codacy recommended updates

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -37,6 +37,11 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
      * The unique instance of this class
      */
     private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
+    /**
+     * Ant tasks have the log method we actually want to call. So we hang onto
+     * the task as a delegate
+     */
+    private Task task = null;
 
     /**
      * Return the singleton of this class.
@@ -47,12 +52,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
         return SINGLETON;
     }
 
-    /**
-     * Ant tasks have the log method we actually want to call. So we hang onto
-     * the task as a delegate
-     */
-    private Task task = null;
-
     /**
      * Set the Task which will this is to log through.
      *

dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java

@@ -17,17 +17,14 @@
  */
 package org.owasp.dependencycheck;
 
-import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import org.apache.commons.cli.ParseException;
-import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.utils.Settings;
@@ -48,14 +45,6 @@ public class CliParserTest {
         Settings.cleanup(true);
     }
 
-    @Before
-    public void setUp() throws Exception {
-    }
-
-    @After
-    public void tearDown() throws Exception {
-    }
-
     /**
      * Test of parse method, of class CliParser.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -63,6 +63,7 @@ import org.slf4j.LoggerFactory;
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {
 
+    //<editor-fold defaultstate="collapsed" desc="private fields">
     /**
      * System specific new line character.
      */
@@ -75,6 +76,141 @@ public class DependencyCheckScanAgent {
      * The application name for the report.
      */
     private String applicationName = "Dependency-Check";
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory;
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private boolean autoUpdate = true;
+    /**
+     * flag indicating whether or not to generate a report of findings.
+     */
+    private boolean generateReport = true;
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This
+     * configuration option has no affect if using this within the Site plugin
+     * unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+    /**
+     * Whether or not the Maven Central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = true;
+    /**
+     * The URL of Maven Central.
+     */
+    private String centralUrl;
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a
+     * comma-separated list of file extensions to treat like ZIP files.
+     */
+    private String zipExtensions;
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="getters/setters">
 
     /**
      * Get the value of applicationName.
@@ -94,11 +230,6 @@ public class DependencyCheckScanAgent {
         this.applicationName = applicationName;
     }
 
-    /**
-     * The pre-determined dependencies to scan
-     */
-    private List<Dependency> dependencies;
-
     /**
      * Returns a list of pre-determined dependencies.
      *
@@ -117,11 +248,6 @@ public class DependencyCheckScanAgent {
         this.dependencies = dependencies;
     }
 
-    /**
-     * The location of the data directory that contains
-     */
-    private String dataDirectory = null;
-
     /**
      * Get the value of dataDirectory.
      *
@@ -140,12 +266,6 @@ public class DependencyCheckScanAgent {
         this.dataDirectory = dataDirectory;
     }
 
-    /**
-     * Specifies the destination directory for the generated Dependency-Check
-     * report.
-     */
-    private String reportOutputDirectory;
-
     /**
      * Get the value of reportOutputDirectory.
      *
@@ -164,15 +284,6 @@ public class DependencyCheckScanAgent {
         this.reportOutputDirectory = reportOutputDirectory;
     }
 
-    /**
-     * Specifies if the build should be failed if a CVSS score above a specified
-     * level is identified. The default is 11 which means since the CVSS scores
-     * are 0-10, by default the build will never fail and the CVSS score is set
-     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
-     * anything above 10 will not cause the build to fail.
-     */
-    private float failBuildOnCVSS = 11;
-
     /**
      * Get the value of failBuildOnCVSS.
      *
@@ -191,12 +302,6 @@ public class DependencyCheckScanAgent {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
 
-    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * recommended that this be turned to false. Default is true.
-     */
-    private boolean autoUpdate = true;
-
     /**
      * Get the value of autoUpdate.
      *
@@ -215,11 +320,6 @@ public class DependencyCheckScanAgent {
         this.autoUpdate = autoUpdate;
     }
 
-    /**
-     * flag indicating whether or not to generate a report of findings.
-     */
-    private boolean generateReport = true;
-
     /**
      * Get the value of generateReport.
      *
@@ -238,13 +338,6 @@ public class DependencyCheckScanAgent {
         this.generateReport = generateReport;
     }
 
-    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This
-     * configuration option has no affect if using this within the Site plugin
-     * unless the externalReport is set to true. Default is HTML.
-     */
-    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
-
     /**
      * Get the value of reportFormat.
      *
@@ -263,11 +356,6 @@ public class DependencyCheckScanAgent {
         this.reportFormat = reportFormat;
     }
 
-    /**
-     * The Proxy Server.
-     */
-    private String proxyServer;
-
     /**
      * Get the value of proxyServer.
      *
@@ -311,11 +399,6 @@ public class DependencyCheckScanAgent {
         this.proxyServer = proxyUrl;
     }
 
-    /**
-     * The Proxy Port.
-     */
-    private String proxyPort;
-
     /**
      * Get the value of proxyPort.
      *
@@ -334,11 +417,6 @@ public class DependencyCheckScanAgent {
         this.proxyPort = proxyPort;
     }
 
-    /**
-     * The Proxy username.
-     */
-    private String proxyUsername;
-
     /**
      * Get the value of proxyUsername.
      *
@@ -357,11 +435,6 @@ public class DependencyCheckScanAgent {
         this.proxyUsername = proxyUsername;
     }
 
-    /**
-     * The Proxy password.
-     */
-    private String proxyPassword;
-
     /**
      * Get the value of proxyPassword.
      *
@@ -380,11 +453,6 @@ public class DependencyCheckScanAgent {
         this.proxyPassword = proxyPassword;
     }
 
-    /**
-     * The Connection Timeout.
-     */
-    private String connectionTimeout;
-
     /**
      * Get the value of connectionTimeout.
      *
@@ -403,11 +471,6 @@ public class DependencyCheckScanAgent {
         this.connectionTimeout = connectionTimeout;
     }
 
