improved logging to assist in resoloving issue #503

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -69,10 +69,11 @@ public class CveDB {
     private ResourceBundle statementBundle = null;
 
     /**
-     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
+     * Creates a new CveDB object and opens the database connection. Note, the
-     * the close method.
+     * connection must be closed by the caller by calling the close method.
      *
-     * @throws DatabaseException thrown if there is an exception opening the database.
+     * @throws DatabaseException thrown if there is an exception opening the
+     * database.
      */
     public CveDB() throws DatabaseException {
         super();
@@ -103,9 +104,11 @@ public class CveDB {
     }
 
     /**
-     * Opens the database connection. If the database does not exist, it will create a new one.
+     * Opens the database connection. If the database does not exist, it will
+     * create a new one.
      *
-     * @throws DatabaseException thrown if there is an error opening the database connection
+     * @throws DatabaseException thrown if there is an error opening the
+     * database connection
      */
     public final void open() throws DatabaseException {
         if (!isOpen()) {
@@ -114,7 +117,8 @@ public class CveDB {
     }
 
     /**
-     * Closes the DB4O database. Close should be called on this object when it is done being used.
+     * Closes the DB4O database. Close should be called on this object when it
+     * is done being used.
      */
     public void close() {
         if (conn != null) {
@@ -165,7 +169,8 @@ public class CveDB {
         super.finalize();
     }
     /**
-     * Database properties object containing the 'properties' from the database table.
+     * Database properties object containing the 'properties' from the database
+     * table.
      */
     private DatabaseProperties databaseProperties;
 
@@ -179,11 +184,13 @@ public class CveDB {
     }
 
     /**
-     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
+     * Searches the CPE entries in the database and retrieves all entries for a
-     * list will include all versions of the product that are registered in the NVD CVE data.
+     * given vendor and product combination. The returned list will include all
+     * versions of the product that are registered in the NVD CVE data.
      *
      * @param vendor the identified vendor name of the dependency being analyzed
-     * @param product the identified name of the product of the dependency being analyzed
+     * @param product the identified name of the product of the dependency being
+     * analyzed
      * @return a set of vulnerable software
      */
     public Set<VulnerableSoftware> getCPEs(String vendor, String product) {
@@ -215,7 +222,8 @@ public class CveDB {
      * Returns the entire list of vendor/product combinations.
      *
      * @return the entire list of vendor/product combinations
-     * @throws DatabaseException thrown when there is an error retrieving the data from the DB
+     * @throws DatabaseException thrown when there is an error retrieving the
+     * data from the DB
      */
     public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
         final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
@@ -438,7 +446,8 @@ public class CveDB {
     }
 
     /**
-     * Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
+     * Updates the vulnerability within the database. If the vulnerability does
+     * not exist it will be added.
      *
      * @param vuln the vulnerability to add to the database
      * @throws DatabaseException is thrown if the database
@@ -565,12 +574,20 @@ public class CveDB {
                 } else {
                     insertSoftware.setString(3, s.getPreviousVersion());
                 }
-                insertSoftware.execute();
+                try {
+                    insertSoftware.execute();
+                } catch (SQLException ex) {
+                    if (ex.getMessage().contains("Duplicate entry")) {
+                        final String msg = String.format("Duplicate software key identified in '%s:%s'", vuln.getName(), s.getName());
+                        LOGGER.debug(msg, ex);
+                    } else {
+                        throw ex;
+                    }
+                }
             }
-
         } catch (SQLException ex) {
             final String msg = String.format("Error updating '%s'", vuln.getName());
-            LOGGER.debug("", ex);
+            LOGGER.debug(msg, ex);
             throw new DatabaseException(msg, ex);
         } finally {
             DBUtils.closeStatement(selectVulnerabilityId);
@@ -623,8 +640,9 @@ public class CveDB {
     }
 
     /**
-     * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
+     * It is possible that orphaned rows may be generated during database
-     * been completed to ensure orphan entries are removed.
+     * updates. This should be called after all updates have been completed to
+     * ensure orphan entries are removed.
      */
     public void cleanupDatabase() {
         PreparedStatement ps = null;
@@ -642,13 +660,17 @@ public class CveDB {
     }
 
     /**
-     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
+     * Determines if the given identifiedVersion is affected by the given cpeId
-     * string passed to the previous version argument indicates that all previous versions are affected.
+     * and previous version flag. A non-null, non-empty string passed to the
+     * previous version argument indicates that all previous versions are
+     * affected.
      *
      * @param vendor the vendor of the dependency being analyzed
      * @param product the product name of the dependency being analyzed
-     * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
+     * @param vulnerableSoftware a map of the vulnerable software with a boolean
-     * @param identifiedVersion the identified version of the dependency being analyzed
+     * indicating if all previous versions are affected
+     * @param identifiedVersion the identified version of the dependency being
+     * analyzed
      * @return true if the identified version is affected, otherwise false
      */
     Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
@@ -715,7 +737,8 @@ public class CveDB {
     }
 
     /**
-     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
+     * Parses the version (including revision) from a CPE identifier. If no
+     * version is identified then a '-' is returned.
      *
      * @param cpeStr a cpe identifier
      * @return a dependency version
@@ -732,7 +755,8 @@ public class CveDB {
     }
 
     /**
-     * Takes a CPE and parses out the version number. If no version is identified then a '-' is returned.
+     * Takes a CPE and parses out the version number. If no version is
+     * identified then a '-' is returned.
      *
      * @param cpe a cpe object
      * @return a dependency version
@@ -771,7 +795,8 @@ public class CveDB {
     }
 
     /**
-     * This method is only referenced in unused code and will likely break on MySQL if ever used due to the MERGE statement.
+     * This method is only referenced in unused code and will likely break on
+     * MySQL if ever used due to the MERGE statement.
      *
      * Merges CPE entries into the database.
      *