diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
index ccf1bd030..c68fefdb8 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -257,7 +257,7 @@ public class Check extends Update {
 *
 * @param r the reference to a path, fileset, dirset or filelist.
 */
- public void setRefId(Reference r) {
+ public synchronized void setRefId(Reference r) {
 if (path != null) {
 throw new BuildException("Nested elements are not allowed when using the refId attribute.");
 }
@@ -923,7 +923,7 @@ public class Check extends Update {
 log(ex.getMessage(), Project.MSG_ERR);
 }
 } else {
- for (Resource resource : path) {
+ for (Resource resource : getPath()) {
 final FileProvider provider = resource.as(FileProvider.class);
 if (provider != null) {
 final File file = provider.getFile();
@@ -987,7 +987,7 @@ public class Check extends Update {
 * @throws BuildException if the task was not configured correctly.
 */
 private void validateConfiguration() throws BuildException {
- if (path == null) {
+ if (getPath() == null) {
 throw new BuildException("No project dependencies have been defined to analyze.");
 }
 if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
index 52b99d0eb..23f520f35 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
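Review bot: The `setRefId` hunk still tests the field directly (`if (path != null)`) while the `-923` and `-987` hunks of the same file switch to `getPath()`, so the same state is now read through two different routes. If `getPath()` lazily creates the path when the field is null (its body is outside these hunks, so this is inferred), the new `getPath() == null` test in `validateConfiguration` can never be true and the "No project dependencies" error becomes unreachable; if it is a plain getter, the `synchronized` added to `setRefId` guards nothing because the readers are unsynchronized. Pick one access style for all three sites, e.g. `if (getPath() != null) {` in `setRefId`. All three enclosing methods continue outside the hunks.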
@@ -144,7 +144,6 @@ public class Purge extends Task {
 */
 protected void populateSettings() throws BuildException {
 Settings.initialize();
-
 try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
 Settings.mergeProperties(taskProperties);
 } catch (IOException ex) {
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index e01b729d4..506ae0cac 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -282,8 +282,8 @@ public class App {
 exCol = ex;
 }
 final List dependencies = engine.getDependencies();
- CveDB cve = CveDB.getInstance();
- DatabaseProperties prop = cve.getDatabaseProperties();
+ final CveDB cve = CveDB.getInstance();
+ final DatabaseProperties prop = cve.getDatabaseProperties();
 final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
 try {
 report.generateReports(reportDirectory, outputFormat);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index a0dd8c94e..f87cb425f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -144,7 +144,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 dependency.getActualFilePath());
 return;
 } else if (rc != 0) {
- LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}", rc, dependency.getActualFilePath());
+ LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}",
+ rc, dependency.getActualFilePath());
 return;
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index d172a2b10..cccfeb010 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -33,7 +33,6 @@ import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
index 900474f1f..01a7dc699 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -52,7 +52,8 @@ import org.xml.sax.SAXException;
 * @author Jeremy Long
 */
 public class HintAnalyzer extends AbstractAnalyzer {
- /**
+
+ /**
 * The Logger for use throughout the class
 */
 private static final Logger LOGGER = LoggerFactory.getLogger(HintAnalyzer.class);
@@ -121,7 +122,7 @@ public class HintAnalyzer extends AbstractAnalyzer {
 }
 }
 //
-
+
 /**
 * The HintAnalyzer uses knowledge about a dependency to add additional
 * information to help in identification of identifiers or vulnerabilities.
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 07f063a26..851ed70ba 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -25,8 +25,16 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.Reader;
 import java.io.UnsupportedEncodingException;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Enumeration;
+import java.util.HashMap;
+import java.util.List;
+import java.util.Map;
 import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.Set;
+import java.util.StringTokenizer;
 import java.util.concurrent.atomic.AtomicInteger;
 import java.util.jar.Attributes;
 import java.util.jar.JarEntry;
@@ -248,7 +256,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 */
 protected boolean analyzePOM(Dependency dependency, List classes, Engine engine) throws AnalysisException {
 try (JarFile jar = new JarFile(dependency.getActualFilePath())) {
- List pomEntries = retrievePomListing(jar);
+ final List pomEntries = retrievePomListing(jar);
 if (pomEntries != null && pomEntries.size() <= 1) {
 String path;
 File pomFile;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
index a462d554a..b6eae2a1d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -144,7 +144,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
 LOGGER.debug("Initializing Nexus Analyzer");
 LOGGER.debug("Nexus Analyzer enabled: {}", isEnabled());
 if (isEnabled()) {
- boolean useProxy = useProxy();
+ final boolean useProxy = useProxy();
 final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
 LOGGER.debug("Nexus Analyzer URL: {}", searchUrl);
 try {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index 21a523025..20e46663a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -33,7 +33,6 @@ import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
-import java.io.IOException;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
@@ -132,7 +131,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
 try {
 final NuspecParser parser = new XPathNuspecParser();
 NugetPackage np = null;
- try (FileInputStream fis =new FileInputStream(dependency.getActualFilePath())) {
+ try (FileInputStream fis = new FileInputStream(dependency.getActualFilePath())) {
 np = parser.parse(fis);
 } catch (NuspecParseException | FileNotFoundException ex) {
 throw new AnalysisException(ex);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 8b99153c4..551279eb7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -360,7 +360,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 if (null == manifest) {
 LOGGER.debug("Manifest file not found.");
 } else {
- try (InputStream in = new BufferedInputStream(new FileInputStream(manifest))){
+ try (InputStream in = new BufferedInputStream(new FileInputStream(manifest))) {
 result.load(in);
 } catch (MessagingException | FileNotFoundException e) {
 LOGGER.warn(e.getMessage(), e);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index 63e19aa10..f8239eadf 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -180,9 +180,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 final String msg = String.format("Unexpected exit code from bundle-audit process. Disabling %s: %s", ANALYZER_NAME, exitValue);
 throw new InitializationException(msg);
 } else {
- BufferedReader reader = null;
- try {
- reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+ try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
 if (!reader.ready()) {
 LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
 setEnabled(false);
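Review bot: The new try-with-resources header still constructs the reader as `new InputStreamReader(process.getErrorStream(), "UTF-8")`, and the `-296,35` hunk of this file adds the same construction twice more for `errReader` and `rdr`. Passing the charset as a string keeps the checked `UnsupportedEncodingException` path alive for a constant that can never be unsupported; `new InputStreamReader(process.getErrorStream(), StandardCharsets.UTF_8)` (with `java.nio.charset.StandardCharsets` imported) cannot throw, so the surrounding `catch (IOException ex)` only has to cover real read failures. In the `-296` hunk the drain loop `while (errReader.ready())` stops when nothing is buffered, not at end of stream; that is safe only because the exit code has already been checked a few lines earlier, which is worth a one-line comment above the loop. The enclosing methods begin and end outside these hunks.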
@@ -201,14 +199,6 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 } catch (IOException ex) {
 setEnabled(false);
 throw new InitializationException("Unable to read bundle-audit output.", ex);
- } finally {
- if (null != reader) {
- try {
- reader.close();
- } catch (IOException ex) {
- LOGGER.debug("Error closing reader", ex);
- }
- }
 }
 }
@@ -296,35 +286,19 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
 throw new AnalysisException(msg);
 }
- BufferedReader rdr = null;
- BufferedReader errReader = null;
 try {
- errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
- while (errReader.ready()) {
- final String error = errReader.readLine();
- LOGGER.warn(error);
+ try (BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
+ while (errReader.ready()) {
+ final String error = errReader.readLine();
+ LOGGER.warn(error);
+ }
+ }
+ try (BufferedReader rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"))) {
+ processBundlerAuditOutput(dependency, engine, rdr);
 }
- rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
- processBundlerAuditOutput(dependency, engine, rdr);
 } catch (IOException ioe) {
 LOGGER.warn("bundle-audit failure", ioe);
- } finally {
- if (errReader != null) {
- try {
- errReader.close();
- } catch (IOException ioe) {
- LOGGER.warn("bundle-audit close failure", ioe);
- }
- }
- if (null != rdr) {
- try {
- rdr.close();
- } catch (IOException ioe) {
- LOGGER.warn("bundle-audit close failure", ioe);
- }
- }
 }
- }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 14ddab877..0a966a24b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -63,7 +63,7 @@ public final class CveDB {
 /**
 * Singleton instance of the CveDB.
 */
- private static CveDB INSTANCE = null;
+ private static CveDB instance = null;
 /**
 * The logger.
 */
@@ -91,27 +91,93 @@ public final class CveDB {
 * statement bundles "dbStatements*.properties".
 */
 enum PreparedStatementCveDb {
+ /**
+ * Key for SQL Statement.
+ */
 CLEANUP_ORPHANS,
+ /**
+ * Key for SQL Statement.
+ */
 COUNT_CPE,
+ /**
+ * Key for SQL Statement.
+ */
 DELETE_REFERENCE,
+ /**
+ * Key for SQL Statement.
+ */
 DELETE_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
 DELETE_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
 INSERT_CPE,
+ /**
+ * Key for SQL Statement.
+ */
 INSERT_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
 INSERT_REFERENCE,
+ /**
+ * Key for SQL Statement.
+ */
 INSERT_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
 INSERT_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
 MERGE_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_CPE_ENTRIES,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_CPE_ID,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_CVE_FROM_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_PROPERTIES,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_REFERENCES,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_SOFTWARE,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_VENDOR_PRODUCT_LIST,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_VULNERABILITY,
+ /**
+ * Key for SQL Statement.
+ */
 SELECT_VULNERABILITY_ID,
+ /**
+ * Key for SQL Statement.
+ */
 UPDATE_PROPERTY,
+ /**
+ * Key for SQL Statement.
+ */
 UPDATE_VULNERABILITY
 }
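Review bot: Every one of the 22 Javadoc blocks added to `PreparedStatementCveDb` says only `Key for SQL Statement.`, which repeats the enum's own description and tells a reader nothing about which statement a constant selects. If the comments exist to satisfy a Javadoc or checkstyle rule, a one-line form that names the statement's purpose costs the same lines and carries information, e.g. above `SELECT_CPE_ID` something like `/** Selects the id of a CPE entry by its value. */` (wording to be confirmed against the statement bundle). The enum itself is entirely inside the hunk.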
@@ -121,11 +187,11 @@ public final class CveDB {
 * @return the CveDB singleton
 * @throws DatabaseException thrown if there is a database error
 */
- public synchronized static CveDB getInstance() throws DatabaseException {
- if (INSTANCE == null) {
- INSTANCE = new CveDB();
+ public static synchronized CveDB getInstance() throws DatabaseException {
+ if (instance == null) {
+ instance = new CveDB();
 }
- return INSTANCE;
+ return instance;
 }
 /**
@@ -150,9 +216,9 @@ public final class CveDB {
 *
 * @return the product name of the database if successful, {@code null} else
 */
- private String determineDatabaseProductName() {
+ private synchronized String determineDatabaseProductName() {
 try {
- final String databaseProductName = getConnection().getMetaData().getDatabaseProductName();
+ final String databaseProductName = connection.getMetaData().getDatabaseProductName();
 LOGGER.debug("Database product: {}", databaseProductName);
 return databaseProductName;
 } catch (SQLException se) {
@@ -161,15 +227,6 @@ public final class CveDB {
 }
 }
- /**
- * Returns the database connection.
- *
- * @return the database connection
- */
- private Connection getConnection() {
- return connection;
- }
-
 /**
 * Opens the database connection. If the database does not exist, it will
 * create a new one.
@@ -191,7 +248,7 @@ public final class CveDB {
 if (isOpen()) {
 closeStatements();
 try {
- getConnection().close();
+ connection.close();
 } catch (SQLException ex) {
 LOGGER.error("There was an error attempting to close the CveDB, see the log for more details.");
 LOGGER.debug("", ex);
@@ -200,7 +257,7 @@ public final class CveDB {
 LOGGER.debug("", ex);
 }
 connection = null;
- INSTANCE = null;
+ instance = null;
 }
 }
@@ -210,7 +267,7 @@ public final class CveDB {
 * @return whether the database connection is open or closed
 */
 private boolean isOpen() {
- return getConnection() != null;
+ return connection != null;
 }
 /**
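Review bot: `getInstance()` is now `static synchronized`, i.e. it locks the `CveDB.class` monitor, but the `instance = null` reset in the `-200,7` hunk sits in the close path, which from the `-191,7` hunk reads as an instance method (its signature is outside the hunk); if that method synchronizes at all it locks `this`, a different monitor, so one thread can be handed the singleton while another is nulling its `connection`. `determineDatabaseProductName()` gains `synchronized` on `this` and now dereferences `connection` directly, so a caller holding an instance that was closed concurrently gets a `NullPointerException` instead of the `null` return the Javadoc promises. Making the reset and the connection checks use the same lock as `getInstance()`, e.g. `synchronized (CveDB.class) { connection = null; instance = null; }`, or checking `connection != null` before the metadata call, closes that window. The close method and the singleton's lifecycle continue outside these hunks.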
@@ -229,9 +286,9 @@ public final class CveDB {
 final PreparedStatement preparedStatement;
 try {
 if (key == INSERT_VULNERABILITY || key == INSERT_CPE) {
- preparedStatement = getConnection().prepareStatement(statementString, new String[]{"id"});
+ preparedStatement = connection.prepareStatement(statementString, new String[]{"id"});
 } else {
- preparedStatement = getConnection().prepareStatement(statementString);
+ preparedStatement = connection.prepareStatement(statementString);
 }
 } catch (SQLException exception) {
 throw new DatabaseException(exception);
@@ -272,7 +329,7 @@ public final class CveDB {
 public synchronized void commit() throws SQLException {
 //temporary remove this as autocommit is on.
 //if (isOpen()) {
- // getConnection().commit();
+ // connection.commit();
 //}
 }
@@ -625,6 +682,7 @@ public final class CveDB {
 insertReference.setString(4, r.getSource());
 insertReference.execute();
 }
+
 final PreparedStatement insertSoftware = getPreparedStatement(INSERT_SOFTWARE);
 for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
 int cpeProductId = 0;
@@ -671,6 +729,7 @@ public final class CveDB {
 throw ex;
 }
 }
+
 }
 } catch (SQLException ex) {
 final String msg = String.format("Error updating '%s'", vuln.getName());
@@ -856,10 +915,11 @@ public final class CveDB {
 public synchronized void deleteUnusedCpe() {
 PreparedStatement ps = null;
 try {
- ps = getConnection().prepareStatement(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
+ ps = connection.prepareStatement(statementBundle.getString("DELETE_UNUSED_DICT_CPE"));
 ps.executeUpdate();
 } catch (SQLException ex) {
 LOGGER.error("Unable to delete CPE dictionary entries", ex);
+ } finally {
 DBUtils.closeStatement(ps);
 }
 }
@@ -877,13 +937,14 @@ public final class CveDB {
 public synchronized void addCpe(String cpe, String vendor, String product) {
 PreparedStatement ps = null;
 try {
- ps = getConnection().prepareStatement(statementBundle.getString("ADD_DICT_CPE"));
+ ps = connection.prepareStatement(statementBundle.getString("ADD_DICT_CPE"));
 ps.setString(1, cpe);
 ps.setString(2, vendor);
 ps.setString(3, product);
 ps.executeUpdate();
 } catch (SQLException ex) {
 LOGGER.error("Unable to add CPE dictionary entry", ex);
+ } finally {
 DBUtils.closeStatement(ps);
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 61053ee72..80ebb1bf6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -78,7 +78,13 @@ public class NvdCveUpdater implements CachedWebDataSource {
 */
 private ExecutorService downloadExecutorService = null;
+ /**
+ * Reference to the DAO.
+ */
 private CveDB cveDb = null;
+ /**
+ * The properties obtained from the database.
+ */
 private DatabaseProperties dbProperties = null;
 /**
@@ -448,8 +454,16 @@ public class NvdCveUpdater implements CachedWebDataSource {
 */
 private static class TimestampRetriever implements Callable {
+ /**
+ * The URL to obtain the timestamp from.
+ */
 private final String url;
+ /**
+ * Instantiates a new timestamp retriever object.
+ *
+ * @param url the URL to hit
+ */
 TimestampRetriever(String url) {
 this.url = url;
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
index 86d1b22a0..f291afcd6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update.nvd;
 import java.io.File;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.URL;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
index 899985f8b..2a5b8bf80 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve20Handler.java
@@ -51,7 +51,8 @@ public class NvdCve20Handler extends DefaultHandler {
 */
 private static final String CURRENT_SCHEMA_VERSION = "2.0";
 /**
- * a possible attribute value of the {@link AttributeValues#XML_LANG} attribute
+ * a possible attribute value of the {@link AttributeValues#XML_LANG}
+ * attribute
 */
 private static final String EN = "en";
 /**
@@ -97,7 +98,8 @@ public class NvdCve20Handler extends DefaultHandler {
 private CveDB cveDB;
 /**
- * A list of CVE entries and associated VulnerableSoftware entries that contain previous entries.
+ * A list of CVE entries and associated VulnerableSoftware entries that
+ * contain previous entries.
 */
 private Map> prevVersionVulnMap;
@@ -109,7 +111,7 @@ public class NvdCve20Handler extends DefaultHandler {
 public int getTotalNumberOfEntries() {
 return totalNumberOfEntries;
 }
-
+
 /**
 * Get the value of totalNumberOfApplicationEntries.
 *
@@ -249,10 +251,12 @@ public class NvdCve20Handler extends DefaultHandler {
 public void setCveDB(CveDB db) {
 cveDB = db;
 }
+
 /**
 * Sets the prevVersionVulnMap.
 *
- * @param map the map of vulnerable software with previous versions being vulnerable
+ * @param map the map of vulnerable software with previous versions being
+ * vulnerable
 */
 public void setPrevVersionVulnMap(Map> map) {
 prevVersionVulnMap = map;
@@ -262,7 +266,8 @@ public class NvdCve20Handler extends DefaultHandler {
 * Saves a vulnerability to the CVE Database.
 *
 * @param vuln the vulnerability to store in the database
- * @throws DatabaseException thrown if there is an error writing to the database
+ * @throws DatabaseException thrown if there is an error writing to the
+ * database
 * @throws CorruptIndexException is thrown if the CPE Index is corrupt
 * @throws IOException thrown if there is an IOException with the CPE Index
 */
@@ -281,7 +286,8 @@ public class NvdCve20Handler extends DefaultHandler {
 //
 /**
- * A simple class to maintain information about the current element while parsing the NVD CVE XML.
+ * A simple class to maintain information about the current element while
+ * parsing the NVD CVE XML.
 */
 protected static class Element {
@@ -506,7 +512,8 @@ public class NvdCve20Handler extends DefaultHandler {
 //
 /**
- * A simple class to maintain information about the attribute values encountered while parsing the NVD CVE XML.
+ * A simple class to maintain information about the attribute values
+ * encountered while parsing the NVD CVE XML.
 */
 protected static class AttributeValues {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index ac8dbc7ad..8d14cd9b8 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -153,7 +153,7 @@ public class Vulnerability implements Serializable, Comparable {
 * @return the list of references
 */
 public List getReferences(boolean sorted) {
- List sortedRefs = new ArrayList<>(this.references);
+ final List sortedRefs = new ArrayList<>(this.references);
 if (sorted) {
 Collections.sort(sortedRefs);
 }
@@ -210,7 +210,7 @@ public class Vulnerability implements Serializable, Comparable {
 * @return the list of vulnerable software
 */
 public List getVulnerableSoftware(boolean sorted) {
- List sortedVulnerableSoftware = new ArrayList<>(this.vulnerableSoftware);
+ final List sortedVulnerableSoftware = new ArrayList<>(this.vulnerableSoftware);
 if (sorted) {
 Collections.sort(sortedVulnerableSoftware);
 }
@@ -516,4 +516,4 @@ public class Vulnerability implements Serializable, Comparable {
 public boolean hasMatchedAllPreviousCPE() {
 return matchedAllPreviousCPE != null;
 }
-}
\ No newline at end of file
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
index c27c4b7d4..3dd1042fc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
@@ -47,7 +47,8 @@ public final class DBUtils {
 *
 * @param statement a prepared statement that just executed an insert
 * @return a primary key
- * @throws DatabaseException thrown if there is an exception obtaining the key
+ * @throws DatabaseException thrown if there is an exception obtaining the
+ * key
 */
 public static int getGeneratedKey(PreparedStatement statement) throws DatabaseException {
 ResultSet rs = null;
@@ -72,27 +73,29 @@ public final class DBUtils {
 * @param statement a Statement object
 */
 public static void closeStatement(Statement statement) {
- if (statement != null) {
- try {
+ try {
+ if (statement != null && !statement.isClosed()) {
+ statement.close();
- } catch (SQLException ex) {
- LOGGER.trace(statement.toString(), ex);
 }
+ } catch (SQLException ex) {
+ LOGGER.trace(statement.toString(), ex);
 }
 }
 /**
- * Closes the result set capturing and ignoring any SQLExceptions that occur.
+ * Closes the result set capturing and ignoring any SQLExceptions that
+ * occur.
 *
 * @param rs a ResultSet to close
 */
 public static void closeResultSet(ResultSet rs) {
- if (rs != null) {
- try {
+ try {
+ if (rs != null && !rs.isClosed()) {
 rs.close();
- } catch (SQLException ex) {
- LOGGER.trace(rs.toString(), ex);
 }
+ } catch (SQLException ex) {
+ LOGGER.trace(rs.toString(), ex);
 }
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java
index af3716973..45308b9e6 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java
@@ -111,7 +111,7 @@ public final class UrlStringUtils {
 final int pos = tmp.lastIndexOf('.');
 if (pos > 1) {
 importantParts.add(tmp.substring(0, pos));
- } else if (pos == 0 && tmp.length()>1) {
+ } else if (pos == 0 && tmp.length() > 1) {
 importantParts.add(tmp.substring(1));
 } else {
 importantParts.add(tmp);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
index c834abf60..676067c5e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
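Review bot: The `!statement.isClosed()` test added in `closeStatement` (and `!rs.isClosed()` in `closeResultSet`) buys no safety: JDBC defines `close()` on an already-closed `Statement` or `ResultSet` as a no-op, whereas `isClosed()` is itself a driver call declared to throw `SQLException`, and in the new layout that failure skips `close()` altogether and is only traced. The previous shape, a null check outside the `try` and `close()` inside it, already covered every case; if the extra call works around a specific driver, record that, e.g. `// isClosed() guards against <driver> throwing on double close — TODO confirm` above the `if`. Both helpers are fully inside the hunk.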
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintHandler.java
@@ -149,8 +149,17 @@ public class HintHandler extends DefaultHandler {
 * Internal type to track the parent node state.
 */
 enum ParentType {
+ /**
+ * Marks the add node.
+ */
 ADD,
+ /**
+ * Marks the given node.
+ */
 GIVEN,
+ /**
+ * Marks the remove node.
+ */
 REMOVE
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
index 9b9ecea9f..014d8043e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
@@ -101,7 +101,7 @@ public class PomHandler extends DefaultHandler {
 * The current node text being extracted from the element.
 */
 private StringBuilder currentText;
-
+
 /**
 * Handles the start element event.
 *
@@ -132,66 +132,77 @@ public class PomHandler extends DefaultHandler { public void endElement(String uri, String localName, String qName) throws SAXException { stack.pop(); final String parentNode = stack.peek(); - if (null != parentNode) switch (parentNode) { - case PROJECT: - if (null != qName) switch (qName) { - case GROUPID: - model.setGroupId(currentText.toString()); - break; - case ARTIFACTID: - model.setArtifactId(currentText.toString()); - break; - case VERSION: - model.setVersion(currentText.toString()); - break; - case NAME: - model.setName(currentText.toString()); - break; - case DESCRIPTION: - model.setDescription(currentText.toString()); - break; - case URL: - model.setProjectURL(currentText.toString()); - break; - default: - break; - } break; - case ORGANIZATION: - if (NAME.equals(qName)) { - model.setOrganization(currentText.toString()); - } else if (URL.equals(qName)) { - model.setOrganizationUrl(currentText.toString()); - } break; - case PARENT: - if (null != qName) switch (qName) { - case GROUPID: - model.setParentGroupId(currentText.toString()); - break; - case ARTIFACTID: - model.setParentArtifactId(currentText.toString()); - break; - case VERSION: - model.setParentVersion(currentText.toString()); - break; - default: - break; - } break; - case LICENSE: - if (license != null) { + if (null != parentNode) { + switch (parentNode) { + case PROJECT: + if (null != qName) { + switch (qName) { + case GROUPID: + model.setGroupId(currentText.toString()); + break; + case ARTIFACTID: + model.setArtifactId(currentText.toString()); + break; + case VERSION: + model.setVersion(currentText.toString()); + break; + case NAME: + model.setName(currentText.toString()); + break; + case DESCRIPTION: + model.setDescription(currentText.toString()); + break; + case URL: + model.setProjectURL(currentText.toString()); + break; + default: + break; + } + } + break; + case ORGANIZATION: if (NAME.equals(qName)) { - license.setName(currentText.toString()); + 
model.setOrganization(currentText.toString()); } else if (URL.equals(qName)) { - license.setUrl(currentText.toString()); + model.setOrganizationUrl(currentText.toString()); } - } break; - case LICENSES: - if (LICENSE.equals(qName)) { + break; + case PARENT: + if (null != qName) { + switch (qName) { + case GROUPID: + model.setParentGroupId(currentText.toString()); + break; + case ARTIFACTID: + model.setParentArtifactId(currentText.toString()); + break; + case VERSION: + model.setParentVersion(currentText.toString()); + break; + default: + break; + } + } + break; + case LICENSE: if (license != null) { - model.addLicense(license); + if (NAME.equals(qName)) { + license.setName(currentText.toString()); + } else if (URL.equals(qName)) { + license.setUrl(currentText.toString()); + } } - } break; - default: - break; + break; + case LICENSES: + if (LICENSE.equals(qName)) { + if (license != null) { + model.addLicense(license); + } + } + break; + default: + break; + } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java index 6e605fd6c..3b81e1591 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java 
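Review bot: In the rebraced `case LICENSES` branch the two nested `if` tests collapse into one, `if (LICENSE.equals(qName) && license != null) {`, and `case LICENSE` can likewise test `license != null` together with each `qName` comparison, which keeps the new switch-in-if-in-switch nesting one level shallower. Every branch also re-evaluates `currentText.toString()`; computing it once after `stack.peek()`, `final String text = currentText.toString();`, reads more clearly and avoids repeating the call. `endElement` starts at the hunk's first line and its closing brace is the hunk's last line.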
@@ -80,10 +80,10 @@ public class PomParser {
 final SAXParser saxParser = XmlUtils.buildSecureSaxParser();
 final XMLReader xmlReader = saxParser.getXMLReader();
 xmlReader.setContentHandler(handler);
- BOMInputStream bomStream = new BOMInputStream(inputStream);
- ByteOrderMark bom = bomStream.getBOM();
- String defaultEncoding = "UTF-8";
- String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
+ final BOMInputStream bomStream = new BOMInputStream(inputStream);
+ final ByteOrderMark bom = bomStream.getBOM();
+ final String defaultEncoding = "UTF-8";
+ final String charsetName = bom == null ? defaultEncoding : bom.getCharsetName();
 final Reader reader = new InputStreamReader(bomStream, charsetName);
 final InputSource in = new InputSource(reader);
 xmlReader.parse(in);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
index 86e84a4bc..ec1b7b1c2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionHandler.java
@@ -199,4 +199,4 @@ public class SuppressionHandler extends DefaultHandler {
 }
 return pt;
 }
-}
\ No newline at end of file
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
index 30313be71..ca6c7ab05 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionRule.java
@@ -529,4 +529,4 @@ public class SuppressionRule {
 sb.append('}');
 return sb.toString();
 }
-}
\ No newline at end of file
+}
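Review bot: `new BOMInputStream(inputStream)` at the top of the hunk is built with no explicit marks, and if this is commons-io's class that constructor only detects the UTF-8 BOM, so `bom.getCharsetName()` can never return anything but `UTF-8`; a UTF-16/32 POM with a BOM would still be decoded as UTF-8 and fail to parse instead of picking up its charset as the code intends. Pass the marks you want honoured: `new BOMInputStream(inputStream, ByteOrderMark.UTF_8, ByteOrderMark.UTF_16LE, ByteOrderMark.UTF_16BE, ByteOrderMark.UTF_32LE, ByteOrderMark.UTF_32BE)`. With that done, `defaultEncoding` is used once and could be inlined or hoisted to a `private static final String`. The enclosing method starts and ends outside the hunk; the parser comes from `XmlUtils.buildSecureSaxParser()`, which presumably is where entity/DTD hardening lives, and nothing in this hunk changes that.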
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 38c8dd71b..d2e95260c 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -17,13 +17,10 @@ */ package org.owasp.dependencycheck.maven; -import java.io.BufferedOutputStream; import java.io.File; import java.io.FileNotFoundException; -import java.io.FileOutputStream; import java.io.IOException; import java.io.InputStream; -import java.io.ObjectOutputStream; import java.util.List; import java.util.Locale; import org.apache.maven.artifact.Artifact; @@ -109,8 +106,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Parameter(readonly = true, required = true, property = "reactorProjects") private List reactorProjects; /** - * The entry point towards a Maven version independent way of resolving artifacts (handles both Maven 3.0 - * Sonatype and Maven 3.1+ eclipse Aether implementations). + * The entry point towards a Maven version independent way of resolving + * artifacts (handles both Maven 3.0 Sonatype and Maven 3.1+ eclipse Aether + * implementations). */ @Component private ArtifactResolver artifactResolver; 
@@ -118,13 +116,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma /** * The Maven Session. */ - @Parameter( defaultValue = "${session}", readonly = true, required = true ) + @Parameter(defaultValue = "${session}", readonly = true, required = true) protected MavenSession session; - /** + /** * Remote repositories which will be searched for artifacts. */ - @Parameter( defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true ) + @Parameter(defaultValue = "${project.remoteArtifactRepositories}", readonly = true, required = true) private List remoteRepositories; /** @@ -461,7 +459,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma @Parameter(property = "externalReport") @Deprecated private String externalReport = null; - + // // /** @@ -531,6 +529,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma protected String getConnectionString() { return connectionString; } + /** * Returns if the mojo should fail the build if an exception occurs. * @@ -624,6 +623,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma * @param project the project being scanned * @param nodes the list of dependency nodes, generally obtained via the * DependencyGraphBuilder + * @param buildingRequest the Maven project building request * @return a collection of exceptions that may have occurred while resolving * and scanning the dependencies */ 
@@ -636,8 +636,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma } try { final ArtifactCoordinate coordinate = TransferUtils.toArtifactCoordinate(dependencyNode.getArtifact()); - final Artifact result = artifactResolver.resolveArtifact( buildingRequest, coordinate ).getArtifact(); - if (result.isResolved() && result.getFile()!= null) { + final Artifact result = artifactResolver.resolveArtifact(buildingRequest, coordinate).getArtifact(); + if (result.isResolved() && result.getFile() != null) { final List deps = engine.scan(result.getFile().getAbsoluteFile(), project.getName() + ":" + dependencyNode.getArtifact().getScope()); if (deps != null) { @@ -683,16 +683,13 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma } /** - * @return Returns a new ProjectBuildingRequest populated from the current session and the current project remote - * repositories, used to resolve artifacts. + * @return Returns a new ProjectBuildingRequest populated from the current + * session and the current project remote repositories, used to resolve + * artifacts. */ - public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest() - { - ProjectBuildingRequest buildingRequest = - new DefaultProjectBuildingRequest( session.getProjectBuildingRequest() ); - - buildingRequest.setRemoteRepositories( remoteRepositories ); - + public ProjectBuildingRequest newResolveArtifactProjectBuildingRequest() { + final ProjectBuildingRequest buildingRequest = new DefaultProjectBuildingRequest(session.getProjectBuildingRequest()); + buildingRequest.setRemoteRepositories(remoteRepositories); return buildingRequest; } 
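Review bot: `newResolveArtifactProjectBuildingRequest()` in the second hunk is public but its Javadoc is only an `@return` tag with no summary sentence, so generated docs show an empty description for it. Add a first sentence such as `Creates a ProjectBuildingRequest, copied from the session's request, that resolves artifacts against this project's remote repositories.` and keep the existing `@return`. The method is complete within the hunk; the first hunk's `try` block begins and ends outside it.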
@@ -1060,8 +1057,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities: %n%s%n%n" + "See the dependency-check report for more details.%n%n", ids.toString()); } else { - msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': %n%s%n%n" - + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString()); + msg = String.format("%n%nOne or more dependencies were identified with vulnerabilities that have a CVSS score greater than '%.1f': " + + "%n%s%n%nSee the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString()); } throw new MojoFailureException(msg); @@ -1136,5 +1133,4 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma } // - }
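Review bot: Both `String.format` calls in the first hunk pass `ids.toString()` to a `%s` specifier, which already calls `toString()`; passing `ids` directly is shorter and avoids a needless intermediate string, e.g. `..., failBuildOnCVSS, ids);`. The wording "greater than '%.1f'" should be checked against the comparison that populates `ids` (not visible here): if that test is `>=`, the message understates the threshold by one step. The enclosing method starts outside the hunk.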