Add ability to flag analyzers as experimental so that they are not always enabled

2026-03-20 00:04:27 +01:00 · 2016-05-14 07:20:53 -04:00
parent 30856f4a4f
commit 6f451736ba
17 changed files with 412 additions and 182 deletions
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -361,6 +361,29 @@ public class Check extends Update {
        this.showSummary = showSummary;
    }
    /**
     * Whether experimental analyzers are enabled.
     */
    private Boolean enableExperimental;
    /**
     * Get the value of enableExperimental.
     *
     * @return the value of enableExperimental
     */
    public Boolean isEnableExperimental() {
        return enableExperimental;
    }
    /**
     * Set the value of enableExperimental.
     *
     * @param enableExperimental new value of enableExperimental
     */
    public void setEnableExperimental(Boolean enableExperimental) {
        this.enableExperimental = enableExperimental;
    }
    /**
     * Whether or not the Jar Analyzer is enabled.
     */
@@ -854,6 +877,7 @@ public class Check extends Update {
        super.populateSettings();
        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -27,7 +27,7 @@ the project's dependencies.
 Configuration: dependency-check Task
 --------------------
-The following properties can be set on the dependency-check-update task.
+The following properties can be set on the dependency-check task.
 Property              | Description                                                                                                                                                                                        | Default Value
 ----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
@@ -43,6 +43,7 @@ proxyPort             | The Proxy Port.
 proxyUsername         | Defines the proxy user name.                                                                                                                                                                       | &nbsp;
 proxyPassword         | Defines the proxy password.                                                                                                                                                                        | &nbsp;
 connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        | &nbsp;
 enableExperimental    | Enable the experimental analyzers.                                                                                                                                                                 | false
 Analyzer Configuration
 ====================
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -280,6 +280,7 @@ public class App {
        final String cveBase12 = cli.getBaseCve12Url();
        final String cveBase20 = cli.getBaseCve20Url();
        final Integer cveValidForHours = cli.getCveValidForHours();
        final boolean experimentalEnabled = cli.isExperimentalEnabled();
        if (propertiesFile != null) {
            try {
@@ -318,6 +319,7 @@ public class App {
        Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
        //File Type Analyzer Settings
        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -58,7 +58,8 @@ public final class CliParser {
     * Parses the arguments passed in and captures the results for later use.
     *
     * @param args the command line arguments
-     * @throws FileNotFoundException is thrown when a 'file' argument does not point to a file that exists.
+     * @throws FileNotFoundException is thrown when a 'file' argument does not
     * point to a file that exists.
     * @throws ParseException is thrown when a Parse Exception occurs.
     */
    public void parse(String[] args) throws FileNotFoundException, ParseException {
@@ -85,9 +86,10 @@ public final class CliParser {
    /**
     * Validates that the command line arguments are valid.
     *
-     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
+     * @throws FileNotFoundException if there is a file specified by either the
-     * exist.
+     * SCAN or CPE command line arguments that does not exist.
-     * @throws ParseException is thrown if there is an exception parsing the command line.
+     * @throws ParseException is thrown if there is an exception parsing the
     * command line.
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isUpdateOnly() || isRunScan()) {
@@ -141,12 +143,14 @@ public final class CliParser {
    }
    /**
-     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
+     * Validates whether or not the path(s) points at a file that exists; if the
-     * FileNotFoundException is thrown.
+     * path(s) does not point to an existing file a FileNotFoundException is
     * thrown.
     *
     * @param paths the paths to validate if they exists
     * @param optType the option being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if one of the paths being validated does not exist.
+     * @throws FileNotFoundException is thrown if one of the paths being
     * validated does not exist.
     */
    private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
        for (String path : paths) {
@@ -155,12 +159,14 @@ public final class CliParser {
    }
    /**
-     * Validates whether or not the path points at a file that exists; if the path does not point to an existing file a
+     * Validates whether or not the path points at a file that exists; if the
-     * FileNotFoundException is thrown.
+     * path does not point to an existing file a FileNotFoundException is
     * thrown.
     *
     * @param path the paths to validate if they exists
     * @param argumentName the argument being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if the path being validated does not exist.
+     * @throws FileNotFoundException is thrown if the path being validated does
     * not exist.
     */
    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
        if (path == null) {
@@ -181,13 +187,11 @@ public final class CliParser {
                        throw new FileNotFoundException(msg);
                    }
                }
-            } else {
+            } else if (!f.exists()) {
                if (!f.exists()) {
                isValid = false;
                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
                throw new FileNotFoundException(msg);
            }
            }
        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
            isValid = false;
            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
@@ -196,7 +200,8 @@ public final class CliParser {
    }
    /**
-     * Generates an Options collection that is used to parse the command line and to display the help message.
+     * Generates an Options collection that is used to parse the command line
     * and to display the help message.
     *
     * @return the command line options used for parsing the command line
     */
@@ -272,6 +277,10 @@ public final class CliParser {
                .desc("The number of hours to wait before checking for new updates from the NVD.")
                .build();
        final Option experimentalEnabled = Option.builder().longOpt(ARGUMENT.EXPERIMENTAL)
                .desc("Enables the experimental analzers.")
                .build();
        //This is an option group because it can be specified more then once.
        final OptionGroup og = new OptionGroup();
        og.addOption(path);
@@ -292,12 +301,14 @@ public final class CliParser {
                .addOption(props)
                .addOption(verboseLog)
                .addOption(suppressionFile)
-                .addOption(cveValidForHours);
+                .addOption(cveValidForHours)
                .addOption(experimentalEnabled);
    }
    /**
-     * Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
+     * Adds the advanced command line options to the given options collection.
