github-mirrors/DependencyCheck
1
0
Fork 0
mirror of https://github.com/ysoftdevs/DependencyCheck.git synced 2026-01-14 07:43:40 +01:00
Code Issues Packages Projects Releases Wiki Activity

checkstyle/pmd/findbugs recommended updates

Browse Source
This commit is contained in:
Jeremy Long
2015-07-29 07:00:30 -04:00
parent 1eecd13ea7
commit 79b59f2aae
19 changed files with 209 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

43
dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
View File

@@ -30,13 +30,26 @@ import org.slf4j.helpers.MessageFormatter;
*/
public class AntLoggerAdapter extends MarkerIgnoringBase {
/**
* A reference to the Ant task used for logging.
*/
private Task task;
/**
* Constructs an Ant Logger Adapter.
*
* @param task the Ant Task to use for logging
*/
public AntLoggerAdapter(Task task) {
super();
this.task = task;
}
/**
* Sets the current Ant task to use for logging.
*
* @param task the Ant task to use for logging
*/
public void setTask(Task task) {
this.task = task;
}
@@ -56,7 +69,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object arg) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg);
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@@ -64,7 +77,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object arg1, Object arg2) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@@ -72,7 +85,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object... arguments) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arguments);
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_VERBOSE);
}
}
@@ -99,7 +112,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object arg) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg);
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@@ -107,7 +120,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object arg1, Object arg2) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@@ -115,7 +128,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object... arguments) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arguments);
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_DEBUG);
}
}
@@ -142,7 +155,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object arg) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg);
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@@ -150,7 +163,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object arg1, Object arg2) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@@ -158,7 +171,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object... arguments) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arguments);
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_INFO);
}
}
@@ -185,7 +198,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object arg) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg);
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@@ -193,7 +206,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object... arguments) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arguments);
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@@ -201,7 +214,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object arg1, Object arg2) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_WARN);
}
}
@@ -228,7 +241,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object arg) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg);
final FormattingTuple tp = MessageFormatter.format(format, arg);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}
@@ -236,7 +249,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object arg1, Object arg2) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}
@@ -244,7 +257,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object... arguments) {
if (task != null) {
FormattingTuple tp = MessageFormatter.format(format, arguments);
final FormattingTuple tp = MessageFormatter.format(format, arguments);
task.log(tp.getMessage(), Project.MSG_ERR);
}
}

17
dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
View File

@@ -28,13 +28,28 @@ import org.slf4j.Logger;
*/
public class AntLoggerFactory implements ILoggerFactory {
private AntLoggerAdapter antLoggerAdapter;
/**
* A reference to the Ant logger Adapter.
*/
private final AntLoggerAdapter antLoggerAdapter;
/**
* Constructs a new Ant Logger Factory.
*
* @param task the Ant task to use for logging
*/
public AntLoggerFactory(Task task) {
super();
this.antLoggerAdapter = new AntLoggerAdapter(task);
}
/**
* Returns the Ant logger adapter.
*
* @param name ignored in this implementation
* @return the Ant logger adapter
*/
@Override
public Logger getLogger(String name) {
return antLoggerAdapter;
}

21
dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
View File

@@ -48,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
/**
* Ant tasks have the log method we actually want to call. So we hang onto the task as a delegate
*/
private Task task;
private Task task = null;
/**
* Set the Task which will this is to log through.
@@ -67,22 +67,37 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
// to avoid constant folding by the compiler, this field must *not* be final
public static String REQUESTED_API_VERSION = "1.7.12"; // final
private static final String loggerFactoryClassStr = AntLoggerFactory.class.getName();
private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
/**
* The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
*/
private ILoggerFactory loggerFactory;
/**
* Constructs a new static logger binder.
*/
private StaticLoggerBinder() {
loggerFactory = new AntLoggerFactory(task);
}
/**
* Returns the logger factory.
*
* @return the logger factory
*/
@Override
public ILoggerFactory getLoggerFactory() {
return loggerFactory;
}
/**
* Returns the logger factory class string.
*
* @return the logger factory class string
*/
@Override
public String getLoggerFactoryClassStr() {
return loggerFactoryClassStr;
return LOGGER_FACTORY_CLASS;
}
}

