bug fixes/checkstyle fixes

src/main/java/org/codesecure/dependencycheck/data/cpe/CPEQuery.java

@@ -258,9 +258,9 @@ public class CPEQuery {
         StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
         for (Evidence e : ec.iterator(confidenceFilter)) {
             String value = e.getValue();
-            if (sb.indexOf(value)<0) {
+            if (sb.indexOf(value) < 0) {
-                if (value.length()>200) {
+                if (value.length() > 200) {
-                    sb.append(value.substring(0,200));
+                    sb.append(value.substring(0, 200));
                 } else {
                     sb.append(value).append(' ');
                 }

src/main/java/org/codesecure/dependencycheck/scanner/AnalyzerService.java

@@ -26,6 +26,7 @@ import java.util.ServiceLoader;
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
 public class AnalyzerService {
+
     private static AnalyzerService service;
     private ServiceLoader<Analyzer> loader;
 

src/main/java/org/codesecure/dependencycheck/scanner/JarAnalyzer.java

@@ -22,11 +22,7 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
-import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashMap;
-import java.util.HashSet;
-import java.util.List;
 import java.util.Map.Entry;
 import java.util.Set;
 import java.util.jar.Attributes;
@@ -52,12 +48,11 @@ import org.codesecure.dependencycheck.utils.Checksum;
  */
 public class JarAnalyzer extends AbstractAnalyzer {
 
-    private final static String ANALYZER_NAME = "Jar Analyzer";
+    private static final String ANALYZER_NAME = "Jar Analyzer";
-    
     /**
      * A list of elements in the manifest to ignore.
      */
-    private final static Set<String> IGNORE_LIST = newHashSet(
+    private static final Set<String> IGNORE_LIST = newHashSet(
             "built-by",
             "created-by",
             "license",
@@ -70,9 +65,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
             "archiver-version",
             "classpath",
             "bundle-manifestversion");
-            
+    /**
-    private final static Set<String> extensions = newHashSet("jar");
+     * The set of file extensions supported by this analyzer.
-    
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("jar");
     /**
      * item in some manifest, should be considered medium confidence.
      */
@@ -91,11 +87,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
     private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
 
     /**
-     * Returns a list of file extensions supported by this analyzer.
+     * Returns a list of file EXTENSIONS supported by this analyzer.
-     * @return a list of file extensions supported by this analyzer.
+     * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
-        return extensions;
+        return EXTENSIONS;
     }
 
     /**
@@ -112,7 +108,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
      * @return whether or not the specified file extension is supported by tihs analyzer.
      */
     public boolean supportsExtension(String extension) {
-        return extensions.contains(extension);
+        return EXTENSIONS.contains(extension);
     }
 
     /**
@@ -187,9 +183,10 @@ public class JarAnalyzer extends AbstractAnalyzer {
                 fileNameEvidence, Evidence.Confidence.HIGH);
         dependency.getVendorEvidence().addEvidence("jar", "file name",
                 fileNameEvidence, Evidence.Confidence.HIGH);
-        dependency.getVersionEvidence().addEvidence("jar", "file name",
+        if (fileNameEvidence.matches(".*\\d.*")) {
-                fileNameEvidence, Evidence.Confidence.HIGH);
+            dependency.getVersionEvidence().addEvidence("jar", "file name",
-
+                    fileNameEvidence, Evidence.Confidence.HIGH);
+        }
         String md5 = null;
         String sha1 = null;
         try {
@@ -206,11 +203,6 @@ public class JarAnalyzer extends AbstractAnalyzer {
         parseManifest(dependency);
         analyzePackageNames(dependency);
 
-        //TODO - can we get "version" information from the filename?  add it as medium confidence?
-        //   strip extension. find first numeric, chop off the first part. consider replacing [_-] with .
-        //dependency.getVersionEvidence().addEvidence("jar", "file name",
-        //                      version from file, Evidence.Confidence.MEDIUM);
-
         return dependency;
     }
 
@@ -389,7 +381,7 @@ public class JarAnalyzer extends AbstractAnalyzer {
 
         EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
         EvidenceCollection titleEvidence = dependency.getTitleEvidence();
-        EvidenceCollection versionEvidence = dependency.getVendorEvidence();
+        EvidenceCollection versionEvidence = dependency.getVersionEvidence();
 
         String source = "Manifest";
 

src/main/java/org/codesecure/dependencycheck/scanner/Scanner.java

@@ -21,14 +21,10 @@ package org.codesecure.dependencycheck.scanner;
 import java.io.File;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
-import java.util.Map;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.codesecure.dependencycheck.utils.Settings;
-import org.codesecure.dependencycheck.utils.Settings.KEYS;
 
 /**
  * Scans files, directories, etc. for Dependencies. Analyzers are loaded and
@@ -62,7 +58,7 @@ public class Scanner {
     private void loadAnalyzers() {
         AnalyzerService service = AnalyzerService.getInstance();
         Iterator<Analyzer> iterator = service.getAnalyzers();
-        while(iterator.hasNext()) {
+        while (iterator.hasNext()) {
             Analyzer a = iterator.next();
             analyzers.add(a);
         }

src/main/java/org/codesecure/dependencycheck/utils/CliParser.java

@@ -135,6 +135,7 @@ public final class CliParser {
             throw new FileNotFoundException("Invalid file argument: " + path);
         }
     }
+
     /**
      * Generates an Options collection that is used to parse the command line
      * and to display the help message.
@@ -156,7 +157,8 @@ public final class CliParser {
                 .withDescription("the name of the application being scanned").create(ArgumentName.APPNAME_SHORT);
 
         Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("the path to scan - this option can be specified multiple times.").create(ArgumentName.SCAN_SHORT);
+                .withDescription("the path to scan - this option can be specified multiple times.")
+                .create(ArgumentName.SCAN_SHORT);
 
         Option load = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.CPE)
                 .withDescription("load the CPE xml file").create(ArgumentName.CPE_SHORT);
@@ -225,11 +227,11 @@ public final class CliParser {
         formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
                 "\n" + Settings.getString("application.name", "DependencyCheck")
                 + " can be used to identify if there are any known CVE vulnerabilities in libraries utillized by an application. "
-                + Settings.getString("application.name", "DependencyCheck") + " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.\n",
+                + Settings.getString("application.name", "DependencyCheck")
+                + " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.\n",
                 options, "", true);
     }
 
-
     /**
      * Retrieves the file command line parameter(s) specified for the 'cpe' argument.
      *
@@ -264,6 +266,7 @@ public final class CliParser {
     public String getApplicationName() {
         return line.getOptionValue(ArgumentName.APPNAME);
     }
+
     /**
      * <p>Prints the manifest information to standard output:</p>
      * <ul><li>Implementation-Title: ${pom.name}</li>
@@ -291,6 +294,7 @@ public final class CliParser {
      * line arguments.
      */
     public static class ArgumentName {
+
         /**
          * The long CLI argument name specifing the directory/file to scan
          */
@@ -347,6 +351,5 @@ public final class CliParser {
          * The short CLI argument name asking for the version.
          */
         public static final String VERSION = "version";
-
     }
 }

src/main/java/org/codesecure/dependencycheck/utils/DownloadFailedException.java

@@ -1,12 +1,27 @@
-/*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
- */
 package org.codesecure.dependencycheck.utils;
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License
+ * along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
 
 import java.io.IOException;
 
 /**
+ * An exception used when a download fails.
  *
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
@@ -14,17 +29,35 @@ public class DownloadFailedException extends IOException {
 
     private static final long serialVersionUID = 1L;
 
+    /**
+     * Creates a new DownloadFailedException.
+     */
     public DownloadFailedException() {
         super();
     }
 
+    /**
+     * Creates a new DownloadFailedException.
+     * @param msg a message for the exception.
+     */
     public DownloadFailedException(String msg) {
         super(msg);
     }
+
+    /**
+     * Creates a new DownloadFailedException.
+     * @param ex the cause of te download failure.
+     */
     public DownloadFailedException(Throwable ex) {
         super(ex);
     }
+
+    /**
+     * Creates a new DownloadFailedException.
+     * @param msg a message for the exception.
+     * @param ex the cause of te download failure.
+     */
     public DownloadFailedException(String msg, Throwable ex) {
-        super(msg,ex);
+        super(msg, ex);
     }
 }

src/main/java/org/codesecure/dependencycheck/utils/Downloader.java

@@ -42,7 +42,6 @@ public class Downloader {
      * Private constructor for utility class.
      */
     private Downloader() {
-
     }
 
     /**
@@ -84,7 +83,7 @@ public class Downloader {
             conn.connect();
         } catch (IOException ex) {
             try {
-                if (conn!=null) {
+                if (conn != null) {
                     conn.disconnect();
                 }
             } finally {

src/main/java/org/codesecure/dependencycheck/utils/Settings.java

@@ -20,9 +20,6 @@ package org.codesecure.dependencycheck.utils;
 
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.Enumeration;
-import java.util.HashMap;
-import java.util.Map;
 import java.util.Properties;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -34,7 +31,6 @@ import java.util.logging.Logger;
  */
 public class Settings {
 
-
     /**
      * The collection of keys used within the properties file.
      */
@@ -60,10 +56,6 @@ public class Settings {
          * The properties key for the path where the OSVDB Lucene Index will be stored.
          */
         public static final String OSVDB_INDEX = "osvdb";
-        /**
-         * The properties key prefix for the analyzer assocations.
-         */
-        public static final String FILE_EXTENSION_ANALYZER_ASSOCIATION_PREFIX = "file.extension.analyzer.association.";
         /**
          * The properties key for the proxy url.
          */
@@ -146,6 +138,7 @@ public class Settings {
     public static int getInt(String key) {
         return Integer.parseInt(Settings.getString(key));
     }
+
     /**
      * Returns a boolean value from the properties file. If the value was specified as a
      * system property or passed in via the -Dprop=value argument - this method

src/test/java/org/codesecure/dependencycheck/scanner/JarAnalyzerTest.java

@@ -53,6 +53,41 @@ public class JarAnalyzerTest {
         assertEquals("89CE9E36AA9A9E03F1450936D2F4F8DD0F961F8B", result.getSha1sum());
         assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
         assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
+        
+        
+        file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
+        
+        result = instance.insepct(file);
+        boolean found = false;
+        for (Evidence e : result.getTitleEvidence()) {
+            if (e.getName().equals("package-title") && e.getValue().equals("org.mortbay.http")) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue("package-title of org.mortbay.http not found in org.mortbay.jetty.jar", found);
+        
+        found = false;
+        for (Evidence e : result.getVendorEvidence()) {
+            if (e.getName().equals("implementation-url") && e.getValue().equals("http://jetty.mortbay.org")) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue("implementation-url of http://jetty.mortbay.org not found in org.mortbay.jetty.jar", found);
+        
+        found = false;
+        for (Evidence e : result.getVersionEvidence()) {
+            if (e.getName().equals("Implementation-Version") && e.getValue().equals("4.2.27")) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);
+        
+        file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
+        result = instance.insepct(file);
+        assertEquals("org.mortbar,jmx.jar has version evidence?",result.getVersionEvidence().size(),0);     
     }
 
     /**