-     * display two different help messages.
+     * These are split out for purposes of being able to display two different
     * help messages.
     *
     * @param options a collection of command line arguments
     * @throws IllegalArgumentException thrown if there is an exception
@@ -466,8 +477,10 @@ public final class CliParser {
    }
    /**
-     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
+     * Adds the deprecated command line options to the given options collection.
-     * them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     * These are split out for purposes of not including them in the help
     * message. We need to add the deprecated options so as not to break
     * existing scripts.
     *
     * @param options a collection of command line arguments
     * @throws IllegalArgumentException thrown if there is an exception
@@ -514,7 +527,8 @@ public final class CliParser {
    }
    /**
-     * Returns the symbolic link depth (how deeply symbolic links will be followed).
+     * Returns the symbolic link depth (how deeply symbolic links will be
     * followed).
     *
     * @return the symbolic link depth
     */
@@ -534,7 +548,8 @@ public final class CliParser {
    /**
     * Returns true if the disableJar command line argument was specified.
     *
-     * @return true if the disableJar command line argument was specified; otherwise false
+     * @return true if the disableJar command line argument was specified;
     * otherwise false
     */
    public boolean isJarDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
@@ -543,7 +558,8 @@ public final class CliParser {
    /**
     * Returns true if the disableArchive command line argument was specified.
     *
-     * @return true if the disableArchive command line argument was specified; otherwise false
+     * @return true if the disableArchive command line argument was specified;
     * otherwise false
     */
    public boolean isArchiveDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
@@ -552,7 +568,8 @@ public final class CliParser {
    /**
     * Returns true if the disableNuspec command line argument was specified.
     *
-     * @return true if the disableNuspec command line argument was specified; otherwise false
+     * @return true if the disableNuspec command line argument was specified;
     * otherwise false
     */
    public boolean isNuspecDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
@@ -561,16 +578,19 @@ public final class CliParser {
    /**
     * Returns true if the disableAssembly command line argument was specified.
     *
-     * @return true if the disableAssembly command line argument was specified; otherwise false
+     * @return true if the disableAssembly command line argument was specified;
     * otherwise false
     */
    public boolean isAssemblyDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
    }
    /**
-     * Returns true if the disableBundleAudit command line argument was specified.
+     * Returns true if the disableBundleAudit command line argument was
     * specified.
     *
-     * @return true if the disableBundleAudit command line argument was specified; otherwise false
+     * @return true if the disableBundleAudit command line argument was
     * specified; otherwise false
     */
    public boolean isBundleAuditDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
@@ -579,7 +599,8 @@ public final class CliParser {
    /**
     * Returns true if the disablePyDist command line argument was specified.
     *
-     * @return true if the disablePyDist command line argument was specified; otherwise false
+     * @return true if the disablePyDist command line argument was specified;
     * otherwise false
     */
    public boolean isPythonDistributionDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_DIST);
@@ -588,7 +609,8 @@ public final class CliParser {
    /**
     * Returns true if the disablePyPkg command line argument was specified.
     *
-     * @return true if the disablePyPkg command line argument was specified; otherwise false
+     * @return true if the disablePyPkg command line argument was specified;
     * otherwise false
     */
    public boolean isPythonPackageDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG);
@@ -597,7 +619,8 @@ public final class CliParser {
    /**
     * Returns whether the Ruby gemspec analyzer is disabled.
     *
-     * @return true if the {@link ARGUMENT#DISABLE_RUBYGEMS} command line argument was specified; otherwise false
+     * @return true if the {@link ARGUMENT#DISABLE_RUBYGEMS} command line
     * argument was specified; otherwise false
     */
    public boolean isRubyGemspecDisabled() {
        return (null != line) && line.hasOption(ARGUMENT.DISABLE_RUBYGEMS);
@@ -606,7 +629,8 @@ public final class CliParser {
    /**
     * Returns true if the disableCmake command line argument was specified.
     *
-     * @return true if the disableCmake command line argument was specified; otherwise false
+     * @return true if the disableCmake command line argument was specified;
     * otherwise false
     */
    public boolean isCmakeDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CMAKE);
@@ -615,7 +639,8 @@ public final class CliParser {
    /**
     * Returns true if the disableAutoconf command line argument was specified.
     *
-     * @return true if the disableAutoconf command line argument was specified; otherwise false
+     * @return true if the disableAutoconf command line argument was specified;
     * otherwise false
     */
    public boolean isAutoconfDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF);
@@ -624,7 +649,8 @@ public final class CliParser {
    /**
     * Returns true if the disableComposer command line argument was specified.
     *
-     * @return true if the disableComposer command line argument was specified; otherwise false
+     * @return true if the disableComposer command line argument was specified;
     * otherwise false
     */
    public boolean isComposerDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_COMPOSER);
@@ -633,7 +659,8 @@ public final class CliParser {
    /**
     * Returns true if the disableNexus command line argument was specified.
     *
-     * @return true if the disableNexus command line argument was specified; otherwise false
+     * @return true if the disableNexus command line argument was specified;
     * otherwise false
     */
    public boolean isNexusDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
@@ -642,7 +669,8 @@ public final class CliParser {
    /**
     * Returns true if the disableOpenSSL command line argument was specified.
     *
-     * @return true if the disableOpenSSL command line argument was specified; otherwise false
+     * @return true if the disableOpenSSL command line argument was specified;
     * otherwise false
     */
    public boolean isOpenSSLDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL);
@@ -651,7 +679,8 @@ public final class CliParser {
    /**
     * Returns true if the disableNodeJS command line argument was specified.