-    /**
-     * The file path used for verbose logging.
-     */
-    private String logFile = null;
-
     /**
      * Get the value of logFile.
      *
@@ -426,11 +489,6 @@ public class DependencyCheckScanAgent {
         this.logFile = logFile;
     }
 
-    /**
-     * The path to the suppression file.
-     */
-    private String suppressionFile;
-
     /**
      * Get the value of suppressionFile.
      *
@@ -449,11 +507,6 @@ public class DependencyCheckScanAgent {
         this.suppressionFile = suppressionFile;
     }
 
-    /**
-     * flag indicating whether or not to show a summary of findings.
-     */
-    private boolean showSummary = true;
-
     /**
      * Get the value of showSummary.
      *
@@ -472,11 +525,6 @@ public class DependencyCheckScanAgent {
         this.showSummary = showSummary;
     }
 
-    /**
-     * Whether or not the Maven Central analyzer is enabled.
-     */
-    private boolean centralAnalyzerEnabled = true;
-
     /**
      * Get the value of centralAnalyzerEnabled.
      *
@@ -495,11 +543,6 @@ public class DependencyCheckScanAgent {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
-    /**
-     * The URL of Maven Central.
-     */
-    private String centralUrl;
-
     /**
      * Get the value of centralUrl.
      *
@@ -518,11 +561,6 @@ public class DependencyCheckScanAgent {
         this.centralUrl = centralUrl;
     }
 
-    /**
-     * Whether or not the nexus analyzer is enabled.
-     */
-    private boolean nexusAnalyzerEnabled = true;
-
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
@@ -541,11 +579,6 @@ public class DependencyCheckScanAgent {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
-    /**
-     * The URL of the Nexus server.
-     */
-    private String nexusUrl;
-
     /**
      * Get the value of nexusUrl.
      *
@@ -564,11 +597,6 @@ public class DependencyCheckScanAgent {
         this.nexusUrl = nexusUrl;
     }
 
-    /**
-     * Whether or not the defined proxy should be used when connecting to Nexus.
-     */
-    private boolean nexusUsesProxy = true;
-
     /**
      * Get the value of nexusUsesProxy.
      *
@@ -587,11 +615,6 @@ public class DependencyCheckScanAgent {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
-    /**
-     * The database driver name; such as org.h2.Driver.
-     */
-    private String databaseDriverName;
-
     /**
      * Get the value of databaseDriverName.
      *
@@ -610,11 +633,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverName = databaseDriverName;
     }
 
-    /**
-     * The path to the database driver JAR file if it is not on the class path.
-     */
-    private String databaseDriverPath;
-
     /**
      * Get the value of databaseDriverPath.
      *
@@ -633,11 +651,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverPath = databaseDriverPath;
     }
 
-    /**
-     * The database connection string.
-     */
-    private String connectionString;
-
     /**
      * Get the value of connectionString.
      *
@@ -656,11 +669,6 @@ public class DependencyCheckScanAgent {
         this.connectionString = connectionString;
     }
 
-    /**
-     * The user name for connecting to the database.
-     */
-    private String databaseUser;
-
     /**
      * Get the value of databaseUser.
      *
@@ -679,11 +687,6 @@ public class DependencyCheckScanAgent {
         this.databaseUser = databaseUser;
     }
 
-    /**
-     * The password to use when connecting to the database.
-     */
-    private String databasePassword;
-
     /**
      * Get the value of databasePassword.
      *
@@ -702,12 +705,6 @@ public class DependencyCheckScanAgent {
         this.databasePassword = databasePassword;
     }
 
-    /**
-     * Additional ZIP File extensions to add analyze. This should be a
-     * comma-separated list of file extensions to treat like ZIP files.
-     */
-    private String zipExtensions;
-
     /**
      * Get the value of zipExtensions.
      *
@@ -726,11 +723,6 @@ public class DependencyCheckScanAgent {
         this.zipExtensions = zipExtensions;
     }
 
-    /**
-     * The url for the modified NVD CVE (1.2 schema).
-     */
-    private String cveUrl12Modified;
-
     /**
      * Get the value of cveUrl12Modified.
      *
@@ -749,11 +741,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
-    /**
-     * The url for the modified NVD CVE (2.0 schema).
-     */
-    private String cveUrl20Modified;
-
     /**
      * Get the value of cveUrl20Modified.
      *
@@ -772,11 +759,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
-    /**
-     * Base Data Mirror URL for CVE 1.2.
-     */
-    private String cveUrl12Base;
-
     /**
      * Get the value of cveUrl12Base.
      *
@@ -795,11 +777,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Base = cveUrl12Base;
     }
 
-    /**
-     * Data Mirror URL for CVE 2.0.
-     */
-    private String cveUrl20Base;
-
     /**
      * Get the value of cveUrl20Base.
      *
@@ -818,11 +795,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Base = cveUrl20Base;
     }
 
-    /**
-     * The path to Mono for .NET assembly analysis on non-windows systems.
-     */
-    private String pathToMono;
-
     /**
      * Get the value of pathToMono.
      *
@@ -840,6 +812,7 @@ public class DependencyCheckScanAgent {
     public void setPathToMono(String pathToMono) {
         this.pathToMono = pathToMono;
     }
+    //</editor-fold>
 
     /**
      * Executes the Dependency-Check on the dependent libraries.
@@ -1044,5 +1017,4 @@ public class DependencyCheckScanAgent {
                     summary.toString());
         }
     }
-
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -82,7 +82,8 @@ public abstract class AbstractAnalyzer implements Analyzer {
     protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
 
