merge from upstream

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,7 +18,9 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
     //</editor-fold>
 
+    // Python init files
+    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
+        "__init__.py",
+        "__init__.pyc",
+        "__init__.pyo"
+    });
+
     /**
      * Collects information about the file name.
      *
@@ -97,16 +106,16 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
 
         //add as vendor and product evidence
-//        if (fileName.contains("-")) {
-//            dependency.getProductEvidence().addEvidence("file", "name",
-//                    fileName, Confidence.HIGHEST);
-//            dependency.getVendorEvidence().addEvidence("file", "name",
-//                    fileName, Confidence.HIGHEST);
-//        } else {
+        if (fileName.contains("-")) {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+            dependency.getVendorEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+        } else if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
-//        }
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         if (found) {
             dependency.setDisplayFileName(parentName + "/__init__.py");
             dependency.getProductEvidence().addEvidence(file.getName(),
-                    "PackageName", parentName, Confidence.MEDIUM);
+                    "PackageName", parentName, Confidence.HIGH);
         } else {
             // copy, alter and set in case some other thread is iterating over
             final List<Dependency> dependencies = new ArrayList<Dependency>(

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend
 
 CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
     , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
-    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)
+    , PRIMARY KEY (cveid, cpeEntryId));
 
 CREATE INDEX idxVulnerability ON vulnerability(cve);
 CREATE INDEX idxReference ON reference(cveid);
@@ -53,4 +54,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">
@@ -56,4 +56,4 @@
             </xs:sequence>
         </xs:complexType>
     </xs:element>
-</xs:schema>
+</xs:schema>