29
dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
View File

@@ -23,7 +23,6 @@ import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
@@ -38,7 +37,6 @@ import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import ch.qos.logback.core.FileAppender;
import java.util.logging.Level;
import org.slf4j.impl.StaticLoggerBinder;
/**
@@ -127,23 +125,10 @@ public class App {
Engine engine = null;
try {
engine = new Engine();
List<String> antStylePaths = new ArrayList<String>();
//TODO remove and treating everything as an ant style path to ensure sym links are handled correctly.
// for (String file : files) {
// if (file.contains("*") || file.contains("?")) {
// antStylePaths.add(file);
// } else {
// engine.scan(file);
// }
// }
final List<String> antStylePaths = new ArrayList<String>();
for (String file : files) {
File f = new File(file);
// if (f.exists() && f.isFile()) {
// engine.scan(f);
// } else {
String antPath = ensureCanonicalPath(file);
final String antPath = ensureCanonicalPath(file);
antStylePaths.add(antPath);
//}
}
final Set<File> paths = new HashSet<File>();
@@ -406,10 +391,18 @@ public class App {
rootLogger.addAppender(fa);
}
/**
* Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style
* file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first *
* or ?).
*
* @param path the path to canonicalize
* @return the canonical path
*/
protected String ensureCanonicalPath(String path) {
String basePath = null;
String wildCards = null;
String file = path.replace('\\', '/');
final String file = path.replace('\\', '/');
if (file.contains("*") || file.contains("?")) {
int pos = getLastFileSeparator(file);

2
dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
View File

@@ -117,7 +117,7 @@ public final class CliParser {
}
if (line.hasOption((ARGUMENT.SYM_LINK_DEPTH))) {
try {
int i = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH));
final int i = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH));
if (i < 0) {
throw new ParseException("Symbolic Link Depth (symLink) must be greater than zero.");
}

7
dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
View File

@@ -37,7 +37,12 @@ import org.slf4j.LoggerFactory;
import java.io.File;
import java.io.FileFilter;
import java.util.*;
import java.util.ArrayList;
import java.util.EnumMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Set;
/**
* Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a

9
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
View File

@@ -108,8 +108,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Detects files with extensions to remove from the engine's collection of dependencies.
*/
private static final FileFilter REMOVE_FROM_ANALYSIS =
FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
private static final FileFilter REMOVE_FROM_ANALYSIS
= FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
static {
final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -120,6 +120,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
EXTENSIONS.addAll(ZIPPABLES);
}
/**
* The file filter used to filter supported files.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
@Override
@@ -326,7 +329,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
} else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
File f = new File(destination, uncompressedName);
final File f = new File(destination, uncompressedName);
if (engine.accept(f)) {
decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
View File

@@ -302,6 +302,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
}
}
/**
* The File Filter used to filter supported extensions.
*/
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();