     /**
-     * Initializes a given Analyzer. This will be skipped if the analyzer is disabled.
+     * Initializes a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
      *
      * @throws InitializationException thrown if there is an exception
      */
@@ -90,14 +91,15 @@ public abstract class AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * Closes a given Analyzer. This will be skipped if the analyzer is disabled.
+     * Closes a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
      *
      * @throws Exception thrown if there is an exception
      */
     protected void closeAnalyzer() throws Exception {
+        // Intentionally empty, analyzer will override this if they must close a resource.
     }
 
-
     /**
      * Analyzes a given dependency. If the dependency is an archive, such as a
      * WAR or EAR, the contents are extracted, scanned, and added to the list of
@@ -148,7 +150,6 @@ public abstract class AbstractAnalyzer implements Analyzer {
         }
     }
 
-
     /**
      * The default is to support parallel processing.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -105,14 +105,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * in {@link #extractFiles(File, File, Engine)}.
      */
     private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
-
-    /**
-     * Detects files with extensions to remove from the engine's collection of
-     * dependencies.
-     */
-    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2")
-            .build();
-
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
@@ -122,21 +114,28 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         EXTENSIONS.addAll(ZIPPABLES);
     }
 
+    /**
+     * Detects files with extensions to remove from the engine's collection of
+     * dependencies.
+     */
+    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance()
+            .addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
+
     /**
      * The file filter used to filter supported files.
      */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
 
-    @Override
-    protected FileFilter getFileFilter() {
-        return FILTER;
-    }
-
     /**
      * Detects files with .zip extension.
      */
     private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
 
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
     /**
      * Returns the name of the analyzer.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -599,24 +599,25 @@ public class CPEAnalyzer extends AbstractAnalyzer {
                         }
                     }
                 }
-                if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                if ((bestGuessConf == null || bestGuessConf.compareTo(conf) > 0)
-                    if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
+                        && bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
                     bestGuess = evVer;
                     bestGuessConf = conf;
                 }
             }
         }
-        }
         final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
         String url = null;
         if (hasBroadMatch) { //if we have a broad match we can add the URL to the best guess.
             final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
             url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
         }
-        if (bestGuessConf == null) {
+        if (bestGuessConf
+                == null) {
             bestGuessConf = Confidence.LOW;
         }
         final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
+
         collected.add(match);
 
         Collections.sort(collected);
@@ -648,6 +649,7 @@ public class CPEAnalyzer extends AbstractAnalyzer {
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_CPE_ENABLED;
+
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -39,7 +39,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
+ * This analyzer attempts to remove some well known false positives -
+ * specifically regarding the java runtime.
  *
  * @author Jeremy Long
  */
@@ -84,6 +85,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+
     /**
      * <p>
      * Returns the setting key to determine if the analyzer is enabled.</p>
@@ -97,11 +99,13 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     //</editor-fold>
 
     /**
-     * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
+     * Analyzes the dependencies and removes bad/incorrect CPE associations
+     * based on various heuristics.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
      */
     @Override
     protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
@@ -117,13 +121,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     /**
      * Removes inaccurate matches on springframework CPEs.
      *
-     * @param dependency the dependency to test for and remove known inaccurate CPE matches
+     * @param dependency the dependency to test for and remove known inaccurate
+     * CPE matches
      */
     private void removeBadSpringMatches(Dependency dependency) {
         String mustContain = null;
         for (Identifier i : dependency.getIdentifiers()) {
-            if ("maven".contains(i.getType())) {
+            if ("maven".contains(i.getType())
-                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
+                    && i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
                 final int endPoint = i.getValue().indexOf(':', 19);
                 if (endPoint >= 0) {
                     mustContain = i.getValue().substring(19, endPoint).toLowerCase();
@@ -131,8 +136,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                 }
             }
         }
-        }
+        if (mustContain
-        if (mustContain != null) {
+                != null) {
             final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
             while (itr.hasNext()) {
                 final Identifier i = itr.next();
@@ -149,7 +154,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     /**
      * <p>
-     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
+     * Intended to remove spurious CPE entries. By spurious we mean duplicate,
+     * less specific CPE entries.</p>
      * <p>
      * Example:</p>
      * <code>
@@ -200,8 +206,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                             if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
                                 dependency.getIdentifiers().remove(currentId);
                             }
-                        } else {
+                        } else if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
-                            if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
                             dependency.getIdentifiers().remove(nextId);
                         }
                     }
@@ -209,9 +214,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
             }
         }
     }
-    }
     /**
-     * Regex to identify core java libraries and a few other commonly misidentified ones.
+     * Regex to identify core java libraries and a few other commonly
+     * misidentified ones.
      */
     public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
             + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
@@ -226,12 +231,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
     /**
-     * Regex to identify core jsf java library files. This is currently incomplete.
+     * Regex to identify core jsf java library files. This is currently
+     * incomplete.
      */
     public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
 
     /**
-     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with
+     * rt.jar
      *
      * @param dependency the dependency to remove JRE CPEs from
      */
@@ -275,8 +282,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these
-     * identified when testing this on a LARGE volume of jar files.
+     * are hard-coded patches for specific problems identified when testing this
+     * on a LARGE volume of jar files.
      *
      * @param dependency the dependency to analyze
      */
@@ -351,7 +359,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
+     * Removes CPE matches for the wrong version of a dependency. Currently,
+     * this only covers Axis 1 & 2.
      *
      * @param dependency the dependency to analyze
      */
@@ -384,8 +393,10 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and changes in
+     * There are some known CPE entries, specifically regarding sun and oracle
-     * product names, that based on given evidence we can add the related CPE entries to ensure a complete list of CVE entries.
+     * products due to the acquisition and changes in product names, that based
+     * on given evidence we can add the related CPE entries to ensure a complete
+     * list of CVE entries.
      *
      * @param dependency the dependency being analyzed
      */
@@ -422,8 +433,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM entries or
+     * Removes duplicate entries identified that are contained within JAR files.
-     * other types of files (such as DLLs and EXEs) being contained within the JAR.
+     * These occasionally crop up due to POM entries or other types of files
+     * (such as DLLs and EXEs) being contained within the JAR.
      *
      * @param dependency the dependency that might be a duplicate
      * @param engine the engine used to scan all dependencies
@@ -462,7 +474,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Retrieves a given dependency, based on a given path, from a list of dependencies.
+     * Retrieves a given dependency, based on a given path, from a list of
+     * dependencies.
      *
      * @param dependencyPath the path of the dependency to return
      * @param dependencies the collection of dependencies to search
@@ -478,7 +491,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
+     * Takes a full CPE and returns the CPE trimmed to include only vendor and
+     * product.
      *
      * @param value the CPE value to trim
      * @return a CPE value that only includes the vendor and product

