diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
index 6b4caef8e..43528d863 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -51,8 +51,9 @@ import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
/**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
- * the evidence contained within the dependency to search the Lucene index.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts
+ * to discern if there is an associated CPE. It uses the evidence contained
+ * within the dependency to search the Lucene index.
*
* @author Jeremy Long
*/
@@ -71,15 +72,18 @@ public class CPEAnalyzer implements Analyzer {
*/
static final String WEIGHTING_BOOST = "^5";
/**
- * A string representation of a regular expression defining characters utilized within the CPE Names.
+ * A string representation of a regular expression defining characters
+ * utilized within the CPE Names.
*/
static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
/**
- * A string representation of a regular expression used to remove all but alpha characters.
+ * A string representation of a regular expression used to remove all but
+ * alpha characters.
*/
static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
/**
- * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
+ * The additional size to add to a new StringBuilder to account for extra
+ * data that will be written into the string.
*/
static final int STRING_BUILDER_BUFFER = 20;
/**
@@ -129,9 +133,10 @@ public class CPEAnalyzer implements Analyzer {
/**
* Opens the data source.
*
- * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
- * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
- * process.
+ * @throws IOException when the Lucene directory to be queried does not
+ * exist or is corrupt.
+ * @throws DatabaseException when the database throws an exception. This
+ * usually occurs when the database is in use by another process.
*/
public void open() throws IOException, DatabaseException {
if (!isOpen()) {
@@ -170,8 +175,9 @@ public class CPEAnalyzer implements Analyzer {
}
/**
- * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
- * within. The dependency passed in is updated with any identified CPE values.
+ * Searches the data store of CPE entries, trying to identify the CPE for
+ * the given dependency based on the evidence contained within. The
+ * dependency passed in is updated with any identified CPE values.
*
* @param dependency the dependency to search for CPE entries on.
* @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -215,9 +221,10 @@ public class CPEAnalyzer implements Analyzer {
}
/**
- * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
- * confidence). This attempts to prevent duplicate terms from being added.
Note, if the evidence is longer then 200
- * characters it will be truncated.
+ * Returns the text created by concatenating the text and the values from
+ * the EvidenceCollection (filtered for a specific confidence). This
+ * attempts to prevent duplicate terms from being added.
Note, if
+ * the evidence is longer then 200 characters it will be truncated.
*
* @param text the base text.
* @param ec an EvidenceCollection
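Review bot: The rewrapped Javadoc on the new side of this hunk keeps the pre-existing typo `longer then 200` (added line ` * the evidence is longer then 200 characters it will be truncated.`); it should read `longer than 200`. Since the commit is already rewriting these comment lines, fixing the wording here avoids touching the same lines again later. The method this Javadoc describes begins after the hunk, so its name and body are not visible here.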
@@ -248,17 +255,19 @@ public class CPEAnalyzer implements Analyzer {
/**
*
- * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
- * version.
+ * Searches the Lucene CPE index to identify possible CPE entries associated + * with the supplied vendor, product, and version. * *- * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to - * the search.
+ * If either the vendorWeightings or productWeightings lists have been + * populated this data is used to add weighting factors to the search. * * @param vendor the text used to search the vendor field * @param product the text used to search the product field - * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field - * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search + * @param vendorWeightings a list of strings to use to add weighting factors + * to the vendor field + * @param productWeightings Adds a list of strings that will be used to add + * weighting factors to the product search * @return a list of possible CPE values */ protected List- * Builds a Lucene search string by properly escaping data and constructing a valid search query.
+ * Builds a Lucene search string by properly escaping data and constructing + * a valid search query. * *- * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to - * the search string generated.
+ * If either the possibleVendor or possibleProducts lists have been + * populated this data is used to add weighting factors to the search string + * generated. * * @param vendor text to search the vendor field * @param product text to search the product field - * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight - * @param productWeightings a list of strings to apply to the product to boost the terms weight + * @param vendorWeighting a list of strings to apply to the vendor to boost + * the terms weight + * @param productWeightings a list of strings to apply to the product to + * boost the terms weight * @return the Lucene query */ protected String buildSearch(String vendor, String product, 
@@ -327,13 +340,17 @@ public class CPEAnalyzer implements Analyzer { } /** - * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is - * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query. + * This method constructs a Lucene query for a given field. The searchText + * is split into separate words and if the word is within the list of + * weighted words then an additional weighting is applied to the term as it + * is appended into the query. * * @param sb a StringBuilder that the query text will be appended to. - * @param field the field within the Lucene index that the query is searching. + * @param field the field within the Lucene index that the query is + * searching. * @param searchText text used to construct the query. - * @param weightedText a list of terms that will be considered higher importance when searching. + * @param weightedText a list of terms that will be considered higher + * importance when searching. * @return if the append was successful. */ private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Settrue if an identifier was added to the dependency; otherwise false
+ * @param currentConfidence the current confidence being used during
+ * analysis
+ * @return true if an identifier was added to the dependency;
+ * otherwise false
* @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
*/
protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
@@ -512,7 +538,7 @@ public class CPEAnalyzer implements Analyzer {
Confidence bestGuessConf = null;
boolean hasBroadMatch = false;
final List- * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
+ * Downloads the latest NVD CVE XML file from the web and imports it into
+ * the current CVE Database.
 *
- * @throws UpdateException is thrown if there is an error updating the database
+ * @throws UpdateException is thrown if there is an error updating the
+ * database
 */
 @Override
 public void update() throws UpdateException {
@@ -79,7 +81,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(System.currentTimeMillis()));
 if (updateable.isUpdateNeeded()) {
 performUpdate(updateable);
- }
+ }
 }
 } catch (MalformedURLException ex) {
 LOGGER.warn(
@@ -99,12 +101,15 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 }
 /**
- * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
- * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
- * stores the timestamp of the last check.
+ * Checks if the NVD CVE XML files were last checked recently. As an
+ * optimization, we can avoid repetitive checks against the NVD. Setting
+ * CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before
+ * checking again. A database property stores the timestamp of the last
+ * check.
 *
 * @return true to proceed with the check, or false to skip.
- * @throws UpdateException thrown when there is an issue checking for updates.
+ * @throws UpdateException thrown when there is an issue checking for
+ * updates.
 */
 private boolean checkUpdate() throws UpdateException {
 boolean proceed = true;
@@ -146,11 +151,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 }
 /**
- * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
+ * Downloads the latest NVD CVE XML file from the web and imports it into
+ * the current CVE Database.
 *
- * @param updateable a collection of NVD CVE data file references that need to be downloaded and processed to update the
+ * @param updateable a collection of NVD CVE data file references that need
+ * to be downloaded and processed to update the database
+ * @throws UpdateException is thrown if there is an error updating the
 * database
- * @throws UpdateException is thrown if there is an error updating the database
 */
 public void performUpdate(UpdateableNvdCve updateable) throws UpdateException {
 int maxUpdates = 0;
@@ -244,13 +251,18 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 }
 /**
- * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last update
- * date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to be updated.
+ * Determines if the index needs to be updated. This is done by fetching the
+ * NVD CVE meta data and checking the last update date. If the data needs to
+ * be refreshed this method will return the NvdCveUrl for the files that
+ * need to be updated.
 *
 * @return the collection of files that need to be updated
- * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
- * @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
- * @throws UpdateException Is thrown if there is an issue with the last updated properties file
+ * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
+ * data is incorrect
+ * @throws DownloadFailedException is thrown if there is an error.
+ * downloading the NVD CVE download data file
+ * @throws UpdateException Is thrown if there is an issue with the last
+ * updated properties file
 */
 protected final UpdateableNvdCve getUpdatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
 UpdateableNvdCve updates = null;
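Review bot: The rewrapped `@throws DownloadFailedException` description for `getUpdatesNeeded()` on the new side still carries the stray period from the old text (`is thrown if there is an error.` followed by `downloading the NVD CVE download data file`), and the wrap now turns it into two fragments on separate lines; it should read `is thrown if there is an error downloading the NVD CVE download data file`. The following hunk for `retrieveCurrentTimestampsFromWeb()` has the same kind of carried-over defect: `NVD CCE Meta data` looks like a typo for `NVD CVE Meta data` given the surrounding text, and if so it is worth correcting while those lines are being rewrapped. Both Javadoc blocks document methods whose bodies continue past their hunks.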
@@ -314,9 +326,12 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
 * Retrieves the timestamps from the NVD CVE meta data file.
 *
 * @return the timestamp from the currently published nvdcve downloads page
- * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
- * @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
- * @throws InvalidDataException thrown if there is an exception parsing the timestamps
+ * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
+ * is incorrect.
+ * @throws DownloadFailedException thrown if there is an error downloading
+ * the nvd cve meta data file
+ * @throws InvalidDataException thrown if there is an exception parsing the
+ * timestamps
 * @throws InvalidSettingException thrown if the settings are invalid
 */
 private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
index 3d4b2ee26..5be391a27 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
@@ -20,7 +20,8 @@ package org.owasp.dependencycheck.dependency;
 import java.io.Serializable;
 /**
- * An external reference for a vulnerability. This contains a name, URL, and a source.
+ * An external reference for a vulnerability. This contains a name, URL, and a
+ * source.
 *
 * @author Jeremy Long
 */
@@ -99,7 +100,7 @@ public class Reference implements Serializable, Comparable