     *
-     * @return true if the disableNodeJS command line argument was specified; otherwise false
+     * @return true if the disableNodeJS command line argument was specified;
     * otherwise false
     */
    public boolean isNodeJsDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NODE_JS);
@@ -660,7 +689,8 @@ public final class CliParser {
    /**
     * Returns true if the disableCentral command line argument was specified.
     *
-     * @return true if the disableCentral command line argument was specified; otherwise false
+     * @return true if the disableCentral command line argument was specified;
     * otherwise false
     */
    public boolean isCentralDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL);
@@ -669,7 +699,8 @@ public final class CliParser {
    /**
     * Returns the url to the nexus server if one was specified.
     *
-     * @return the url to the nexus server; if none was specified this will return null;
+     * @return the url to the nexus server; if none was specified this will
     * return null;
     */
    public String getNexusUrl() {
        if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
@@ -680,9 +711,11 @@ public final class CliParser {
    }
    /**
-     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
+     * Returns true if the Nexus Analyzer should use the configured proxy to
     * connect to Nexus; otherwise false is returned.
     *
-     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
+     * @return true if the Nexus Analyzer should use the configured proxy to
     * connect to Nexus; otherwise false
     */
    public boolean isNexusUsesProxy() {
        // If they didn't specify whether Nexus needs to use the proxy, we should
@@ -722,7 +755,8 @@ public final class CliParser {
    }
    /**
-     * Retrieves the file command line parameter(s) specified for the 'scan' argument.
+     * Retrieves the file command line parameter(s) specified for the 'scan'
     * argument.
     *
     * @return the file paths specified on the command line for scan
     */
@@ -731,7 +765,8 @@ public final class CliParser {
    }
    /**
-     * Retrieves the list of excluded file patterns specified by the 'exclude' argument.
+     * Retrieves the list of excluded file patterns specified by the 'exclude'
     * argument.
     *
     * @return the excluded file patterns
     */
@@ -740,7 +775,8 @@ public final class CliParser {
    }
    /**
-     * Returns the directory to write the reports to specified on the command line.
+     * Returns the directory to write the reports to specified on the command
     * line.
     *
     * @return the path to the reports directory.
     */
@@ -749,7 +785,8 @@ public final class CliParser {
    }
    /**
-     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
+     * Returns the path to Mono for .NET Assembly analysis on non-windows
     * systems.
     *
     * @return the path to Mono
     */
@@ -767,7 +804,8 @@ public final class CliParser {
    }
    /**
-     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
+     * Returns the output format specified on the command line. Defaults to HTML
     * if no format was specified.
     *
     * @return the output format name.
     */
@@ -934,9 +972,11 @@ public final class CliParser {
    }
    /**
-     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
+     * Checks if the auto update feature has been disabled. If it has been
     * disabled via the command line this will return false.
     *
-     * @return <code>true</code> if auto-update is allowed; otherwise <code>false</code>
+     * @return <code>true</code> if auto-update is allowed; otherwise
     * <code>false</code>
     */
    public boolean isAutoUpdate() {
        return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
@@ -945,7 +985,8 @@ public final class CliParser {
    /**
     * Checks if the update only flag has been set.
     *
-     * @return <code>true</code> if the update only flag has been set; otherwise <code>false</code>.
+     * @return <code>true</code> if the update only flag has been set; otherwise
     * <code>false</code>.
     */
    public boolean isUpdateOnly() {
        return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
@@ -954,14 +995,16 @@ public final class CliParser {
    /**
     * Checks if the purge NVD flag has been set.
     *
-     * @return <code>true</code> if the purge nvd flag has been set; otherwise <code>false</code>.
+     * @return <code>true</code> if the purge nvd flag has been set; otherwise
     * <code>false</code>.
     */
    public boolean isPurge() {
        return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
    }
    /**
-     * Returns the database driver name if specified; otherwise null is returned.
+     * Returns the database driver name if specified; otherwise null is
     * returned.
     *
     * @return the database driver name if specified; otherwise null is returned
     */
@@ -970,7 +1013,8 @@ public final class CliParser {
    }
    /**
-     * Returns the database driver path if specified; otherwise null is returned.
+     * Returns the database driver path if specified; otherwise null is
     * returned.
     *
     * @return the database driver name if specified; otherwise null is returned
     */
@@ -979,34 +1023,41 @@ public final class CliParser {
    }
    /**
-     * Returns the database connection string if specified; otherwise null is returned.
+     * Returns the database connection string if specified; otherwise null is
     * returned.
     *
-     * @return the database connection string if specified; otherwise null is returned
+     * @return the database connection string if specified; otherwise null is
     * returned
     */
    public String getConnectionString() {
        return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
    }
    /**
-     * Returns the database database user name if specified; otherwise null is returned.
+     * Returns the database database user name if specified; otherwise null is
     * returned.
     *
-     * @return the database database user name if specified; otherwise null is returned
+     * @return the database database user name if specified; otherwise null is
     * returned
     */
    public String getDatabaseUser() {
        return line.getOptionValue(ARGUMENT.DB_NAME);
    }
    /**
-     * Returns the database database password if specified; otherwise null is returned.
+     * Returns the database database password if specified; otherwise null is
     * returned.
     *
-     * @return the database database password if specified; otherwise null is returned
+     * @return the database database password if specified; otherwise null is
     * returned
     */
    public String getDatabasePassword() {
        return line.getOptionValue(ARGUMENT.DB_PASSWORD);
    }
    /**
-     * Returns the additional Extensions if specified; otherwise null is returned.