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -373,13 +373,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                             + "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 "
                             + " indicates unknown). See link below for full details. *** ");
                 }
-            } else if (appendToDescription) {
+            } else if (appendToDescription && null != vulnerability) {
-                if (null != vulnerability) {
                 vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
             }
         }
     }
-    }
 
     /**
      * Sets the vulnerability name.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -62,21 +62,6 @@ public final class CpeMemoryIndex {
      * singleton instance.
      */
     private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();
-
-    /**
-     * private constructor for singleton.
-     */
-    private CpeMemoryIndex() {
-    }
-
-    /**
-     * Gets the singleton instance of the CpeMemoryIndex.
-     *
-     * @return the instance of the CpeMemoryIndex
-     */
-    public static CpeMemoryIndex getInstance() {
-        return INSTANCE;
-    }
     /**
      * The in memory Lucene index.
      */
@@ -105,6 +90,25 @@ public final class CpeMemoryIndex {
      * The search field analyzer for the vendor field.
      */
     private SearchFieldAnalyzer vendorFieldAnalyzer;
+    /**
+     * A flag indicating whether or not the index is open.
+     */
+    private boolean openState = false;
+
+    /**
+     * private constructor for singleton.
+     */
+    private CpeMemoryIndex() {
+    }
+
+    /**
+     * Gets the singleton instance of the CpeMemoryIndex.
+     *
+     * @return the instance of the CpeMemoryIndex
+     */
+    public static CpeMemoryIndex getInstance() {
+        return INSTANCE;
+    }
 
     /**
      * Creates and loads data into an in memory index.
@@ -129,10 +133,6 @@ public final class CpeMemoryIndex {
             }
         }
     }
-    /**
-     * A flag indicating whether or not the index is open.
-     */
-    private boolean openState = false;
 
     /**
      * returns whether or not the index is open.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -46,6 +46,30 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
      * The Logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(DownloadTask.class);
+    /**
+     * The CVE DB to use when processing the files.
+     */
+    private final CveDB cveDB;
+    /**
+     * The processor service to pass the results of the download to.
+     */
+    private final ExecutorService processorService;
+    /**
+     * The NVD CVE Meta Data.
+     */
+    private NvdCveInfo nvdCveInfo;
+    /**
+     * A reference to the global settings object.
+     */
+    private final Settings settings;
+    /**
+     * a file.
+     */
+    private File first;
+    /**
+     * a file.
+     */
+    private File second;
 
     /**
      * Simple constructor for the callable download task.
@@ -77,22 +101,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         this.second = file2;
 
     }
-    /**
-     * The CVE DB to use when processing the files.
-     */
-    private final CveDB cveDB;
-    /**
-     * The processor service to pass the results of the download to.
-     */
-    private final ExecutorService processorService;
-    /**
-     * The NVD CVE Meta Data.
-     */
-    private NvdCveInfo nvdCveInfo;
-    /**
-     * A reference to the global settings object.
-     */
-    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -111,10 +119,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setNvdCveInfo(NvdCveInfo nvdCveInfo) {
         this.nvdCveInfo = nvdCveInfo;
     }
-    /**
-     * a file.
-     */
-    private File first;
 
     /**
      * Get the value of first.
@@ -133,10 +137,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setFirst(File first) {
         this.first = first;
     }
-    /**
-     * a file.
-     */
-    private File second;
 
     /**
      * Get the value of second.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java

@@ -73,6 +73,20 @@ public class NvdCve20Handler extends DefaultHandler {
      */
     private int totalNumberOfEntries;
 
+    /**
+     * The total number of application entries parsed.
+     */
+    private int totalNumberOfApplicationEntries;
+    /**
+     * the cve database.
+     */
+    private CveDB cveDB;
+
+    /**
+     * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
+     */
+    private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
+
     /**
      * Get the value of totalNumberOfEntries.
      *
@@ -81,10 +95,6 @@ public class NvdCve20Handler extends DefaultHandler {
     public int getTotalNumberOfEntries() {
         return totalNumberOfEntries;
     }
-    /**
-     * The total number of application entries parsed.
-     */
-    private int totalNumberOfApplicationEntries;
     
     /**
      * Get the value of totalNumberOfApplicationEntries.
@@ -218,10 +228,6 @@ public class NvdCve20Handler extends DefaultHandler {
             nodeText = null;
         }
     }
-    /**
-     * the cve database.
-     */
-    private CveDB cveDB;
 
