diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
index fd2437d2b..7780c7a54 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -245,11 +245,12 @@ public final class CpeMemoryIndex {
* @throws IOException is thrown if there is an issue with the underlying
* Index
*/
- public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
+ public synchronized TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
if (searchString == null || searchString.trim().isEmpty()) {
throw new ParseException("Query is null or empty");
}
LOGGER.debug(searchString);
+ resetFieldAnalyzer();
final Query query = queryParser.parse(searchString);
return search(query, maxQueryResults);
}
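Review bot: `resetFieldAnalyzer()` now runs twice for every string query, once here before `queryParser.parse(searchString)` and again inside `search(Query, int)`, which this method delegates to. The first call is presumably the one the parser needs, so the second is redundant on this path and only lengthens the time the monitor is held. Both overloads also became `synchronized` without the Javadoc saying why. I would add a line such as `* Synchronized: the shared query parser and field analyzer are reset per call and must not be used concurrently.`, with the wording checked against the fields, which are outside the hunk. The same applies to the second hunk in this file.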
@@ -263,7 +264,7 @@ public final class CpeMemoryIndex {
* @throws CorruptIndexException thrown if the Index is corrupt
* @throws IOException thrown if there is an IOException
*/
- public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
+ public synchronized TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
resetFieldAnalyzer();
return indexSearcher.search(query, maxQueryResults);
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 2ae21797c..60b577582 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -17,6 +17,9 @@
*/
package org.owasp.dependencycheck.data.update;
+import java.io.File;
+import java.io.IOException;
+import java.io.RandomAccessFile;
import java.net.MalformedURLException;
import java.util.Calendar;
import java.util.HashMap;
@@ -24,6 +27,8 @@ import java.util.HashSet;
import java.util.Map;
import java.util.Set;
import java.net.URL;
+import java.nio.channels.FileLock;
+import java.util.Date;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
@@ -31,6 +36,7 @@ import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
+import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -89,32 +95,52 @@ public class NvdCveUpdater implements CachedWebDataSource {
/**
* Downloads the latest NVD CVE XML file from the web and imports it into
- * the current CVE Database.
+ * the current CVE Database. A lock on a file is obtained in an attempt to
+ * prevent more then one thread/JVM from updating the database at the same
+ * time. This method may sleep upto 5 minutes.
*
* @throws UpdateException is thrown if there is an error updating the
* database
*/
@Override
- public void update() throws UpdateException {
- try {
- if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
- return;
- }
- } catch (InvalidSettingException ex) {
- LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex);
- }
-
- boolean autoUpdate = true;
- try {
- autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
- } catch (InvalidSettingException ex) {
- LOGGER.debug("Invalid setting for auto-update; using true.");
- }
- if (!autoUpdate) {
+ public synchronized void update() throws UpdateException {
+ if (isUpdateConfiguredFalse()) {
return;
}
- initializeExecutorServices();
+ FileLock lock = null;
+ RandomAccessFile ulFile = null;
+ File lockFile = null;
try {
+ if (ConnectionFactory.isH2Connection()) {
+ final File dir = Settings.getDataDirectory();
+ lockFile = new File(dir, "odc.update.lock");
+ if (lockFile.isFile() && getFileAge(lockFile) > 5 && !lockFile.delete()) {
+ LOGGER.warn("An old db update lock file was found but the system was unable to delete the file. Consider manually deleting " + lockFile.getAbsolutePath());
+ }
+ int ctr = 0;
+ do {
+ try {
+ if (!lockFile.exists() && lockFile.createNewFile()) {
+ ulFile = new RandomAccessFile(lockFile, "rw");
+ lock = ulFile.getChannel().lock();
+ }
+ } catch (IOException ex) {
+ LOGGER.trace("Expected error as another thread has likely locked the file", ex);
+ }
+ if (lock == null || !lock.isValid()) {
+ try {
+ LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.", Thread.currentThread().getName()));
+ Thread.sleep(5000);
+ } catch (InterruptedException ex) {
+ LOGGER.trace("ignorable error, sleep was interrupted.", ex);
+ }
+ }
+ } while (++ctr < 60 && (lock == null || !lock.isValid()));
+ if (lock == null || !lock.isValid()) {
+ throw new UpdateException("Unable to obtain the update lock, skipping the database update. Skippinig the database update.");
+ }
+ }
+ initializeExecutorServices();
cveDb = CveDB.getInstance();
dbProperties = cveDb.getDatabaseProperties();
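Review bot: The stale-lock cleanup (`getFileAge(lockFile) > 5 && !lockFile.delete()`) decides by file age alone, and nothing visible in the hunk refreshes the file's timestamp while the lock is held. An update that runs longer than five minutes can therefore have its lock file removed by another JVM, which then creates a new file and updates the same H2 database concurrently; a corrupted or half-written vulnerability database makes later scan results unreliable. Treating the `FileLock` itself as the ownership signal avoids this, because the OS drops it when the holder exits and no age heuristic or file deletion is needed. The `InterruptedException` catch should also restore the interrupt flag rather than only tracing it, and the message at the end of the block repeats itself and misspells "Skipping". The body of `update()` continues outside the hunk.

```java
// … unchanged: isUpdateConfiguredFalse() check and the lock/ulFile/lockFile declarations …
if (ConnectionFactory.isH2Connection()) {
    lockFile = new File(Settings.getDataDirectory(), "odc.update.lock");
    // The file is only a rendezvous point; ownership is the FileLock, so it is never deleted by age.
    ulFile = new RandomAccessFile(lockFile, "rw");
    int ctr = 0;
    do {
        try {
            lock = ulFile.getChannel().tryLock();
        } catch (OverlappingFileLockException ex) {
            LOGGER.trace("Update lock is held by another thread in this JVM", ex);
        }
        if (lock == null) {
            try {
                LOGGER.debug("Sleeping thread {} for 5 seconds because we could not obtain the update lock.",
                        Thread.currentThread().getName());
                Thread.sleep(5000);
            } catch (InterruptedException ex) {
                Thread.currentThread().interrupt();
                throw new UpdateException("Interrupted while waiting for the update lock.", ex);
            }
        }
    } while (lock == null && ++ctr < 60);
    if (lock == null) {
        throw new UpdateException("Unable to obtain the update lock, skipping the database update.");
    }
}
// … unchanged: initializeExecutorServices() and the update itself …
```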
@@ -137,12 +163,66 @@ public class NvdCveUpdater implements CachedWebDataSource {
throw new UpdateException("Unable to download the NVD CVE data.", ex);
} catch (DatabaseException ex) {
throw new UpdateException("Database Exception, unable to update the data to use the most current data.", ex);
+ } catch (IOException ex) {
+ throw new UpdateException("Database Exception", ex);
} finally {
shutdownExecutorServices();
cveDb.close();
+ if (lock != null) {
+ try {
+ lock.release();
+ } catch (IOException ex) {
+ LOGGER.trace("Ignorable exception", ex);
+ }
+ }
+ if (ulFile != null) {
+ try {
+ ulFile.close();
+ } catch (IOException ex) {
+ LOGGER.trace("Ignorable exception", ex);
+ }
+ }
+ if (lockFile != null) {
+ lockFile.delete();
+ }
}
}
+ /**
+ * Checks if the system is configured NOT to update.
+ *
+ * @return false if the system is configured to perform an update; otherwise
+ * true
+ */
+ private boolean isUpdateConfiguredFalse() {
+ try {
+ if (!Settings.getBoolean(Settings.KEYS.UPDATE_NVDCVE_ENABLED, true)) {
+ return true;
+ }
+ } catch (InvalidSettingException ex) {
+ LOGGER.trace("invalid setting UPDATE_NVDCVE_ENABLED", ex);
+ }
+ boolean autoUpdate = true;
+ try {
+ autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+ } catch (InvalidSettingException ex) {
+ LOGGER.debug("Invalid setting for auto-update; using true.");
+ }
+ return !autoUpdate;
+ }
+
+ /**
+ * Returns the age of the file in minutes.
+ *
+ * @param file the file to calculate the age
+ * @return the age of the file
+ */
+ private long getFileAge(File file) {
+ final Date d = new Date();
+ final long modified = file.lastModified();
+ return (d.getTime() - modified) / 1000 / 60;
+ }
+
/**
* Initialize the executor services for download and processing of the NVD
* CVE XML data.
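Review bot: In the `finally` block `lockFile.delete()` runs whenever `lockFile` is non-null, including when this caller timed out without ever holding the lock. A waiter that gives up therefore removes the file that marks another process's running update, and the next arrival can create it again and start a second update against the same database. Guarding the delete with ownership, `if (lock != null && lockFile != null) {`, keeps the cleanup to the holder. The same early-exit path also reaches `shutdownExecutorServices()` and `cveDb.close()` before `initializeExecutorServices()` and `CveDB.getInstance()` have run. If `cveDb` can still be null at that point (its declaration is outside the hunk), the resulting NullPointerException would replace the `UpdateException`, so `if (cveDb != null) { cveDb.close(); }` is the safer form.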
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
index 34e1d4118..481048c12 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -545,4 +545,20 @@
^javax\.servlet:servlet-api:.*$
cpe:/a:sun:one_application_server
+
+
+ ^org\.apache\.tomcat\.embed:tomcat-embed.*$
+ CVE-2017-6056
+ CVE-2016-6325
+ CVE-2016-5425
+
+
+
+ ^org\.springframework\.boot:spring-boot-starter-data-jpa:.*$
+ CVE-2016-6652
+
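Review bot: Both new entries match on artifact coordinates with no version bound, so `^org\.apache\.tomcat\.embed:tomcat-embed.*$` hides the three listed CVEs for every tomcat-embed artifact and version. Because this is the base suppression file, that applies to every user of the tool. The element markup is not visible in this rendering, so I cannot tell whether a notes element records the reasoning. If it does not, I would add one per entry stating why the CVE does not apply to the matched artifact, for example `<notes><![CDATA[false positive: <reason the CVE does not apply to this artifact>]]></notes>`, so a later reader can re-check the decision rather than trust it.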
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
index a3710f2f3..a23f4e866 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -8,7 +8,7 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
-import java.io.FileNotFoundException;
+import java.io.IOException;
import java.net.URL;
import java.util.List;
@@ -50,7 +50,7 @@ public class CentralSearchTest extends BaseTest {
// This test does generate network traffic and communicates with a host
// you may not be able to reach. Remove the @Ignore annotation if you want to
// test it anyway
- @Test(expected = FileNotFoundException.class)
+ @Test(expected = IOException.class)
public void testMissingSha1() throws Exception {
searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
}
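Review bot: Widening the expectation to `@Test(expected = IOException.class)` lets this test pass on any I/O failure, including an unreachable host or a timeout, not only on the missing-SHA1 case named in `testMissingSha1`. The comment above already says the test depends on a host that may not be reachable, so a network outage would now look like a pass. If the search now throws a more general exception for a missing artifact, I would catch it in the test body and assert on something specific to the not-found case, such as the message or the response code if the exception carries one. Otherwise keep the narrower type.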
diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml
index 7acd5269f..ec672c570 100644
--- a/dependency-check-maven/pom.xml
+++ b/dependency-check-maven/pom.xml
@@ -228,6 +228,13 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
maven-invoker-plugin
2.0.0
+
+
+ 2
+
+ 690-threadsafety/pom.xml
+ 618-aggregator-purge/pom.xml
+
${project.build.directory}/it
target/local-repo
diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy b/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy
index 09ea6f264..007821d3e 100644
--- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy
+++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/postbuild.groovy
@@ -16,13 +16,4 @@
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
-import org.apache.commons.io.FileUtils;
-import org.apache.commons.lang.StringUtils;
-
-// Save NVD-CVE for next IT (if not already done)
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-if (datasDwl.exists() && !datasSave.exists()){
- System.out.println("Save NVD-CVE into backup");
- FileUtils.copyFile(datasDwl, datasSave);
-}
+return true;
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy b/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy
index c1e9eda11..9eff4bb5c 100644
--- a/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy
+++ b/dependency-check-maven/src/it/617-hierarchical-cross-deps/prebuild.groovy
@@ -15,14 +15,3 @@
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
-
-import org.apache.commons.io.FileUtils;
-
-// Load NVD-CVE if not exist and had been saved in a previous IT
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-
-if (!datasDwl.exists() && datasSave.exists()){
- System.out.println("Load NVD-CVE from backup");
- FileUtils.copyFile(datasSave, datasDwl);
-}
diff --git a/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy
index 77ed8d9d6..bf3b3246e 100644
--- a/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy
+++ b/dependency-check-maven/src/it/618-aggregator-purge/postbuild.groovy
@@ -27,3 +27,4 @@ if (!StringUtils.contains(log, "Database file purged; local copy of the NVD has
System.out.println("The database was not purged.");
return false;
}
+return true;
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy b/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy
index 389ddb710..a3aa62c8e 100644
--- a/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy
+++ b/dependency-check-maven/src/it/618-aggregator-update-only/postbuild.groovy
@@ -20,19 +20,11 @@ import java.nio.charset.Charset;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
-// Save NVD-CVE for next IT (if not already done)
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-if (datasDwl.exists() && !datasSave.exists()){
- System.out.println("Save NVD-CVE into backup");
- FileUtils.copyFile(datasDwl, datasSave);
-}
-
// Analyse number of "Checking for updates"
String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
int count = StringUtils.countMatches(log, "Checking for updates");
if (count > 1){
System.out.println(String.format("The update should be unique, it is %s", count));
return false;
- //throw new Exception(String.format("The update should be unique, it is %s", count));
}
+return true;
diff --git a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy b/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy
index c1e9eda11..3071d8668 100644
--- a/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy
+++ b/dependency-check-maven/src/it/618-aggregator-update-only/prebuild.groovy
@@ -16,13 +16,3 @@
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
-import org.apache.commons.io.FileUtils;
-
-// Load NVD-CVE if not exist and had been saved in a previous IT
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-
-if (!datasDwl.exists() && datasSave.exists()){
- System.out.println("Load NVD-CVE from backup");
- FileUtils.copyFile(datasSave, datasDwl);
-}
diff --git a/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy b/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy
index 17401a332..acb7cb3a5 100644
--- a/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy
+++ b/dependency-check-maven/src/it/629-jackson-dataformat/postbuild.groovy
@@ -19,16 +19,6 @@
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang.StringUtils;
import java.nio.charset.Charset;
-
-// Save NVD-CVE for next IT (if not already done)
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-if (datasDwl.exists() && !datasSave.exists()){
- System.out.println("Save NVD-CVE into backup");
- FileUtils.copyFile(datasDwl, datasSave);
-}
-
-
// Check to see if jackson-dataformat-xml-2.4.5.jar was identified.
@@ -36,7 +26,7 @@ if (datasDwl.exists() && !datasSave.exists()){
String log = FileUtils.readFileToString(new File(basedir, "target/dependency-check-report.xml"), Charset.defaultCharset().name());
int count = StringUtils.countMatches(log, "jackson-dataformat-xml-2.4.5.jar");
if (count == 0){
- System.out.println(String.format("The update should be unique, it is %s", count));
+ System.out.println(String.format("jackson-dataformat-xml was identified %s times, expected 1", count));
return false;
- //throw new Exception(String.format("The update should be unique, it is %s", count));
}
+return true;
diff --git a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy b/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy
index c1e9eda11..9eff4bb5c 100644
--- a/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy
+++ b/dependency-check-maven/src/it/629-jackson-dataformat/prebuild.groovy
@@ -15,14 +15,3 @@
*
* Copyright (c) 2014 Jeremy Long. All Rights Reserved.
*/
-
-import org.apache.commons.io.FileUtils;
-
-// Load NVD-CVE if not exist and had been saved in a previous IT
-File datasDwl = new File("target/local-repo/org/owasp/dependency-check-data/3.0", "dc.h2.db");
-File datasSave = new File("target/nvd-cve-backup", "dc.h2.db");
-
-if (!datasDwl.exists() && datasSave.exists()){
- System.out.println("Load NVD-CVE from backup");
- FileUtils.copyFile(datasSave, datasDwl);
-}
diff --git a/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml
new file mode 100644
index 000000000..09edb1412
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/first-a/pom.xml
@@ -0,0 +1,70 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ first-a
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+ org.apache.tomcat.embed
+ tomcat-embed-core
+ 8.5.11
+
+
+ org.springframework.boot
+ spring-boot-starter-data-jpa
+ 1.5.2.RELEASE
+
+
+ org.apache.james
+ apache-mime4j-dom
+ 0.7.2
+
+
+ org.glassfish.grizzly
+ grizzly-framework
+ 2.3.10
+
+
+ io.jsonwebtoken
+ jjwt
+ 0.7.0
+
+
+ com.thoughtworks.xstream
+ xstream
+ 1.4.1
+
+
+ org.apache.commons
+ commons-collections4
+ 4.1
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml
new file mode 100644
index 000000000..a5243f958
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/first-b/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ first-b
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/first/pom.xml b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml
new file mode 100644
index 000000000..558d5c132
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/first/pom.xml
@@ -0,0 +1,70 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ first
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+ org.apache.tomcat.embed
+ tomcat-embed-core
+ 8.5.11
+
+
+ org.springframework.boot
+ spring-boot-starter-data-jpa
+ 1.5.2.RELEASE
+
+
+ org.apache.james
+ apache-mime4j-dom
+ 0.7.2
+
+
+ org.glassfish.grizzly
+ grizzly-framework
+ 2.3.10
+
+
+ io.jsonwebtoken
+ jjwt
+ 0.7.0
+
+
+ com.thoughtworks.xstream
+ xstream
+ 1.4.1
+
+
+ org.apache.commons
+ commons-collections4
+ 4.1
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml
new file mode 100644
index 000000000..1320efbf5
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth-a/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ fourth-a
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth-a/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml
new file mode 100644
index 000000000..c45db6287
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth-b/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ fourth-b
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth-b/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml b/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml
new file mode 100644
index 000000000..9d000b344
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ fourth
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/fourth/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/invoker.properties b/dependency-check-maven/src/it/690-threadsafety/invoker.properties
new file mode 100644
index 000000000..697b15bf3
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/invoker.properties
@@ -0,0 +1,19 @@
+#
+# This file is part of dependency-check-maven.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+# Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+#
+
+invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 1
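Review bot: `-T 1` asks Maven for a single builder thread, so the twelve modules listed in this IT's parent pom are built one after another. The code paths made `synchronized` or `threadSafe = true` in this commit are then never entered concurrently within the build. If the test is meant to exercise in-JVM thread safety, a value above one is needed, e.g. `invoker.goals = install ${project.groupId}:${project.artifactId}:${project.version}:check -X -T 4`. If the intent is instead to rely on the invoker plugin running several ITs in parallel, a comment here saying so would stop the flag from being read as a mistake.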
diff --git a/dependency-check-maven/src/it/690-threadsafety/pom.xml b/dependency-check-maven/src/it/690-threadsafety/pom.xml
new file mode 100644
index 000000000..1fbe16021
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/pom.xml
@@ -0,0 +1,39 @@
+
+
+
+ 4.0.0
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+ pom
+
+ first
+ second
+ third
+ fourth
+ first-a
+ second-a
+ third-a
+ fourth-a
+ first-b
+ second-b
+ third-b
+ fourth-b
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy
new file mode 100644
index 000000000..8c1b639fa
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/postbuild.groovy
@@ -0,0 +1,29 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+
+import java.nio.charset.Charset;
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang.StringUtils;
+
+String log = FileUtils.readFileToString(new File(basedir, "build.log"), Charset.defaultCharset().name());
+int count = StringUtils.countMatches(log, "Download Started for NVD CVE - 2002");
+if (count > 1){
+ System.out.println(String.format("NVD CVE was downloaded %s times, should be 0 or 1 times", count));
+ return false;
+}
+return true;
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy
new file mode 100644
index 000000000..9eff4bb5c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/prebuild.groovy
@@ -0,0 +1,17 @@
+/*
+ * This file is part of dependency-check-maven.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
diff --git a/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml
new file mode 100644
index 000000000..ddd40f9ae
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second-a/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ second-a
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second-a/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml
new file mode 100644
index 000000000..b5398f613
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second-b/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ second-b
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second-b/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/second/pom.xml b/dependency-check-maven/src/it/690-threadsafety/second/pom.xml
new file mode 100644
index 000000000..ed04073ef
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ second
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/second/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml
new file mode 100644
index 000000000..6470df160
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third-a/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ third-a
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third-a/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml
new file mode 100644
index 000000000..2c589607c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third-b/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ third-b
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third-b/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/it/690-threadsafety/third/pom.xml b/dependency-check-maven/src/it/690-threadsafety/third/pom.xml
new file mode 100644
index 000000000..062992fbb
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third/pom.xml
@@ -0,0 +1,35 @@
+
+
+
+ 4.0.0
+
+ org.owasp.test
+ threaded-parent
+ 1.0.0-SNAPSHOT
+
+ third
+ jar
+
+
+ log4j
+ log4j
+ 1.2.17
+
+
+
\ No newline at end of file
diff --git a/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml b/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml
new file mode 100644
index 000000000..65c96051c
--- /dev/null
+++ b/dependency-check-maven/src/it/690-threadsafety/third/src/main/webapp/WEB-INF/web.xml
@@ -0,0 +1,26 @@
+
+
+
+ test-app
+
+ index.html
+
+
+
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
index 490ffe45c..87f551140 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java
@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "purge",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
- threadSafe = false,
+ threadSafe = true,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true,
aggregator = true
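Review bot: Setting `threadSafe = true` on the purge mojo tells Maven it can run alongside other mojos in a parallel build, but the locking added in this commit is only visible in `NvdCveUpdater.update()`. Nothing in the diff shows the purge path taking `odc.update.lock` before it removes the database file, so a purge running next to an update or a scan could delete the file under them. Either have purge acquire the same lock, or document on the mojo why that is unnecessary, e.g. `// purge is an aggregator goal and runs once per reactor, before any check` if that is in fact the guarantee. The rest of the class is outside the hunk, so this needs confirming against the purge implementation.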
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java
index ec0e6928d..4d8fc11b1 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java
@@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.Settings;
@Mojo(
name = "update-only",
defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
- threadSafe = false,
+ threadSafe = true,
requiresDependencyResolution = ResolutionScope.NONE,
requiresOnline = true,
aggregator = true