fixed compile issues in PR

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -32,9 +32,12 @@ import org.slf4j.LoggerFactory;
 
 import java.io.*;
 import java.util.*;
+import java.util.logging.Level;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 
 /**
- * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
+ * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
+ * bundle-audit tool.
  *
  * @author Dale Visser
  */
@@ -59,7 +62,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     public static final String ADVISORY = "Advisory: ";
     public static final String CRITICALITY = "Criticality: ";
 
-    public static CveDB CVEDB = new CveDB();
+    public CveDB cvedb;
     //instance.open();
     //Vulnerability result = instance.getVulnerability("CVE-2015-3225");
 
@@ -96,20 +99,31 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
+     * temporary location.
      *
      * @throws Exception if anything goes wrong
      */
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
+        try {
+            cvedb = new CveDB();
+            cvedb.open();
+        } catch (DatabaseException ex) {
+            LOGGER.warn("Exception opening the database");
+            LOGGER.debug("error", ex);
+            setEnabled(false);
+            throw ex;
+        }
         // Now, need to see if bundle-audit actually runs from this location.
         Process process = null;
         try {
             process = launchBundleAudit(Settings.getTempDirectory());
-    	}
+        } catch (AnalysisException ae) {
-    	catch(AnalysisException ae) {
             LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
             setEnabled(false);
+            cvedb.close();
+            cvedb = null;
             throw ae;
         }
 
@@ -168,7 +182,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -178,8 +193,9 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have
-     * to disable {@link RubyGemspecAnalyzer}.
+     * successfully initialized, and it will be necessary to disable
+     * {@link RubyGemspecAnalyzer}.
      */
     private boolean needToDisableGemspecAnalyzer = true;
 
@@ -305,8 +321,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
             } else if ("Low".equals(criticality)) {
                 vulnerability.setCvssScore(2.0f);
             } else {
-                //vulnerability.getName()
+                try {
+                    //TODO wouldn't we want to do this for all items from bundle-audit? This
+                    //should give a more correct CVSS
+                     Vulnerability v = cvedb.getVulnerability(vulnerability.getName());
+                     vulnerability.setCvssScore(v.getCvssScore());
+                } catch (DatabaseException ex) {
                     vulnerability.setCvssScore(-1.0f);
+                    LOGGER.debug("Unable to look up vulnerability {}",vulnerability.getName());
+                }
             }
         }
         LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));