+     * Returns the additional Extensions if specified; otherwise null is
     * returned.
     *
     * @return the additional Extensions; otherwise null is returned
     */
@@ -1028,7 +1079,17 @@ public final class CliParser {
    }
    /**
-     * A collection of static final strings that represent the possible command line arguments.
+     * Returns true if the experimental analyzers are enabled.
     *
     * @return true if the experimental analyzers are enabled; otherwise false
     */
    public boolean isExperimentalEnabled() {
        return line.hasOption(ARGUMENT.EXPERIMENTAL);
    }
    /**
     * A collection of static final strings that represent the possible command
     * line arguments.
     */
    public static class ARGUMENT {
@@ -1041,50 +1102,61 @@ public final class CliParser {
         */
        public static final String SCAN_SHORT = "s";
        /**
-         * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         * The long CLI argument name specifying that the CPE/CVE/etc. data
         * should not be automatically updated.
         */
        public static final String DISABLE_AUTO_UPDATE = "noupdate";
        /**
-         * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         * The short CLI argument name specifying that the CPE/CVE/etc. data
         * should not be automatically updated.
         */
        public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
        /**
-         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         * The long CLI argument name specifying that only the update phase
         * should be executed; no scan should be run.
         */
        public static final String UPDATE_ONLY = "updateonly";
        /**
-         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         * The long CLI argument name specifying that only the update phase
         * should be executed; no scan should be run.
         */
        public static final String PURGE_NVD = "purge";
        /**
-         * The long CLI argument name specifying the directory to write the reports to.
+         * The long CLI argument name specifying the directory to write the
         * reports to.
         */
        public static final String OUT = "out";
        /**
-         * The short CLI argument name specifying the directory to write the reports to.
+         * The short CLI argument name specifying the directory to write the
         * reports to.
         */
        public static final String OUT_SHORT = "o";
        /**
-         * The long CLI argument name specifying the output format to write the reports to.
+         * The long CLI argument name specifying the output format to write the
         * reports to.
         */
        public static final String OUTPUT_FORMAT = "format";
        /**
-         * The short CLI argument name specifying the output format to write the reports to.
+         * The short CLI argument name specifying the output format to write the
         * reports to.
         */
        public static final String OUTPUT_FORMAT_SHORT = "f";
        /**
-         * The long CLI argument name specifying the name of the project to be scanned.
+         * The long CLI argument name specifying the name of the project to be
         * scanned.
         */
        public static final String PROJECT = "project";
        /**
-         * The long CLI argument name specifying the name of the application to be scanned.
+         * The long CLI argument name specifying the name of the application to
         * be scanned.
         *
         * @deprecated project should be used instead
         */
        @Deprecated
        public static final String APP_NAME = "app";
        /**
-         * The short CLI argument name specifying the name of the application to be scanned.
+         * The short CLI argument name specifying the name of the application to
         * be scanned.
         *
         * @deprecated project should be used instead
         */
@@ -1142,11 +1214,13 @@ public final class CliParser {
         */
        public static final String CONNECTION_TIMEOUT = "connectiontimeout";
        /**
-         * The short CLI argument name for setting the location of an additional properties file.
+         * The short CLI argument name for setting the location of an additional
         * properties file.
         */
        public static final String PROP_SHORT = "P";
        /**
-         * The CLI argument name for setting the location of an additional properties file.
+         * The CLI argument name for setting the location of an additional
         * properties file.
         */
        public static final String PROP = "propertyfile";
        /**
@@ -1170,7 +1244,8 @@ public final class CliParser {
         */
        public static final String CVE_BASE_20 = "cveUrl20Base";
        /**
-         * The short CLI argument name for setting the location of the data directory.
+         * The short CLI argument name for setting the location of the data
         * directory.
         */
        public static final String DATA_DIRECTORY_SHORT = "d";
        /**
@@ -1178,20 +1253,24 @@ public final class CliParser {
         */
        public static final String VERBOSE_LOG = "log";
        /**
-         * The short CLI argument name for setting the location of the data directory.
+         * The short CLI argument name for setting the location of the data
         * directory.
         */
        public static final String VERBOSE_LOG_SHORT = "l";
        /**
-         * The CLI argument name for setting the depth of symbolic links that will be followed.
+         * The CLI argument name for setting the depth of symbolic links that
         * will be followed.
         */
        public static final String SYM_LINK_DEPTH = "symLink";
        /**
-         * The CLI argument name for setting the location of the suppression file.
+         * The CLI argument name for setting the location of the suppression
         * file.
         */
        public static final String SUPPRESSION_FILE = "suppression";
        /**
-         * The CLI argument name for setting the location of the suppression file.
+         * The CLI argument name for setting the location of the suppression
         * file.
         */
        public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
        /**
@@ -1259,7 +1338,8 @@ public final class CliParser {
         */
        public static final String NEXUS_URL = "nexus";
        /**
-         * Whether or not the defined proxy should be used when connecting to Nexus.
+         * Whether or not the defined proxy should be used when connecting to
         * Nexus.
         */
        public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
        /**
@@ -1279,11 +1359,13 @@ public final class CliParser {
         */
        public static final String DB_DRIVER = "dbDriverName";
        /**
-         * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
+         * The CLI argument name for setting the path to the database driver; in
         * case it is not on the class path.
         */
        public static final String DB_DRIVER_PATH = "dbDriverPath";
        /**
-         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+         * The CLI argument name for setting the path to mono for .NET Assembly
         * analysis on non-windows systems.