     /**
      * Sets the cveDB.
@@ -231,11 +237,6 @@ public class NvdCve20Handler extends DefaultHandler {
     public void setCveDB(CveDB db) {
         cveDB = db;
     }
-    /**
-     * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
-     */
-    private Map<String, List<VulnerableSoftware>> prevVersionVulnMap;
-
     /**
      * Sets the prevVersionVulnMap.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -73,30 +73,10 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * The file name of the dependency.
      */
     private String fileName;
-
     /**
      * The package path.
      */
     private String packagePath;
-
-    /**
-     * Returns the package path.
-     *
-     * @return the package path
-     */
-    public String getPackagePath() {
-        return packagePath;
-    }
-
-    /**
-     * Sets the package path.
-     *
-     * @param packagePath the package path
-     */
-    public void setPackagePath(String packagePath) {
-        this.packagePath = packagePath;
-    }
-
     /**
      * The md5 hash of the dependency.
      */
@@ -121,6 +101,60 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * A collection of version evidence.
      */
     private final EvidenceCollection versionEvidence;
+    /**
+     * The file name to display in reports.
+     */
+    private String displayName = null;
+    /**
+     * A set of identifiers that have been suppressed.
+     */
+    private Set<Identifier> suppressedIdentifiers;
+    /**
+     * A set of vulnerabilities that have been suppressed.
+     */
+    private SortedSet<Vulnerability> suppressedVulnerabilities;
+    /**
+     * The description of the JAR file.
+     */
+    private String description;
+    /**
+     * The license that this dependency uses.
+     */
+    private String license;
+    /**
+     * A list of vulnerabilities for this dependency.
+     */
+    private SortedSet<Vulnerability> vulnerabilities;
+    /**
+     * A collection of related dependencies.
+     */
+    private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
+    /**
+     * A list of projects that reference this dependency.
+     */
+    private Set<String> projectReferences = new HashSet<String>();
+    /**
+     * A list of available versions.
+     */
+    private List<String> availableVersions = new ArrayList<String>();
+
+    /**
+     * Returns the package path.
+     *
+     * @return the package path
+     */
+    public String getPackagePath() {
+        return packagePath;
+    }
+
+    /**
+     * Sets the package path.
+     *
+     * @param packagePath the package path
+     */
+    public void setPackagePath(String packagePath) {
+        this.packagePath = packagePath;
+    }
 
     /**
      * Constructs a new Dependency object.
@@ -222,11 +256,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.filePath = filePath;
     }
 
-    /**
-     * The file name to display in reports.
-     */
-    private String displayName = null;
-
     /**
      * Sets the file name to display in reports.
      *
@@ -392,11 +421,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.identifiers.add(identifier);
     }
 
-    /**
-     * A set of identifiers that have been suppressed.
-     */
-    private Set<Identifier> suppressedIdentifiers;
-
     /**
      * Get the value of suppressedIdentifiers.
      *
@@ -424,11 +448,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.suppressedIdentifiers.add(identifier);
     }
 
-    /**
-     * A set of vulnerabilities that have been suppressed.
-     */
-    private SortedSet<Vulnerability> suppressedVulnerabilities;
-
     /**
      * Get the value of suppressedVulnerabilities.
      *
@@ -510,11 +529,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         return this.versionEvidence;
     }
 
-    /**
-     * The description of the JAR file.
-     */
-    private String description;
-
     /**
      * Get the value of description.
      *
@@ -533,11 +547,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.description = description;
     }
 
-    /**
-     * The license that this dependency uses.
-     */
-    private String license;
-
     /**
      * Get the value of license.
      *
@@ -556,11 +565,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.license = license;
     }
 
-    /**
-     * A list of vulnerabilities for this dependency.
-     */
-    private SortedSet<Vulnerability> vulnerabilities;
-
     /**
      * Get the list of vulnerabilities.
      *
@@ -610,11 +614,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         this.vulnerabilities.add(vulnerability);
     }
 
-    /**
-     * A collection of related dependencies.
-     */
-    private Set<Dependency> relatedDependencies = new TreeSet<Dependency>();
-
     /**
      * Get the value of {@link #relatedDependencies}. This field is used to
      * collect other dependencies which really represent the same dependency,
@@ -626,11 +625,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         return relatedDependencies;
     }
 
-    /**
-     * A list of projects that reference this dependency.
-     */
-    private Set<String> projectReferences = new HashSet<String>();
-
     /**
      * Get the value of projectReferences.
      *
@@ -698,11 +692,6 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
     }
 
-    /**
-     * A list of available versions.
-     */
-    private List<String> availableVersions = new ArrayList<String>();
-
     /**
      * Get the value of availableVersions.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -48,7 +48,17 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(EvidenceCollection.class);
     /**
-     * Used to iterate over highest confidence evidence contained in the collection.
+     * A collection of evidence.
+     */
+    private final Set<Evidence> list;
+    /**
+     * A collection of strings used to adjust Lucene's term weighting.
+     */
+    private final Set<String> weightedStrings;
+
+    /**
+     * Used to iterate over highest confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> HIGHEST_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -57,7 +67,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over high confidence evidence contained in the collection.
+     * Used to iterate over high confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> HIGH_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -66,7 +77,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over medium confidence evidence contained in the collection.
+     * Used to iterate over medium confidence evidence contained in the
+     * collection.
      */
     private static final Filter<Evidence> MEDIUM_CONFIDENCE = new Filter<Evidence>() {
         @Override
@@ -84,7 +96,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
         }
     };
     /**
-     * Used to iterate over evidence that has was used (aka read) from the collection.
+     * Used to iterate over evidence that has was used (aka read) from the
+     * collection.
      */
     private static final Filter<Evidence> EVIDENCE_USED = new Filter<Evidence>() {
         @Override
@@ -96,7 +109,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Used to iterate over evidence of the specified confidence.
      *
-     * @param confidence the confidence level for the evidence to be iterated over.
+     * @param confidence the confidence level for the evidence to be iterated
+     * over.
      * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
@@ -110,14 +124,6 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
             return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
         }
     }
-    /**
-     * A collection of evidence.
-     */
-    private final Set<Evidence> list;
-    /**
-     * A collection of strings used to adjust Lucene's term weighting.
-     */
-    private final Set<String> weightedStrings;
 