35
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
View File

@@ -38,13 +38,14 @@ import java.util.regex.Matcher;
import java.util.regex.Pattern;
/**
* <p>Used to analyze CMake build files, and collect information that can be used to
* determine the associated CPE.</p>
* <p>
* Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
* <p/>
* <p>Note: This analyzer catches straightforward invocations of the project command, plus some other observed
* patterns of version inclusion in real CMake projects. Many projects make use of older versions of CMake and/or
* use custom "homebrew" ways to insert version information. Hopefully as the newer CMake call pattern grows in usage,
* this analyzer allow more CPEs to be identified.</p>
* <p>
* Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
* inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
* version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
* identified.</p>
*
* @author Dale Visser <dvisser@ida.org>
*/
@@ -77,6 +78,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
.addFilenames("CMakeLists.txt").build();
/**
* A reference to SHA1 message digest.
*/
private static MessageDigest sha1 = null;
static {
@@ -91,7 +95,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
* Returns the name of the CMake analyzer.
*
* @return the name of the analyzer
**/
*
*/
@Override
public String getName() {
return "CMake Analyzer";
@@ -131,9 +136,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
* Analyzes python packages and adds evidence to the dependency.
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
* @throws AnalysisException thrown if there is an unrecoverable error analyzing the
* dependency
* @param engine the engine being used to perform the scan
* @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
*/
@Override
protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -151,7 +155,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
}
if (StringUtils.isNotBlank(contents)) {
Matcher m = PROJECT.matcher(contents);
final Matcher m = PROJECT.matcher(contents);
int count = 0;
while (m.find()) {
count++;
@@ -170,7 +174,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
final Dependency orig = dependency;
Matcher m = SET_VERSION.matcher(contents);
final Matcher m = SET_VERSION.matcher(contents);
int count = 0;
while (m.find()) {
count++;
@@ -181,11 +185,12 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
final String version = m.group(2);
LOGGER.debug("Group 1: " + product);
LOGGER.debug("Group 2: " + version);
final String alias_prefix = "ALIASOF_";
if (product.startsWith(alias_prefix)) {
product = product.replaceFirst(alias_prefix, "");
final String aliasPrefix = "ALIASOF_";
if (product.startsWith(aliasPrefix)) {
product = product.replaceFirst(aliasPrefix, "");
}
if (count > 1) {
//TODO - refactor so we do not assign to the parameter (checkstyle)
dependency = new Dependency(orig.getActualFile());
dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
final String filePath = String.format("%s:%s", orig.getFilePath(), product);

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
View File

@@ -49,6 +49,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
*/
private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
/**
* The file filter used to find DLL and EXE.
*/
private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
//<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">

14
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
View File

@@ -17,7 +17,15 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.*;
import java.io.BufferedOutputStream;
import java.io.File;
import java.io.FileFilter;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.OutputStream;
import java.io.Reader;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Enumeration;
@@ -134,10 +142,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
* item in some manifest, should be considered medium confidence.
*/
private static final String BUNDLE_NAME = "Bundle-Name"; //: Struts 2 Core
/**
* item in some manifest, should be considered medium confidence.
*/
private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
/**
* A pattern to detect HTML within text.
*/

29
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
View File

@@ -50,7 +50,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
private static final Pattern VERSION_PATTERN = Pattern.compile(
"define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
| Pattern.CASE_INSENSITIVE);
| Pattern.CASE_INSENSITIVE);
private static final int MAJOR_OFFSET = 28;
private static final long MINOR_MASK = 0x0ff00000L;
private static final int MINOR_OFFSET = 20;
@@ -61,16 +61,20 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
private static final int NUM_LETTERS = 26;
private static final int STATUS_MASK = 0x0000000f;
/**
* Returns the open SSL version as a string.
*
* @param openSSLVersionConstant The open SSL version
* @return the version of openssl
*/
static String getOpenSSLVersion(long openSSLVersionConstant) {
long major = openSSLVersionConstant >>> MAJOR_OFFSET;
long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
String.valueOf((char) (patchLevel + 'a' - 1));
int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
String status = 0xf == statusCode ? "" :
(0 == statusCode ? "-dev" : "-beta" + statusCode);
final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
}
@@ -118,7 +122,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
* Analyzes python packages and adds evidence to the dependency.
*
* @param dependency the dependency being analyzed
* @param engine the engine being used to perform the scan
* @param engine the engine being used to perform the scan
* @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
*/
@Override
@@ -164,9 +168,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
return contents;
}
@Override
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
}
}
}