         */
        public static final String PATH_TO_MONO = "mono";
        /**
@@ -1295,8 +1377,13 @@ public final class CliParser {
         */
        public static final String EXCLUDE = "exclude";
        /**
-         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+         * The CLI argument name for setting the path to bundle-audit for Ruby
         * bundle analysis.
         */
        public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
        /**
         * The CLI argument to enable the experimental analyzers.
         */
        private static final String EXPERIMENTAL = "enableExperimental";
    }
 }
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -18,7 +18,7 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requir
       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
 \-v   | \-\-version           |                 | Print the version information. | Optional
       | \-\-cveValidForHours  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
-
+       | \-\-experimental      |                 | Enable the experimental analyzers. | Optional
 Advanced Options
 ================
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -126,9 +126,8 @@ public class Engine implements FileFilter {
        }
        final AnalyzerService service = new AnalyzerService(serviceClassLoader);
-        final Iterator<Analyzer> iterator = service.getAnalyzers();
+        final List<Analyzer> iterator = service.getAnalyzers();
-        while (iterator.hasNext()) {
+        for (Analyzer a : iterator) {
            final Analyzer a = iterator.next();
            analyzers.get(a.getAnalysisPhase()).add(a);
            if (a instanceof FileTypeAnalyzer) {
                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -17,8 +17,13 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.LoggerFactory;
 /**
 * The Analyzer Service Loader. This class loads all services that implement
@@ -27,11 +32,15 @@ import java.util.ServiceLoader;
 * @author Jeremy Long
 */
 public class AnalyzerService {
    /**
     * The Logger for use throughout the class.
     */
    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(AnalyzerService.class);
    /**
     * The service loader for analyzers.
     */
-    private final ServiceLoader<Analyzer> loader;
+    private final ServiceLoader<Analyzer> service;
    /**
     * Creates a new instance of AnalyzerService.
@@ -39,15 +48,31 @@ public class AnalyzerService {
     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
    public AnalyzerService(ClassLoader classLoader) {
-        loader = ServiceLoader.load(Analyzer.class, classLoader);
+        service = ServiceLoader.load(Analyzer.class, classLoader);
    }
    /**
-     * Returns an Iterator for all instances of the Analyzer interface.
+     * Returns a list of all instances of the Analyzer interface.
     *
-     * @return an iterator of Analyzers.
+     * @return a list of Analyzers.
     */
-    public Iterator<Analyzer> getAnalyzers() {
+    public List<Analyzer> getAnalyzers() {
-        return loader.iterator();
+        List<Analyzer> analyzers = new ArrayList<Analyzer>();
        final Iterator<Analyzer> iterator = service.iterator();
        boolean experimentalEnabled = false;
        try {
            experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
        } catch (InvalidSettingException ex) {
            LOGGER.error("invalide experimental setting", ex);
        }
        while (iterator.hasNext()) {
            final Analyzer a = iterator.next();
            if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
                continue;
            }
            LOGGER.debug("Loaded Analyzer {}", a.getName());
            analyzers.add(a);
        }
        return analyzers;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -42,6 +42,7 @@ import java.util.regex.Pattern;
 * @author Dale Visser
 * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
 */
@Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -49,6 +49,7 @@ import java.util.regex.Pattern;
 *
 * @author Dale Visser
 */
@Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
@@ -0,0 +1,34 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 /**
 * Annotation used to flag an analyzer as experimental.
 *
 * @author jeremy long
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
 public @interface Experimental {
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -45,6 +45,7 @@ import javax.json.JsonValue;
 *
 * @author Dale Visser
 */
@Experimental
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
    /**
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -63,13 +63,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 # file type analyzer settings:
 analyzer.archive.enabled=true
 analyzer.jar.enabled=true
 analyzer.nuspec.enabled=true
 analyzer.assembly.enabled=true
 analyzer.composer.lock.enabled=true
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
 analyzer.nexus.url=https://repository.sonatype.org/service/local/
@@ -87,7 +80,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
-
+analyzer.experimental.enabled=false
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
@@ -18,9 +18,12 @@
 package org.owasp.dependencycheck.analyzer;
 import java.util.Iterator;
 import java.util.List;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 *
@@ -34,15 +37,42 @@ public class AnalyzerServiceTest extends BaseDBTestCase {
    @Test
    public void testGetAnalyzers() {
        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
-        Iterator<Analyzer> result = instance.getAnalyzers();
+        List<Analyzer> result = instance.getAnalyzers();
        boolean found = false;
-        while (result.hasNext()) {
+        for (Analyzer a : result) {
            Analyzer a = result.next();
            if ("Jar Analyzer".equals(a.getName())) {
                found = true;
            }
        }
        assertTrue("JarAnalyzer loaded", found);
    }
    /**
     * Test of getAnalyzers method, of class AnalyzerService.
     */
    @Test
    public void testGetExperimentalAnalyzers() {
        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
        List<Analyzer> result = instance.getAnalyzers();
        String experimental = "CMake Analyzer";
        boolean found = false;
        for (Analyzer a : result) {
            if (experimental.equals(a.getName())) {
                found = true;
            }
        }
        assertFalse("Experimental analyzer loaded when set to false", found);
        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, true);
        result = instance.getAnalyzers();
        found = false;
        for (Analyzer a : result) {
            if (experimental.equals(a.getName())) {
                found = true;
            }
        }
        assertTrue("Experimental analyzer not loaded when set to true", found);
    }
 }
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -58,12 +58,6 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 cpe.validfordays=30
 cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
 # file type analyzer settings:
 analyzer.archive.enabled=true
 analyzer.jar.enabled=true
 analyzer.nuspec.enabled=true
 analyzer.assembly.enabled=true
 analyzer.composer.lock.enabled=true
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
@@ -82,7 +76,7 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
-
+analyzer.experimental.enabled=true
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java
@@ -94,24 +94,32 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @Parameter(defaultValue = "${project.build.directory}", required = true)
    private File outputDirectory;
    /**
-     * Specifies the destination directory for the generated Dependency-Check report. This generally maps to "target/site".