     /**
      * Creates a new EvidenceCollection.
@@ -137,7 +143,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Creates an Evidence object from the parameters and adds the resulting object to the collection.
+     * Creates an Evidence object from the parameters and adds the resulting
+     * object to the collection.
      *
      * @param source the source of the Evidence.
      * @param name the name of the Evidence.
@@ -150,12 +157,16 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Adds term to the weighting collection. The terms added here are used later to boost the score of other terms. This is a way
+     * Adds term to the weighting collection. The terms added here are used
-     * of combining evidence from multiple sources to boost the confidence of the given evidence.
+     * later to boost the score of other terms. This is a way of combining
+     * evidence from multiple sources to boost the confidence of the given
+     * evidence.
      *
-     * Example: The term 'Apache' is found in the manifest of a JAR and is added to the Collection. When we parse the package
+     * Example: The term 'Apache' is found in the manifest of a JAR and is added
-     * names within the JAR file we may add these package names to the "weighted" strings collection to boost the score in the
+     * to the Collection. When we parse the package names within the JAR file we
-     * Lucene query. That way when we construct the Lucene query we find the term Apache in the collection AND in the weighted
+     * may add these package names to the "weighted" strings collection to boost
+     * the score in the Lucene query. That way when we construct the Lucene
+     * query we find the term Apache in the collection AND in the weighted
      * strings; as such, we will boost the confidence of the term Apache.
      *
      * @param str to add to the weighting collection.
@@ -165,8 +176,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
+     * Returns a set of Weightings - a list of terms that are believed to be of
-     * location.
+     * higher confidence when also found in another location.
      *
      * @return Set&lt;String&gt;
      */
@@ -255,7 +266,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Used to determine if a given version was used (aka read) from the EvidenceCollection.
+     * Used to determine if a given version was used (aka read) from the
+     * EvidenceCollection.
      *
      * @param version the version to search for within the collected evidence.
      * @return whether or not the string was used.
@@ -275,7 +287,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Returns whether or not the collection contains evidence of a specified Confidence.
+     * Returns whether or not the collection contains evidence of a specified
+     * Confidence.
      *
      * @param confidence A Confidence value.
      * @return boolean.
@@ -290,7 +303,8 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Merges multiple EvidenceCollections together, only merging evidence that was used, into a new EvidenceCollection.
+     * Merges multiple EvidenceCollections together, only merging evidence that
+     * was used, into a new EvidenceCollection.
      *
      * @param ec One or more EvidenceCollections.
      * @return a new EvidenceCollection containing the used evidence.
@@ -323,10 +337,12 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     }
 
     /**
-     * Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
+     * Merges multiple EvidenceCollections together; flattening all of the
+     * evidence items by removing the confidence.
      *
      * @param ec One or more EvidenceCollections
-     * @return new set of evidence resulting from merging the evidence in the collections
+     * @return new set of evidence resulting from merging the evidence in the
+     * collections
      */
     public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
         final Set<Evidence> ret = new TreeSet<Evidence>();
@@ -367,11 +383,13 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
 
     /**
      * <p>
-     * Takes a string that may contain a fully qualified domain and it will return the string having removed the query string, the
+     * Takes a string that may contain a fully qualified domain and it will
-     * protocol, the sub-domain of 'www', and the file extension of the path.</p>
+     * return the string having removed the query string, the protocol, the
+     * sub-domain of 'www', and the file extension of the path.</p>
      * <p>
-     * This is useful for checking if the evidence contains a specific string. The presence of the protocol, file extension, etc.
+     * This is useful for checking if the evidence contains a specific string.
-     * may produce false positives.
+     * The presence of the protocol, file extension, etc. may produce false
+     * positives.
      *
      * <p>
      * Example, given the following input:</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -35,11 +35,64 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
      * The serial version uid.
      */
     private static final long serialVersionUID = 307319490326651052L;
-
     /**
      * The name of the vulnerability.
      */
     private String name;
+    /**
+     * the description of the vulnerability.
+     */
+    private String description;
+    /**
+     * References for this vulnerability.
+     */
+    private Set<Reference> references = new HashSet<Reference>();
+    /**
+     * A set of vulnerable software.
+     */
+    private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
+    /**
+     * The CWE for the vulnerability.
+     */
+    private String cwe;
+    /**
+     * CVSS Score.
+     */
+    private float cvssScore;
+    /**
+     * CVSS Access Vector.
+     */
+    private String cvssAccessVector;
+    /**
+     * CVSS Access Complexity.
+     */
+    private String cvssAccessComplexity;
+
+    /**
+     * CVSS Authentication.
+     */
+    private String cvssAuthentication;
+    /**
+     * CVSS Confidentiality Impact.
+     */
+    private String cvssConfidentialityImpact;
+    /**
+     * CVSS Integrity Impact.
+     */
+    private String cvssIntegrityImpact;
+
+    /**
+     * CVSS Availability Impact.
+     */
+    private String cvssAvailabilityImpact;
+    /**
+     * The CPE id that caused this vulnerability to be flagged.
+     */
+    private String matchedCPE;
+    /**
+     * Whether or not all previous versions were affected.
+     */
+    private String matchedAllPreviousCPE;
 
     /**
      * Get the value of name.
@@ -58,10 +111,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setName(String name) {
         this.name = name;
     }
-    /**
-     * the description of the vulnerability.
-     */
-    private String description;
 
     /**
      * Get the value of description.
@@ -80,10 +129,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setDescription(String description) {
         this.description = description;
     }
-    /**
-     * References for this vulnerability.
-     */
-    private Set<Reference> references = new HashSet<Reference>();
 
     /**
      * Get the value of references.
@@ -126,10 +171,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         ref.setUrl(referenceUrl);
         this.references.add(ref);
     }
-    /**
-     * A set of vulnerable software.
-     */
-    private Set<VulnerableSoftware> vulnerableSoftware = new HashSet<VulnerableSoftware>();
 
