List getSuppressionRules() { + return suppressionRules; + } + /** * Handles the start element event. * @@ -160,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler { } /** - * Processes field members that have been collected during the characters and startElement method to construct a - * PropertyType object. + * Processes field members that have been collected during the characters + * and startElement method to construct a PropertyType object. * * @return a PropertyType object */ diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java index 483302c3a..12fcd195f 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java @@ -41,7 +41,7 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase { @Test public void testSupportsExtensions() { ArchiveAnalyzer instance = new ArchiveAnalyzer(); - Set expResult = new HashSet(); + Set expResult = new HashSet<>(); expResult.add("zip"); expResult.add("war"); expResult.add("ear"); 
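Review bot: The relocated `getSuppressionRules()` still returns the handler's own mutable `suppressionRules` list, so any caller can add or remove suppression rules behind the parser's back; for the structure that decides which findings are hidden from the report, that is worth closing. If no caller depends on mutating it (callers are outside this hunk), return `Collections.unmodifiableList(suppressionRules)` (with a `java.util.Collections` import) and note in the `@return` Javadoc that the list is read-only.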
@@ -114,6 +114,8 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase { /** * Test of analyze method, of class ArchiveAnalyzer. + * + * @throws java.lang.Exception when an error occurs */ @Test public void testAnalyze() throws Exception { @@ -171,7 +173,7 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase { instance.close(); } } - + /** * Test of analyze method, of class ArchiveAnalyzer. */ diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java index f29914213..88a317e0a 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java @@ -17,6 +17,7 @@ */ package org.owasp.dependencycheck.data.nvdcve; +import java.sql.SQLException; import org.owasp.dependencycheck.BaseDBTestCase; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.dependency.VulnerableSoftware; @@ -31,6 +32,7 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.assertNotNull; import static org.junit.Assert.assertNull; import static org.junit.Assert.assertTrue; +import static org.junit.Assert.fail; /** * @@ -42,12 +44,14 @@ public class CveDBIntegrationTest extends BaseDBTestCase { * Pretty useless tests of open, commit, and close methods, of class CveDB. */ @Test - public void testOpen() throws Exception { + public void testOpen() { CveDB instance = null; try { instance = new CveDB(); instance.open(); instance.commit(); + } catch (DatabaseException | SQLException ex) { + fail(ex.getMessage()); } finally { if (instance != null) { instance.close(); 
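Review bot: In `testOpen`, the new `catch (DatabaseException | SQLException ex) { fail(ex.getMessage()); }` reports only the message, so the stack trace and any cause chain of the database error are lost from the test report, and a null message produces a bare `AssertionError`. Keeping the original `throws Exception` on the signature, or rethrowing as `throw new AssertionError("open/commit failed", ex);`, preserves the diagnostics while still failing the test.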
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
index 161be03b6..22979181d 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java
@@ -131,7 +131,7 @@ public class DriverLoaderTest extends BaseTest {
 File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
 assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
- Driver d = DriverLoader.load(className, driver.getAbsolutePath());
+ DriverLoader.load(className, driver.getAbsolutePath());
 }
 /**
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
index 2551a4624..347cec97b 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java
@@ -36,9 +36,6 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class DownloadTaskTest extends BaseTest {
- public DownloadTaskTest() {
- }
-
 /**
 * Test of call method, of class DownloadTask.
 */
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
index 4df35bffd..762d7bed4 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
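Review bot: Dropping the unused `Driver d` local leaves the test with no check on what `DriverLoader.load` returns, so it passes whenever no exception is thrown. `assertNotNull(DriverLoader.load(className, driver.getAbsolutePath()));` silences the unused-variable warning and still verifies the result. The enclosing test method starts outside the hunk.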
@@ -218,7 +218,7 @@ public class DependencyTest extends BaseTest { instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH); instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM); for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) { - String use = e.getValue(); + e.getValue(); } EvidenceCollection result = instance.getEvidenceUsed(); diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java index a1d807c09..3edb28a01 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java @@ -71,9 +71,10 @@ public class ModelTest extends BaseTest { */ @Test public void testSetOrganization() { - String organization = ""; + String organization = "apache"; Model instance = new Model(); instance.setOrganization(organization); + assertEquals("apache", instance.getOrganization()); } /** @@ -188,9 +189,10 @@ public class ModelTest extends BaseTest { */ @Test public void testSetParentGroupId() { - String parentGroupId = ""; + String parentGroupId = "org.owasp"; Model instance = new Model(); instance.setParentGroupId(parentGroupId); + assertEquals("org.owasp", instance.getParentGroupId()); } /** diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java index 09d88c290..71f316b8f 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java 
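Review bot: The bare `e.getValue();` left in the `for` loop reads as dead code and will be flagged by static analysis, yet it is presumably kept because `getValue()` has a side effect that the following `getEvidenceUsed()` call depends on (marking the evidence as used — not visible here). A one-line comment makes that intent explicit, e.g. `// getValue() marks the evidence as used; the result is intentionally discarded`. The test method starts outside the hunk.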
@@ -40,6 +40,10 @@ public final class Checksum { * The logger. */ private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class); + /** + * Hex code characters used in getHex. + */ + private static final String HEXES = "0123456789abcdef"; /** * Private constructor for a utility class. @@ -120,10 +124,6 @@ public final class Checksum { final byte[] b = getChecksum("SHA1", file); return getHex(b); } - /** - * Hex code characters used in getHex. - */ - private static final String HEXES = "0123456789abcdef"; /** *