resolve merge conflict and update test cases

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -280,7 +280,7 @@ public class Engine implements FileFilter, AutoCloseable {
         } catch (InvalidSettingException ex) {
             LOGGER.trace("Experimenal setting not configured; defaulting to false");
         }
-        final AnalyzerService service = new AnalyzerService(serviceClassLoader, loadExperimental);
+        final AnalyzerService service = new AnalyzerService(serviceClassLoader, settings);
         final List<Analyzer> iterator = service.getAnalyzers(mode.getPhases());
         for (Analyzer a : iterator) {
             a.initialize(this.settings);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -25,6 +25,8 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
 import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * The Analyzer Service Loader. This class loads all services that implement
@@ -47,18 +49,18 @@ public class AnalyzerService {
     /**
      * The configured settings.
      */
-    private final boolean loadExperimental;
+    private final Settings settings;
 
     /**
      * Creates a new instance of AnalyzerService.
      *
      * @param classLoader the ClassLoader to use when dynamically loading
      * Analyzer and Update services
-     * @param loadExperimental whether or not to load the experimental analyzers
+     * @param settings the configured settings
      */
-    public AnalyzerService(ClassLoader classLoader, boolean loadExperimental) {
+    public AnalyzerService(ClassLoader classLoader, Settings settings) {
-        this.loadExperimental = loadExperimental;
         service = ServiceLoader.load(Analyzer.class, classLoader);
+        this.settings = settings;
     }
 
     /**
@@ -91,12 +93,23 @@ public class AnalyzerService {
     private List<Analyzer> getAnalyzers(List<AnalysisPhase> phases) {
         final List<Analyzer> analyzers = new ArrayList<>();
         final Iterator<Analyzer> iterator = service.iterator();
+        boolean experimentalEnabled = false;
+        boolean retiredEnabled = false;
+        try {
+            experimentalEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+            retiredEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, false);
+        } catch (InvalidSettingException ex) {
+            LOGGER.error("invalid experimental or retired setting", ex);
+        }
         while (iterator.hasNext()) {
             final Analyzer a = iterator.next();
             if (!phases.contains(a.getAnalysisPhase())) {
                 continue;
             }
-            if (!loadExperimental && a.getClass().isAnnotationPresent(Experimental.class)) {
+            if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
+                continue;
+            }
+            if (!retiredEnabled && a.getClass().isAnnotationPresent(Retired.class)) {
                 continue;
             }
             LOGGER.debug("Loaded Analyzer {}", a.getName());

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -47,8 +47,8 @@ import org.owasp.dependencycheck.dependency.EvidenceType;
  *
  * @author Dale Visser
  */
-@Experimental
 @ThreadSafe
+@Retired
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Retired.java

@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.lang.annotation.ElementType;
+import java.lang.annotation.Retention;
+import java.lang.annotation.RetentionPolicy;
+import java.lang.annotation.Target;
+
+/**
+ * Annotation used to flag an analyzer as retired.
+ *
+ * @author Steve Springett
+ */
+@Retention(RetentionPolicy.RUNTIME)
+@Target(ElementType.TYPE)
+public @interface Retired {
+
+}

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -88,7 +88,10 @@ archive.scan.depth=3
 downloader.quick.query.timestamp=true
 downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 
+# defines if the experimental and retired analyzers can be enabled
 analyzer.experimental.enabled=false
+analyzer.retired.enabled=false
+
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java

@@ -40,7 +40,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
      */
     @Test
     public void testGetAnalyzers() {
-        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
+        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers();
 
         boolean found = false;
@@ -58,7 +58,7 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
      */
     @Test
     public void testGetAnalyzers_SpecificPhases() throws Exception {
-        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
+        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers(INITIAL, FINAL);
 
         for (Analyzer a : result) {
@@ -73,25 +73,54 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
      */
     @Test
     public void testGetExperimentalAnalyzers() {
-        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), false);
+        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         List<Analyzer> result = instance.getAnalyzers();
         String experimental = "CMake Analyzer";
+        String retired = "Node.js Package Analyzer";
         boolean found = false;
+        boolean retiredFound = false;
         for (Analyzer a : result) {
             if (experimental.equals(a.getName())) {
                 found = true;
             }
+            if (retired.equals(a.getName())) {
+                retiredFound = true;
+            }
         }
         assertFalse("Experimental analyzer loaded when set to false", found);
+        assertFalse("Retired analyzer loaded when set to false", retiredFound);
 
-        instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), true);
+        getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
+        instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
         result = instance.getAnalyzers();
         found = false;
+        retiredFound = false;
         for (Analyzer a : result) {
             if (experimental.equals(a.getName())) {
                 found = true;
             }
+            if (retired.equals(a.getName())) {
+                retiredFound = true;
+            }
         }
         assertTrue("Experimental analyzer not loaded when set to true", found);
+        assertFalse("Retired analyzer loaded when set to false", retiredFound);
+        
+        getSettings().setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+        getSettings().setBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, true);
+        instance = new AnalyzerService(Thread.currentThread().getContextClassLoader(), getSettings());
+        result = instance.getAnalyzers();
+        found = false;
+        retiredFound = false;
+        for (Analyzer a : result) {
+            if (experimental.equals(a.getName())) {
+                found = true;
+            }
+            if (retired.equals(a.getName())) {
+                retiredFound = true;
+            }
+        }
+        assertFalse("Experimental analyzer loaded when set to false", found);
+        assertTrue("Retired analyzer not loaded when set to true", retiredFound);
     }
 }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -83,7 +83,10 @@ archive.scan.depth=3
 downloader.quick.query.timestamp=true
 downloader.tls.protocols=TLSv1,TLSv1.1,TLSv1.2,TLSv1.3
 
-analyzer.experimental.enabled=true
+# defines if the experimental and retired analyzers can be enabled
+analyzer.experimental.enabled=false
+analyzer.retired.enabled=false
+
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -253,6 +253,10 @@ public final class Settings {
          * The properties key for whether experimental analyzers are loaded.
          */
         public static final String ANALYZER_EXPERIMENTAL_ENABLED = "analyzer.experimental.enabled";
+        /**
+         * The properties key for whether experimental analyzers are loaded.
+         */
+        public static final String ANALYZER_RETIRED_ENABLED = "analyzer.retired.enabled";
         /**
          * The properties key for whether the Archive analyzer is enabled.
          */