     /**
      * Get the value of vulnerableSoftware.
@@ -188,10 +229,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         }
         return vulnerableSoftware.add(vulnSoftware);
     }
-    /**
-     * The CWE for the vulnerability.
-     */
-    private String cwe;
 
     /**
      * Get the value of cwe.
@@ -210,10 +247,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCwe(String cwe) {
         this.cwe = cwe;
     }
-    /**
-     * CVSS Score.
-     */
-    private float cvssScore;
 
     /**
      * Get the value of cvssScore.
@@ -232,10 +265,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssScore(float cvssScore) {
         this.cvssScore = cvssScore;
     }
-    /**
-     * CVSS Access Vector.
-     */
-    private String cvssAccessVector;
 
     /**
      * Get the value of cvssAccessVector.
@@ -254,10 +283,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssAccessVector(String cvssAccessVector) {
         this.cvssAccessVector = cvssAccessVector;
     }
-    /**
-     * CVSS Access Complexity.
-     */
-    private String cvssAccessComplexity;
 
     /**
      * Get the value of cvssAccessComplexity.
@@ -276,10 +301,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssAccessComplexity(String cvssAccessComplexity) {
         this.cvssAccessComplexity = cvssAccessComplexity;
     }
-    /**
-     * CVSS Authentication.
-     */
-    private String cvssAuthentication;
 
     /**
      * Get the value of cvssAuthentication.
@@ -298,10 +319,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssAuthentication(String cvssAuthentication) {
         this.cvssAuthentication = cvssAuthentication;
     }
-    /**
-     * CVSS Confidentiality Impact.
-     */
-    private String cvssConfidentialityImpact;
 
     /**
      * Get the value of cvssConfidentialityImpact.
@@ -320,10 +337,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssConfidentialityImpact(String cvssConfidentialityImpact) {
         this.cvssConfidentialityImpact = cvssConfidentialityImpact;
     }
-    /**
-     * CVSS Integrity Impact.
-     */
-    private String cvssIntegrityImpact;
 
     /**
      * Get the value of cvssIntegrityImpact.
@@ -342,10 +355,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
     public void setCvssIntegrityImpact(String cvssIntegrityImpact) {
         this.cvssIntegrityImpact = cvssIntegrityImpact;
     }
-    /**
-     * CVSS Availability Impact.
-     */
-    private String cvssAvailabilityImpact;
 
     /**
      * Get the value of cvssAvailabilityImpact.
@@ -420,15 +429,6 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
         //return v.getName().compareTo(this.getName());
     }
 
-    /**
-     * The CPE id that caused this vulnerability to be flagged.
-     */
-    private String matchedCPE;
-    /**
-     * Whether or not all previous versions were affected.
-     */
-    private String matchedAllPreviousCPE;
-
     /**
      * Sets the CPE that caused this vulnerability to be flagged.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ExceptionCollection.java

@@ -28,6 +28,19 @@ import java.util.List;
  * @author Jeremy Long
  */
 public class ExceptionCollection extends Exception {
+    /**
+     * The serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+    /**
+     * A collection of exceptions.
+     */
+    private List<Throwable> exceptions;
+    /**
+     * Flag indicating if a fatal exception occurred that would prevent the
+     * attempt at completing the analysis even if exceptions occurred.
+     */
+    private boolean fatal = false;
 
     /**
      * Instantiates a new exception collection.
@@ -99,7 +112,7 @@ public class ExceptionCollection extends Exception {
      */
     public ExceptionCollection(String msg, Throwable exception) {
         super(msg);
-        this.exceptions = new ArrayList<Throwable>();
+        this.exceptions = new ArrayList<>();
         this.exceptions.add(exception);
         this.fatal = false;
     }
@@ -109,17 +122,8 @@ public class ExceptionCollection extends Exception {
      */
     public ExceptionCollection() {
         super();
-        this.exceptions = new ArrayList<Throwable>();
+        this.exceptions = new ArrayList<>();
     }
-    /**
-     * The serial version uid.
-     */
-    private static final long serialVersionUID = 1L;
-
-    /**
-     * A collection of exceptions.
-     */
-    private List<Throwable> exceptions;
 
     /**
      * Get the value of exceptions.
@@ -150,12 +154,6 @@ public class ExceptionCollection extends Exception {
         this.fatal = fatal;
     }
 
-    /**
-     * Flag indicating if a fatal exception occurred that would prevent the
-     * attempt at completing the analysis even if exceptions occurred.
-     */
-    private boolean fatal = false;
-
     /**
      * Get the value of fatal.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Pair.java

@@ -26,6 +26,14 @@ package org.owasp.dependencycheck.utils;
  * @author Jeremy Long
  */
 public class Pair<L, R> {
+    /**
+     * The left element of the pair.
+     */
+    private L left = null;
+    /**
+     * The right element of the pair.
+     */
+    private R right = null;
 
     /**
      * Constructs a new empty pair.
@@ -43,10 +51,6 @@ public class Pair<L, R> {
         this.left = left;
         this.right = right;
     }
-    /**
-     * The left element of the pair.
-     */
-    private L left = null;
 
     /**
      * Get the value of left.
@@ -65,10 +69,6 @@ public class Pair<L, R> {
     public void setLeft(L left) {
         this.left = left;
     }
-    /**
-     * The right element of the pair.
-     */
-    private R right = null;
 
     /**
      * Get the value of right.