+     * Specifies the destination directory for the generated Dependency-Check
     * report. This generally maps to "target/site".
     */
    @Parameter(property = "project.reporting.outputDirectory", required = true)
    private File reportOutputDirectory;
    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
+     * Specifies if the build should be failed if a CVSS score above a specified
-     * means since the CVSS scores are 0-10, by default the build will never fail.
+     * level is identified. The default is 11 which means since the CVSS scores
     * are 0-10, by default the build will never fail.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
    private float failBuildOnCVSS = 11;
    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * is true.
+     * recommended that this be turned to false. Default is true.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "autoUpdate")
    private Boolean autoUpdate;
    /**
     * Sets whether Experimental analyzers are enabled. Default is false.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "enableExperimental")
    private Boolean enableExperimental;
    /**
     * Generate aggregate reports in multi-module projects.
     *
@@ -121,8 +129,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @Deprecated
    private Boolean aggregate;
    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
+     * The report format to be generated (HTML, XML, VULN, ALL). This
-     * Site plug-in unless the externalReport is set to true. Default is HTML.
+     * configuration option has no affect if using this within the Site plug-in
     * unless the externalReport is set to true. Default is HTML.
     */
    @SuppressWarnings("CanBeFinal")
    @Parameter(property = "format", defaultValue = "HTML", required = true)
@@ -234,7 +243,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    private Boolean nexusAnalyzerEnabled;
    /**
-     * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
+     * The URL of a Nexus server's REST API end point
     * (http://domain/nexus/service/local).
     */
    @Parameter(property = "nexusUrl", required = false)
    private String nexusUrl;
@@ -268,7 +278,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
    private String databaseDriverPath;
    /**
-     * The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
+     * The server id in the settings.xml; used to retrieve encrypted passwords
     * from the settings.xml.
     */
    @Parameter(property = "serverId", defaultValue = "", required = false)
    private String serverId;
@@ -293,7 +304,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @Parameter(property = "databasePassword", defaultValue = "", required = false)
    private String databasePassword;
    /**
-     * A comma-separated list of file extensions to add to analysis next to jar, zip, ....
+     * A comma-separated list of file extensions to add to analysis next to jar,
     * zip, ....
     */
    @Parameter(property = "zipExtensions", required = false)
    private String zipExtensions;
@@ -347,7 +359,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    @Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
    private String cveUrl20Base;
    /**
-     * Optionally skip excessive CVE update checks for a designated duration in hours.
+     * Optionally skip excessive CVE update checks for a designated duration in
     * hours.
     */
    @Parameter(property = "cveValidForHours", defaultValue = "", required = false)
    private Integer cveValidForHours;
@@ -382,7 +395,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    /**
     * Executes dependency-check.
     *
-     * @throws MojoExecutionException thrown if there is an exception executing the mojo
+     * @throws MojoExecutionException thrown if there is an exception executing
     * the mojo
     * @throws MojoFailureException thrown if dependency-check failed the build
     */
    @Override
@@ -398,8 +412,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Checks if the aggregate configuration parameter has been set to true. If it has a MojoExecutionException is thrown because
+     * Checks if the aggregate configuration parameter has been set to true. If
-     * the aggregate configuration parameter is no longer supported.
+     * it has a MojoExecutionException is thrown because the aggregate
     * configuration parameter is no longer supported.
     *
     * @throws MojoExecutionException thrown if aggregate is set to true
     */
@@ -417,7 +432,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     * @param sink the sink to write the report to
     * @param locale the locale to use when generating the report
     * @throws MavenReportException if a maven report exception occurs
-     * @deprecated use {@link #generate(org.apache.maven.doxia.sink.Sink, java.util.Locale)} instead.
+     * @deprecated use
     * {@link #generate(org.apache.maven.doxia.sink.Sink, java.util.Locale)}
     * instead.
     */
    @Override
    @Deprecated
@@ -464,17 +481,20 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Returns the correct output directory depending on if a site is being executed or not.
+     * Returns the correct output directory depending on if a site is being
     * executed or not.
     *
     * @return the directory to write the report(s)
-     * @throws MojoExecutionException thrown if there is an error loading the file path
+     * @throws MojoExecutionException thrown if there is an error loading the
     * file path
     */
    protected File getCorrectOutputDirectory() throws MojoExecutionException {
        return getCorrectOutputDirectory(this.project);
    }
    /**
-     * Returns the correct output directory depending on if a site is being executed or not.
+     * Returns the correct output directory depending on if a site is being
     * executed or not.
     *
     * @param current the Maven project to get the output directory from
     * @return the directory to write the report(s)
@@ -492,7 +512,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Returns the correct output directory depending on if a site is being executed or not.
+     * Returns the correct output directory depending on if a site is being
     * executed or not.
     *
     * @param current the Maven project to get the output directory from
     * @return the directory to write the report(s)
@@ -507,16 +528,15 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                final File f = new File((String) obj);
                return f;
            }
-        } else {
+        } else if (getLog().isDebugEnabled()) {
            if (getLog().isDebugEnabled()) {
            getLog().debug("Context value not found");
        }
        }
        return null;
    }
    /**
-     * Scans the project's artifacts and adds them to the engine's dependency list.