8
dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
View File

@@ -17,6 +17,12 @@
*/
package org.owasp.dependencycheck.analyzer;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileFilter;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FilenameFilter;
import org.apache.commons.io.filefilter.NameFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
import org.apache.commons.io.input.AutoCloseInputStream;
@@ -32,7 +38,6 @@ import org.slf4j.LoggerFactory;
import javax.mail.MessagingException;
import javax.mail.internet.InternetHeaders;
import java.io.*;
/**
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
@@ -147,6 +152,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
@Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}

3
dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
View File

@@ -31,7 +31,6 @@ import java.util.TreeSet;
import org.apache.commons.lang.ObjectUtils;
import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.utils.Checksum;
import org.owasp.dependencycheck.utils.FileUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -68,7 +67,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
* The file name of the dependency.
*/
private String fileName;
/**
/**
* The md5 hash of the dependency.
*/
private String md5sum;

40
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
View File

@@ -28,12 +28,15 @@ import org.slf4j.helpers.MessageFormatter;
*/
public class MavenLoggerAdapter extends MarkerIgnoringBase {
private Log log;
/**
* A reference to the Maven log.
*/
private final Log log;
/**
* Creates a new Maven Logger Adapter.
*
* @param log the maven log
* @param log the Maven log
*/
public MavenLoggerAdapter(Log log) {
super();
@@ -41,8 +44,9 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
}
/**
* Returns true if trace is enabled.
*
* @return
* @return whether or not trace is enabled
*/
@Override
public boolean isTraceEnabled() {
@@ -63,7 +67,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object arg) {
String message = MessageFormatter.format(format, arg).getMessage();
final String message = MessageFormatter.format(format, arg).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -73,7 +77,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object arg1, Object arg2) {
String message = MessageFormatter.format(format, arg1, arg2).getMessage();
final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -83,7 +87,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void trace(String format, Object... arguments) {
String message = MessageFormatter.format(format, arguments).getMessage();
final String message = MessageFormatter.format(format, arguments).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -120,7 +124,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object arg) {
String message = MessageFormatter.format(format, arg).getMessage();
final String message = MessageFormatter.format(format, arg).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -130,7 +134,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object arg1, Object arg2) {
String message = MessageFormatter.format(format, arg1, arg2).getMessage();
final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -140,7 +144,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void debug(String format, Object... arguments) {
String message = MessageFormatter.format(format, arguments).getMessage();
final String message = MessageFormatter.format(format, arguments).getMessage();
if (log != null) {
log.debug(message);
} else {
@@ -177,7 +181,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object arg) {
String message = MessageFormatter.format(format, arg).getMessage();
final String message = MessageFormatter.format(format, arg).getMessage();
if (log != null) {
log.info(message);
} else {
@@ -187,7 +191,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object arg1, Object arg2) {
String message = MessageFormatter.format(format, arg1, arg2).getMessage();
final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
if (log != null) {
log.info(message);
} else {
@@ -197,7 +201,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void info(String format, Object... arguments) {
String message = MessageFormatter.format(format, arguments).getMessage();
final String message = MessageFormatter.format(format, arguments).getMessage();
if (log != null) {
log.info(message);
} else {
@@ -234,7 +238,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object arg) {
String message = MessageFormatter.format(format, arg).getMessage();
final String message = MessageFormatter.format(format, arg).getMessage();
if (log != null) {
log.warn(message);
} else {
@@ -244,7 +248,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object arg1, Object arg2) {
String message = MessageFormatter.format(format, arg1, arg2).getMessage();
final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
if (log != null) {
log.warn(message);
} else {
@@ -254,7 +258,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void warn(String format, Object... arguments) {
String message = MessageFormatter.format(format, arguments).getMessage();
final String message = MessageFormatter.format(format, arguments).getMessage();
if (log != null) {
log.warn(message);
} else {
@@ -291,7 +295,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object arg) {
String message = MessageFormatter.format(format, arg).getMessage();
final String message = MessageFormatter.format(format, arg).getMessage();
if (log != null) {
log.error(message);
} else {
@@ -301,7 +305,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object arg1, Object arg2) {
String message = MessageFormatter.format(format, arg1, arg2).getMessage();
final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
if (log != null) {
log.error(message);
} else {
@@ -311,7 +315,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
@Override
public void error(String format, Object... arguments) {
String message = MessageFormatter.format(format, arguments).getMessage();
final String message = MessageFormatter.format(format, arguments).getMessage();
if (log != null) {
log.error(message);
} else {