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/VendorDuplicatingHintRule.java

@@ -18,14 +18,24 @@
 package org.owasp.dependencycheck.xml.hints;
 
 /**
- * Used to duplicate vendor evidence within a collection. The intent is if any evidence
+ * Used to duplicate vendor evidence within a collection. The intent is if any
- * is found in a collection that matches the value given the evidence will be
+ * evidence is found in a collection that matches the value given the evidence
- * duplicated and the value replaced with the value indicated.
+ * will be duplicated and the value replaced with the value indicated.
  *
  * @author Jeremy Long
  */
 public class VendorDuplicatingHintRule {
 
+    /**
+     * The evidence value to duplicate if found.
+     */
+    private String value;
+
+    /**
+     * The value to replace when duplicating the evidence.
+     */
+    private String duplicate;
+
     /**
      * Constructs a new duplicating rule.
      *
@@ -37,11 +47,6 @@ public class VendorDuplicatingHintRule {
         this.duplicate = duplicate;
     }
 
-    /**
-     * The evidence value to duplicate if found.
-     */
-    private String value;
-
     /**
      * Get the value of value.
      *
@@ -60,11 +65,6 @@ public class VendorDuplicatingHintRule {
         this.value = value;
     }
 
-    /**
-     * The value to replace when duplicating the evidence.
-     */
-    private String duplicate;
-
     /**
      * Get the value of duplicate.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java

@@ -65,16 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<>();
-
-    /**
-     * Get the value of suppressionRules.
-     *
-     * @return the value of suppressionRules
-     */
-    public List<SuppressionRule> getSuppressionRules() {
-        return suppressionRules;
-    }
     /**
      * The current rule being read.
      */
@@ -88,6 +79,15 @@ public class SuppressionHandler extends DefaultHandler {
      */
     private StringBuilder currentText;
 
+    /**
+     * Get the value of suppressionRules.
+     *
+     * @return the value of suppressionRules
+     */
+    public List<SuppressionRule> getSuppressionRules() {
+        return suppressionRules;
+    }
+
     /**
      * Handles the start element event.
      *
@@ -160,8 +160,8 @@ public class SuppressionHandler extends DefaultHandler {
     }
 
     /**
-     * Processes field members that have been collected during the characters and startElement method to construct a
+     * Processes field members that have been collected during the characters
-     * PropertyType object.
+     * and startElement method to construct a PropertyType object.
      *
      * @return a PropertyType object
      */

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java

@@ -41,7 +41,7 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
     @Test
     public void testSupportsExtensions() {
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
-        Set<String> expResult = new HashSet<String>();
+        Set<String> expResult = new HashSet<>();
         expResult.add("zip");
         expResult.add("war");
         expResult.add("ear");
@@ -114,6 +114,8 @@ public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of analyze method, of class ArchiveAnalyzer.
+     *
+     * @throws java.lang.Exception when an error occurs
      */
     @Test
     public void testAnalyze() throws Exception {

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import java.sql.SQLException;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
@@ -31,6 +32,7 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 
 /**
  *
@@ -42,12 +44,14 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
      * Pretty useless tests of open, commit, and close methods, of class CveDB.
      */
     @Test
-    public void testOpen() throws Exception {
+    public void testOpen() {
         CveDB instance = null;
         try {
             instance = new CveDB();
             instance.open();
             instance.commit();
+        } catch (DatabaseException | SQLException ex) {
+            fail(ex.getMessage());
         } finally {
             if (instance != null) {
                 instance.close();

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DriverLoaderTest.java

@@ -131,7 +131,7 @@ public class DriverLoaderTest extends BaseTest {
         File driver = new File(testClassPath, "../../src/test/resources/mysql-connector-java-5.1.27-bin.jar");
         assertTrue("MySQL Driver JAR file not found in src/test/resources?", driver.isFile());
 
-        Driver d = DriverLoader.load(className, driver.getAbsolutePath());
+        DriverLoader.load(className, driver.getAbsolutePath());
     }
 
     /**

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java

@@ -36,9 +36,6 @@ import org.owasp.dependencycheck.utils.Settings;
  */
 public class DownloadTaskTest extends BaseTest {
 
-    public DownloadTaskTest() {
-    }
-
     /**
      * Test of call method, of class DownloadTask.
      */

dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -218,7 +218,7 @@ public class DependencyTest extends BaseTest {
         instance.getProductEvidence().addEvidence("used", "used", "used", Confidence.HIGH);
         instance.getProductEvidence().addEvidence("not", "not", "not", Confidence.MEDIUM);
         for (Evidence e : instance.getProductEvidence().iterator(Confidence.HIGH)) {
-            String use = e.getValue();
+            e.getValue();
         }
 
         EvidenceCollection result = instance.getEvidenceUsed();

dependency-check-core/src/test/java/org/owasp/dependencycheck/xml/pom/ModelTest.java

@@ -71,9 +71,10 @@ public class ModelTest extends BaseTest {
      */
     @Test
     public void testSetOrganization() {
-        String organization = "";
+        String organization = "apache";
         Model instance = new Model();
         instance.setOrganization(organization);
+        assertEquals("apache", instance.getOrganization());
     }
 
     /**
@@ -188,9 +189,10 @@ public class ModelTest extends BaseTest {
      */
     @Test
     public void testSetParentGroupId() {
-        String parentGroupId = "";
+        String parentGroupId = "org.owasp";
         Model instance = new Model();
         instance.setParentGroupId(parentGroupId);
+        assertEquals("org.owasp", instance.getParentGroupId());
     }
 
     /**

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java

@@ -40,6 +40,10 @@ public final class Checksum {
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(Checksum.class);
+    /**
+     * Hex code characters used in getHex.
+     */
+    private static final String HEXES = "0123456789abcdef";
 
     /**
      * Private constructor for a utility class.
@@ -120,10 +124,6 @@ public final class Checksum {
         final byte[] b = getChecksum("SHA1", file);
         return getHex(b);
     }
-    /**
-     * Hex code characters used in getHex.
-     */
-    private static final String HEXES = "0123456789abcdef";
 
     /**
      * <p>