checkstyle/pmd/findbugs recommended updates

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -37,7 +37,12 @@ import org.slf4j.LoggerFactory;
 
 import java.io.File;
 import java.io.FileFilter;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.EnumMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
 
 /**
  * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -108,8 +108,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Detects files with extensions to remove from the engine's collection of dependencies.
      */
-    private static final FileFilter REMOVE_FROM_ANALYSIS =
-            FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
+    private static final FileFilter REMOVE_FROM_ANALYSIS
+            = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz").build(); //TODO add nupkg, apk, sar?
 
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -120,6 +120,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         EXTENSIONS.addAll(ZIPPABLES);
     }
 
+    /**
+     * The file filter used to filter supported files.
+     */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
 
     @Override
@@ -326,7 +329,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                 extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
             } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                 final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
-                File f = new File(destination, uncompressedName);
+                final File f = new File(destination, uncompressedName);
                 if (engine.accept(f)) {
                     decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
                 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -302,6 +302,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
+    /**
+     * The File Filter used to filter supported extensions.
+     */
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
             SUPPORTED_EXTENSIONS).build();
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -38,13 +38,14 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * <p>Used to analyze CMake build files, and collect information that can be used to
- * determine the associated CPE.</p>
+ * <p>
+ * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
  * <p/>
- * <p>Note: This analyzer catches straightforward invocations of the project command, plus some other observed
- * patterns of version inclusion in real CMake projects. Many projects make use of older versions of CMake and/or
- * use custom "homebrew" ways to insert version information. Hopefully as the newer CMake call pattern grows in usage,
- * this analyzer allow more CPEs to be identified.</p>
+ * <p>
+ * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
+ * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
+ * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
+ * identified.</p>
  *
  * @author Dale Visser <dvisser@ida.org>
  */
@@ -77,6 +78,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
             .addFilenames("CMakeLists.txt").build();
 
+    /**
+     * A reference to SHA1 message digest.
+     */
     private static MessageDigest sha1 = null;
 
     static {
@@ -91,7 +95,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      * Returns the name of the CMake analyzer.
      *
      * @return the name of the analyzer
-     **/
+     *
+     */
     @Override
     public String getName() {
         return "CMake Analyzer";
@@ -131,9 +136,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
-     * @param engine     the engine being used to perform the scan
-     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the
-     *                           dependency
+     * @param engine the engine being used to perform the scan
+     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -151,7 +155,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         if (StringUtils.isNotBlank(contents)) {
-            Matcher m = PROJECT.matcher(contents);
+            final Matcher m = PROJECT.matcher(contents);
             int count = 0;
             while (m.find()) {
                 count++;
@@ -170,7 +174,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
     private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
         final Dependency orig = dependency;
-        Matcher m = SET_VERSION.matcher(contents);
+        final Matcher m = SET_VERSION.matcher(contents);
         int count = 0;
         while (m.find()) {
             count++;
@@ -181,11 +185,12 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
             final String version = m.group(2);
             LOGGER.debug("Group 1: " + product);
             LOGGER.debug("Group 2: " + version);
-            final String alias_prefix = "ALIASOF_";
-            if (product.startsWith(alias_prefix)) {
-                product = product.replaceFirst(alias_prefix, "");
+            final String aliasPrefix = "ALIASOF_";
+            if (product.startsWith(aliasPrefix)) {
+                product = product.replaceFirst(aliasPrefix, "");
             }
             if (count > 1) {
+                //TODO - refactor so we do not assign to the parameter (checkstyle)
                 dependency = new Dependency(orig.getActualFile());
                 dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
                 final String filePath = String.format("%s:%s", orig.getFilePath(), product);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -49,6 +49,9 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
 
+    /**
+     * The file filter used to find DLL and EXE.
+     */
     private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
 
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -17,7 +17,15 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.*;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.io.OutputStream;
+import java.io.Reader;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -134,10 +142,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * item in some manifest, should be considered medium confidence.
      */
     private static final String BUNDLE_NAME = "Bundle-Name"; //: Struts 2 Core
-    /**
-     * item in some manifest, should be considered medium confidence.
-     */
-    private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
     /**
      * A pattern to detect HTML within text.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -50,7 +50,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
     private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
     private static final Pattern VERSION_PATTERN = Pattern.compile(
             "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
-                    | Pattern.CASE_INSENSITIVE);
+            | Pattern.CASE_INSENSITIVE);
     private static final int MAJOR_OFFSET = 28;
     private static final long MINOR_MASK = 0x0ff00000L;
     private static final int MINOR_OFFSET = 20;
@@ -61,16 +61,20 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
     private static final int NUM_LETTERS = 26;
     private static final int STATUS_MASK = 0x0000000f;
 
+    /**
+     * Returns the open SSL version as a string.
+     *
+     * @param openSSLVersionConstant The open SSL version
+     * @return the version of openssl
+     */
     static String getOpenSSLVersion(long openSSLVersionConstant) {
-        long major = openSSLVersionConstant >>> MAJOR_OFFSET;
-        long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
-        long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
-        long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
-        String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" :
-                String.valueOf((char) (patchLevel + 'a' - 1));
-        int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
-        String status = 0xf == statusCode ? "" :
-                (0 == statusCode ? "-dev" : "-beta" + statusCode);
+        final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
+        final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
+        final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
+        final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
+        String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
+        final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
+        final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
         return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
     }
 
@@ -118,7 +122,7 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
-     * @param engine     the engine being used to perform the scan
+     * @param engine the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
@@ -164,9 +168,8 @@ public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
         return contents;
     }
 
-
     @Override
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
     }
-}
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -17,6 +17,12 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FilenameFilter;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.io.input.AutoCloseInputStream;
@@ -32,7 +38,6 @@ import org.slf4j.LoggerFactory;
 
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
-import java.io.*;
 
 /**
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
@@ -147,6 +152,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @return the phase that the analyzer is intended to run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -31,7 +31,6 @@ import java.util.TreeSet;
 import org.apache.commons.lang.ObjectUtils;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
-import org.owasp.dependencycheck.utils.FileUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -68,7 +67,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
      * The file name of the dependency.
      */
     private String fileName;
-   /**
+    /**
      * The md5 hash of the dependency.
      */
     private String md5sum;