17
dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java
View File

@@ -28,13 +28,28 @@ import org.slf4j.Logger;
*/
public class MavenLoggerFactory implements ILoggerFactory {
private MavenLoggerAdapter mavenLoggerAdapter;
/**
* A reference to the Maven log adapter.
*/
private final MavenLoggerAdapter mavenLoggerAdapter;
/**
* Constructs a new logger factory.
*
* @param log a reference to the Maven log
*/
public MavenLoggerFactory(Log log) {
super();
this.mavenLoggerAdapter = new MavenLoggerAdapter(log);
}
/**
* Returns the Maven Logger Adapter.
*
* @param name ignored in this implementation
* @return the maven logger adapter
*/
@Override
public Logger getLogger(String name) {
return mavenLoggerAdapter;
}

11
dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
View File

@@ -32,7 +32,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
/**
* The unique instance of this class
*
*/
private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
@@ -67,13 +66,19 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
// to avoid constant folding by the compiler, this field must *not* be final
public static String REQUESTED_API_VERSION = "1.7.12"; // final
private static final String loggerFactoryClassStr = MavenLoggerFactory.class.getName();
/**
* The logger factory class string.
*/
private static final String LOGGER_FACTORY_CLASS = MavenLoggerFactory.class.getName();
/**
* The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object
*/
private ILoggerFactory loggerFactory;
/**
* Constructs the static logger factory.
*/
private StaticLoggerBinder() {
loggerFactory = new MavenLoggerFactory(log);
}
@@ -95,6 +100,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
*/
@Override
public String getLoggerFactoryClassStr() {
return loggerFactoryClassStr;
return LOGGER_FACTORY_CLASS;
}
}

18
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java
View File

@@ -17,10 +17,14 @@
*/
package org.owasp.dependencycheck.utils;
import java.io.BufferedOutputStream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import java.io.*;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.URISyntaxException;
import java.net.URL;
@@ -223,7 +227,7 @@ public final class Downloader {
}
timestamp = lastModifiedFile.lastModified();
} else {
String httpMethod = determineHttpMethod();
final String httpMethod = determineHttpMethod();
HttpURLConnection conn = null;
try {
conn = URLConnectionFactory.createHttpURLConnection(url);
@@ -278,10 +282,20 @@ public final class Downloader {
}
}
/**
* Returns the HEAD or GET HTTP method. HEAD is the default.
*
* @return the HTTP method to use
*/
private static String determineHttpMethod() {
return isQuickQuery() ? HEAD : GET;
}
/**
* Determines if the HTTP method GET or HEAD should be used to check the timestamp on external resources.
*
* @return true if configured to use HEAD requests
*/
private static boolean isQuickQuery() {
boolean quickQuery;

5
dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java
View File

@@ -281,7 +281,7 @@ public final class Settings {
public static final String VFEED_UPDATE_STATUS = "vfeed.update_status";
/**
* The HTTP request method for query last modified date
* The HTTP request method for query last modified date.
*/
public static final String DOWNLOADER_QUICK_QUERY_TIMESTAMP = "downloader.quick.query.timestamp";
}
@@ -757,8 +757,7 @@ public final class Settings {
throws IOException, InvalidSettingException {
final String connStr = Settings.getString(connectionStringKey);
if (connStr == null) {
final String msg = String.format("Invalid properties file; data.connection_string is missing.",
connectionStringKey);
final String msg = String.format("Invalid properties file; %s is missing.", connectionStringKey);
throw new InvalidSettingException(msg);
}
if (connStr.contains("%s")) {