From 115f63c330588ee2f7ec9f4c263ea5e2fb2ffa7e Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 14:38:43 -0700 Subject: [PATCH 01/16] Removed an unused import and combined nested if statements. --- .../java/org/owasp/dependencycheck/utils/Settings.java | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index dc278bc4d..c8d8418cf 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -31,7 +31,6 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.Enumeration; import java.util.Properties; -import java.util.logging.Level; /** * A simple settings container that wraps the dependencycheck.properties file. @@ -626,11 +625,9 @@ public final class Settings { */ public static File getTempDirectory() throws IOException { final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")), "dctemp"); - if (!tmpDir.exists()) { - if (!tmpDir.mkdirs()) { - final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath()); - throw new IOException(msg); - } + if (!tmpDir.exists() && !tmpDir.mkdirs()) { + final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath()); + throw new IOException(msg); } tempDirectory = tmpDir; return tmpDir; From 444685bc05487e7ec05983462bac59216276e0fe Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 14:40:32 -0700 Subject: [PATCH 02/16] Inner class should be static (since it doesn't reference parent). --- .../org/owasp/dependencycheck/data/update/cpe/CPEHandler.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
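Review bot: In `getTempDirectory()`, the merged condition `!tmpDir.exists() && !tmpDir.mkdirs()` accepts any pre-existing path named `dctemp`, including a regular file or a directory that another local account created first under a shared `java.io.tmpdir`. Testing `if (!tmpDir.isDirectory() && !tmpDir.mkdirs()) {` would at least reject a non-directory with the existing IOException. Whether ownership or permissions of an already-present directory are verified elsewhere is not visible in this hunk. If they are not, a comment such as `// dctemp has a fixed name under the configured temp dir; do not assume it is private to this process` would record the assumption. The end of the method lies outside the hunk.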
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java index 6a155c6ca..2e46a4678 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java @@ -179,7 +179,7 @@ public class CPEHandler extends DefaultHandler { /** * A simple class to maintain information about the current element while parsing the CPE XML. */ - protected class Element { + protected static final class Element { /** * A node type in the CPE Schema 2.2 From df25bbb6d22ac027778d51aeeef283650b76effb Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 14:43:34 -0700 Subject: [PATCH 03/16] Replaced json iteration with more efficient entrySet. Also corrected an invalid logging statement. --- .../dependencycheck/analyzer/NodePackageAnalyzer.java | 10 ++++++---- 1 file changed, 6 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index d489d97c0..597e14258 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -32,6 +32,7 @@ import javax.json.*; import java.io.File; import java.io.FileFilter; import java.io.IOException; +import java.util.Map; /** * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine 
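Review bot: The new declaration `protected static final class Element` adds `final` as well as `static`, which the commit message does not mention. A `protected` nested class could previously be extended by subclasses of `CPEHandler`, and any such subclass would now fail to compile. If sealing it is intended, say so in the Javadoc (for example `Not designed for extension.`); otherwise `protected static class Element {` keeps the earlier contract. The class body continues outside the hunk.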
@@ -146,20 +147,21 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { if (json.containsKey(key)) { - Object value = json.get(key); + JsonValue value = json.get(key); if (value instanceof JsonString) { collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; - for (String property : jsonObject.keySet()) { - final Object subValue = jsonObject.get(property); + for (final Map.Entry entry : jsonObject.entrySet()) { + final String property = entry.getKey(); + final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { collection.addEvidence(PACKAGE_JSON, String.format("%s.%s", key, property), ((JsonString) subValue).getString(), Confidence.HIGHEST); } else { - LOGGER.warn("JSON sub-value not string as expected: %s"); + LOGGER.warn("JSON sub-value not string as expected: %s", subValue); } } } else { From af0255ee09459fccdc4b3bc084d9b426aa57d240 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 14:48:23 -0700 Subject: [PATCH 04/16] Rather than create a collection, then call addAll to populate, the collection can be created with the collection to clone. --- .../src/main/java/org/owasp/dependencycheck/Engine.java | 3 +-- .../owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java | 3 +-- 2 files changed, 2 insertions(+), 4 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index 2da745245..b6e170a7d 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java 
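Review bot: `LOGGER.warn("JSON sub-value not string as expected: %s", subValue);` still does not print the value. The file imports `org.slf4j.Logger` (visible in patch 08 of this series), and SLF4J substitutes `{}` only, so `%s` is emitted literally and the argument is dropped. The line should read `LOGGER.warn("JSON sub-value not string as expected: {}", subValue);`. The final `else` branch of `addToEvidence` is cut off by the hunk, so any similar message there could not be checked.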
@@ -366,8 +366,7 @@ public class Engine implements FileFilter {
 * This is okay for adds/deletes because it happens per analyzer.
 */
 LOGGER.debug("Begin Analyzer '{}'", a.getName());
- final Set dependencySet = new HashSet();
- dependencySet.addAll(dependencies);
+ final Set dependencySet = new HashSet(dependencies);
 for (Dependency d : dependencySet) {
 boolean shouldAnalyze = true;
 if (a instanceof FileTypeAnalyzer) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index d518f8490..d136ee235 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -154,8 +154,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 */
 @SuppressWarnings("null")
 private void removeSpuriousCPE(Dependency dependency) {
- final List ids = new ArrayList();
- ids.addAll(dependency.getIdentifiers());
+ final List ids = new ArrayList(dependency.getIdentifiers());
 Collections.sort(ids);
 final ListIterator mainItr = ids.listIterator();
 while (mainItr.hasNext()) {
From 01450bacc21437f7c6ad01462b5f39bed6e058c0 Mon Sep 17 00:00:00 2001
From: Anthony Whitford
Date: Mon, 7 Sep 2015 14:51:26 -0700
Subject: [PATCH 05/16] Removed a redundant null check, and replaced an addAll with the constructor population.
---
 .../org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index f43e09240..d0f44ffc1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -184,7 +184,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { if (tempFileLocation != null && tempFileLocation.exists()) { LOGGER.debug("Attempting to delete temporary files"); final boolean success = FileUtils.delete(tempFileLocation); - if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) { + if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) { LOGGER.warn("Failed to delete some temporary files, see the log for more details"); } } @@ -278,8 +278,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { final Set newDependencies; if (sizeChanged) { //get the new dependencies - newDependencies = new HashSet(); - newDependencies.addAll(after); + newDependencies = new HashSet(after); newDependencies.removeAll(before); } else { newDependencies = EMPTY_DEPENDENCY_SET; From 9a45c9aa7cb5a52703f053efdb1bc90211f06f98 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 15:21:54 -0700 Subject: [PATCH 06/16] Removed unused Cal10n MessageConveyor. --- .../owasp/dependencycheck/analyzer/AssemblyAnalyzer.java | 6 ------ 1 file changed, 6 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 26e795ee4..4885d81b5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -17,8 +17,6 @@ */ package org.owasp.dependencycheck.analyzer; -import ch.qos.cal10n.IMessageConveyor; -import ch.qos.cal10n.MessageConveyor; import java.io.BufferedReader; import java.io.File; import java.io.FileFilter; 
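Review bot: `tempFileLocation.list().length` in the rewritten condition can throw a NullPointerException, because `File.list()` returns null when the path is not a directory or an I/O error occurs, and this line runs right after a delete has reported failure. Read the listing once and test it, e.g. `final String[] remaining = tempFileLocation.list();` followed by `if (!success && tempFileLocation.exists() && (remaining == null || remaining.length > 0)) {`. That also keeps the warning about leftover extracted files from being replaced by an unrelated exception during cleanup. The enclosing method starts and ends outside the hunk.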
@@ -75,10 +73,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { * The DocumentBuilder for parsing the XML */ private DocumentBuilder builder; - /** - * Message Conveyer - */ - private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault()); /** * Logger */ From 85604e8afad923e2ed7b4a7200f8d34b5098d70f Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 16:01:10 -0700 Subject: [PATCH 07/16] Logback-core is a transitive dependency from logback-classic -- no need to explicitly mention it. JSoup type is jar by default, so no need to mention that. SLF4J-Ext does not seem to be used, so can drop that. H2 only has runtime scope. --- dependency-check-core/pom.xml | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index 1f8f283cf..4bdfc39a2 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -280,22 +280,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. slf4j-api - - ch.qos.logback - logback-core - test - ch.qos.logback logback-classic test - - - org.slf4j - slf4j-ext - compile - org.owasp dependency-check-utils @@ -342,6 +331,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. com.h2database h2 + runtime org.glassfish @@ -350,7 +340,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.jsoup jsoup - jar com.sun.mail From a75c17ac5ee24e2bf869864ef6afc025e9e5498c Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 16:28:22 -0700 Subject: [PATCH 08/16] Added final keywords and elaborated the javax.json imports. --- .../analyzer/NodePackageAnalyzer.java | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index 597e14258..56a98fd7e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java @@ -28,11 +28,16 @@ import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.json.*; import java.io.File; import java.io.FileFilter; import java.io.IOException; import java.util.Map; +import javax.json.Json; +import javax.json.JsonException; +import javax.json.JsonObject; +import javax.json.JsonReader; +import javax.json.JsonString; +import javax.json.JsonValue; /** * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine @@ -121,13 +126,13 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { "Problem occurred while reading dependency file.", e); } try { - JsonObject json = jsonReader.readObject(); + final JsonObject json = jsonReader.readObject(); final EvidenceCollection productEvidence = dependency.getProductEvidence(); final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); if (json.containsKey("name")) { - Object value = json.get("name"); + final Object value = json.get("name"); if (value instanceof JsonString) { - String valueString = ((JsonString) value).getString(); + final String valueString = ((JsonString) value).getString(); productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); } else { 
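Review bot: `final Object value = json.get("name");` keeps the loose `Object` type, while `addToEvidence` in the same file was changed in patch 03 to hold the result of the same call as `JsonValue`. Declaring it as `final JsonValue value = json.get("name");` makes the two sites consistent and uses the explicit `javax.json.JsonValue` import this commit adds. The surrounding `try` block starts and ends outside the hunk.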
@@ -147,7 +152,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { if (json.containsKey(key)) { - JsonValue value = json.get(key); + final JsonValue value = json.get(key); if (value instanceof JsonString) { collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); } else if (value instanceof JsonObject) { From 537c4b3a50646ee3b57d019bed46e11f942a34eb Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 16:28:55 -0700 Subject: [PATCH 09/16] Added missing final keywords. --- .../org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index d0f44ffc1..357d5f351 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -271,9 +271,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * @return any dependencies that weren't known to the engine before */ private static Set findMoreDependencies(Engine engine, File file) { - List before = new ArrayList(engine.getDependencies()); + final List before = new ArrayList(engine.getDependencies()); engine.scan(file); - List after = engine.getDependencies(); + final List after = engine.getDependencies(); final boolean sizeChanged = before.size() != after.size(); final Set newDependencies; if (sizeChanged) { 
@@ -451,7 +451,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * * @param closeable to be closed */ - private static void close(Closeable closeable){ + private static void close(Closeable closeable) { if (null != closeable) { try { closeable.close(); From 769fcb20d8977d6377b10da637a86131c0f1b9d3 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 16:29:27 -0700 Subject: [PATCH 10/16] Removed a now unused import. --- .../org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java | 1 - 1 file changed, 1 deletion(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 4885d81b5..dc60c485b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java @@ -43,7 +43,6 @@ import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; import java.util.ArrayList; import java.util.List; -import java.util.Locale; /** * Analyzer for getting company, product, and version information from a .NET assembly. From c09650a136d3da80986563e55a3c8ce76b6069d0 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 16:30:58 -0700 Subject: [PATCH 11/16] Removed unused slf4j-ext and slf4j-jdk14 dependency declarations. --- pom.xml | 10 ---------- 1 file changed, 10 deletions(-) diff --git a/pom.xml b/pom.xml index 0d69b1666..e83b0b7e0 100644 --- a/pom.xml +++ b/pom.xml @@ -620,16 +620,6 @@ Copyright (c) 2012 - Jeremy Long slf4j-api ${slf4j.version} - - org.slf4j - slf4j-ext - ${slf4j.version} - - - org.slf4j - slf4j-jdk14 - ${slf4j.version} - org.slf4j slf4j-simple From b51731d15f5d7d6f896a3cb192e555eb9169d641 Mon Sep 17 00:00:00 2001 
From: Anthony Whitford
Date: Mon, 7 Sep 2015 16:35:23 -0700
Subject: [PATCH 12/16] Added final keyword.
---
 .../main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 90a1e3490..4ab780755 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -490,7 +490,7 @@ public class CveDB {
 deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
 deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
 updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
- String ids[] = {"id"};
+ final String ids[] = {"id"};
 insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
 //Statement.RETURN_GENERATED_KEYS);
 ids);
From 480fa50af58726b7092378913ce646ae9eddebfa Mon Sep 17 00:00:00 2001
From: Anthony Whitford
Date: Mon, 7 Sep 2015 17:01:24 -0700
Subject: [PATCH 13/16] Corrected Javadoc to eliminate warning.
---
 .../src/main/java/org/owasp/dependencycheck/App.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index ca5aa8e77..520c85009 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
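Review bot: `final String ids[] = {"id"};` keeps the C-style array declarator; the conventional Java form is `final String[] ids = {"id"};`. The commented-out `//Statement.RETURN_GENERATED_KEYS);` sitting between the arguments of the `prepareStatement(...)` call that follows makes the call hard to read. It should either be deleted or replaced with a comment explaining why generated-key column names are passed instead, e.g. `// request the "id" column explicitly rather than RETURN_GENERATED_KEYS`. The enclosing method starts and ends outside the hunk.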
@@ -416,7 +416,7 @@ public class App { } /** - * Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style + * Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style * file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first * * or ?). * From 54be70672e7d897894d2ea41f81cf3ee19feea14 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Mon, 7 Sep 2015 17:49:11 -0700 Subject: [PATCH 14/16] Replaced Date manipulation with more efficient System call. --- .../owasp/dependencycheck/data/update/EngineVersionCheck.java | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java index 81df9557b..c3ff0b7b5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java @@ -21,7 +21,6 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; -import java.util.Date; import org.apache.commons.io.IOUtils; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; 
@@ -88,7 +87,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
 LOGGER.debug("Begin Engine Version Check");
 final DatabaseProperties properties = cveDB.getDatabaseProperties();
 final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
- final long now = (new Date()).getTime();
+ final long now = System.currentTimeMillis();
 updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
 final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
 LOGGER.debug("Last checked: {}", lastChecked);
From 2689a08026c884fd25a40efc16de75ce23d452aa Mon Sep 17 00:00:00 2001
From: Anthony Whitford
Date: Mon, 7 Sep 2015 17:50:02 -0700
Subject: [PATCH 15/16] Replaced Date manipulation with more efficient System call.
---
 .../owasp/dependencycheck/data/update/CpeUpdater.java | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
index 0f6707488..e773f0f15 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -24,7 +24,6 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
-import java.util.Date;
 import java.util.List;
 import java.util.zip.GZIPInputStream;
 import javax.xml.parsers.ParserConfigurationException;
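Review bot: `Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"))` in the EngineVersionCheck hunk throws NumberFormatException when the stored property is present but not numeric, and no handler is visible in the hunk. `CpeUpdater.updateNeeded()` in this same series guards the equivalent value with `ts.matches("^[0-9]+$")` before parsing. Using the same guard here and falling back to 0, which forces a fresh check, would keep a damaged properties entry from aborting the version check. The same unguarded parse appears in the NvdCveUpdater hunk of patch 16, inside a `try` whose catch clauses are outside that hunk. The enclosing method here also starts and ends outside the hunk.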
@@ -69,8 +68,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource { for (Cpe cpe : cpes) { getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct()); } - final Date now = new Date(); - getProperties().save(LAST_CPE_UPDATE, Long.toString(now.getTime())); + final long now = System.currentTimeMillis(); + getProperties().save(LAST_CPE_UPDATE, Long.toString(now)); LOGGER.info("CPE update complete"); } } finally { @@ -134,14 +133,14 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource { * @return true if the CPE data should be refreshed */ private boolean updateNeeded() { - final Date now = new Date(); + final long now = System.currentTimeMillis(); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30); long timestamp = 0; final String ts = getProperties().getProperty(LAST_CPE_UPDATE); if (ts != null && ts.matches("^[0-9]+$")) { timestamp = Long.parseLong(ts); } - return !DateUtil.withinDateRange(timestamp, now.getTime(), days); + return !DateUtil.withinDateRange(timestamp, now, days); } /** From 96768d852973487cf723fcbcd38bab2e835a2b4e Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Tue, 8 Sep 2015 01:01:13 -0700 Subject: [PATCH 16/16] Replaced Date manipulation with more efficient System call. --- .../org/owasp/dependencycheck/data/update/NvdCveUpdater.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index ef9aa2846..570c542ea 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java 
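Review bot: `updateNeeded()` reads `Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS` with a fallback of 30, while the NvdCveUpdater hunk in patch 16 reads the same key with a fallback of 7. One key with two different defaults is easy to misread, and when the setting is absent it lets the CPE data go a month without a refresh while the CVE data uses a week. If the longer window is intended, a comment such as `// CPE data changes slowly; reuse the CVE validity setting with a longer fallback` would make that explicit. Otherwise both call sites should share one default constant.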
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update; import java.net.MalformedURLException; import java.util.Calendar; -import java.util.Date; import java.util.HashSet; import java.util.Set; import java.util.concurrent.ExecutionException; @@ -214,11 +213,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { if (!getProperties().isEmpty()) { try { final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0")); - final Date now = new Date(); + final long now = System.currentTimeMillis(); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7); if (lastUpdated == updates.getTimeStamp(MODIFIED)) { updates.clear(); //we don't need to update anything. - } else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) { + } else if (DateUtil.withinDateRange(lastUpdated, now, days)) { for (NvdCveInfo entry : updates) { if (MODIFIED.equals(entry.getId())) { entry.setNeedsUpdate(true);