+     * Scans the project's artifacts and adds them to the engine's dependency
     * list.
     *
     * @param project the project to scan the dependencies of
     * @param engine the engine to use to scan the dependencies
@@ -539,8 +559,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                                    d.getDisplayFileName()));
                        }
                    }
-                } else {
+                } else if (getLog().isDebugEnabled()) {
                    if (getLog().isDebugEnabled()) {
                    final String msg = String.format("More then 1 dependency was identified in first pass scan of '%s:%s:%s'",
                            a.getGroupId(), a.getArtifactId(), a.getVersion());
                    getLog().debug(msg);
@@ -548,13 +567,14 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
            }
        }
    }
    }
    /**
     * Executes the dependency-check scan and generates the necassary report.
     *
-     * @throws MojoExecutionException thrown if there is an exception running the scan
+     * @throws MojoExecutionException thrown if there is an exception running
-     * @throws MojoFailureException thrown if dependency-check is configured to fail the build
+     * the scan
     * @throws MojoFailureException thrown if dependency-check is configured to
     * fail the build
     */
    public abstract void runCheck() throws MojoExecutionException, MojoFailureException;
@@ -588,7 +608,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Returns whether this is an external report. This method always returns true.
+     * Returns whether this is an external report. This method always returns
     * true.
     *
     * @return <code>true</code>
     */
@@ -640,8 +661,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
+     * Takes the properties supplied and updates the dependency-check settings.
-     * required to change the proxy url, port, and connection timeout.
+     * Additionally, this sets the system properties required to change the
     * proxy url, port, and connection timeout.
     */
    protected void populateSettings() {
        Settings.initialize();
@@ -667,6 +689,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
        }
        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
        if (externalReport != null) {
            getLog().warn("The 'externalReport' option was set; this configuration option has been removed. "
                    + "Please update the dependency-check-maven plugin's configuration");
@@ -795,10 +819,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Tests is the artifact should be included in the scan (i.e. is the dependency in a scope that is being scanned).
+     * Tests is the artifact should be included in the scan (i.e. is the
     * dependency in a scope that is being scanned).
     *
     * @param a the Artifact to test
-     * @return <code>true</code> if the artifact is in an excluded scope; otherwise <code>false</code>
+     * @return <code>true</code> if the artifact is in an excluded scope;
     * otherwise <code>false</code>
     */
    protected boolean excludeFromScan(Artifact a) {
        if (skipTestScope && Artifact.SCOPE_TEST.equals(a.getScope())) {
@@ -814,10 +840,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Returns a reference to the current project. This method is used instead of auto-binding the project via component
+     * Returns a reference to the current project. This method is used instead
-     * annotation in concrete implementations of this. If the child has a <code>@Component MavenProject project;</code> defined
+     * of auto-binding the project via component annotation in concrete
-     * then the abstract class (i.e. this class) will not have access to the current project (just the way Maven works with the
+     * implementations of this. If the child has a
-     * binding).
+     * <code>@Component MavenProject project;</code> defined then the abstract
     * class (i.e. this class) will not have access to the current project (just
     * the way Maven works with the binding).
     *
     * @return returns a reference to the current project
     */
@@ -886,11 +914,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    //<editor-fold defaultstate="collapsed" desc="Methods to fail build or show summary">
    /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * Checks to see if a vulnerability has been identified with a CVSS score
-     * configuration.
+     * that is above the threshold set in the configuration.
     *
     * @param dependencies the list of dependency objects
-     * @throws MojoFailureException thrown if a CVSS score is found that is higher then the threshold set
+     * @throws MojoFailureException thrown if a CVSS score is found that is
     * higher then the threshold set
     */
    protected void checkForFailure(List<Dependency> dependencies) throws MojoFailureException {
        if (failBuildOnCVSS <= 10) {
@@ -919,7 +948,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
     * associated CPE and CVE entries.
     *
     * @param mp the Maven project for which the summary is shown
     * @param dependencies a list of dependency objects
@@ -963,8 +993,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="Methods to read/write the serialized data file">
    /**
-     * Returns the key used to store the path to the data file that is saved by <code>writeDataFile()</code>. This key is used in
+     * Returns the key used to store the path to the data file that is saved by
-     * the <code>MavenProject.(set|get)ContextValue</code>.
+     * <code>writeDataFile()</code>. This key is used in the
     * <code>MavenProject.(set|get)ContextValue</code>.
     *
     * @return the key used to store the path to the data file
     */
@@ -973,8 +1004,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Returns the key used to store the path to the output directory. When generating the report in the
+     * Returns the key used to store the path to the output directory. When
-     * <code>executeAggregateReport()</code> the output directory should be obtained by using this key.
+     * generating the report in the <code>executeAggregateReport()</code> the
     * output directory should be obtained by using this key.
     *
     * @return the key used to store the path to the output directory
     */
@@ -983,7 +1015,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Writes the scan data to disk. This is used to serialize the scan data between the "check" and "aggregate" phase.
+     * Writes the scan data to disk. This is used to serialize the scan data
     * between the "check" and "aggregate" phase.
     *
     * @param mp the mMven project for which the data file was created
     * @param writeTo the directory to write the data file
@@ -1037,12 +1070,12 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
    }
    /**
-     * Reads the serialized scan data from disk. This is used to serialize the scan data between the "check" and "aggregate"
+     * Reads the serialized scan data from disk. This is used to serialize the
-     * phase.
+     * scan data between the "check" and "aggregate" phase.
