words;
/**
- * Constructs a new TokenPairConcatenatingFilter
+ * Constructs a new TokenPairConcatenatingFilter.
+ *
* @param stream the TokenStream that this filter will process
*/
public TokenPairConcatenatingFilter(TokenStream stream) {
@@ -60,14 +75,14 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
//collect all the terms into the words collection
while (input.incrementToken()) {
- String word = new String(termAtt.buffer(), 0, termAtt.length());
+ final String word = new String(termAtt.buffer(), 0, termAtt.length());
words.add(word);
}
//if we have a previousTerm - write it out as its own token concatenated
// with the current word (if one is available).
if (previousWord != null && words.size() > 0) {
- String word = words.getFirst();
+ final String word = words.getFirst();
clearAttributes();
termAtt.append(previousWord).append(word);
posIncAtt.setPositionIncrement(0);
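Review bot: `new String(termAtt.buffer(), 0, termAtt.length())` on the newly `final` line copies the term by hand when `termAtt.toString()` already yields exactly that text — CharTermAttribute is a CharSequence whose toString() is documented to return only the term — so the line can read `final String word = termAtt.toString();`. The same construct appears in the VersionTokenizingFilter incrementToken hunk further down in this diff. incrementToken begins before and ends after this hunk.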
@@ -76,7 +91,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
//if we have words, write it out as a single token
if (words.size() > 0) {
- String word = words.removeFirst();
+ final String word = words.removeFirst();
clearAttributes();
termAtt.append(word);
previousWord = word;
@@ -86,9 +101,10 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
}
/**
- * Resets the Filter and clears any internal state data that may
- * have been left-over from previous uses of the Filter.
- * If this Filter is re-used this method must be called between uses.
+ * Resets the Filter and clears any internal state data that may have
+ * been left-over from previous uses of the Filter.
+ * If this Filter is re-used this method must be called between
+ * uses.
*/
public void clear() {
previousWord = null;
diff --git a/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java b/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
index 45dac78c4..346c8db53 100644
--- a/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
@@ -40,12 +40,13 @@ public class VersionAnalyzer extends Analyzer {
// http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
/**
- * The Lucene Version used
+ * The Lucene Version used.
*/
- private Version version = null;
+ private Version version;
/**
- * Creates a new VersionAnalyzer
+ * Creates a new VersionAnalyzer.
+ *
* @param version the Lucene version
*/
public VersionAnalyzer(Version version) {
@@ -61,7 +62,7 @@ public class VersionAnalyzer extends Analyzer {
*/
@Override
protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
- Tokenizer source = new WhitespaceTokenizer(version, reader);
+ final Tokenizer source = new WhitespaceTokenizer(version, reader);
TokenStream stream = source;
stream = new LowerCaseFilter(version, stream);
return new TokenStreamComponents(source, stream);
diff --git a/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java b/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
index 22da1ab66..812fce5c8 100644
--- a/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
+++ b/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
@@ -25,21 +25,27 @@ import org.apache.lucene.analysis.TokenStream;
import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
/**
- * Takes a TokenStream and splits or adds tokens to correctly index version numbers.
- * Example: "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".
+ * Takes a TokenStream and splits or adds tokens to correctly index version
+ * numbers.
+ * Example: "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
+ * 3.0.0.RELEASE".
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public final class VersionTokenizingFilter extends TokenFilter {
+ /**
+ * The char term attribute.
+ */
private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
/**
* A collection of tokens to add to the stream.
*/
- protected LinkedList tokens = null;
+ private LinkedList tokens;
/**
- * Constructs a new VersionTokenizingFilter
+ * Constructs a new VersionTokenizingFilter.
+ *
* @param stream the TokenStream that this filter will process
*/
public VersionTokenizingFilter(TokenStream stream) {
@@ -58,8 +64,8 @@ public final class VersionTokenizingFilter extends TokenFilter {
@Override
public boolean incrementToken() throws IOException {
if (tokens.size() == 0 && input.incrementToken()) {
- String version = new String(termAtt.buffer(), 0, termAtt.length());
- String[] toAnalyze = version.split("[_-]");
+ final String version = new String(termAtt.buffer(), 0, termAtt.length());
+ final String[] toAnalyze = version.split("[_-]");
if (toAnalyze.length > 1) { //ensure we analyze the whole string as one too
analyzeVersion(version);
}
@@ -72,23 +78,34 @@ public final class VersionTokenizingFilter extends TokenFilter {
/**
* Adds a term, if one exists, from the tokens collection.
+ *
* @return whether or not a new term was added
*/
private boolean addTerm() {
- boolean termAdded = tokens.size() > 0;
+ final boolean termAdded = tokens.size() > 0;
if (termAdded) {
- String version = tokens.pop();
+ final String version = tokens.pop();
clearAttributes();
termAtt.append(version);
}
return termAdded;
}
- //major.minor[.maintenance[.build]]
+ /**
+ * Analyzes the version and adds several copies of the version as
+ * different tokens. For example, the version 1.2.7 would create the tokens
+ * 1 1.2 1.2.7. This is useful in discovering the correct version -
+ * sometimes a maintenance or build number will throw off the version
+ * identification.
+ *
+ * expected format:&nbps;major.minor[.maintenance[.build]]
+ *
+ * @param version the version to analyze
+ */
private void analyzeVersion(String version) {
//todo should we also be splitting on dash or underscore? we would need
// to incorporate the dash or underscore back in...
- String[] versionParts = version.split("\\.");
+ final String[] versionParts = version.split("\\.");
String dottedVersion = null;
for (String current : versionParts) {
if (!current.matches("^/d+$")) {
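Review bot: The guard `if (!current.matches("^/d+$"))` on the last line of the hunk uses a forward slash, so the pattern matches a literal `/` followed by one or more `d` characters and never a run of digits; it should be `if (!current.matches("^\\d+$")) {`. As written every numeric part of the version takes the not-a-number branch; the rest of analyzeVersion is outside the hunk, so I cannot see what that branch does, but the split into `1 1.2 1.2.7` promised by the new Javadoc is unlikely to come out of it. Because `String.matches` recompiles the expression on every call and this runs once per version part, a `private static final Pattern` would be the idiomatic form. Separately, `&nbps;` in the added Javadoc is not an HTML entity (`&nbsp;` was meant) and javadoc will reject it.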
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
index 57ed1fe96..5d5f94e61 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
@@ -25,6 +25,10 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
class CorruptDatabaseException extends DatabaseException {
+
+ /**
+ * the serial version uid.
+ */
private static final long serialVersionUID = 1L;
/**
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index 6a70538d2..c57562adb 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -48,131 +48,131 @@ public class CveDB {
//
/**
- * SQL Statement to create an index on the reference table
+ * SQL Statement to create an index on the reference table.
*/
public static final String CREATE_INDEX_IDXREFERENCE = "CREATE INDEX IF NOT EXISTS idxReference ON reference(cveid)";
/**
- * SQL Statement to create an index on the software for finding CVE entries based on CPE data
+ * SQL Statement to create an index on the software for finding CVE entries based on CPE data.
*/
public static final String CREATE_INDEX_IDXSOFTWARE = "CREATE INDEX IF NOT EXISTS idxSoftware ON software(product, vendor, version)";
/**
- * SQL Statement to create an index for retrieving software by CVEID
+ * SQL Statement to create an index for retrieving software by CVEID.
*/
public static final String CREATE_INDEX_IDXSOFTWARECVE = "CREATE INDEX IF NOT EXISTS idxSoftwareCve ON software(cveid)";
/**
- * SQL Statement to create an index on the vulnerability table
+ * SQL Statement to create an index on the vulnerability table.
*/
public static final String CREATE_INDEX_IDXVULNERABILITY = "CREATE INDEX IF NOT EXISTS idxVulnerability ON vulnerability(cveid)";
/**
- * SQL Statement to create the reference table
+ * SQL Statement to create the reference table.
*/
public static final String CREATE_TABLE_REFERENCE = "CREATE TABLE IF NOT EXISTS reference (cveid CHAR(13), "
+ "name varchar(1000), url varchar(1000), source varchar(255))";
/**
- * SQL Statement to create the software table
+ * SQL Statement to create the software table.
*/
public static final String CREATE_TABLE_SOFTWARE = "CREATE TABLE IF NOT EXISTS software (cveid CHAR(13), cpe varchar(500), "
+ "vendor varchar(255), product varchar(255), version varchar(50), previousVersion varchar(50))";
/**
- * SQL Statement to create the vulnerability table
+ * SQL Statement to create the vulnerability table.
*/
public static final String CREATE_TABLE_VULNERABILITY = "CREATE TABLE IF NOT EXISTS vulnerability (cveid CHAR(13) PRIMARY KEY, "
+ "description varchar(8000), cwe varchar(10), cvssScore DECIMAL(3,1), cvssAccessVector varchar(20), "
+ "cvssAccessComplexity varchar(20), cvssAuthentication varchar(20), cvssConfidentialityImpact varchar(20), "
+ "cvssIntegrityImpact varchar(20), cvssAvailabilityImpact varchar(20))";
/**
- * SQL Statement to delete references by CVEID
+ * SQL Statement to delete references by CVEID.
*/
public static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
/**
- * SQL Statement to delete software by CVEID
+ * SQL Statement to delete software by CVEID.
*/
public static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
/**
- * SQL Statement to delete a vulnerability by CVEID
+ * SQL Statement to delete a vulnerability by CVEID.
*/
public static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE cveid = ?";
/**
- * SQL Statement to insert a new reference
+ * SQL Statement to insert a new reference.
*/
public static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
/**
- * SQL Statement to insert a new software
+ * SQL Statement to insert a new software.
*/
public static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpe, vendor, product, version, previousVersion) "
+ "VALUES (?, ?, ?, ?, ?, ?)";
/**
- * SQL Statement to insert a new vulnerability
+ * SQL Statement to insert a new vulnerability.
*/
public static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cveid, description, cwe, cvssScore, cvssAccessVector, "
+ "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
/**
- * SQL Statement to find CVE entries based on CPE data
+ * SQL Statement to find CVE entries based on CPE data.
*/
public static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cveid FROM software WHERE Vendor = ? AND Product = ? AND "
+ "(version = '-' OR previousVersion IS NOT NULL OR version=?)";
/**
- * SQL Statement to select references by CVEID
+ * SQL Statement to select references by CVEID.
*/
public static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
/**
- * SQL Statement to select software by CVEID
+ * SQL Statement to select software by CVEID.
*/
public static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion FROM software WHERE cveid = ?";
/**
- * SQL Statement to select a vulnerability by CVEID
+ * SQL Statement to select a vulnerability by CVEID.
*/
public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+ "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
//
//
/**
- * delete reference - parameters (cveid)
+ * delete reference - parameters (cveid).
*/
- private CallableStatement deleteReferences = null;
+ private CallableStatement deleteReferences;
/**
- * delete software - parameters (cveid)
+ * delete software - parameters (cveid).
*/
- private CallableStatement deleteSoftware = null;
+ private CallableStatement deleteSoftware;
/**
- * delete vulnerability - parameters (cveid)
+ * delete vulnerability - parameters (cveid).
*/
- private CallableStatement deleteVulnerabilities = null;
+ private CallableStatement deleteVulnerabilities;
/**
- * insert reference - parameters (cveid, name, url, source)
+ * insert reference - parameters (cveid, name, url, source).
*/
- private CallableStatement insertReference = null;
+ private CallableStatement insertReference;
/**
- * insert software - parameters (cveid, cpe, vendor, product, version, previousVersion)
+ * insert software - parameters (cveid, cpe, vendor, product, version, previousVersion).
*/
- private CallableStatement insertSoftware = null;
+ private CallableStatement insertSoftware;
/**
* insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
- * cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
+ * cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact).
*/
- private CallableStatement insertVulnerability = null;
+ private CallableStatement insertVulnerability;
/**
- * select cve from software - parameters (vendor, product, version)
+ * select cve from software - parameters (vendor, product, version).
*/
- private CallableStatement selectCveFromSoftware = null;
+ private CallableStatement selectCveFromSoftware;
/**
- * select vulnerability - parameters (cveid)
+ * select vulnerability - parameters (cveid).
*/
- private CallableStatement selectVulnerability = null;
+ private CallableStatement selectVulnerability;
/**
- * select reference - parameters (cveid)
+ * select reference - parameters (cveid).
*/
- private CallableStatement selectReferences = null;
+ private CallableStatement selectReferences;
/**
- * select software - parameters (cveid)
+ * select software - parameters (cveid).
*/
- private CallableStatement selectSoftware = null;
+ private CallableStatement selectSoftware;
//
/**
* Database connection
*/
- protected Connection conn = null;
+ private Connection conn;
/**
* Opens the database connection. If the database does not exist, it will
@@ -183,12 +183,12 @@ public class CveDB {
* @throws DatabaseException thrown if there is an error initializing a new database
*/
public void open() throws IOException, SQLException, DatabaseException {
- String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ final String fileName = CveDB.getDataDirectory().getCanonicalPath()
+ File.separator
+ "cve";
- File f = new File(fileName);
- boolean createTables = !f.exists();
- String connStr = "jdbc:h2:file:" + fileName;
+ final File f = new File(fileName);
+ final boolean createTables = !f.exists();
+ final String connStr = "jdbc:h2:file:" + fileName;
conn = DriverManager.getConnection(connStr, "sa", "");
if (createTables) {
createTables();
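Review bot: `final boolean createTables = !f.exists();` tests the bare path ending in `cve`, but H2's file mode stores the database under that name plus its own suffix (`.h2.db` or `.mv.db` depending on the H2 release), so unless I am misreading H2's naming the flag is true on every `open()` and `createTables()` runs each time; the `IF NOT EXISTS` clauses in the DDL constants make this harmless, but the check then guards nothing. Either test for the H2 file itself or drop the flag and call `createTables()` unconditionally with a comment such as `// DDL is idempotent (IF NOT EXISTS), safe to run on every open`. The connection is also opened with the default `sa` account and an empty password; a comment stating that this is a local cache whose only protection is the data directory's filesystem permissions would make that choice explicit for the next reader. open() ends outside the hunk.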
@@ -236,7 +236,7 @@ public class CveDB {
} catch (UnsupportedEncodingException ex) {
Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
}
- List vulnerabilities = new ArrayList();
+ final List vulnerabilities = new ArrayList();
try {
selectCveFromSoftware.setString(1, cpe.getVendor());
@@ -244,7 +244,7 @@ public class CveDB {
selectCveFromSoftware.setString(3, cpe.getVersion());
rs = selectCveFromSoftware.executeQuery();
while (rs.next()) {
- Vulnerability v = getVulnerability(rs.getString("cveid"));
+ final Vulnerability v = getVulnerability(rs.getString("cveid"));
vulnerabilities.add(v);
}
} catch (SQLException ex) {
@@ -261,6 +261,13 @@ public class CveDB {
return vulnerabilities;
}
+ /**
+ * Gets a vulnerability for the provided CVE.
+ *
+ * @param cve the CVE to lookup
+ * @return a vulnerability object
+ * @throws DatabaseException if an exception occurs
+ */
private Vulnerability getVulnerability(String cve) throws DatabaseException {
ResultSet rsV = null;
ResultSet rsR = null;
@@ -275,7 +282,7 @@ public class CveDB {
vuln.setDescription(rsV.getString(2));
String cwe = rsV.getString(3);
if (cwe != null) {
- String name = CweDB.getCweName(cwe);
+ final String name = CweDB.getCweName(cwe);
if (name != null) {
cwe += " " + name;
}
@@ -297,8 +304,8 @@ public class CveDB {
selectSoftware.setString(1, cve);
rsS = selectSoftware.executeQuery();
while (rsS.next()) {
- String cpe = rsS.getString(1);
- String prevVers = rsS.getString(2);
+ final String cpe = rsS.getString(1);
+ final String prevVers = rsS.getString(2);
if (prevVers == null) {
vuln.addVulnerableSoftware(cpe);
} else {
@@ -399,9 +406,9 @@ public class CveDB {
* @throws IOException is thrown if an IOException occurs of course...
*/
public static File getDataDirectory() throws IOException {
- String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
- String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
- String decodedPath = URLDecoder.decode(filePath, "UTF-8");
+ final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
+ final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+ final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
File exePath = new File(decodedPath);
if (exePath.getName().toLowerCase().endsWith(".jar")) {
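Review bot: `CveDB.class.getProtectionDomain().getCodeSource()` can return null (classes without a code source, e.g. under some custom or bootstrap loaders), and the chained `.getLocation().getPath()` then throws a NullPointerException that the declared `IOException` does not cover; a null check that throws `new IOException("Unable to determine the location of the dependency-check jar")` would keep the failure on the documented path. `exePath.getName().toLowerCase()` on the last line should pass `Locale.ROOT` so the `.jar` test does not depend on the default locale. getDataDirectory continues outside the hunk.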
@@ -450,7 +457,7 @@ public class CveDB {
/**
* Builds the CallableStatements used by the application.
- * @throws DatabaseException
+ * @throws DatabaseException thrown if there is a database exception
*/
private void buildStatements() throws DatabaseException {
try {
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java
index e335c011f..2495cd7fb 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java
@@ -24,9 +24,13 @@ package org.owasp.dependencycheck.data.nvdcve;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class DatabaseException extends Exception {
+ /**
+ * the serial version uid.
+ */
+ private static final long serialVersionUID = 1L;
/**
- * Creates an DatabaseException
+ * Creates an DatabaseException.
*
* @param msg the exception message
*/
@@ -35,7 +39,7 @@ public class DatabaseException extends Exception {
}
/**
- * Creates an DatabaseException
+ * Creates an DatabaseException.
*
* @param msg the exception message
* @param ex the cause of the exception
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
index 21d742d7b..b53ca5fc9 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java
@@ -45,7 +45,7 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
/**
* The CVE Index.
*/
- protected CveDB cveDB = null;
+ private CveDB cveDB;
/**
* Opens the data source.
@@ -102,8 +102,8 @@ public class NvdCveAnalyzer implements org.owasp.dependencycheck.analyzer.Analyz
for (Identifier id : dependency.getIdentifiers()) {
if ("cpe".equals(id.getType())) {
try {
- String value = id.getValue();
- List vulns = cveDB.getVulnerabilities(value);
+ final String value = id.getValue();
+ final List vulns = cveDB.getVulnerabilities(value);
for (Vulnerability v : vulns) {
dependency.addVulnerability(v);
}
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
index 0620a3724..dd0ba4555 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java
@@ -75,7 +75,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
private static final String LAST_UPDATED_BASE = "lastupdated.";
/**
- * The current version of the database
+ * The current version of the database.
*/
public static final String DATABASE_VERSION = "2.2";
@@ -87,7 +87,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
*/
public void update() throws UpdateException {
try {
- Map update = updateNeeded();
+ final Map update = updateNeeded();
int maxUpdates = 0;
for (NvdCveUrl cve : update.values()) {
if (cve.getNeedsUpdate()) {
@@ -164,6 +164,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
*
* @param file the file containing the NVD CVE XML
* @param oldVersion contains the file containing the NVD CVE XML 1.2
+ * @throws ParserConfigurationException is thrown if there is a parserconfigurationexception
+ * @throws SAXException is thrown if there is a saxexception
+ * @throws IOException is thrown if there is a ioexception
+ * @throws SQLException is thrown if there is a sql exception
+ * @throws DatabaseException is thrown if there is a database exception
*/
private void importXML(File file, File oldVersion)
throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
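Review bot: The five added `@throws` tags only restate the exception's class name ("is thrown if there is a parserconfigurationexception") and give the reader nothing the signature does not already say; each should name the condition, along the lines of `@throws SAXException if the NVD CVE XML cannot be parsed`, `@throws IOException if one of the XML files cannot be read`, `@throws ParserConfigurationException if a SAX parser cannot be created`, with the SQL and database tags describing the failing database operation. importXML's body is outside this hunk.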
@@ -177,12 +182,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
cpeIndex = new Index();
cpeIndex.openIndexWriter();
- SAXParserFactory factory = SAXParserFactory.newInstance();
- SAXParser saxParser = factory.newSAXParser();
+ final SAXParserFactory factory = SAXParserFactory.newInstance();
+ final SAXParser saxParser = factory.newSAXParser();
NvdCve12Handler cve12Handler = new NvdCve12Handler();
saxParser.parse(oldVersion, cve12Handler);
- Map> prevVersionVulnMap = cve12Handler.getVulnerabilities();
+ final Map> prevVersionVulnMap = cve12Handler.getVulnerabilities();
cve12Handler = null;
NvdCve20Handler cve20Handler = new NvdCve20Handler();
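Review bot: The `SAXParserFactory` created at the top of the hunk is used with its default settings, so the parser will honour DOCTYPE declarations and resolve external entities in the NVD feed files, which are downloaded over the network; the factory should be hardened before `newSAXParser()` with `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` `factory.setFeature("http://xml.org/sax/features/external-general-entities", false);` `factory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` (plus `factory.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true)` for entity-expansion limits). The method already declares `ParserConfigurationException` and `SAXException`, which cover what `setFeature` throws. I cannot tell from the hunk whether the feeds carry a DOCTYPE; if they do, keep the two external-entity features and drop the disallow-doctype line. importXML starts and ends outside the hunk.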
@@ -209,19 +214,19 @@ public class DatabaseUpdater implements CachedWebDataSource {
* Writes a properties file containing the last updated date to the
* VULNERABLE_CPE directory.
*
- * @param updated a map of the updated nvdcve.
+ * @param updated a map of the updated nvdcve
+ * @throws UpdateException is thrown if there is an update exception
*/
private void writeLastUpdatedPropertyFile(Map updated) throws UpdateException {
String dir;
try {
-
dir = CveDB.getDataDirectory().getCanonicalPath();
} catch (IOException ex) {
Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
- File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
- Properties prop = new Properties();
+ final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
+ final Properties prop = new Properties();
prop.put("version", DATABASE_VERSION);
for (NvdCveUrl cve : updated.values()) {
prop.put(LAST_UPDATED_BASE + cve.id, String.valueOf(cve.getTimestamp()));
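Review bot: `prop.put(LAST_UPDATED_BASE + cve.id, …)` reads the NvdCveUrl field directly while `cve.getTimestamp()` on the same line goes through the accessor; using `cve.getId()` (the id getter is documented later in this diff) keeps the inner class's fields private, which is the direction the rest of this commit takes. `new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE)` here and the identical line in the next hunk can be `new File(dir, UPDATE_PROPERTIES_FILE)`, letting File supply the separator. The catch block also logs with a null message; `"Unable to locate the data directory"` would make the SEVERE entry self-describing. writeLastUpdatedPropertyFile continues outside the hunk.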
@@ -288,11 +293,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
throw new UpdateException("Unable to locate last updated properties file.", ex);
}
- File f = new File(dir);
+ final File f = new File(dir);
if (f.exists()) {
- File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
+ final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
if (cveProp.exists()) {
- Properties prop = new Properties();
+ final Properties prop = new Properties();
InputStream is = null;
try {
is = new FileInputStream(cveProp);
@@ -306,7 +311,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else {
try {
version = Float.parseFloat(prop.getProperty("version"));
- float currentVersion = Float.parseFloat(DATABASE_VERSION);
+ final float currentVersion = Float.parseFloat(DATABASE_VERSION);
if (currentVersion > version) {
deleteAndRecreate = true;
}
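Review bot: `Float.parseFloat(DATABASE_VERSION)` compared with `currentVersion > version` treats the version strings as decimals, so a future `"2.10"` parses as 2.1 and compares lower than `"2.2"`, silently skipping the delete-and-recreate; compare major and minor as integers (or a small version type) instead of floats. On the line above, `prop.getProperty("version")` returns null when the key is absent and `Float.parseFloat(null)` throws NullPointerException rather than NumberFormatException, so a catch of the latter (the handler is outside the hunk) would not cover it; `prop.getProperty("version", "0")` keeps a missing key on the numeric path if recreating is the intended response. The enclosing method starts and ends outside the hunk.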
@@ -321,16 +326,16 @@ public class DatabaseUpdater implements CachedWebDataSource {
FileUtils.delete(f);
//this importer also updates the CPE index and it is also using an old version
- org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
- File cpeDir = cpeid.getDataDirectory();
+ final org.owasp.dependencycheck.data.cpe.Index cpeid = new org.owasp.dependencycheck.data.cpe.Index();
+ final File cpeDir = cpeid.getDataDirectory();
FileUtils.delete(cpeDir);
return currentlyPublished;
}
- long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
- Date now = new Date();
- int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
- int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
+ final long lastUpdated = Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED));
+ final Date now = new Date();
+ final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS);
+ final int maxEntries = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
if (lastUpdated == currentlyPublished.get("modified").timestamp) {
currentlyPublished.clear(); //we don't need to update anything.
} else if (withinRange(lastUpdated, now.getTime(), days)) {
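Review bot: `Long.parseLong(prop.getProperty(LAST_UPDATED_MODIFIED))` throws a NullPointerException when the property is missing from the file, whereas the per-file lookup in the next hunk defaults to `"0"`; `prop.getProperty(LAST_UPDATED_MODIFIED, "0")` would make the two consistent and send a missing key down the refresh branch instead of out of the method. `currentlyPublished.get("modified").timestamp` reaches into the NvdCveUrl field directly although `getTimestamp()` exists, and `new Date().getTime()` can be `System.currentTimeMillis()`. Whether `currentlyPublished.get("modified")` can be null depends on retrieveCurrentTimestampsFromWeb, which is outside this hunk. The enclosing method starts and ends outside the hunk.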
@@ -341,7 +346,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
} else { //we figure out which of the several XML files need to be downloaded.
currentlyPublished.get("modified").setNeedsUpdate(false);
for (int i = 1; i <= maxEntries; i++) {
- NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
+ final NvdCveUrl cve = currentlyPublished.get(String.valueOf(i));
long currentTimestamp = 0;
try {
currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
@@ -386,7 +391,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
* @return whether or not the date is within the range.
*/
private boolean withinRange(long date, long compareTo, int range) {
- double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+ final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
return differenceInDays < range;
}
@@ -405,7 +410,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
protected Map retrieveCurrentTimestampsFromWeb()
throws MalformedURLException, DownloadFailedException, InvalidDataException, InvalidSettingException {
- Map map = new HashMap();
+ final Map map = new HashMap();
String retrieveUrl = Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL);
NvdCveUrl item = new NvdCveUrl();
@@ -417,7 +422,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
item.timestamp = Downloader.getLastModified(new URL(retrieveUrl));
map.put("modified", item);
- int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
+ final int max = Settings.getInt(Settings.KEYS.CVE_URL_COUNT);
for (int i = 1; i <= max; i++) {
retrieveUrl = Settings.getString(Settings.KEYS.CVE_BASE_URL + Settings.KEYS.CVE_SCHEMA_2_0 + i);
item = new NvdCveUrl();
@@ -442,7 +447,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String id;
/**
- * Get the value of id
+ * Get the value of id.
*
* @return the value of id
*/
@@ -451,7 +456,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
- * Set the value of id
+ * Set the value of id.
*
* @param id new value of id
*/
@@ -464,7 +469,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private String url;
/**
- * Get the value of url
+ * Get the value of url.
*
* @return the value of url
*/
@@ -473,7 +478,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
- * Set the value of url
+ * Set the value of url.
*
* @param url new value of url
*/
@@ -481,12 +486,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
this.url = url;
}
/**
- * The 1.2 schema URL
+ * The 1.2 schema URL.
*/
- protected String oldSchemaVersionUrl;
+ private String oldSchemaVersionUrl;
/**
- * Get the value of oldSchemaVersionUrl
+ * Get the value of oldSchemaVersionUrl.
*
* @return the value of oldSchemaVersionUrl
*/
@@ -495,7 +500,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
- * Set the value of oldSchemaVersionUrl
+ * Set the value of oldSchemaVersionUrl.
*
* @param oldSchemaVersionUrl new value of oldSchemaVersionUrl
*/
@@ -510,7 +515,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private long timestamp;
/**
- * Get the value of timestamp - epoch time
+ * Get the value of timestamp - epoch time.
*
* @return the value of timestamp - epoch time
*/
@@ -519,7 +524,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
- * Set the value of timestamp - epoch time
+ * Set the value of timestamp - epoch time.
*
* @param timestamp new value of timestamp - epoch time
*/
@@ -532,7 +537,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
private boolean needsUpdate = true;
/**
- * Get the value of needsUpdate
+ * Get the value of needsUpdate.
*
* @return the value of needsUpdate
*/
@@ -541,7 +546,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
}
/**
- * Set the value of needsUpdate
+ * Set the value of needsUpdate.
*
* @param needsUpdate new value of needsUpdate
*/
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java
index 0dda1b1ff..ffd4ff5cb 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java
@@ -25,10 +25,13 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class InvalidDataException extends Exception {
+ /**
+ * the serial version uid.
+ */
private static final long serialVersionUID = 1L;
/**
- * Creates an InvalidDataException
+ * Creates an InvalidDataException.
*
* @param msg the exception message
*/
@@ -37,7 +40,7 @@ public class InvalidDataException extends Exception {
}
/**
- * Creates an InvalidDataException
+ * Creates an InvalidDataException.
*
* @param msg the exception message
* @param ex the cause of the exception
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java
index fcfbee68c..85ad08bc7 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java
@@ -38,18 +38,45 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve12Handler extends DefaultHandler {
+ /**
+ * the supported schema version.
+ */
private static final String CURRENT_SCHEMA_VERSION = "1.2";
- private String vulnerability = null;
- private List software = null;
- private String vendor = null;
- private String product = null;
+ /**
+ * the current vulnerability.
+ */
+ private String vulnerability;
+ /**
+ * a list of vulnerable software.
+ */
+ private List software;
+ /**
+ * the vendor name.
+ */
+ private String vendor;
+ /**
+ * the product name.
+ */
+ private String product;
+ /**
+ * if the nvd cve should be skipped because it was rejected.
+ */
private boolean skip = false;
+ /**
+ * flag indicating if there is a previous version.
+ */
private boolean hasPreviousVersion = false;
+ /**
+ * The current element.
+ */
private Element current = new Element();
- private Map> vulnerabilities = null;
+ /**
+ * a map of vulnerabilities.
+ */
+ private Map> vulnerabilities;
/**
- * Get the value of vulnerabilities
+ * Get the value of vulnerabilities.
*
* @return the value of vulnerabilities
*/
@@ -64,8 +91,8 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = null;
product = null;
hasPreviousVersion = false;
- String reject = attributes.getValue("reject");
- skip = (reject != null && reject.equals("1"));
+ final String reject = attributes.getValue("reject");
+ skip = "1".equals(reject);
if (!skip) {
vulnerability = attributes.getValue("name");
software = new ArrayList();
@@ -78,11 +105,11 @@ public class NvdCve12Handler extends DefaultHandler {
vendor = attributes.getValue("vendor");
product = attributes.getValue("name");
} else if (!skip && current.isVersNode()) {
- String prev = attributes.getValue("prev");
+ final String prev = attributes.getValue("prev");
if (prev != null && "1".equals(prev)) {
hasPreviousVersion = true;
- String edition = attributes.getValue("edition");
- String num = attributes.getValue("num");
+ final String edition = attributes.getValue("edition");
+ final String num = attributes.getValue("num");
/*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
purposes this is good enough as we won't use this if we don't find a corresponding "a"
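Review bot: The `prev != null` test in the new line `if (prev != null && "1".equals(prev)) {` is redundant, because `"1".equals(prev)` already returns false for null, and the previous hunk in this same file was just rewritten to exactly that shorter form for `reject` (`skip = "1".equals(reject);`). Using `if ("1".equals(prev)) {` keeps the two attribute checks consistent. The enclosing method (presumably the handler's startElement) starts and ends outside this hunk.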
@@ -94,13 +121,13 @@ public class NvdCve12Handler extends DefaultHandler {
if (edition != null) {
cpe += ":" + edition;
}
- VulnerableSoftware vs = new VulnerableSoftware();
+ final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
vs.setPreviousVersion(prev);
software.add(vs);
}
} else if (current.isNVDNode()) {
- String nvdVer = attributes.getValue("nvd_xml_version");
+ final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -128,29 +155,32 @@ public class NvdCve12Handler extends DefaultHandler {
protected static class Element {
/**
- * A node type in the NVD CVE Schema 1.2
+ * A node type in the NVD CVE Schema 1.2.
*/
public static final String NVD = "nvd";
/**
- * A node type in the NVD CVE Schema 1.2
+ * A node type in the NVD CVE Schema 1.2.
*/
public static final String ENTRY = "entry";
/**
- * A node type in the NVD CVE Schema 1.2
+ * A node type in the NVD CVE Schema 1.2.
*/
public static final String VULN_SOFTWARE = "vuln_soft";
/**
- * A node type in the NVD CVE Schema 1.2
+ * A node type in the NVD CVE Schema 1.2.
*/
public static final String PROD = "prod";
/**
- * A node type in the NVD CVE Schema 1.2
+ * A node type in the NVD CVE Schema 1.2.
*/
public static final String VERS = "vers";
- private String node = null;
+ /**
+ * The name of the current node.
+ */
+ private String node;
/**
- * Gets the value of node
+ * Gets the value of node.
*
* @return the value of node
*/
@@ -159,7 +189,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Sets the value of node
+ * Sets the value of node.
*
* @param node new value of node
*/
@@ -168,7 +198,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the NVD node
+ * Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -177,7 +207,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the ENTRY node
+ * Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -186,7 +216,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VULN_SOFTWARE node
+ * Checks if the handler is at the VULN_SOFTWARE node.
*
* @return true or false
*/
@@ -195,7 +225,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the PROD node
+ * Checks if the handler is at the PROD node.
*
* @return true or false
*/
@@ -204,7 +234,7 @@ public class NvdCve12Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VERS node
+ * Checks if the handler is at the VERS node.
*
* @return true or false
*/
diff --git a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
index ac7676e55..da6a75de5 100644
--- a/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
+++ b/src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java
@@ -42,12 +42,30 @@ import org.xml.sax.helpers.DefaultHandler;
*/
public class NvdCve20Handler extends DefaultHandler {
+ /**
+ * the current supported schema version.
+ */
private static final String CURRENT_SCHEMA_VERSION = "2.0";
+ /**
+ * the current element.
+ */
private Element current = new Element();
- StringBuilder nodeText = null;
- Vulnerability vulnerability = null;
- Reference reference = null;
- boolean hasApplicationCpe = false;
+ /**
+ * the text of the node.
+ */
+ private StringBuilder nodeText;
+ /**
+ * the vulnerability.
+ */
+ private Vulnerability vulnerability;
+ /**
+ * a reference for the cve.
+ */
+ private Reference reference;
+ /**
+ * flag indicating whether the application has a cpe.
+ */
+ private boolean hasApplicationCpe = false;
@Override
public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
@@ -59,7 +77,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnProductNode()) {
nodeText = new StringBuilder(100);
} else if (current.isVulnReferencesNode()) {
- String lang = attributes.getValue("xml:lang");
+ final String lang = attributes.getValue("xml:lang");
if ("en".equals(lang)) {
reference = new Reference();
} else {
@@ -73,7 +91,7 @@ public class NvdCve20Handler extends DefaultHandler {
} else if (current.isVulnSummaryNode()) {
nodeText = new StringBuilder(500);
} else if (current.isNVDNode()) {
- String nvdVer = attributes.getValue("nvd_xml_version");
+ final String nvdVer = attributes.getValue("nvd_xml_version");
if (!CURRENT_SCHEMA_VERSION.equals(nvdVer)) {
throw new SAXNotSupportedException("Schema version " + nvdVer + " is not supported");
}
@@ -121,7 +139,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability = null;
} else if (current.isCVSSScoreNode()) {
try {
- float score = Float.parseFloat(nodeText.toString());
+ final float score = Float.parseFloat(nodeText.toString());
vulnerability.setCvssScore(score);
} catch (NumberFormatException ex) {
Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
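Review bot: The catch block at the end of this hunk logs the NumberFormatException with a null message and then continues, so a malformed `cvss:score` value leaves the entry's `cvssScore` at the float default of 0 and the log line does not say which entry or which text failed to parse. A message carrying that context makes the failure diagnosable: `Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Invalid CVSS score '" + nodeText + "' for " + vulnerability.getName(), ex);`. Whether a score of 0 is an acceptable fallback for an entry that carried a score in the feed is a decision worth recording in a comment on the catch, since downstream consumers presumably read 0 as "no severity". The enclosing method starts and ends outside this hunk.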
@@ -146,7 +164,7 @@ public class NvdCve20Handler extends DefaultHandler {
vulnerability.setCvssIntegrityImpact(nodeText.toString());
nodeText = null;
} else if (current.isVulnProductNode()) {
- String cpe = nodeText.toString();
+ final String cpe = nodeText.toString();
if (cpe.startsWith("cpe:/a:")) {
hasApplicationCpe = true;
vulnerability.addVulnerableSoftware(cpe);
@@ -166,10 +184,14 @@ public class NvdCve20Handler extends DefaultHandler {
nodeText = null;
}
}
- private CveDB cveDB = null;
+ /**
+ * the cve database.
+ */
+ private CveDB cveDB;
/**
- * Sets the cveDB
+ * Sets the cveDB.
+ *
* @param db a reference to the CveDB
*/
public void setCveDB(CveDB db) {
@@ -179,7 +201,7 @@ public class NvdCve20Handler extends DefaultHandler {
* A list of CVE entries and associated VulnerableSoftware entries that contain
* previous entries.
*/
- private Map> prevVersionVulnMap = null;
+ private Map> prevVersionVulnMap;
/**
* Sets the prevVersionVulnMap.
@@ -202,9 +224,9 @@ public class NvdCve20Handler extends DefaultHandler {
if (cveDB == null) {
return;
}
- String cveName = vuln.getName();
+ final String cveName = vuln.getName();
if (prevVersionVulnMap.containsKey(cveName)) {
- List vulnSoftware = prevVersionVulnMap.get(cveName);
+ final List vulnSoftware = prevVersionVulnMap.get(cveName);
for (VulnerableSoftware vs : vulnSoftware) {
vuln.updateVulnerableSoftware(vs);
}
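Review bot: `prevVersionVulnMap.containsKey(cveName)` dereferences the map without a null check, while `cveDB` two lines above it is guarded; the field's declaration earlier in this file has no initializer (it was an explicit `= null` before this commit), so a handler whose setter was never called fails with a NullPointerException on the first entry. The lookup is also done twice (`containsKey` then `get`); doing it once covers both points: `final List vulnSoftware = prevVersionVulnMap == null ? null : prevVersionVulnMap.get(cveName);` followed by `if (vulnSoftware != null) {` around the existing loop. The enclosing method starts before this hunk.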
@@ -216,10 +238,14 @@ public class NvdCve20Handler extends DefaultHandler {
}
cveDB.updateVulnerability(vuln);
}
- private Index cpeIndex = null;
+ /**
+ * the cpe index.
+ */
+ private Index cpeIndex;
/**
- * Sets the cpe index
+ * Sets the cpe index.
+ *
* @param index the CPE Lucene Index
*/
void setCpeIndex(Index index) {
@@ -261,7 +287,6 @@ public class NvdCve20Handler extends DefaultHandler {
* A node type in the NVD CVE Schema 2.0
*/
public static final String VULN_SUMMARY = "vuln:summary";
-
/**
* A node type in the NVD CVE Schema 2.0
*/
@@ -295,10 +320,13 @@ public class NvdCve20Handler extends DefaultHandler {
*/
public static final String CVSS_AVAILABILITY_IMPACT = "cvss:availability-impact";
- private String node = null;
+ /**
+ * The current node.
+ */
+ private String node;
/**
- * Gets the value of node
+ * Gets the value of node.
*
* @return the value of node
*/
@@ -307,7 +335,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Sets the value of node
+ * Sets the value of node.
*
* @param node new value of node
*/
@@ -316,7 +344,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the NVD node
+ * Checks if the handler is at the NVD node.
*
* @return true or false
*/
@@ -325,7 +353,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the ENTRY node
+ * Checks if the handler is at the ENTRY node.
*
* @return true or false
*/
@@ -334,7 +362,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VULN_PRODUCT node
+ * Checks if the handler is at the VULN_PRODUCT node.
*
* @return true or false
*/
@@ -343,7 +371,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the REFERENCES node
+ * Checks if the handler is at the REFERENCES node.
*
* @return true or false
*/
@@ -352,7 +380,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the REFERENCE node
+ * Checks if the handler is at the REFERENCE node.
*
* @return true or false
*/
@@ -361,7 +389,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VULN_SOURCE node
+ * Checks if the handler is at the VULN_SOURCE node.
*
* @return true or false
*/
@@ -370,7 +398,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VULN_SUMMARY node
+ * Checks if the handler is at the VULN_SUMMARY node.
*
* @return true or false
*/
@@ -379,7 +407,7 @@ public class NvdCve20Handler extends DefaultHandler {
}
/**
- * Checks if the handler is at the VULN_CWE node
+ * Checks if the handler is at the VULN_CWE node.
*
* @return true or false
*/
@@ -387,7 +415,7 @@ public class NvdCve20Handler extends DefaultHandler {
return VULN_CWE.equals(node);
}
/**
- * Checks if the handler is at the CVSS_SCORE node
+ * Checks if the handler is at the CVSS_SCORE node.
*
* @return true or false
*/
@@ -395,7 +423,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_SCORE.equals(node);
}
/**
- * Checks if the handler is at the CVSS_ACCESS_VECTOR node
+ * Checks if the handler is at the CVSS_ACCESS_VECTOR node.
*
* @return true or false
*/
@@ -403,7 +431,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_VECTOR.equals(node);
}
/**
- * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node
+ * Checks if the handler is at the CVSS_ACCESS_COMPLEXITY node.
*
* @return true or false
*/
@@ -411,7 +439,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_ACCESS_COMPLEXITY.equals(node);
}
/**
- * Checks if the handler is at the CVSS_AUTHENTICATION node
+ * Checks if the handler is at the CVSS_AUTHENTICATION node.
*
* @return true or false
*/
@@ -419,7 +447,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_AUTHENTICATION.equals(node);
}
/**
- * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node
+ * Checks if the handler is at the CVSS_CONFIDENTIALITY_IMPACT node.
*
* @return true or false
*/
@@ -427,7 +455,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_CONFIDENTIALITY_IMPACT.equals(node);
}
/**
- * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node
+ * Checks if the handler is at the CVSS_INTEGRITY_IMPACT node.
*
* @return true or false
*/
@@ -435,7 +463,7 @@ public class NvdCve20Handler extends DefaultHandler {
return CVSS_INTEGRITY_IMPACT.equals(node);
}
/**
- * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node
+ * Checks if the handler is at the CVSS_AVAILABILITY_IMPACT node.
*
* @return true or false
*/
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index e50ed8d3e..0af4f2524 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -44,43 +44,43 @@ public class Dependency {
/**
* The actual file path of the dependency on disk.
*/
- private String actualFilePath = null;
+ private String actualFilePath;
/**
* The file path to display.
*/
- private String filePath = null;
+ private String filePath;
/**
* The file name of the dependency.
*/
- private String fileName = null;
+ private String fileName;
/**
* The file extension of the dependency.
*/
- private String fileExtension = null;
+ private String fileExtension;
/**
* The md5 hash of the dependency.
*/
- private String md5sum = null;
+ private String md5sum;
/**
* The SHA1 hash of the dependency.
*/
- private String sha1sum = null;
+ private String sha1sum;
/**
* A list of Identifiers.
*/
- private List identifiers = null;
+ private List identifiers;
/**
* A collection of vendor evidence.
*/
- protected EvidenceCollection vendorEvidence = null;
+ private EvidenceCollection vendorEvidence;
/**
* A collection of product evidence.
*/
- protected EvidenceCollection productEvidence = null;
+ private EvidenceCollection productEvidence;
/**
* A collection of version evidence.
*/
- protected EvidenceCollection versionEvidence = null;
+ private EvidenceCollection versionEvidence;
/**
* Constructs a new Dependency object.
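Review bot: Narrowing `vendorEvidence`, `productEvidence` and `versionEvidence` from `protected` to `private` is a source-incompatible change for any subclass of `Dependency` that reads these fields directly; the same narrowing is applied to `analysisExceptions` and `description` later in this file and to the fields of `Evidence`, `Identifier` and `Vulnerability`. Whether such subclasses exist is not visible here, so this should be confirmed before merging, and if the intent is that these values are reached only through accessors a sentence in the class Javadoc stating that would make it explicit. The rest of the hunk only drops redundant `= null` initializers, which is behaviour-neutral.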
@@ -244,7 +244,7 @@ public class Dependency {
* @param url the URL of the identifier.
*/
public void addIdentifier(String type, String value, String url) {
- Identifier i = new Identifier(type, value, url);
+ final Identifier i = new Identifier(type, value, url);
this.identifiers.add(i);
}
@@ -295,10 +295,10 @@ public class Dependency {
/**
* A list of exceptions that occurred during analysis of this dependency.
*/
- protected List analysisExceptions = new ArrayList();
+ private List analysisExceptions = new ArrayList();
/**
- * Get the value of analysisExceptions
+ * Get the value of analysisExceptions.
*
* @return the value of analysisExceptions
*/
@@ -307,7 +307,7 @@ public class Dependency {
}
/**
- * Set the value of analysisExceptions
+ * Set the value of analysisExceptions.
*
* @param analysisExceptions new value of analysisExceptions
*/
@@ -326,10 +326,10 @@ public class Dependency {
/**
* The description of the JAR file.
*/
- protected String description;
+ private String description;
/**
- * Get the value of description
+ * Get the value of description.
*
* @return the value of description
*/
@@ -338,7 +338,7 @@ public class Dependency {
}
/**
- * Set the value of description
+ * Set the value of description.
*
* @param description new value of description
*/
@@ -351,7 +351,7 @@ public class Dependency {
private String license;
/**
- * Get the value of license
+ * Get the value of license.
*
* @return the value of license
*/
@@ -360,7 +360,7 @@ public class Dependency {
}
/**
- * Set the value of license
+ * Set the value of license.
*
* @param license new value of license
*/
@@ -392,12 +392,12 @@ public class Dependency {
return false;
}
/**
- * A list of vulnerabilities for this dependency
+ * A list of vulnerabilities for this dependency.
*/
private SortedSet vulnerabilities;
/**
- * Get the list of vulnerabilities
+ * Get the list of vulnerabilities.
*
* @return the list of vulnerabilities
*/
@@ -406,7 +406,7 @@ public class Dependency {
}
/**
- * Set the value of vulnerabilities
+ * Set the value of vulnerabilities.
*
* @param vulnerabilities new value of vulnerabilities
*/
@@ -414,6 +414,11 @@ public class Dependency {
this.vulnerabilities = vulnerabilities;
}
+ /**
+ * Determines the sha1 and md5 sum for the given file.
+ *
+ * @param file the file to create checksums for
+ */
private void determineHashes(File file) {
String md5 = null;
String sha1 = null;
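Review bot: The new Javadoc on `determineHashes` names what is computed but not where the result goes or what happens when hashing fails; since the method is private and returns nothing, a reader has to open the body to learn it. If, as the `md5sum` and `sha1sum` fields in the first hunk of this file suggest, it stores into those fields, the summary could read `Computes the MD5 and SHA1 checksums of the given file and stores them in md5sum and sha1sum.`, with a sentence on the failure behaviour once that is confirmed from the body. The method body continues past the end of the hunk.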
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
index 3308d08a7..a7c094ff4 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -67,10 +67,10 @@ public class Evidence {
/**
* The name of the evidence.
*/
- protected String name;
+ private String name;
/**
- * Get the value of name
+ * Get the value of name.
*
* @return the value of name
*/
@@ -79,7 +79,7 @@ public class Evidence {
}
/**
- * Set the value of name
+ * Set the value of name.
*
* @param name new value of name
*/
@@ -89,10 +89,10 @@ public class Evidence {
/**
* The source of the evidence.
*/
- protected String source;
+ private String source;
/**
- * Get the value of source
+ * Get the value of source.
*
* @return the value of source
*/
@@ -101,7 +101,7 @@ public class Evidence {
}
/**
- * Set the value of source
+ * Set the value of source.
*
* @param source new value of source
*/
@@ -111,10 +111,10 @@ public class Evidence {
/**
* The value of the evidence.
*/
- protected String value;
+ private String value;
/**
- * Get the value of value
+ * Get the value of value.
*
* @return the value of value
*/
@@ -124,7 +124,7 @@ public class Evidence {
}
/**
- * Set the value of value
+ * Set the value of value.
*
* @param value new value of value
*/
@@ -134,10 +134,10 @@ public class Evidence {
/**
* A value indicating if the Evidence has been "used" (aka read).
*/
- protected boolean used;
+ private boolean used;
/**
- * Get the value of used
+ * Get the value of used.
*
* @return the value of used
*/
@@ -146,7 +146,7 @@ public class Evidence {
}
/**
- * Set the value of used
+ * Set the value of used.
*
* @param used new value of used
*/
@@ -156,10 +156,10 @@ public class Evidence {
/**
* The confidence level for the evidence.
*/
- protected Confidence confidence;
+ private Confidence confidence;
/**
- * Get the value of confidence
+ * Get the value of confidence.
*
* @return the value of confidence
*/
@@ -168,7 +168,7 @@ public class Evidence {
}
/**
- * Set the value of confidence
+ * Set the value of confidence.
*
* @param confidence new value of confidence
*/
@@ -205,7 +205,7 @@ public class Evidence {
if (!(that instanceof Evidence)) {
return false;
}
- Evidence e = (Evidence) that;
+ final Evidence e = (Evidence) that;
return testEquality(name, e.name) && testEquality(source, e.source) && testEquality(value, e.value)
&& (confidence == null ? e.confidence == null : confidence == e.confidence);
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
index 940125f97..c1deb553c 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
@@ -52,7 +52,7 @@ public class EvidenceCollection implements Iterable {
return evidence.getConfidence() == Evidence.Confidence.MEDIUM;
}
};
- /*
+ /**
* Used to iterate over low confidence evidence contained in the collection.
*/
private static final Filter LOW_CONFIDENCE =
@@ -90,8 +90,14 @@ public class EvidenceCollection implements Iterable {
return EvidenceCollection.LOW_CONFIDENCE.filter(this.list);
}
}
- private Set list = null;
- private Set weightedStrings = null;
+ /**
+ * A collection of evidence.
+ */
+ private Set list;
+ /**
+ * A collection of strings used to adjust lucene's term weighting.
+ */
+ private Set weightedStrings;
/**
* Creates a new EvidenceCollection.
@@ -120,7 +126,7 @@ public class EvidenceCollection implements Iterable {
* @param confidence the confidence of the Evidence.
*/
public void addEvidence(String source, String name, String value, Evidence.Confidence confidence) {
- Evidence e = new Evidence(source, name, value, confidence);
+ final Evidence e = new Evidence(source, name, value, confidence);
addEvidence(e);
}
@@ -181,10 +187,10 @@ public class EvidenceCollection implements Iterable {
if (text == null) {
return false;
}
- text = text.toLowerCase();
+ final String textToTest = text.toLowerCase();
for (Evidence e : this.list) {
- if (e.used && e.value.toLowerCase().contains(text)) {
+ if (e.isUsed() && e.getValue().toLowerCase().contains(textToTest)) {
return true;
}
}
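Review bot: Both `toLowerCase()` calls in the rewritten comparison (`textToTest` and `e.getValue().toLowerCase()`) use the JVM's default locale, so the containment test can differ between hosts (the Turkish dotted/dotless I being the usual case) for what should be a locale-independent match; `toLowerCase(Locale.ROOT)` on both sides fixes the result, and needs `java.util.Locale` imported if it is not already. Replacing the parameter reassignment with `textToTest` is a good change in itself. The enclosing method starts before this hunk.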
@@ -200,7 +206,7 @@ public class EvidenceCollection implements Iterable {
*/
public boolean contains(Evidence.Confidence confidence) {
for (Evidence e : list) {
- if (e.confidence == confidence) {
+ if (e.getConfidence().equals(confidence)) {
return true;
}
}
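Review bot: `e.getConfidence().equals(confidence)` is a regression from the removed `e.confidence == confidence`: the old form was null-safe, the new one throws a NullPointerException for any Evidence whose confidence is unset, and `Evidence.equals` in the previous file explicitly handles `confidence == null`, so that state is anticipated. Since `Confidence` is compared by identity there too, `if (e.getConfidence() == confidence) {` preserves the accessor change without the crash. The `contains(Evidence.Confidence)` method is fully inside this hunk.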
@@ -215,7 +221,7 @@ public class EvidenceCollection implements Iterable {
* @return a new EvidenceCollection containing the used evidence.
*/
public static EvidenceCollection mergeUsed(EvidenceCollection... ec) {
- EvidenceCollection ret = new EvidenceCollection();
+ final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
for (Evidence e : col.list) {
if (e.isUsed()) {
@@ -233,7 +239,7 @@ public class EvidenceCollection implements Iterable {
* @return a new EvidenceCollection.
*/
public static EvidenceCollection merge(EvidenceCollection... ec) {
- EvidenceCollection ret = new EvidenceCollection();
+ final EvidenceCollection ret = new EvidenceCollection();
for (EvidenceCollection col : ec) {
ret.list.addAll(col.list);
ret.weightedStrings.addAll(col.weightedStrings);
@@ -248,7 +254,7 @@ public class EvidenceCollection implements Iterable {
*/
@Override
public String toString() {
- StringBuilder sb = new StringBuilder();
+ final StringBuilder sb = new StringBuilder();
for (Evidence e : this.list) {
sb.append(e.getValue()).append(' ');
}
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java b/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
index da2a53201..6261661b2 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
@@ -52,10 +52,10 @@ public class Identifier {
/**
* The value of the identifier
*/
- protected String value;
+ private String value;
/**
- * Get the value of value
+ * Get the value of value.
*
* @return the value of value
*/
@@ -64,7 +64,7 @@ public class Identifier {
}
/**
- * Set the value of value
+ * Set the value of value.
*
* @param value new value of value
*/
@@ -73,12 +73,12 @@ public class Identifier {
}
/**
- * The url for the identifier
+ * The url for the identifier.
*/
- protected String url;
+ private String url;
/**
- * Get the value of url
+ * Get the value of url.
*
* @return the value of url
*/
@@ -87,7 +87,7 @@ public class Identifier {
}
/**
- * Set the value of url
+ * Set the value of url.
*
* @param url new value of url
*/
@@ -95,12 +95,12 @@ public class Identifier {
this.url = url;
}
/**
- * The type of the identifier
+ * The type of the identifier.
*/
- protected String type;
+ private String type;
/**
- * Get the value of type
+ * Get the value of type.
*
* @return the value of type
*/
@@ -119,10 +119,10 @@ public class Identifier {
/**
* A description of the identifier.
*/
- protected String description;
+ private String description;
/**
- * Get the value of description
+ * Get the value of description.
*
* @return the value of description
*/
@@ -131,7 +131,7 @@ public class Identifier {
}
/**
- * Set the value of description
+ * Set the value of description.
*
* @param description new value of description
*/
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Reference.java b/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
index fc3af391d..5caa3178e 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Reference.java
@@ -28,6 +28,9 @@ import java.io.Serializable;
*/
public class Reference implements Serializable {
+ /**
+ * the serial version uid.
+ */
private static final long serialVersionUID = -3444464824563008021L;
/**
* The name of the reference.
@@ -35,7 +38,7 @@ public class Reference implements Serializable {
private String name;
/**
- * Get the value of name
+ * Get the value of name.
*
* @return the value of name
*/
@@ -44,7 +47,7 @@ public class Reference implements Serializable {
}
/**
- * Set the value of name
+ * Set the value of name.
*
* @param name new value of name
*/
@@ -52,12 +55,12 @@ public class Reference implements Serializable {
this.name = name;
}
/**
- * the url for the reference
+ * the url for the reference.
*/
private String url;
/**
- * Get the value of url
+ * Get the value of url.
*
* @return the value of url
*/
@@ -66,7 +69,7 @@ public class Reference implements Serializable {
}
/**
- * Set the value of url
+ * Set the value of url.
*
* @param url new value of url
*/
@@ -79,7 +82,7 @@ public class Reference implements Serializable {
private String source;
/**
- * Get the value of source
+ * Get the value of source.
*
* @return the value of source
*/
@@ -88,7 +91,7 @@ public class Reference implements Serializable {
}
/**
- * Set the value of source
+ * Set the value of source.
*
* @param source new value of source
*/
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
index 05a1a82d2..859308bde 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java
@@ -29,14 +29,17 @@ import java.util.Set;
*/
public class Vulnerability implements Serializable, Comparable {
+ /**
+ * The serial version uid.
+ */
private static final long serialVersionUID = 307319490326651052L;
/**
- * The name of the vulnerability
+ * The name of the vulnerability.
*/
private String name;
/**
- * Get the value of name
+ * Get the value of name.
*
* @return the value of name
*/
@@ -45,7 +48,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of name
+ * Set the value of name.
*
* @param name new value of name
*/
@@ -53,12 +56,12 @@ public class Vulnerability implements Serializable, Comparable {
this.name = name;
}
/**
- * the description of the vulnerability
+ * the description of the vulnerability.
*/
private String description;
/**
- * Get the value of description
+ * Get the value of description.
*
* @return the value of description
*/
@@ -67,7 +70,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of description
+ * Set the value of description.
*
* @param description new value of description
*/
@@ -75,12 +78,12 @@ public class Vulnerability implements Serializable, Comparable {
this.description = description;
}
/**
- * References for this vulnerability
+ * References for this vulnerability.
*/
private Set references = new HashSet();
/**
- * Get the value of references
+ * Get the value of references.
*
* @return the value of references
*/
@@ -89,7 +92,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of references
+ * Set the value of references.
*
* @param references new value of references
*/
@@ -98,7 +101,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Adds a reference to the references collection
+ * Adds a reference to the references collection.
*
* @param ref a reference for the vulnerability
*/
@@ -107,25 +110,26 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Adds a reference
+ * Adds a reference.
+ *
* @param referenceSource the source of the reference
* @param referenceName the referenceName of the reference
* @param referenceUrl the url of the reference
*/
public void addReference(String referenceSource, String referenceName, String referenceUrl) {
- Reference ref = new Reference();
+ final Reference ref = new Reference();
ref.setSource(referenceSource);
ref.setName(referenceName);
ref.setUrl(referenceUrl);
this.references.add(ref);
}
/**
- * a set of vulnerable software
+ * A set of vulnerable software.
*/
- protected Set vulnerableSoftware = new HashSet();
+ private Set vulnerableSoftware = new HashSet();
/**
- * Get the value of vulnerableSoftware
+ * Get the value of vulnerableSoftware.
*
* @return the value of vulnerableSoftware
*/
@@ -134,7 +138,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of vulnerableSoftware
+ * Set the value of vulnerableSoftware.
*
* @param vulnerableSoftware new value of vulnerableSoftware
*/
@@ -143,7 +147,8 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Adds an entry for vulnerable software
+ * Adds an entry for vulnerable software.
+ *
* @param cpe string representation of a CPE entry
* @return if the add succeeded
*/
@@ -152,13 +157,15 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Adds an entry for vulnerable software
+ * Adds an entry for vulnerable software.
+ *
* @param cpe string representation of a cpe
- * @param previousVersion the previous version (previousVersion - cpe would be considered vulnerable)
+ * @param previousVersion the previous version (previousVersion - cpe would
+ * be considered vulnerable)
* @return if the add succeeded
*/
public boolean addVulnerableSoftware(String cpe, String previousVersion) {
- VulnerableSoftware vs = new VulnerableSoftware();
+ final VulnerableSoftware vs = new VulnerableSoftware();
vs.setCpe(cpe);
if (previousVersion != null) {
vs.setPreviousVersion(previousVersion);
@@ -167,7 +174,8 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Adds or updates a vulnerable software entry
+ * Adds or updates a vulnerable software entry.
+ *
* @param vulnSoftware the vulnerable software
* @return if the update succeeded
*/
@@ -178,12 +186,12 @@ public class Vulnerability implements Serializable, Comparable {
return vulnerableSoftware.add(vulnSoftware);
}
/**
- * The CWE for the vulnerability
+ * The CWE for the vulnerability.
*/
- protected String cwe;
+ private String cwe;
/**
- * Get the value of cwe
+ * Get the value of cwe.
*
* @return the value of cwe
*/
@@ -192,7 +200,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cwe
+ * Set the value of cwe.
*
* @param cwe new value of cwe
*/
@@ -200,12 +208,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cwe = cwe;
}
/**
- * CVSS Score
+ * CVSS Score.
*/
- protected float cvssScore;
+ private float cvssScore;
/**
- * Get the value of cvssScore
+ * Get the value of cvssScore.
*
* @return the value of cvssScore
*/
@@ -214,7 +222,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssScore
+ * Set the value of cvssScore.
*
* @param cvssScore new value of cvssScore
*/
@@ -222,12 +230,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssScore = cvssScore;
}
/**
- * CVSS Access Vector
+ * CVSS Access Vector.
*/
- protected String cvssAccessVector;
+ private String cvssAccessVector;
/**
- * Get the value of cvssAccessVector
+ * Get the value of cvssAccessVector.
*
* @return the value of cvssAccessVector
*/
@@ -236,7 +244,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssAccessVector
+ * Set the value of cvssAccessVector.
*
* @param cvssAccessVector new value of cvssAccessVector
*/
@@ -244,12 +252,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssAccessVector = cvssAccessVector;
}
/**
- * CVSS Access Complexity
+ * CVSS Access Complexity.
*/
- protected String cvssAccessComplexity;
+ private String cvssAccessComplexity;
/**
- * Get the value of cvssAccessComplexity
+ * Get the value of cvssAccessComplexity.
*
* @return the value of cvssAccessComplexity
*/
@@ -258,7 +266,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssAccessComplexity
+ * Set the value of cvssAccessComplexity.
*
* @param cvssAccessComplexity new value of cvssAccessComplexity
*/
@@ -266,12 +274,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssAccessComplexity = cvssAccessComplexity;
}
/**
- * CVSS Authentication
+ * CVSS Authentication.
*/
- protected String cvssAuthentication;
+ private String cvssAuthentication;
/**
- * Get the value of cvssAuthentication
+ * Get the value of cvssAuthentication.
*
* @return the value of cvssAuthentication
*/
@@ -280,7 +288,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssAuthentication
+ * Set the value of cvssAuthentication.
*
* @param cvssAuthentication new value of cvssAuthentication
*/
@@ -288,12 +296,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssAuthentication = cvssAuthentication;
}
/**
- * CVSS Confidentiality Impact
+ * CVSS Confidentiality Impact.
*/
- protected String cvssConfidentialityImpact;
+ private String cvssConfidentialityImpact;
/**
- * Get the value of cvssConfidentialityImpact
+ * Get the value of cvssConfidentialityImpact.
*
* @return the value of cvssConfidentialityImpact
*/
@@ -302,7 +310,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssConfidentialityImpact
+ * Set the value of cvssConfidentialityImpact.
*
* @param cvssConfidentialityImpact new value of cvssConfidentialityImpact
*/
@@ -310,12 +318,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssConfidentialityImpact = cvssConfidentialityImpact;
}
/**
- * CVSS Integrity Impact
+ * CVSS Integrity Impact.
*/
- protected String cvssIntegrityImpact;
+ private String cvssIntegrityImpact;
/**
- * Get the value of cvssIntegrityImpact
+ * Get the value of cvssIntegrityImpact.
*
* @return the value of cvssIntegrityImpact
*/
@@ -324,7 +332,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssIntegrityImpact
+ * Set the value of cvssIntegrityImpact.
*
* @param cvssIntegrityImpact new value of cvssIntegrityImpact
*/
@@ -332,12 +340,12 @@ public class Vulnerability implements Serializable, Comparable {
this.cvssIntegrityImpact = cvssIntegrityImpact;
}
/**
- * CVSS Availability Impact
+ * CVSS Availability Impact.
*/
- protected String cvssAvailabilityImpact;
+ private String cvssAvailabilityImpact;
/**
- * Get the value of cvssAvailabilityImpact
+ * Get the value of cvssAvailabilityImpact.
*
* @return the value of cvssAvailabilityImpact
*/
@@ -346,7 +354,7 @@ public class Vulnerability implements Serializable, Comparable {
}
/**
- * Set the value of cvssAvailabilityImpact
+ * Set the value of cvssAvailabilityImpact.
*
* @param cvssAvailabilityImpact new value of cvssAvailabilityImpact
*/
@@ -375,11 +383,13 @@ public class Vulnerability implements Serializable, Comparable {
hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
return hash;
}
+
/**
- * Compares two vulnerabilities
+ * Compares two vulnerabilities.
*
* @param v a vulnerability to be compared
- * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
+ * @return a negative integer, zero, or a positive integer as this object is
+ * less than, equal to, or greater than the specified vulnerability
*/
public int compareTo(Vulnerability v) {
return v.getName().compareTo(this.getName());
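Review bot: The rewritten `@return` above states the standard Comparable contract (negative when this object is less than v), but the body `return v.getName().compareTo(this.getName());` returns the opposite sign, so the documentation and the code now disagree. If descending order by name is intended the Javadoc should say so; otherwise the body should read `return this.getName().compareTo(v.getName());`. The method also dereferences both names unconditionally, whereas hashCode a few lines up treats a null name as legal, so a null name throws here; either guard it or document that name must be non-null before instances are compared.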
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java b/src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java
index 19d15a087..e8fb8d2ef 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java
@@ -26,6 +26,9 @@ import java.util.Comparator;
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class VulnerabilityComparator implements Comparator, Serializable {
+ /**
+ * The serial version UID.
+ */
private static final long serialVersionUID = 1L;
/**
diff --git a/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java b/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
index 7f451806d..9e0f446b9 100644
--- a/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -32,10 +32,13 @@ import org.owasp.dependencycheck.data.cpe.Entry;
*/
public class VulnerableSoftware extends Entry implements Serializable {
+ /**
+ * The serial version UID.
+ */
private static final long serialVersionUID = 307319490326651052L;
/**
- * Parse a CPE entry from the cpe string representation
+ * Parse a CPE entry from the cpe string representation.
*
* @param cpe a cpe entry (e.g. cpe:/a:vendor:software:version)
*/
@@ -49,12 +52,12 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
- * If present, indicates that previous version are vulnerable
+ * If present, indicates that previous version are vulnerable.
*/
- protected String previousVersion = null;
+ private String previousVersion;
/**
- * Indicates if previous versions of this software are vulnerable
+ * Indicates if previous versions of this software are vulnerable.
*
* @return if previous versions of this software are vulnerable
*/
@@ -63,7 +66,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
- * Get the value of previousVersion
+ * Get the value of previousVersion.
*
* @return the value of previousVersion
*/
@@ -72,7 +75,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
}
/**
- * Set the value of previousVersion
+ * Set the value of previousVersion.
*
* @param previousVersion new value of previousVersion
*/
@@ -89,7 +92,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
return false;
}
final VulnerableSoftware other = (VulnerableSoftware) obj;
- if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
+ if ((this.getName() == null) ? (other.getName() != null) : !this.getName().equals(other.getName())) {
return false;
}
return true;
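Review bot: The new condition calls `getName()` up to three times on this and twice on other in one expression, which is hard to read; capture them once, `final String name = getName();` and `final String otherName = other.getName();`, and compare the locals. The same repeated-accessor pattern appears in the hashCode hunk just below. equals begins before this hunk, and switching from field access to the accessor means any subclass override of getName() now participates in equality, which is worth a sentence in the Javadoc if that is intended.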
@@ -98,7 +101,7 @@ public class VulnerableSoftware extends Entry implements Serializable {
@Override
public int hashCode() {
int hash = 7;
- hash = 83 * hash + (this.name != null ? this.name.hashCode() : 0);
+ hash = 83 * hash + (this.getName() != null ? this.getName().hashCode() : 0);
return hash;
}
}
diff --git a/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
index 70ada0661..a057bb1c2 100644
--- a/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -51,11 +51,11 @@ public class ReportGenerator {
/**
* The Velocity Engine.
*/
- private VelocityEngine engine = null;
+ private VelocityEngine engine;
/**
* The Velocity Engine Context.
*/
- private Context context = null;
+ private Context context;
/**
* Constructs a new ReportGenerator.
@@ -77,10 +77,11 @@ public class ReportGenerator {
/**
* Creates a new Velocity Engine.
+ *
* @return a velocity engine.
*/
private VelocityEngine createVelocityEngine() {
- VelocityEngine ve = new VelocityEngine();
+ final VelocityEngine ve = new VelocityEngine();
ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
return ve;
@@ -88,12 +89,13 @@ public class ReportGenerator {
/**
* Creates a new Velocity Context initialized with escape and date tools.
+ *
* @return a Velocity Context.
*/
private Context createContext() {
- ToolManager manager = new ToolManager();
- Context c = manager.createContext();
- EasyFactoryConfiguration config = new EasyFactoryConfiguration();
+ final ToolManager manager = new ToolManager();
+ final Context c = manager.createContext();
+ final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
config.addDefaultTools();
config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
manager.configure(config);
@@ -110,7 +112,7 @@ public class ReportGenerator {
* reports.
*/
public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
- if (outputFormat.equalsIgnoreCase("XML")) {
+ if ("XML".equalsIgnoreCase(outputFormat)) {
generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
} else {
generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
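Review bot: With the flipped comparison a null `outputFormat` no longer throws but silently produces the HTML report; that is a reasonable default, but nothing documents it. Suggest extending the `@param outputFormat` Javadoc, which starts above this hunk, with `"XML" (case-insensitive) selects the XML report; any other value, including null, produces the HTML report`. The `throws IOException, Exception` clause also makes IOException redundant, since Exception already covers it; narrowing the declared exception would let callers handle failures precisely.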
@@ -130,7 +132,7 @@ public class ReportGenerator {
public void generateReport(String templateName, String outFileName) throws IOException, Exception {
InputStream input = null;
String templatePath = null;
- File f = new File(templateName);
+ final File f = new File(templateName);
if (f.exists() && f.isFile()) {
try {
templatePath = templateName;
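Review bot: `templateName` is resolved against the filesystem first — when `new File(templateName)` exists it becomes `templatePath`, presumably loaded as the Velocity template — and generateReport is public, so the Javadoc above this hunk should state that the argument is a trusted template name or path rather than a value taken from untrusted input. Something like `@param templateName the name of a bundled template, or the path to a trusted template file on disk; an existing file takes precedence over the bundled resource` makes the precedence and the trust expectation explicit. The remainder of the method, including how `input` is closed, is outside the hunk.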
@@ -146,7 +148,7 @@ public class ReportGenerator {
throw new IOException("Template file doesn't exist");
}
- InputStreamReader reader = new InputStreamReader(input, "UTF-8");
+ final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
OutputStreamWriter writer = null;
OutputStream outputStream = null;
diff --git a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
index 2502bfec6..217c3515a 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/CliParser.java
@@ -40,15 +40,15 @@ public final class CliParser {
/**
* The command line.
*/
- private CommandLine line = null;
+ private CommandLine line;
/**
* The options for the command line parser.
*/
private Options options = createCommandLineOptions();
/**
- * indicates whether the arguments are valid.
+ * Indicates whether the arguments are valid.
*/
- boolean isValid = true;
+ private boolean isValid = true;
/**
* Parses the arguments passed in and captures the results for later use.
@@ -74,8 +74,8 @@ public final class CliParser {
* @throws ParseException if the arguments are invalid
*/
private CommandLine parseArgs(String[] args) throws ParseException {
- CommandLineParser parser = new PosixParser();
- CommandLine ln = parser.parse(options, args);
+ final CommandLineParser parser = new PosixParser();
+ final CommandLine ln = parser.parse(options, args);
return ln;
}
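Review bot: The local `ln` in parseArgs exists only to be returned; `return parser.parse(options, args);` says the same thing in one line and removes a name the reader has to track. Making it final, as the commit does, is fine but does not make the variable useful.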
@@ -84,6 +84,7 @@ public final class CliParser {
*
* @throws FileNotFoundException if there is a file specified by either the
* SCAN or CPE command line arguments that does not exist.
+ * @throws ParseException is thrown if there is an exception parsing the command line.
*/
private void validateArgs() throws FileNotFoundException, ParseException {
if (isRunScan()) {
@@ -93,8 +94,8 @@ public final class CliParser {
throw new ParseException("Scan cannot be run without specifying a directory "
+ "to write the reports to via the 'out' argument.");
} else {
- String p = line.getOptionValue(ArgumentName.OUT, "");
- File f = new File(p);
+ final String p = line.getOptionValue(ArgumentName.OUT, "");
+ final File f = new File(p);
if ("".equals(p) || !(f.exists() && f.isDirectory())) {
//TODO - need a new exception type here, this isn't really a ParseException.
throw new ParseException("A valid directory name must be specified for "
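Review bot: The directory check only confirms that the `out` path exists and is a directory, not that it is writable, so an unwritable report directory is discovered only after the scan when the report is written. Extending the guard to `if ("".equals(p) || !(f.exists() && f.isDirectory() && f.canWrite())) {` fails fast with the same ParseException. validateArgs continues outside this hunk, so I cannot tell whether `isValid` is set to false on this path the way validatePathExists does; the two should behave alike.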
@@ -106,8 +107,8 @@ public final class CliParser {
+ "name via the 'app' argument.");
}
if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
- String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
- if (!(format.equalsIgnoreCase("XML") || format.equalsIgnoreCase("HTML"))) {
+ final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
+ if (!("XML".equalsIgnoreCase(format) || "HTML".equalsIgnoreCase(format))) {
throw new ParseException("Supported output formats are XML and HTML");
}
}
@@ -139,7 +140,7 @@ public final class CliParser {
* not exist.
*/
private void validatePathExists(String path) throws FileNotFoundException {
- File f = new File(path);
+ final File f = new File(path);
if (!f.exists()) {
isValid = false;
throw new FileNotFoundException("Invalid file argument: " + path);
@@ -154,47 +155,47 @@ public final class CliParser {
*/
@SuppressWarnings("static-access")
private Options createCommandLineOptions() {
- Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
+ final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
"print this message.");
- Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
+ final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
"shows additional help regarding properties file.");
- Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
+ final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
"extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
- Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
+ final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
false, "print the version information.");
- Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+ final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
false, "disables the automatic updating of the CPE data.");
- Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
+ final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
.withDescription("the name of the application being scanned.")
.create(ArgumentName.APPNAME_SHORT);
- Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
+ final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
.withDescription("the path to scan - this option can be specified multiple times.")
.create(ArgumentName.SCAN_SHORT);
- Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
+ final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
.withDescription("a property file to load.")
.create(ArgumentName.PROP_SHORT);
- Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
+ final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
.withDescription("the folder to write reports to.")
.create(ArgumentName.OUT_SHORT);
- Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+ final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
.withDescription("the output format to write to.")
.create(ArgumentName.OUTPUT_FORMAT_SHORT);
//TODO add the ability to load a properties file to override the defaults...
- OptionGroup og = new OptionGroup();
+ final OptionGroup og = new OptionGroup();
og.addOption(path);
- Options opts = new Options();
+ final Options opts = new Options();
opts.addOptionGroup(og);
opts.addOption(out);
opts.addOption(outputformat);
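Review bot: The comment `//TODO add the ability to load a properties file to override the defaults...` looks stale: the `props` option defined just above ("a property file to load.") and added to the option set in the next hunk appears to be that ability, so the TODO should be removed or reworded to say what is still missing. The OptionGroup `og` also holds only the single `path` option; a group of one is a no-op, so either the related options belong in it or `path` can be added to `opts` directly. The method's remaining addOption calls are in the following hunk.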
@@ -205,6 +206,7 @@ public final class CliParser {
opts.addOption(deepScan);
opts.addOption(props);
opts.addOption(advancedHelp);
+
return opts;
}
@@ -239,8 +241,8 @@ public final class CliParser {
* Displays the command line help message to the standard output.
*/
public void printHelp() {
- HelpFormatter formatter = new HelpFormatter();
- String nl = System.getProperty("line.separator");
+ final HelpFormatter formatter = new HelpFormatter();
+ final String nl = System.getProperty("line.separator");
String advancedHelp = null;
if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
advancedHelp = nl + nl
@@ -273,11 +275,10 @@ public final class CliParser {
*/
public String[] getScanFiles() {
return line.getOptionValues(ArgumentName.SCAN);
-
}
/**
- * returns the directory to write the reports to specified on the command
+ * Returns the directory to write the reports to specified on the command
* line.
*
* @return the path to the reports directory.
@@ -306,12 +307,12 @@ public final class CliParser {
}
/**
- * Prints the manifest information to standard output:
+ * Prints the manifest information to standard output.
* - Implementation-Title: ${pom.name}
* - Implementation-Version: ${pom.version}
*/
public void printVersionInfo() {
- String version = String.format("%s version %s",
+ final String version = String.format("%s version %s",
Settings.getString("application.name", "DependencyCheck"),
Settings.getString("application.version", "Unknown"));
System.out.println(version);
@@ -341,11 +342,11 @@ public final class CliParser {
public static class ArgumentName {
/**
- * The long CLI argument name specifying the directory/file to scan
+ * The long CLI argument name specifying the directory/file to scan.
*/
public static final String SCAN = "scan";
/**
- * The short CLI argument name specifying the directory/file to scan
+ * The short CLI argument name specifying the directory/file to scan.
*/
public static final String SCAN_SHORT = "s";
/**
diff --git a/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java b/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java
index 7eec6d974..a7322cb6f 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java
@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class DownloadFailedException extends IOException {
+ /**
+ * The serial version UID.
+ */
private static final long serialVersionUID = 1L;
/**
diff --git a/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
index 5568f335f..c159d4332 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
@@ -38,7 +38,7 @@ import java.util.zip.InflaterInputStream;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
-public class Downloader {
+public final class Downloader {
/**
* Private constructor for utility class.
@@ -69,7 +69,7 @@ public class Downloader {
* downloading the file.
*/
public static void fetchFile(URL url, String outputPath, boolean unzip) throws DownloadFailedException {
- File f = new File(outputPath);
+ final File f = new File(outputPath);
fetchFile(url, f, unzip);
}
@@ -111,7 +111,7 @@ public class Downloader {
}
throw new DownloadFailedException("Error downloading file.", ex);
}
- String encoding = conn.getContentEncoding();
+ final String encoding = conn.getContentEncoding();
BufferedOutputStream writer = null;
InputStream reader = null;
@@ -125,7 +125,7 @@ public class Downloader {
}
writer = new BufferedOutputStream(new FileOutputStream(outputPath));
- byte[] buffer = new byte[4096];
+ final byte[] buffer = new byte[4096];
int bytesRead = 0;
while ((bytesRead = reader.read(buffer)) > 0) {
writer.write(buffer, 0, bytesRead);
@@ -201,18 +201,18 @@ public class Downloader {
private static HttpURLConnection getConnection(URL url) throws DownloadFailedException {
HttpURLConnection conn = null;
Proxy proxy = null;
- String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
+ final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_URL);
try {
if (proxyUrl != null) {
- int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
- SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
+ final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
+ final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
proxy = new Proxy(Proxy.Type.HTTP, addr);
conn = (HttpURLConnection) url.openConnection(proxy);
} else {
conn = (HttpURLConnection) url.openConnection();
}
if (Settings.getString(Settings.KEYS.CONNECTION_TIMEOUT) != null) {
- int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT);
+ final int timeout = Settings.getInt(Settings.KEYS.CONNECTION_TIMEOUT);
conn.setConnectTimeout(timeout);
}
} catch (IOException ex) {
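Review bot: getConnection applies `CONNECTION_TIMEOUT` only to `setConnectTimeout`, so a server that accepts the connection and then stalls will block the download indefinitely; pairing it with `conn.setReadTimeout(timeout);` inside the same if block bounds the read side as well. Nothing in the hunk shows what `Settings.getInt` does when `PROXY_URL` is set but `PROXY_PORT` is absent or malformed; if it throws something other than IOException, that error escapes the catch below, which a reader of this method would want documented. The catch block continues outside the hunk.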
diff --git a/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java b/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
index a7049e475..02204fb8c 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java
@@ -27,7 +27,7 @@ import java.io.IOException;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
-public class FileUtils {
+public final class FileUtils {
/**
* Private constructor for a utility class.
@@ -43,7 +43,7 @@ public class FileUtils {
*/
public static String getFileExtension(String fileName) {
String ret = null;
- int pos = fileName.lastIndexOf(".");
+ final int pos = fileName.lastIndexOf(".");
if (pos >= 0) {
ret = fileName.substring(pos + 1, fileName.length()).toLowerCase();
}
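Review bot: `toLowerCase()` without a locale uses the platform default, which folds letters differently in some locales (the Turkish dotless-i case), so an extension comparison can fail on such a machine; `toLowerCase(Locale.ROOT)` makes the result stable and needs a `java.util.Locale` import. The substring call can also drop its redundant end index: `ret = fileName.substring(pos + 1).toLowerCase(Locale.ROOT);`. Since `lastIndexOf(".")` searches the whole string, a path containing a dotted directory and an extension-less file name would yield the wrong answer if callers pass paths rather than bare names; a Javadoc sentence stating which input is expected would settle that.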
diff --git a/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java b/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java
index 0273f54ea..3fb90d5db 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java
@@ -27,6 +27,9 @@ import java.io.IOException;
*/
public class InvalidSettingException extends IOException {
+ /**
+ * The serial version UID.
+ */
private static final long serialVersionUID = 1L;
/**
diff --git a/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java b/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
index 901ba187c..7ee6113d1 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
@@ -22,17 +22,17 @@ import java.io.FilterInputStream;
import java.io.InputStream;
/**
- * NonClosingStream is a stream filter which prevents
- * another class that processes the stream from closing
- * it. This is necessary when dealing with things like
- * JAXB and zipInputStreams.
+ * NonClosingStream is a stream filter which prevents another class that
+ * processes the stream from closing it. This is necessary when dealing with
+ * things like JAXB and zipInputStreams.
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
public class NonClosingStream extends FilterInputStream {
/**
- * Constructs a new NonClosingStream
+ * Constructs a new NonClosingStream.
+ *
* @param in an input stream.
*/
public NonClosingStream(InputStream in) {
diff --git a/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/src/main/java/org/owasp/dependencycheck/utils/Settings.java
index fff7149fc..4854886d7 100644
--- a/src/main/java/org/owasp/dependencycheck/utils/Settings.java
+++ b/src/main/java/org/owasp/dependencycheck/utils/Settings.java
@@ -31,12 +31,12 @@ import java.util.logging.Logger;
*
* @author Jeremy Long (jeremy.long@gmail.com)
*/
-public class Settings {
+public final class Settings {
/**
* The collection of keys used within the properties file.
*/
- public static class KEYS {
+ public static final class KEYS {
/**
* private constructor because this is a "utility" class containing constants
@@ -95,11 +95,11 @@ public class Settings {
*/
public static final String CVE_BASE_URL = "cve.url-";
/**
- * The properties key for the CVE schema version 1.2
+ * The properties key for the CVE schema version 1.2.
*/
public static final String CVE_SCHEMA_1_2 = "1.2.";
/**
- * The properties key for the CVE schema version 2.0
+ * The properties key for the CVE schema version 2.0.
*/
public static final String CVE_SCHEMA_2_0 = "2.0.";
@@ -122,8 +122,17 @@ public class Settings {
*/
public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
}
+ /**
+ * The properties file location.
+ */
private static final String PROPERTIES_FILE = "configuration/dependencycheck.properties";
+ /**
+ * The singleton instance variable.
+ */
private static final Settings INSTANCE = new Settings();
+ /**
+ * The properties.
+ */
private Properties props = null;
/**
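Review bot: `private Properties props = null;` keeps the redundant `= null` initializer that this commit removes elsewhere (the `engine` and `context` fields in ReportGenerator and `line` in CliParser), so this file is now inconsistent with the rest of the change; `private Properties props;` matches. The new Javadoc `The properties.` also adds little; `The configuration properties, loaded from PROPERTIES_FILE by the constructor.` would tell the reader where the value comes from.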
@@ -131,7 +140,7 @@ public class Settings {
* properties files.
*/
private Settings() {
- InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
+ final InputStream in = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
props = new Properties();
try {
props.load(in);
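Review bot: `getResourceAsStream(PROPERTIES_FILE)` returns null when the resource is not on the classpath, and `props.load(in)` then fails with a NullPointerException rather than the IOException the surrounding try appears to handle; a check such as `if (in == null) { throw new IllegalStateException("Missing resource: " + PROPERTIES_FILE); }` before the load, or logging it the same way the catch below treats a load failure, gives a clear message. I cannot see from the hunk whether `in` is closed in a finally block; if it is not, it should be. The constructor's catch and any finally are outside the hunk.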
@@ -176,7 +185,7 @@ public class Settings {
* the properties.
*/
public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
- FileInputStream fis = new FileInputStream(filePath);
+ final FileInputStream fis = new FileInputStream(filePath);
mergeProperties(fis);
}
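Review bot: The FileInputStream opened in mergeProperties(String) is handed to the InputStream overload and never closed here; unless that overload closes its argument (not visible in this hunk), the file handle leaks on every call. Wrapping the call as `try { mergeProperties(fis); } finally { fis.close(); }` keeps the responsibility with the method that opened the stream. The `throws FileNotFoundException, IOException` clause is also redundant, since FileNotFoundException is an IOException.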
@@ -287,4 +296,4 @@ public class Settings {
}
return value;
}
-}
\ No newline at end of file
+}
diff --git a/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java b/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
index a64943a5e..8799920f3 100644
--- a/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
@@ -46,16 +46,16 @@ public class DependencyTest {
String str = "apache";
String str2 = "owasp";
Dependency instance = new Dependency();
- instance.vendorEvidence.addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH);
- instance.vendorEvidence.addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM);
+ instance.getVendorEvidence().addEvidence("manifest", "something", "apache", Evidence.Confidence.HIGH);
+ instance.getVendorEvidence().addEvidence("manifest", "something", "owasp", Evidence.Confidence.MEDIUM);
assertFalse(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2));
- for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.HIGH)) {
+ for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.HIGH)) {
String readValue = i.getValue();
}
assertTrue(instance.containsUsedString(str));
assertFalse(instance.containsUsedString(str2));
- for (Evidence i : instance.vendorEvidence.iterator(Evidence.Confidence.MEDIUM)) {
+ for (Evidence i : instance.getVendorEvidence().iterator(Evidence.Confidence.MEDIUM)) {
String readValue = i.getValue();
}
assertTrue(instance.containsUsedString(str));