From 79b59f2aae524afbc23453a80565d68231bc1304 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 29 Jul 2015 07:00:30 -0400
Subject: [PATCH] checkstyle/pmd/findbugs recommended updates
---
 .../ant/logging/AntLoggerAdapter.java | 43 ++++++++++++-------
 .../ant/logging/AntLoggerFactory.java | 17 +++++++-
 .../org/slf4j/impl/StaticLoggerBinder.java | 21 +++++++--
 .../java/org/owasp/dependencycheck/App.java | 29 +++++-------
 .../org/owasp/dependencycheck/CliParser.java | 2 +-
 .../org/owasp/dependencycheck/Engine.java | 7 ++-
 .../analyzer/ArchiveAnalyzer.java | 9 ++--
 .../analyzer/AssemblyAnalyzer.java | 3 ++
 .../analyzer/CMakeAnalyzer.java | 35 ++++++++-------
 .../analyzer/FalsePositiveAnalyzer.java | 3 ++
 .../dependencycheck/analyzer/JarAnalyzer.java | 14 +++---
 .../analyzer/OpenSSLAnalyzer.java | 29 +++++++------
 .../analyzer/PythonDistributionAnalyzer.java | 8 +++-
 .../dependency/Dependency.java | 3 +-
 .../maven/slf4j/MavenLoggerAdapter.java | 40 +++++++++--------
 .../maven/slf4j/MavenLoggerFactory.java | 17 +++++++-
 .../org/slf4j/impl/StaticLoggerBinder.java | 11 +++--
 .../dependencycheck/utils/Downloader.java | 18 +++++++-
 .../owasp/dependencycheck/utils/Settings.java | 5 +--
 19 files changed, 209 insertions(+), 105 deletions(-)
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
index 137863026..6e7784a4e 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
@@ -30,13 +30,26 @@ import org.slf4j.helpers.MessageFormatter;
 */
 public class AntLoggerAdapter extends MarkerIgnoringBase {
+ /**
+ * A reference to the Ant task used for logging.
+ */
 private Task task;
+ /**
+ * Constructs an Ant Logger Adapter.
+ *
+ * @param task the Ant Task to use for logging
+ */
 public AntLoggerAdapter(Task task) {
 super();
 this.task = task;
 }
+ /**
+ * Sets the current Ant task to use for logging.
+ *
+ * @param task the Ant task to use for logging
+ */
 public void setTask(Task task) {
 this.task = task;
 }
@@ -56,7 +69,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object arg) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg);
+ final FormattingTuple tp = MessageFormatter.format(format, arg);
 task.log(tp.getMessage(), Project.MSG_VERBOSE);
 }
 }
@@ -64,7 +77,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object arg1, Object arg2) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
+ final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
 task.log(tp.getMessage(), Project.MSG_VERBOSE);
 }
 }
@@ -72,7 +85,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object... arguments) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arguments);
+ final FormattingTuple tp = MessageFormatter.format(format, arguments);
 task.log(tp.getMessage(), Project.MSG_VERBOSE);
 }
 }
@@ -99,7 +112,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object arg) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg);
+ final FormattingTuple tp = MessageFormatter.format(format, arg);
 task.log(tp.getMessage(), Project.MSG_DEBUG);
 }
 }
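Review bot: The new Javadoc on the constructor and on setTask never says what happens while task is null, yet every log method in this and the following hunks (trace/debug/info/warn/error) silently discards the message in that state, so a caller who sees nothing logged gets no hint from the docs. Add to setTask's Javadoc a line such as `* While the task is {@code null}, all log calls are discarded.`. Also, because task is a mutable field read twice per call (`if (task != null)` and then `task.log(...)`), a setTask(null) from another thread between the two reads would throw; copying it first, `final Task t = task;`, closes that window, though whether the adapter is ever shared across threads is not visible here. The class body continues outside these hunks.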
@@ -107,7 +120,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object arg1, Object arg2) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
+ final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
 task.log(tp.getMessage(), Project.MSG_DEBUG);
 }
 }
@@ -115,7 +128,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object... arguments) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arguments);
+ final FormattingTuple tp = MessageFormatter.format(format, arguments);
 task.log(tp.getMessage(), Project.MSG_DEBUG);
 }
 }
@@ -142,7 +155,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object arg) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg);
+ final FormattingTuple tp = MessageFormatter.format(format, arg);
 task.log(tp.getMessage(), Project.MSG_INFO);
 }
 }
@@ -150,7 +163,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object arg1, Object arg2) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
+ final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
 task.log(tp.getMessage(), Project.MSG_INFO);
 }
 }
@@ -158,7 +171,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object... arguments) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arguments);
+ final FormattingTuple tp = MessageFormatter.format(format, arguments);
 task.log(tp.getMessage(), Project.MSG_INFO);
 }
 }
@@ -185,7 +198,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void warn(String format, Object arg) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg);
+ final FormattingTuple tp = MessageFormatter.format(format, arg);
 task.log(tp.getMessage(), Project.MSG_WARN);
 }
 }
@@ -193,7 +206,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void warn(String format, Object... arguments) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arguments);
+ final FormattingTuple tp = MessageFormatter.format(format, arguments);
 task.log(tp.getMessage(), Project.MSG_WARN);
 }
 }
@@ -201,7 +214,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void warn(String format, Object arg1, Object arg2) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
+ final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
 task.log(tp.getMessage(), Project.MSG_WARN);
 }
 }
@@ -228,7 +241,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void error(String format, Object arg) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg);
+ final FormattingTuple tp = MessageFormatter.format(format, arg);
 task.log(tp.getMessage(), Project.MSG_ERR);
 }
 }
@@ -236,7 +249,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void error(String format, Object arg1, Object arg2) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
+ final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
 task.log(tp.getMessage(), Project.MSG_ERR);
 }
 }
@@ -244,7 +257,7 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void error(String format, Object... arguments) {
 if (task != null) {
- FormattingTuple tp = MessageFormatter.format(format, arguments);
+ final FormattingTuple tp = MessageFormatter.format(format, arguments);
 task.log(tp.getMessage(), Project.MSG_ERR);
 }
 }
diff --git a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
index 262e38326..f5d10d519 100644
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
@@ -28,13 +28,28 @@ import org.slf4j.Logger;
 */
 public class AntLoggerFactory implements ILoggerFactory {
- private AntLoggerAdapter antLoggerAdapter;
+ /**
+ * A reference to the Ant logger Adapter.
+ */
+ private final AntLoggerAdapter antLoggerAdapter;
+ /**
+ * Constructs a new Ant Logger Factory.
+ *
+ * @param task the Ant task to use for logging
+ */
 public AntLoggerFactory(Task task) {
 super();
 this.antLoggerAdapter = new AntLoggerAdapter(task);
 }
+ /**
+ * Returns the Ant logger adapter.
+ *
+ * @param name ignored in this implementation
+ * @return the Ant logger adapter
+ */
+ @Override
 public Logger getLogger(String name) {
 return antLoggerAdapter;
 }
diff --git a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
index baaeea05a..47e84cc50 100644
--- a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -48,7 +48,7 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
 /**
 * Ant tasks have the log method we actually want to call. So we hang onto the task as a delegate
 */
- private Task task;
+ private Task task = null;
 /**
 * Set the Task which will this is to log through.
@@ -67,22 +67,37 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
 // to avoid constant folding by the compiler, this field must *not* be final
 public static String REQUESTED_API_VERSION = "1.7.12"; // final
- private static final String loggerFactoryClassStr = AntLoggerFactory.class.getName();
+ private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
 /**
 * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
 */
 private ILoggerFactory loggerFactory;
+ /**
+ * Constructs a new static logger binder.
+ */
 private StaticLoggerBinder() {
 loggerFactory = new AntLoggerFactory(task);
 }
+ /**
+ * Returns the logger factory.
+ *
+ * @return the logger factory
+ */
+ @Override
 public ILoggerFactory getLoggerFactory() {
 return loggerFactory;
 }
+ /**
+ * Returns the logger factory class string.
+ *
+ * @return the logger factory class string
+ */
+ @Override
 public String getLoggerFactoryClassStr() {
- return loggerFactoryClassStr;
+ return LOGGER_FACTORY_CLASS;
 }
 }
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
index ddce9547f..ff6dfd27d 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -23,7 +23,6 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.util.ArrayList;
-import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
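Review bot: `private Task task = null;` adds an initializer the JVM already supplies, and PMD's RedundantFieldInitializer rule flags exactly that, so the line is better left as `private Task task;`. The more important point is in the second hunk: the private constructor runs `loggerFactory = new AntLoggerFactory(task);` while task is still null (if, as in the Maven binder further down, the instance is a static singleton, no setter can have run yet), so the adapter built there only ever logs if the setter whose body lies outside this hunk forwards the task into the factory's adapter; a comment on the constructor would make that dependency explicit, e.g. `// task is always null here; setTask must propagate it to the adapter`. While touching the surrounding Javadoc, "smae" could become "same".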
@@ -38,7 +37,6 @@ import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
-import java.util.logging.Level;
 import org.slf4j.impl.StaticLoggerBinder;
 /**
@@ -127,23 +125,10 @@ public class App {
 Engine engine = null;
 try {
 engine = new Engine();
- List antStylePaths = new ArrayList();
- //TODO remove and treating everything as an ant style path to ensure sym links are handled correctly.
-// for (String file : files) {
-// if (file.contains("*") || file.contains("?")) {
-// antStylePaths.add(file);
-// } else {
-// engine.scan(file);
-// }
-// }
+ final List antStylePaths = new ArrayList();
 for (String file : files) {
- File f = new File(file);
-// if (f.exists() && f.isFile()) {
-// engine.scan(f);
-// } else {
- String antPath = ensureCanonicalPath(file);
+ final String antPath = ensureCanonicalPath(file);
 antStylePaths.add(antPath);
- //}
 }
 final Set paths = new HashSet();
@@ -406,10 +391,18 @@ public class App {
 rootLogger.addAppender(fa);
 }
+ /**
+ * Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style
+ * file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first *
+ * or ?).
+ *
+ * @param path the path to canonicalize
+ * @return the canonical path
+ */
 protected String ensureCanonicalPath(String path) {
 String basePath = null;
 String wildCards = null;
- String file = path.replace('\\', '/');
+ final String file = path.replace('\\', '/');
 if (file.contains("*") || file.contains("?")) {
 int pos = getLastFileSeparator(file);
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 504e60f90..4f903eede 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
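Review bot: `final List antStylePaths = new ArrayList();` keeps the raw types of the line it replaces, so `antStylePaths.add(antPath)` and every later read stay unchecked, and `final Set paths = new HashSet();` two lines down has the same problem. Since the loop only ever adds the String returned by ensureCanonicalPath, the declaration can be `final List<String> antStylePaths = new ArrayList<String>();`, and presumably `final Set<String> paths = new HashSet<String>();` for the second one, though its population lies outside the hunk. The new Javadoc on ensureCanonicalPath is welcome; note that the method body continues past the end of the third hunk.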
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -117,7 +117,7 @@ public final class CliParser {
 }
 if (line.hasOption((ARGUMENT.SYM_LINK_DEPTH))) {
 try {
- int i = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH));
+ final int i = Integer.parseInt(line.getOptionValue(ARGUMENT.SYM_LINK_DEPTH));
 if (i < 0) {
 throw new ParseException("Symbolic Link Depth (symLink) must be greater than zero.");
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index 701d77aa1..cdb1a4706 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -37,7 +37,12 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.EnumMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
 /**
 * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index d09ec907b..434e961bc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
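Review bot: The guard `if (i < 0)` right after the changed line accepts a depth of 0 while the exception text says the value "must be greater than zero", so one of the two is wrong. If zero (do not follow symbolic links) is a legitimate setting, the message should read `"Symbolic Link Depth (symLink) must be zero or greater."`; if it is not, the check should be `if (i <= 0) {`. The enclosing parse method continues outside the hunk, so which intent applies is not visible here.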
@@ -108,8 +108,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 /**
 * Detects files with extensions to remove from the engine's collection of dependencies.
 */
- private static final FileFilter REMOVE_FROM_ANALYSIS =
- FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
+ private static final FileFilter REMOVE_FROM_ANALYSIS
+ = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
 static {
 final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -120,6 +120,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 EXTENSIONS.addAll(ZIPPABLES);
 }
+ /**
+ * The file filter used to filter supported files.
+ */
 private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
 @Override
@@ -326,7 +329,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
 } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
 final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
- File f = new File(destination, uncompressedName);
+ final File f = new File(destination, uncompressedName);
 if (engine.accept(f)) {
 decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index fff5e53ae..17a5ddaf7 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -302,6 +302,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 }
 }
+ /**
+ * The File Filter used to filter supported extensions.
+ */
 private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
 SUPPORTED_EXTENSIONS).build();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index 0d6dd7457..eefe01d37 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -38,13 +38,14 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 /**
- *

Used to analyze CMake build files, and collect information that can be used to - * determine the associated CPE.

+ *

+ * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.

*

- *

Note: This analyzer catches straightforward invocations of the project command, plus some other observed - * patterns of version inclusion in real CMake projects. Many projects make use of older versions of CMake and/or - * use custom "homebrew" ways to insert version information. Hopefully as the newer CMake call pattern grows in usage, - * this analyzer allow more CPEs to be identified.

+ *

+ * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version + * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert + * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be + * identified.

 *
 * @author Dale Visser
 */
@@ -77,6 +78,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
 .addFilenames("CMakeLists.txt").build();
+ /**
+ * A reference to SHA1 message digest.
+ */
 private static MessageDigest sha1 = null;
 static {
@@ -91,7 +95,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 * Returns the name of the CMake analyzer.
 *
 * @return the name of the analyzer
- **/
+ *
+ */
 @Override
 public String getName() {
 return "CMake Analyzer";
@@ -131,9 +136,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 * Analyzes python packages and adds evidence to the dependency.
 *
 * @param dependency the dependency being analyzed
- * @param engine the engine being used to perform the scan
- * @throws AnalysisException thrown if there is an unrecoverable error analyzing the
- * dependency
+ * @param engine the engine being used to perform the scan
+ * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
 */
 @Override
 protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -151,7 +155,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 }
 if (StringUtils.isNotBlank(contents)) {
- Matcher m = PROJECT.matcher(contents);
+ final Matcher m = PROJECT.matcher(contents);
 int count = 0;
 while (m.find()) {
 count++;
@@ -170,7 +174,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
 final Dependency orig = dependency;
- Matcher m = SET_VERSION.matcher(contents);
+ final Matcher m = SET_VERSION.matcher(contents);
 int count = 0;
 while (m.find()) {
 count++;
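Review bot: The Javadoc added to `private static MessageDigest sha1 = null;` says only that it is a reference to the digest, but a MessageDigest holds per-computation state and is not thread-safe, and as a static it is shared by every CMakeAnalyzer instance; if analyzers ever run concurrently (not visible from this hunk) interleaved update/digest calls would produce wrong hashes. Either state the constraint, `* Shared SHA-1 digest; MessageDigest is not thread-safe, so access must be serialized or a per-call instance obtained.`, or drop the static and obtain the digest where it is used. The `= null` initializer is also redundant and is what PMD's RedundantFieldInitializer reports. The `@param engine` Javadoc describing "python packages" in the analyzeFileType hunk looks copied from another analyzer and should say CMake files.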
@@ -181,11 +185,12 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 final String version = m.group(2);
 LOGGER.debug("Group 1: " + product);
 LOGGER.debug("Group 2: " + version);
- final String alias_prefix = "ALIASOF_";
- if (product.startsWith(alias_prefix)) {
- product = product.replaceFirst(alias_prefix, "");
+ final String aliasPrefix = "ALIASOF_";
+ if (product.startsWith(aliasPrefix)) {
+ product = product.replaceFirst(aliasPrefix, "");
 }
 if (count > 1) {
+ //TODO - refactor so we do not assign to the parameter (checkstyle)
 dependency = new Dependency(orig.getActualFile());
 dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
 final String filePath = String.format("%s:%s", orig.getFilePath(), product);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
index cec65d229..d518f8490 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -49,6 +49,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 */
 private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
+ /**
+ * The file filter used to find DLL and EXE.
+ */
 private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
 //
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 4c1c80145..9c794aef1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
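Review bot: The new `//TODO - refactor so we do not assign to the parameter (checkstyle)` could be resolved in this commit rather than deferred: `orig` already preserves the original argument, so declaring `Dependency current = dependency;` before the loop, writing `current = new Dependency(orig.getActualFile());` instead of reassigning the parameter, and using `current` for the remaining uses in the loop body (which continues past the hunk) removes the violation without changing behaviour. The two `LOGGER.debug("Group 1: " + product)` lines in the same hunk concatenate eagerly even when debug is off; the SLF4J form `LOGGER.debug("Group 1: {}", product);` defers the formatting.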
@@ -17,7 +17,15 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.Reader;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -134,10 +142,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 * item in some manifest, should be considered medium confidence.
 */
 private static final String BUNDLE_NAME = "Bundle-Name"; //: Struts 2 Core
- /**
- * item in some manifest, should be considered medium confidence.
- */
- private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
 /**
 * A pattern to detect HTML within text.
 */
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
index 2940fed57..13266f691 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -50,7 +50,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
 private static final Pattern VERSION_PATTERN = Pattern.compile(
 "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
- | Pattern.CASE_INSENSITIVE);
+ | Pattern.CASE_INSENSITIVE);
 private static final int MAJOR_OFFSET = 28;
 private static final long MINOR_MASK = 0x0ff00000L;
 private static final int MINOR_OFFSET = 20;
@@ -61,16 +61,20 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 private static final int NUM_LETTERS = 26;
 private static final int STATUS_MASK = 0x0000000f;
+ /**
+ * Returns the open SSL version as a string.
+ *
+ * @param openSSLVersionConstant The open SSL version
+ * @return the version of openssl
+ */
 static String getOpenSSLVersion(long openSSLVersionConstant) {
- long major = openSSLVersionConstant >>> MAJOR_OFFSET;
- long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
- long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
- long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
- String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
- String.valueOf((char) (patchLevel + 'a' - 1));
- int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
- String status = 0xf == statusCode ? "" :
- (0 == statusCode ? "-dev" : "-beta" + statusCode);
+ final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
+ final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
+ final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
+ final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
+ String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
+ final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
+ final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
 return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
 }
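Review bot: `String patch = ...` is the one local in the rewritten body that did not receive `final` while all its siblings did, so the same checkstyle FinalLocalVariable check that motivated this hunk will still report it; make it `final String patch = ...`. The added Javadoc would be more useful if it named what the argument is, since the decoding depends on the bit layout fixed by the masks above (major in the top nibble, then minor, fix, patch letter, and a status nibble at the bottom): `@param openSSLVersionConstant the value of OPENSSL_VERSION_NUMBER as parsed from opensslv.h`. The masks FIX_MASK/PATCH_MASK/FIX_OFFSET/PATCH_OFFSET are declared outside this hunk.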
@@ -118,7 +122,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 * Analyzes python packages and adds evidence to the dependency.
 *
 * @param dependency the dependency being analyzed
- * @param engine the engine being used to perform the scan
+ * @param engine the engine being used to perform the scan
 * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
 */
 @Override
@@ -164,9 +168,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 return contents;
 }
- @Override
 protected String getAnalyzerEnabledSettingKey() {
 return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
 }
-}
\ No newline at end of file
+}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 8d3e2831c..01160323c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -17,6 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FilenameFilter;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.io.input.AutoCloseInputStream;
@@ -32,7 +38,6 @@ import org.slf4j.LoggerFactory;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
-import java.io.*;
 /**
 * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
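Review bot: Removing `@Override` from `getAnalyzerEnabledSettingKey()` in the second hunk goes against the direction of the rest of this commit, which adds the annotation elsewhere, and it gives up the compiler's check that the signature still matches the superclass. If the method still overrides a declaration in AbstractFileTypeAnalyzer (the superclass is not visible here) the line should be restored as `@Override`; if it no longer overrides anything, the method itself is likely unreferenced and that deserves a look. The "Analyzes python packages" summary in the first hunk's Javadoc appears copied from another analyzer and should describe OpenSSL header files.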
@@ -147,6 +152,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 *
 * @return the phase that the analyzer is intended to run in.
 */
+ @Override
 public AnalysisPhase getAnalysisPhase() {
 return ANALYSIS_PHASE;
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
index 67ea1a890..dd2f5bb26 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -31,7 +31,6 @@ import java.util.TreeSet;
 import org.apache.commons.lang.ObjectUtils;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
-import org.owasp.dependencycheck.utils.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -68,7 +67,7 @@ public class Dependency implements Serializable, Comparable {
 * The file name of the dependency.
 */
 private String fileName;
- /**
+ /**
 * The md5 hash of the dependency.
 */
 private String md5sum;
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
index d5aee3047..f1ab7b953 100644
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
+++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerAdapter.java
@@ -28,12 +28,15 @@ import org.slf4j.helpers.MessageFormatter;
 */
 public class MavenLoggerAdapter extends MarkerIgnoringBase {
- private Log log;
+ /**
+ * A reference to the Maven log.
+ */
+ private final Log log;
 /**
 * Creates a new Maven Logger Adapter.
 *
- * @param log the maven log
+ * @param log the Maven log
 */
 public MavenLoggerAdapter(Log log) {
 super();
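Review bot: With `log` now `final` and assigned once in the constructor, the `if (log != null)` branch in every method of the following hunks exists solely to cover a null constructor argument, and the touched `@param log the Maven log` line does not say that null is accepted or what happens then; extend it to `@param log the Maven log; may be {@code null}, in which case messages go to the fallback in the else branches` (the fallback itself lies outside these hunks). If no caller actually passes null, the cleaner fix is `this.log = Objects.requireNonNull(log, "log");` and dropping the checks, but that needs confirmation from the call sites. The constructor body continues past this hunk.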
@@ -41,8 +44,9 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 }
 /**
+ * Returns true if trace is enabled.
 *
- * @return
+ * @return whether or not trace is enabled
 */
 @Override
 public boolean isTraceEnabled() {
@@ -63,7 +67,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object arg) {
- String message = MessageFormatter.format(format, arg).getMessage();
+ final String message = MessageFormatter.format(format, arg).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -73,7 +77,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object arg1, Object arg2) {
- String message = MessageFormatter.format(format, arg1, arg2).getMessage();
+ final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -83,7 +87,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void trace(String format, Object... arguments) {
- String message = MessageFormatter.format(format, arguments).getMessage();
+ final String message = MessageFormatter.format(format, arguments).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -120,7 +124,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object arg) {
- String message = MessageFormatter.format(format, arg).getMessage();
+ final String message = MessageFormatter.format(format, arg).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -130,7 +134,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object arg1, Object arg2) {
- String message = MessageFormatter.format(format, arg1, arg2).getMessage();
+ final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -140,7 +144,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void debug(String format, Object... arguments) {
- String message = MessageFormatter.format(format, arguments).getMessage();
+ final String message = MessageFormatter.format(format, arguments).getMessage();
 if (log != null) {
 log.debug(message);
 } else {
@@ -177,7 +181,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object arg) {
- String message = MessageFormatter.format(format, arg).getMessage();
+ final String message = MessageFormatter.format(format, arg).getMessage();
 if (log != null) {
 log.info(message);
 } else {
@@ -187,7 +191,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object arg1, Object arg2) {
- String message = MessageFormatter.format(format, arg1, arg2).getMessage();
+ final String message = MessageFormatter.format(format, arg1, arg2).getMessage();
 if (log != null) {
 log.info(message);
 } else {
@@ -197,7 +201,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void info(String format, Object... arguments) {
- String message = MessageFormatter.format(format, arguments).getMessage();
+ final String message = MessageFormatter.format(format, arguments).getMessage();
 if (log != null) {
 log.info(message);
 } else {
@@ -234,7 +238,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase {
 @Override
 public void warn(String format, Object arg) {
- String message = MessageFormatter.format(format, arg).getMessage();
+ final String message = MessageFormatter.format(format, arg).getMessage();
 if (log != null) {
 log.warn(message);
 } else {
@@ -244,7 +248,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase { @Override public void warn(String format, Object arg1, Object arg2) { - String message = MessageFormatter.format(format, arg1, arg2).getMessage(); + final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); if (log != null) { log.warn(message); } else { @@ -254,7 +258,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase { @Override public void warn(String format, Object... arguments) { - String message = MessageFormatter.format(format, arguments).getMessage(); + final String message = MessageFormatter.format(format, arguments).getMessage(); if (log != null) { log.warn(message); } else { @@ -291,7 +295,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase { @Override public void error(String format, Object arg) { - String message = MessageFormatter.format(format, arg).getMessage(); + final String message = MessageFormatter.format(format, arg).getMessage(); if (log != null) { log.error(message); } else { @@ -301,7 +305,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase { @Override public void error(String format, Object arg1, Object arg2) { - String message = MessageFormatter.format(format, arg1, arg2).getMessage(); + final String message = MessageFormatter.format(format, arg1, arg2).getMessage(); if (log != null) { log.error(message); } else { @@ -311,7 +315,7 @@ public class MavenLoggerAdapter extends MarkerIgnoringBase { @Override public void error(String format, Object... arguments) { - String message = MessageFormatter.format(format, arguments).getMessage(); + final String message = MessageFormatter.format(format, arguments).getMessage(); if (log != null) { log.error(message); } else { 
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java index 00bd98912..639952939 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/slf4j/MavenLoggerFactory.java @@ -28,13 +28,28 @@ import org.slf4j.Logger; */ public class MavenLoggerFactory implements ILoggerFactory { - private MavenLoggerAdapter mavenLoggerAdapter; + /** + * A reference to the Maven log adapter. + */ + private final MavenLoggerAdapter mavenLoggerAdapter; + /** + * Constructs a new logger factory. + * + * @param log a reference to the Maven log + */ public MavenLoggerFactory(Log log) { super(); this.mavenLoggerAdapter = new MavenLoggerAdapter(log); } + /** + * Returns the Maven Logger Adapter. + * + * @param name ignored in this implementation + * @return the maven logger adapter + */ + @Override public Logger getLogger(String name) { return mavenLoggerAdapter; } diff --git a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java index 41327792a..877d1051c 100644 --- a/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java +++ b/dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java @@ -32,7 +32,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { /** * The unique instance of this class - * */ private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder(); 
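Review bot: The `@param log` Javadoc on the new MavenLoggerFactory constructor should state whether null is accepted; the adapter it builds tests `if (log != null)` in every overload (see the MavenLoggerAdapter hunks above), and StaticLoggerBinder constructs this factory from a static `log` field, so a null Log is a real input here rather than a programming error. Suggested: `* @param log a reference to the Maven log; may be null, in which case the adapter takes its non-Maven else branch`. If null is not meant to be supported, an `Objects.requireNonNull(log, "log")` in the constructor would make that explicit instead, and the adapter's null checks could then go.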
@@ -67,13 +66,19 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { // to avoid constant folding by the compiler, this field must *not* be final public static String REQUESTED_API_VERSION = "1.7.12"; // final - private static final String loggerFactoryClassStr = MavenLoggerFactory.class.getName(); + /** + * The logger factory class string. + */ + private static final String LOGGER_FACTORY_CLASS = MavenLoggerFactory.class.getName(); /** * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the same object */ private ILoggerFactory loggerFactory; + /** + * Constructs the static logger factory. + */ private StaticLoggerBinder() { loggerFactory = new MavenLoggerFactory(log); } @@ -95,6 +100,6 @@ public class StaticLoggerBinder implements LoggerFactoryBinder { */ @Override public String getLoggerFactoryClassStr() { - return loggerFactoryClassStr; + return LOGGER_FACTORY_CLASS; } } diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java index 90859d4f1..45136c6db 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java @@ -17,10 +17,14 @@ */ package org.owasp.dependencycheck.utils; +import java.io.BufferedOutputStream; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import java.io.*; +import java.io.File; +import java.io.FileOutputStream; +import java.io.IOException; +import java.io.InputStream; import java.net.HttpURLConnection; import java.net.URISyntaxException; import java.net.URL; 
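Review bot: The private constructor passes the static `log` field to `new MavenLoggerFactory(log)`, yet SINGLETON is created by a static initializer (hunk above), so the adapter is built with whatever `log` holds at class-initialization time — presumably null unless something assigns it before the class is first touched; the new constructor Javadoc could say so. Suggested: `* Constructs the static logger factory. Runs during class initialization, so {@code log} is typically still unset here; the Maven log must be supplied to the adapter afterwards.` If the adapter has a setter for the log (as the Ant adapter's setTask in this patch does), naming it in the comment would close the loop. How `log` is assigned is outside the hunk, so this is inferred from the visible lines only.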
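Review bot: Replacing `java.io.*` with explicit imports is the right move, but `import java.io.BufferedOutputStream;` was inserted above the org.slf4j imports while the other java.io imports sit below them, so the java.io group is split across the slf4j lines. Moving that line to sit with `import java.io.File;` keeps the groups contiguous and is more likely to satisfy the import-ordering rule this checkstyle pass is targeting.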
@@ -223,7 +227,7 @@ public final class Downloader { } timestamp = lastModifiedFile.lastModified(); } else { - String httpMethod = determineHttpMethod(); + final String httpMethod = determineHttpMethod(); HttpURLConnection conn = null; try { conn = URLConnectionFactory.createHttpURLConnection(url); @@ -278,10 +282,20 @@ public final class Downloader { } } + /** + * Returns the HEAD or GET HTTP method. HEAD is the default. + * + * @return the HTTP method to use + */ private static String determineHttpMethod() { return isQuickQuery() ? HEAD : GET; } + /** + * Determines if the HTTP method GET or HEAD should be used to check the timestamp on external resources. + * + * @return true if configured to use HEAD requests + */ private static boolean isQuickQuery() { boolean quickQuery; diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index a204dd68e..e8da13f70 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -281,7 +281,7 @@ public final class Settings { public static final String VFEED_UPDATE_STATUS = "vfeed.update_status"; /** - * The HTTP request method for query last modified date + * The HTTP request method for query last modified date. */ public static final String DOWNLOADER_QUICK_QUERY_TIMESTAMP = "downloader.quick.query.timestamp"; } @@ -757,8 +757,7 @@ public final class Settings { throws IOException, InvalidSettingException { final String connStr = Settings.getString(connectionStringKey); if (connStr == null) { - final String msg = String.format("Invalid properties file; data.connection_string is missing.", - connectionStringKey); + final String msg = String.format("Invalid properties file; %s is missing.", connectionStringKey); throw new InvalidSettingException(msg); } if (connStr.contains("%s")) {
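Review bot: The corrected format string in the Settings hunk now reports the property key, which is the right choice; a short comment explaining that the value is deliberately not echoed would keep a future edit from "improving" the message with connStr, which may carry credentials in a JDBC-style connection string. Suggested: `// report only the key: connection strings may embed credentials, so the value is never echoed`. The enclosing method continues outside the hunk, including where the `%s` placeholder in connStr is later substituted.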