diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
index 44aae96da..7d6a03b9e 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -464,6 +464,7 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
 /**
 * Determine if the dependency ecosystem is equal in the given dependencies.
 *
+ * @param ecoSystem the ecosystem to validate against
 * @param dependency a dependency to compare
 * @param nextDependency a dependency to compare
 * @return true if the ecosystem is equal in both dependencies; otherwise
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
index c0f5b2dce..9121c2680 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -102,10 +102,10 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException { if (engine.getMode() != Mode.EVIDENCE_COLLECTION) { try { - Settings settings = engine.getSettings(); + final Settings settings = engine.getSettings(); final String[] tmp = settings.getArray(Settings.KEYS.ECOSYSTEM_SKIP_NVDCVE); if (tmp != null) { - List skipEcosystems = Arrays.asList(tmp); + final List skipEcosystems = Arrays.asList(tmp); if (skipEcosystems.contains(DEPENDENCY_ECOSYSTEM) && !settings.getBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED)) { LOGGER.debug("NodePackageAnalyzer enabled without a corresponding vulnerability analyzer"); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java index d3826563a..21059dfe4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java @@ -20,7 +20,6 @@ package org.owasp.dependencycheck.analyzer; import java.util.ArrayList; import java.util.Arrays; import java.util.List; -import java.util.Set; import javax.annotation.concurrent.ThreadSafe; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; @@ -46,7 +45,11 @@ public class NvdCveAnalyzer extends AbstractAnalyzer { * The Logger for use throughout the class */ private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(NvdCveAnalyzer.class); - + /** + * The list of ecosystems to skip during analysis. These are skipped because + * there is generally a more accurate vulnerability analyzer in the + * pipeline. + */ private List skipEcosystems; /** 
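Review bot: The new `final List skipEcosystems = Arrays.asList(tmp);` line still declares a raw `List`; since `tmp` is a `String[]`, `final List<String> skipEcosystems = Arrays.asList(tmp);` gives the `contains` check a typed receiver and removes a rawtypes warning at no cost. The same raw `List` appears on the `private List skipEcosystems;` context line of the NvdCveAnalyzer javadoc hunk on this page, where `List<String>` would match the comment being added. Separately, the branch this guards ends in a debug-level log that, as far as the visible lines show, records Node packages being excluded from NVD matching while the analyzer that would cover them is disabled; if nothing after the hunk escalates that, a warning level would make the loss of vulnerability coverage visible in a normal run. The remainder of prepareFileTypeAnalyzer, including whatever follows the debug call, lies outside the hunk.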
@@ -80,7 +83,7 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
 if (skipEcosystems.contains(dependency.getEcosystem())) {
 return;
 }
-
+ final CveDB cveDB = engine.getDatabase();
 for (Identifier id : dependency.getIdentifiers()) {
 if ("cpe".equals(id.getType())) {
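Review bot: The hoisted `final CveDB cveDB = engine.getDatabase();` is used with no check that the engine actually returned a database; if `getDatabase()` can yield null (for example when the database was never opened for this run), the lookups further down would fail with a NullPointerException instead of a message naming the cause. If that case is possible, a guard such as `if (cveDB == null) { throw new AnalysisException("CVE database is not available"); }` placed right after the new line would surface it; the imports hunk on this page shows AnalysisException is already in scope, though whether this method declares it is not visible here. If the engine guarantees a non-null database, a one-line comment on the new line stating that would save the next reader the same question. The enclosing method begins and ends outside this hunk, so the later uses of `cveDB` are not visible.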