     *
     * @param project the Maven project to read the data file from
-     * @return a <code>Engine</code> object populated with dependencies if the serialized data file exists; otherwise
+     * @return a <code>Engine</code> object populated with dependencies if the
-     * <code>null</code> is returned
+     * serialized data file exists; otherwise <code>null</code> is returned
     */
    protected List<Dependency> readDataFile(MavenProject project) {
        final Object oPath = project.getContextValue(this.getDataFileContextKey());
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
@@ -21,10 +21,11 @@ format               | The report format to be generated (HTML, XML, VULN, ALL).
 name                 | The name of the report in the site | dependency-check or dependency-check:aggregate
 outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
 skip                 | Skips the dependency-check analysis                       | false
-skipTestScope        | Should be skip analysis for artifacts with Test Scope     | true
+skipTestScope        | Skip analysis for artifacts with Test Scope               | true
-skipProvidedScope    | Should be skip analysis for artifacts with Provided Scope | false
+skipProvidedScope    | Skip analysis for artifacts with Provided Scope           | false
-skipRuntimeScope     | Should be skip analysis for artifacts with Runtime Scope  | false
+skipRuntimeScope     | Skip analysis for artifacts with Runtime Scope            | false
 suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) | &nbsp;
 enableExperimental   | Enable the experimental analyzers                         | false
 Analyzer Configuration
 ====================
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -189,6 +189,10 @@ public final class Settings {
         * The properties key for whether the Jar Analyzer is enabled.
         */
        public static final String ANALYZER_JAR_ENABLED = "analyzer.jar.enabled";
        /**
         * The properties key for whether experimental analyzers are loaded.
         */
        public static final String ANALYZER_EXPERIMENTAL_ENABLED = "analyzer.experimental.enabled";
        /**
         * The properties key for whether the Archive analyzer is enabled.
         */
@@ -309,7 +313,7 @@ public final class Settings {
    /**
     * Thread local settings.
     */
-    private static ThreadLocal<Settings> localSettings = new ThreadLocal<Settings>();
+    private static final ThreadLocal<Settings> LOCAL_SETTINGS = new ThreadLocal<Settings>();
    /**
     * The properties.
     */
@@ -346,7 +350,7 @@ public final class Settings {
     * also call Settings.cleanup() to properly release resources.
     */
    public static void initialize() {
-        localSettings.set(new Settings(PROPERTIES_FILE));
+        LOCAL_SETTINGS.set(new Settings(PROPERTIES_FILE));
    }
    /**
@@ -356,7 +360,7 @@ public final class Settings {
     * @param propertiesFilePath the path to the base properties file to load
     */
    public static void initialize(String propertiesFilePath) {
-        localSettings.set(new Settings(propertiesFilePath));
+        LOCAL_SETTINGS.set(new Settings(propertiesFilePath));
    }
    /**
@@ -385,7 +389,7 @@ public final class Settings {
            }
        }
        try {
-            localSettings.remove();
+            LOCAL_SETTINGS.remove();
        } catch (Throwable ex) {
            LOGGER.debug("Error cleaning up Settings", ex);
        }
@@ -397,7 +401,7 @@ public final class Settings {
     * @return the Settings object
     */
    public static Settings getInstance() {
-        return localSettings.get();
+        return LOCAL_SETTINGS.get();
    }
    /**
@@ -406,7 +410,7 @@ public final class Settings {
     * @param instance the instance of the settings object to use in this thread
     */
    public static void setInstance(Settings instance) {
-        localSettings.set(instance);
+        LOCAL_SETTINGS.set(instance);
    }
    /**
@@ -452,7 +456,7 @@ public final class Settings {
     * @param value the value for the property
     */
    public static void setString(String key, String value) {
-        localSettings.get().props.setProperty(key, value);
+        LOCAL_SETTINGS.get().props.setProperty(key, value);
        LOGGER.debug("Setting: {}='{}'", key, value);
    }
@@ -509,7 +513,7 @@ public final class Settings {
     * @param value the value for the property
     */
    public static void setInt(String key, int value) {
-        localSettings.get().props.setProperty(key, String.valueOf(value));
+        LOCAL_SETTINGS.get().props.setProperty(key, String.valueOf(value));
        LOGGER.debug("Setting: {}='{}'", key, value);
    }
@@ -584,8 +588,8 @@ public final class Settings {
     * @throws IOException is thrown when there is an exception loading/merging the properties
     */
    public static void mergeProperties(InputStream stream) throws IOException {
-        localSettings.get().props.load(stream);
+        LOCAL_SETTINGS.get().props.load(stream);
-        logProperties("Properties updated via merge", localSettings.get().props);
+        logProperties("Properties updated via merge", LOCAL_SETTINGS.get().props);
    }
    /**
@@ -665,7 +669,7 @@ public final class Settings {
     * @return the property from the properties file
     */
    public static String getString(String key, String defaultValue) {
-        final String str = System.getProperty(key, localSettings.get().props.getProperty(key, defaultValue));
+        final String str = System.getProperty(key, LOCAL_SETTINGS.get().props.getProperty(key, defaultValue));
        return str;
    }
@@ -699,7 +703,7 @@ public final class Settings {
     * @return the property from the properties file
     */
    public static String getString(String key) {
-        return System.getProperty(key, localSettings.get().props.getProperty(key));
+        return System.getProperty(key, LOCAL_SETTINGS.get().props.getProperty(key));
    }
    /**
@@ -708,7 +712,7 @@ public final class Settings {
     * @param key the property key to remove
     */
    public static void removeProperty(String key) {
-        localSettings.get().props.remove(key);
+        LOCAL_SETTINGS.get().props.remove(key);
    }
    /**