diff --git a/README.md b/README.md index fab943828..4c4e30f73 100644 --- a/README.md +++ b/README.md @@ -1,3 +1,4 @@ +[![Build Status](https://dependency-check.ci.cloudbees.com/buildStatus/icon?job=dependency-check)](https://dependency-check.ci.cloudbees.com/job/dependency-check/) Dependency-Check ================ diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index 7e7208aef..57ccb527b 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -190,18 +190,10 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-compiler-plugin - - - org.apache.maven.plugins - maven-jar-plugin - org.apache.maven.plugins maven-shade-plugin - 2.3 + 2.4.1 @@ -273,96 +265,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - ${reporting.javadoc-plugin.version} - - false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. - - - - default - - javadoc - - - - - - org.codehaus.mojo - versions-maven-plugin - ${reporting.versions-plugin.version} - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - ${reporting.jxr-plugin.version} - - - org.codehaus.mojo - cobertura-maven-plugin - ${reporting.cobertura-plugin.version} - - - org.apache.maven.plugins - maven-surefire-report-plugin - ${reporting.surefire-report-plugin.version} - - - - report-only - - - - - - org.codehaus.mojo - taglist-maven-plugin - ${reporting.taglist-plugin.version} - - - - - Todo Work - - - todo - ignoreCase - - - FIXME - exact - - - - - - - org.apache.maven.plugins maven-checkstyle-plugin @@ -395,11 +297,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - findbugs-maven-plugin - ${reporting.findbugs-plugin.version} - 
diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index c76f50b72..0a1a7558b 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -124,10 +124,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-compiler-plugin - org.codehaus.mojo appassembler-maven-plugin @@ -178,96 +174,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - ${reporting.javadoc-plugin.version} - - false - Copyright� 2012-15 Jeremy Long. All Rights Reserved. - - - - default - - javadoc - - - - - - org.codehaus.mojo - versions-maven-plugin - ${reporting.versions-plugin.version} - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - ${reporting.jxr-plugin.version} - - - org.codehaus.mojo - cobertura-maven-plugin - ${reporting.cobertura-plugin.version} - - - org.apache.maven.plugins - maven-surefire-report-plugin - ${reporting.surefire-report-plugin.version} - - - - report-only - - - - - - org.codehaus.mojo - taglist-maven-plugin - ${reporting.taglist-plugin.version} - - - - - Todo Work - - - todo - ignoreCase - - - FIXME - exact - - - - - - - org.apache.maven.plugins maven-checkstyle-plugin @@ -300,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - findbugs-maven-plugin - ${reporting.findbugs-plugin.version} - diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index e810342bd..a470a88aa 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java 
@@ -423,7 +423,7 @@ public class App {
 }
 /**
- * Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style
+ * Takes a path and resolves it to be a canonical & absolute path. The caveats are that this method will take an Ant style
 * file selector path (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at least to the left of the first
 * * or ?).
 *
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index 07adadf28..dc4415b41 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -23,13 +23,12 @@ import java.util.logging.Level;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.DefaultParser;
 import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
-import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.OptionGroup;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
-import org.apache.commons.cli.PosixParser;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -79,7 +78,7 @@ public final class CliParser {
 * @throws ParseException if the arguments are invalid
 */
 private CommandLine parseArgs(String[] args) throws ParseException {
- final CommandLineParser parser = new PosixParser();
+ final CommandLineParser parser = new DefaultParser();
 final Options options = createCommandLineOptions();
 return parser.parse(options, args);
 }
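Review bot: Replacing `new PosixParser()` with `new DefaultParser()` in parseArgs is not a pure API migration: DefaultParser merges the Posix and GNU behaviours (for example long options introduced by a single dash and, as far as I recall, partial matching of long option names), so some command lines that PosixParser rejected may now be accepted and a few ambiguous ones may resolve differently. It would be worth a one-line javadoc note on parseArgs, e.g. `* Note: DefaultParser accepts both POSIX-style bundled short options and GNU-style long options, unlike the PosixParser used previously.`, plus a test pinning the forms the project documents. createCommandLineOptions, which parseArgs calls, is outside this hunk.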
@@ -209,8 +208,8 @@ public final class CliParser {
 final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false, "Print this message.");
- final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
- .withDescription("Print the advanced help message.").create();
+ final Option advancedHelp = Option.builder().longOpt(ARGUMENT.ADVANCED_HELP)
+ .desc("Print the advanced help message.").build();
 final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION, false, "Print the version information.");
@@ -218,44 +217,44 @@ public final class CliParser { final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE, false, "Disables the automatic updating of the CPE data."); - final Option projectName = OptionBuilder.hasArg().withArgName("name").withLongOpt(ARGUMENT.PROJECT) - .withDescription("The name of the project being scanned. This is a required argument.") - .create(); + final Option projectName = Option.builder().hasArg().argName("name").longOpt(ARGUMENT.PROJECT) + .desc("The name of the project being scanned. This is a required argument.") + .build(); - final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN) - .withDescription("The path to scan - this option can be specified multiple times. Ant style" + final Option path = Option.builder(ARGUMENT.SCAN_SHORT).argName("path").hasArg().longOpt(ARGUMENT.SCAN) + .desc("The path to scan - this option can be specified multiple times. Ant style" + " paths are supported (e.g. path/**/*.jar).") - .create(ARGUMENT.SCAN_SHORT); + .build(); - final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE) - .withDescription("Specify and exclusion pattern. This option can be specified multiple times" + final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE) + .desc("Specify and exclusion pattern. This option can be specified multiple times" + " and it accepts Ant style excludsions.") - .create("p"); + .build(); - final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP) - .withDescription("A property file to load.") - .create(ARGUMENT.PROP_SHORT); + final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP) + .desc("A property file to load.") + .build(); - final Option out = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.OUT) - .withDescription("The folder to write reports to. 
This defaults to the current directory. " + final Option out = Option.builder(ARGUMENT.OUT_SHORT).argName("path").hasArg().longOpt(ARGUMENT.OUT) + .desc("The folder to write reports to. This defaults to the current directory. " + "It is possible to set this to a specific file name if the format argument is not set to ALL.") - .create(ARGUMENT.OUT_SHORT); + .build(); - final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT) - .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.") - .create(ARGUMENT.OUTPUT_FORMAT_SHORT); + final Option outputFormat = Option.builder(ARGUMENT.OUTPUT_FORMAT_SHORT).argName("format").hasArg().longOpt(ARGUMENT.OUTPUT_FORMAT) + .desc("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.") + .build(); - final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG) - .withDescription("The file path to write verbose logging information.") - .create(ARGUMENT.VERBOSE_LOG_SHORT); + final Option verboseLog = Option.builder(ARGUMENT.VERBOSE_LOG_SHORT).argName("file").hasArg().longOpt(ARGUMENT.VERBOSE_LOG) + .desc("The file path to write verbose logging information.") + .build(); - final Option symLinkDepth = OptionBuilder.withArgName("depth").hasArg().withLongOpt(ARGUMENT.SYM_LINK_DEPTH) - .withDescription("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.") - .create(); + final Option symLinkDepth = Option.builder().argName("depth").hasArg().longOpt(ARGUMENT.SYM_LINK_DEPTH) + .desc("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.") + .build(); - final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE) - .withDescription("The file path to the suppression XML file.") - .create(); + final Option suppressionFile = 
Option.builder().argName("file").hasArg().longOpt(ARGUMENT.SUPPRESSION_FILE) + .desc("The file path to the suppression XML file.") + .build(); //This is an option group because it can be specified more then once. final OptionGroup og = new OptionGroup(); 
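Review bot: The `excludes` option silently loses its short name in this hunk: the old code built it with `.create("p")`, while the new `Option.builder()` call carries no short option, so `-p <pattern>` will no longer be recognized although `--exclude` keeps working. If dropping `-p` is intended it should be stated in the usage text and release notes; otherwise the line should read `final Option excludes = Option.builder("p").argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)`. The rewrite also copies two typos into the user-visible description; suggest `.desc("Specify an exclusion pattern. This option can be specified multiple times and it accepts Ant style exclusions.")`. The enclosing method begins before this hunk.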
@@ -289,119 +288,119 @@ public final class CliParser { @SuppressWarnings("static-access") private void addAdvancedOptions(final Options options) throws IllegalArgumentException { - final Option cve12Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_12) - .withDescription("Base URL for each year’s CVE 1.2, the %d will be replaced with the year. ") - .create(); + final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12) + .desc("Base URL for each year’s CVE 1.2, the %d will be replaced with the year. ") + .build(); - final Option cve20Base = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_BASE_20) - .withDescription("Base URL for each year’s CVE 2.0, the %d will be replaced with the year.") - .create(); + final Option cve20Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_20) + .desc("Base URL for each year’s CVE 2.0, the %d will be replaced with the year.") + .build(); - final Option cve12Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_12) - .withDescription("URL for the modified CVE 1.2.") - .create(); + final Option cve12Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_12) + .desc("URL for the modified CVE 1.2.") + .build(); - final Option cve20Modified = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.CVE_MOD_20) - .withDescription("URL for the modified CVE 2.0.") - .create(); + final Option cve20Modified = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_MOD_20) + .desc("URL for the modified CVE 2.0.") + .build(); - final Option updateOnly = OptionBuilder.withLongOpt(ARGUMENT.UPDATE_ONLY) - .withDescription("Only update the local NVD data cache; no scan will be executed.").create(); + final Option updateOnly = Option.builder().longOpt(ARGUMENT.UPDATE_ONLY) + .desc("Only update the local NVD data cache; no scan will be executed.").build(); - final Option data = 
OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY) - .withDescription("The location of the H2 Database file. This option should generally not be set.") - .create(ARGUMENT.DATA_DIRECTORY_SHORT); + final Option data = Option.builder(ARGUMENT.DATA_DIRECTORY_SHORT).argName("path").hasArg().longOpt(ARGUMENT.DATA_DIRECTORY) + .desc("The location of the H2 Database file. This option should generally not be set.") + .build(); - final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL) - .withDescription("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). " - + "If not set the Nexus Analyzer will be disabled.").create(); + final Option nexusUrl = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.NEXUS_URL) + .desc("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). " + + "If not set the Nexus Analyzer will be disabled.").build(); - final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY) - .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.") - .create(); + final Option nexusUsesProxy = Option.builder().argName("true/false").hasArg().longOpt(ARGUMENT.NEXUS_USES_PROXY) + .desc("Whether or not the configured proxy should be used when connecting to Nexus.") + .build(); - final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg() - .withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS) - .withDescription("A comma separated list of additional extensions to be scanned as ZIP files " - + "(ZIP, EAR, WAR are already treated as zip files)").create(); + final Option additionalZipExtensions = Option.builder().argName("extensions").hasArg() + .longOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS) + .desc("A comma separated list of additional extensions to be scanned as ZIP files " + + "(ZIP, EAR, WAR are already treated as zip 
files)").build(); - final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO) - .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.") - .create(); + final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO) + .desc("The path to Mono for .NET Assembly analysis on non-windows systems.") + .build(); - final Option pathToBundleAudit = OptionBuilder.withArgName("path").hasArg() - .withLongOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT) - .withDescription("The path to bundle-audit for Gem bundle analysis.").create(); + final Option pathToBundleAudit = Option.builder().argName("path").hasArg() + .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT) + .desc("The path to bundle-audit for Gem bundle analysis.").build(); - final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT) - .withDescription("The connection timeout (in milliseconds) to use when downloading resources.") - .create(ARGUMENT.CONNECTION_TIMEOUT_SHORT); + final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg().longOpt(ARGUMENT.CONNECTION_TIMEOUT) + .desc("The connection timeout (in milliseconds) to use when downloading resources.") + .build(); - final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER) - .withDescription("The proxy server to use when downloading resources.").create(); + final Option proxyServer = Option.builder().argName("server").hasArg().longOpt(ARGUMENT.PROXY_SERVER) + .desc("The proxy server to use when downloading resources.").build(); - final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT) - .withDescription("The proxy port to use when downloading resources.").create(); + final Option proxyPort = Option.builder().argName("port").hasArg().longOpt(ARGUMENT.PROXY_PORT) + .desc("The proxy 
port to use when downloading resources.").build(); - final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME) - .withDescription("The proxy username to use when downloading resources.").create(); + final Option proxyUsername = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.PROXY_USERNAME) + .desc("The proxy username to use when downloading resources.").build(); - final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD) - .withDescription("The proxy password to use when downloading resources.").create(); + final Option proxyPassword = Option.builder().argName("pass").hasArg().longOpt(ARGUMENT.PROXY_PASSWORD) + .desc("The proxy password to use when downloading resources.").build(); - final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING) - .withDescription("The connection string to the database.").create(); + final Option connectionString = Option.builder().argName("connStr").hasArg().longOpt(ARGUMENT.CONNECTION_STRING) + .desc("The connection string to the database.").build(); - final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME) - .withDescription("The username used to connect to the database.").create(); + final Option dbUser = Option.builder().argName("user").hasArg().longOpt(ARGUMENT.DB_NAME) + .desc("The username used to connect to the database.").build(); - final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD) - .withDescription("The password for connecting to the database.").create(); + final Option dbPassword = Option.builder().argName("password").hasArg().longOpt(ARGUMENT.DB_PASSWORD) + .desc("The password for connecting to the database.").build(); - final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER) - .withDescription("The database 
driver name.").create(); + final Option dbDriver = Option.builder().argName("driver").hasArg().longOpt(ARGUMENT.DB_DRIVER) + .desc("The database driver name.").build(); - final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH) - .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.") - .create(); + final Option dbDriverPath = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.DB_DRIVER_PATH) + .desc("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.") + .build(); - final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR) - .withDescription("Disable the Jar Analyzer.").create(); + final Option disableJarAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_JAR) + .desc("Disable the Jar Analyzer.").build(); - final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE) - .withDescription("Disable the Archive Analyzer.").create(); + final Option disableArchiveAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ARCHIVE) + .desc("Disable the Archive Analyzer.").build(); - final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC) - .withDescription("Disable the Nuspec Analyzer.").create(); + final Option disableNuspecAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NUSPEC) + .desc("Disable the Nuspec Analyzer.").build(); - final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY) - .withDescription("Disable the .NET Assembly Analyzer.").create(); + final Option disableAssemblyAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_ASSEMBLY) + .desc("Disable the .NET Assembly Analyzer.").build(); - final Option disablePythonDistributionAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_DIST) - .withDescription("Disable the Python Distribution 
Analyzer.").create(); + final Option disablePythonDistributionAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_DIST) + .desc("Disable the Python Distribution Analyzer.").build(); - final Option disablePythonPackageAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_PKG) - .withDescription("Disable the Python Package Analyzer.").create(); + final Option disablePythonPackageAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_PY_PKG) + .desc("Disable the Python Package Analyzer.").build(); - final Option disableAutoconfAnalyzer = OptionBuilder - .withLongOpt(ARGUMENT.DISABLE_AUTOCONF) - .withDescription("Disable the Autoconf Analyzer.").create(); + final Option disableAutoconfAnalyzer = Option.builder() + .longOpt(ARGUMENT.DISABLE_AUTOCONF) + .desc("Disable the Autoconf Analyzer.").build(); - final Option disableOpenSSLAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_OPENSSL) - .withDescription("Disable the OpenSSL Analyzer.").create(); - final Option disableCmakeAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CMAKE). - withDescription("Disable the Cmake Analyzer.").create(); + final Option disableOpenSSLAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_OPENSSL) + .desc("Disable the OpenSSL Analyzer.").build(); + final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE) + .desc("Disable the Cmake Analyzer.").build(); - final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL) - .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable " - + "the Nexus Analyzer.").create(); + final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL) + .desc("Disable the Central Analyzer. 
If this analyzer is disabled it is likely you also want to disable " + + "the Nexus Analyzer.").build(); - final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS) - .withDescription("Disable the Nexus Analyzer.").create(); + final Option disableNexusAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_NEXUS) + .desc("Disable the Nexus Analyzer.").build(); - final Option purge = OptionBuilder.withLongOpt(ARGUMENT.PURGE_NVD) - .withDescription("Purges the local NVD data cache") - .create(); + final Option purge = Option.builder().longOpt(ARGUMENT.PURGE_NVD) + .desc("Purges the local NVD data cache") + .build(); options.addOption(updateOnly) .addOption(cve12Base) 
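Review bot: The `@SuppressWarnings("static-access")` on addAdvancedOptions (the context line at the top of this hunk) is now stale, since the only reason for it was the static-chained OptionBuilder that this hunk removes; the same applies to the `"static-access"` entry in `@SuppressWarnings({"static-access", "deprecation"})` on addDeprecatedOptions in the later hunk, where `"deprecation"` may still be needed for the deprecated ARGUMENT constants. Leaving unused suppressions in place hides the warning if a static-access pattern creeps back in. Separately, the `proxyPassword` and `dbPassword` descriptions rewritten here could point users at the properties file as the preferred place for secrets, e.g. `.desc("The proxy password to use when downloading resources. Prefer setting this in the properties file; command-line arguments are visible to other local users.")`, since a value on the command line shows up in process listings.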
@@ -422,20 +421,21 @@ public final class CliParser {
 .addOption(disableJarAnalyzer)
 .addOption(disableArchiveAnalyzer)
 .addOption(disableAssemblyAnalyzer)
- .addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
- .withDescription("Disable the Ruby Bundler Audit Analyzer.").create())
+ .addOption(pathToBundleAudit)
 .addOption(disablePythonDistributionAnalyzer)
 .addOption(disableCmakeAnalyzer)
 .addOption(disablePythonPackageAnalyzer)
- .addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_RUBYGEMS)
- .withDescription("Disable the Ruby Gemspec Analyzer.").create())
+ .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
+ .desc("Disable the Ruby Gemspec Analyzer.").build())
+ .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
+ .desc("Disable the Ruby Bundler-Audit Analyzer.").build())
 .addOption(disableAutoconfAnalyzer)
 .addOption(disableOpenSSLAnalyzer)
 .addOption(disableNuspecAnalyzer)
 .addOption(disableCentralAnalyzer)
 .addOption(disableNexusAnalyzer)
- .addOption(OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NODE_JS)
- .withDescription("Disable the Node.js Package Analyzer.").create())
+ .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
+ .desc("Disable the Node.js Package Analyzer.").build())
 .addOption(nexusUrl)
 .addOption(nexusUsesProxy)
 .addOption(additionalZipExtensions)
@@ -454,12 +454,12 @@ public final class CliParser { @SuppressWarnings({"static-access", "deprecation"}) private void addDeprecatedOptions(final Options options) throws IllegalArgumentException { - final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL) - .withDescription("The proxy url argument is deprecated, use proxyserver instead.") - .create(); - final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME) - .withDescription("The name of the project being scanned.") - .create(ARGUMENT.APP_NAME_SHORT); + final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL) + .desc("The proxy url argument is deprecated, use proxyserver instead.") + .build(); + final Option appName = Option.builder(ARGUMENT.APP_NAME_SHORT).argName("name").hasArg().longOpt(ARGUMENT.APP_NAME) + .desc("The name of the project being scanned.") + .build(); options.addOption(proxyServer); options.addOption(appName); diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index f77e3b9b4..4bdfc39a2 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -110,13 +110,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.apache.maven.plugins maven-jar-plugin - - jar - package - - jar - - test-jar package 
@@ -228,70 +221,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - - - org.apache.maven.plugins - maven-javadoc-plugin - ${reporting.javadoc-plugin.version} - - false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. - - - - default - - javadoc - - - - - - org.codehaus.mojo - versions-maven-plugin - ${reporting.versions-plugin.version} - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - ${reporting.jxr-plugin.version} - - - org.codehaus.mojo - cobertura-maven-plugin - ${reporting.cobertura-plugin.version} - org.apache.maven.plugins maven-surefire-report-plugin - ${reporting.surefire-report-plugin.version} - - - report-only - - integration-tests @@ -301,30 +234,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - taglist-maven-plugin - ${reporting.taglist-plugin.version} - - - - - Todo Work - - - todo - ignoreCase - - - FIXME - exact - - - - - - - org.apache.maven.plugins maven-checkstyle-plugin @@ -357,11 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - findbugs-maven-plugin - ${reporting.findbugs-plugin.version} - @@ -376,22 +280,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. slf4j-api - - ch.qos.logback - logback-core - test - ch.qos.logback logback-classic test - - - org.slf4j - slf4j-ext - compile - org.owasp dependency-check-utils @@ -416,8 +309,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. commons-io - commons-lang - commons-lang + org.apache.commons + commons-lang3 org.apache.lucene @@ -438,6 +331,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. com.h2database h2 + runtime org.glassfish @@ -446,7 +340,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. org.jsoup jsoup - jar com.sun.mail 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index cdb1a4706..b6e170a7d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -352,6 +352,7 @@ public class Engine implements FileFilter {
 LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
 LOGGER.info("Analysis Starting");
+ final long analysisStart = System.currentTimeMillis();
 // analysis phases
 for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -365,8 +366,7 @@ public class Engine implements FileFilter {
 * This is okay for adds/deletes because it happens per analyzer. */
 LOGGER.debug("Begin Analyzer '{}'", a.getName());
- final Set dependencySet = new HashSet();
- dependencySet.addAll(dependencies);
+ final Set dependencySet = new HashSet(dependencies);
 for (Dependency d : dependencySet) {
 boolean shouldAnalyze = true;
 if (a instanceof FileTypeAnalyzer) {
@@ -398,7 +398,7 @@ public class Engine implements FileFilter {
 }
 LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
- LOGGER.info("Analysis Complete");
+ LOGGER.info("Analysis Complete ({} ms)", System.currentTimeMillis() - analysisStart);
 }
 /**
@@ -442,6 +442,7 @@ public class Engine implements FileFilter {
 */
 public void doUpdates() {
 LOGGER.info("Checking for updates");
+ final long updateStart = System.currentTimeMillis();
 final UpdateService service = new UpdateService(serviceClassLoader);
 final Iterator iterator = service.getDataSources();
 while (iterator.hasNext()) {
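Review bot: The new elapsed-time measurement uses `System.currentTimeMillis()`, which is wall-clock time and can jump backwards or forwards when the system clock is adjusted (NTP, manual changes), so the logged duration can be wrong or negative on a long analysis; `System.nanoTime()` is the monotonic source meant for intervals. The start line would become `final long analysisStart = System.nanoTime();` and the log call `LOGGER.info("Analysis Complete ({} ms)", (System.nanoTime() - analysisStart) / 1000000L);`. The same change applies to `updateStart` in the doUpdates hunk that begins here and ends in the next hunk. The analysis method itself starts before this hunk.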
@@ -454,7 +455,7 @@ public class Engine implements FileFilter {
 LOGGER.debug("Unable to update details for {}", source.getClass().getName(), ex);
 }
 }
- LOGGER.info("Check for updates complete");
+ LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
 }
 /**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index f43e09240..27777440b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -89,16 +89,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 */
 private static final Set ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
 /**
- * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
- to be explicitly handled in {@link #extractFiles(File, File, Engine)}.
+ * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
+ explicitly handled in {@link #extractFiles(File, File, Engine)}.
 */
 private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
 /**
 * Detects files with extensions to remove from the engine's collection of dependencies.
 */
- private static final FileFilter REMOVE_FROM_ANALYSIS =
- FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
+ private static final FileFilter REMOVE_FROM_ANALYSIS
+ = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
 static {
 final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
@@ -184,7 +184,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { if (tempFileLocation != null && tempFileLocation.exists()) { LOGGER.debug("Attempting to delete temporary files"); final boolean success = FileUtils.delete(tempFileLocation); - if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) { + if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) { LOGGER.warn("Failed to delete some temporary files, see the log for more details"); } } @@ -195,7 +195,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * and added to the list of dependencies within the engine. * * @param dependency the dependency to analyze - * @param engine the engine scanning + * @param engine the engine scanning * @throws AnalysisException thrown if there is an analysis exception */ @Override @@ -239,7 +239,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { final File tdir = getNextTempDirectory(); final String fileName = dependency.getFileName(); - LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName)); + LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName); final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar"); try { 
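Review bot: The cleaned-up condition `if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0)` still dereferences `File.list()` without a null check; `list()` returns null when the path exists but is not a directory or when the listing fails with an I/O error, and `exists()` does not rule either out, so the warning path can throw a NullPointerException out of the cleanup code instead of logging. Capture the result first: `final String[] remaining = tempFileLocation.list();` and then `if (!success && remaining != null && remaining.length > 0) {`. The enclosing cleanup method begins before this hunk.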
@@ -271,15 +271,14 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * @return any dependencies that weren't known to the engine before */ private static Set findMoreDependencies(Engine engine, File file) { - List before = new ArrayList(engine.getDependencies()); + final List before = new ArrayList(engine.getDependencies()); engine.scan(file); - List after = engine.getDependencies(); + final List after = engine.getDependencies(); final boolean sizeChanged = before.size() != after.size(); final Set newDependencies; if (sizeChanged) { //get the new dependencies - newDependencies = new HashSet(); - newDependencies.addAll(after); + newDependencies = new HashSet(after); newDependencies.removeAll(before); } else { newDependencies = EMPTY_DEPENDENCY_SET; @@ -287,7 +286,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { return newDependencies; } - /** * Retrieves the next temporary directory to extract an archive too. * @@ -311,9 +309,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { /** * Extracts the contents of an archive into the specified directory. * - * @param archive an archive file such as a WAR or EAR + * @param archive an archive file such as a WAR or EAR * @param destination a directory to extract the contents to - * @param engine the scanning engine + * @param engine the scanning engine * @throws AnalysisException thrown if the archive is not found */ private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException { 
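Review bot: `findMoreDependencies` still decides whether any dependencies were added purely from `before.size() != after.size()`, so if `engine.scan(file)` both adds and removes entries in the same pass (count unchanged) the new dependencies are silently lost and `EMPTY_DEPENDENCY_SET` is returned; whether scan can shrink the list is not visible from this hunk, so this may be a safe assumption today. Computing the difference unconditionally with `final Set newDependencies = new HashSet(after); newDependencies.removeAll(before);` removes the assumption at the cost of one set build per archive. The `removeAll` also relies on Dependency's equals/hashCode being defined, which is worth a short comment on the method.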
@@ -359,9 +357,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { /** * Extracts files from an archive. * - * @param input the archive to extract files from + * @param input the archive to extract files from * @param destination the location to write the files too - * @param engine the dependency-check engine + * @param engine the dependency-check engine * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive */ private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException { @@ -423,7 +421,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * Decompresses a file. * * @param inputStream the compressed file - * @param outputFile the location to write the decompressed file + * @param outputFile the location to write the decompressed file * @throws ArchiveExtractionException thrown if there is an exception decompressing the file */ private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException { @@ -452,7 +450,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer { * * @param closeable to be closed */ - private static void close(Closeable closeable){ + private static void close(Closeable closeable) { if (null != closeable) { try { closeable.close(); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java index 26e795ee4..dc60c485b 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java 
@@ -17,8 +17,6 @@ */ package org.owasp.dependencycheck.analyzer; -import ch.qos.cal10n.IMessageConveyor; -import ch.qos.cal10n.MessageConveyor; import java.io.BufferedReader; import java.io.File; import java.io.FileFilter; @@ -45,7 +43,6 @@ import javax.xml.xpath.XPathExpressionException; import javax.xml.xpath.XPathFactory; import java.util.ArrayList; import java.util.List; -import java.util.Locale; /** * Analyzer for getting company, product, and version information from a .NET assembly. @@ -75,10 +72,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer { * The DocumentBuilder for parsing the XML */ private DocumentBuilder builder; - /** - * Message Conveyer - */ - private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault()); /** * Logger */ diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index eefe01d37..6c483137c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -18,7 +18,7 @@ package org.owasp.dependencycheck.analyzer; import org.apache.commons.io.FileUtils; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; @@ -167,7 +167,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { dependency.getProductEvidence().addEvidence(name, "Project", group, Confidence.HIGH); } - LOGGER.debug(String.format("Found %d matches.", count)); + LOGGER.debug("Found {} matches.", count); analyzeSetVersionCommand(dependency, engine, contents); } } 
@@ -178,9 +178,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { int count = 0; while (m.find()) { count++; - LOGGER.debug(String.format( - "Found project command match with %d groups: %s", - m.groupCount(), m.group(0))); + LOGGER.debug("Found project command match with {} groups: {}", + m.groupCount(), m.group(0)); String product = m.group(1); final String version = m.group(2); LOGGER.debug("Group 1: " + product); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java index ff737c451..e153ff2a3 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java @@ -134,13 +134,14 @@ public class CPEAnalyzer implements Analyzer { * process. */ public void open() throws IOException, DatabaseException { - LOGGER.debug("Opening the CVE Database"); cve = new CveDB(); cve.open(); - LOGGER.debug("Creating the Lucene CPE Index"); cpe = CpeMemoryIndex.getInstance(); try { + LOGGER.info("Creating the CPE Index"); + final long creationStart = System.currentTimeMillis(); cpe.open(cve); + LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart); } catch (IndexException ex) { LOGGER.debug("IndexException", ex); throw new DatabaseException(ex); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index d518f8490..d136ee235 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java 
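Review bot: The next context line, `LOGGER.debug("Group 1: " + product);`, still builds the message by string concatenation while the line just above it was converted to SLF4J placeholders, so the concatenation cost is paid even when debug logging is off; `LOGGER.debug("Group 1: {}", product);` matches the rest of the hunk. `String product = m.group(1);` is also the only non-final local in this block, which the surrounding style (the `final String version` right after it) suggests was unintended. The enclosing loop body continues below the hunk.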
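Review bot: In `CPEAnalyzer.open()` the `cve` database is opened before the `try`, but the `catch (IndexException ex)` branch rethrows without closing it, so a failed index build leaves the CVE connection open for the caller to leak unless a `finally` further down (outside the hunk) handles it. If CveDB exposes a close method, closing it in that catch before the `throw new DatabaseException(ex);` keeps the failure path clean. The `creationStart` timing uses `System.currentTimeMillis()`, which is covered by the Engine note above.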
@@ -154,8 +154,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { */ @SuppressWarnings("null") private void removeSpuriousCPE(Dependency dependency) { - final List ids = new ArrayList(); - ids.addAll(dependency.getIdentifiers()); + final List ids = new ArrayList(dependency.getIdentifiers()); Collections.sort(ids); final ListIterator mainItr = ids.listIterator(); while (mainItr.hasNext()) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java index 226c0aff2..9c6b3aea6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java @@ -247,7 +247,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer { } } catch (IllegalArgumentException iae) { //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1")); - LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName())); + LOGGER.info("invalid sha-1 hash on {}", dependency.getFileName()); } catch (FileNotFoundException fnfe) { //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository")); LOGGER.debug("Artifact not found in repository '{}'", dependency.getFileName()); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java index d489d97c0..4345904ca 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java 
@@ -28,14 +28,20 @@ import org.owasp.dependencycheck.utils.Settings; import org.slf4j.Logger; import org.slf4j.LoggerFactory; -import javax.json.*; import java.io.File; import java.io.FileFilter; import java.io.IOException; +import java.util.Map; +import javax.json.Json; +import javax.json.JsonException; +import javax.json.JsonObject; +import javax.json.JsonReader; +import javax.json.JsonString; +import javax.json.JsonValue; /** - * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine - * the associated CPE. + * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the + * associated CPE. * * @author Dale Visser */ @@ -60,8 +66,8 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { /** * Filter that detects files named "package.json". */ - private static final FileFilter PACKAGE_JSON_FILTER = - FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build(); + private static final FileFilter PACKAGE_JSON_FILTER + = FileFilterBuilder.newInstance().addFilenames(PACKAGE_JSON).build(); /** * Returns the FileFilter 
@@ -120,17 +126,17 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { "Problem occurred while reading dependency file.", e); } try { - JsonObject json = jsonReader.readObject(); + final JsonObject json = jsonReader.readObject(); final EvidenceCollection productEvidence = dependency.getProductEvidence(); final EvidenceCollection vendorEvidence = dependency.getVendorEvidence(); if (json.containsKey("name")) { - Object value = json.get("name"); + final Object value = json.get("name"); if (value instanceof JsonString) { - String valueString = ((JsonString) value).getString(); + final String valueString = ((JsonString) value).getString(); productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST); vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW); } else { - LOGGER.warn("JSON value not string as expected: %s", value); + LOGGER.warn("JSON value not string as expected: {}", value); } } addToEvidence(json, productEvidence, "description"); 
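Review bot: The new `final Object value = json.get("name");` is inconsistent with the sibling hunk in `addToEvidence` just below, where the same `json.get(key)` result was retyped to `JsonValue` in this very commit; using `final JsonValue value = json.get("name");` here gives the same static typing and matches the newly added `javax.json.JsonValue` import. The `else` branch then warns with the raw `JsonValue`, which is fine for diagnostics, but note that package.json files are untrusted input, so the warning prints whatever the file contains verbatim. The enclosing try block continues beyond the hunk.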
@@ -146,24 +152,25 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer { private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) { if (json.containsKey(key)) { - Object value = json.get(key); + final JsonValue value = json.get(key); if (value instanceof JsonString) { collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST); } else if (value instanceof JsonObject) { final JsonObject jsonObject = (JsonObject) value; - for (String property : jsonObject.keySet()) { - final Object subValue = jsonObject.get(property); + for (final Map.Entry entry : jsonObject.entrySet()) { + final String property = entry.getKey(); + final JsonValue subValue = entry.getValue(); if (subValue instanceof JsonString) { collection.addEvidence(PACKAGE_JSON, String.format("%s.%s", key, property), ((JsonString) subValue).getString(), Confidence.HIGHEST); } else { - LOGGER.warn("JSON sub-value not string as expected: %s"); + LOGGER.warn("JSON sub-value not string as expected: {}", subValue); } } } else { - LOGGER.warn("JSON value not string or JSON object as expected: %s", value); + LOGGER.warn("JSON value not string or JSON object as expected: {}", value); } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java index c89aaed6f..55497f07e 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java 
@@ -26,7 +26,7 @@ import java.io.FilenameFilter; import org.apache.commons.io.filefilter.NameFileFilter; import org.apache.commons.io.filefilter.SuffixFileFilter; import org.apache.commons.io.input.AutoCloseInputStream; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.owasp.dependencycheck.Engine; import org.owasp.dependencycheck.analyzer.exception.AnalysisException; import org.owasp.dependencycheck.dependency.Confidence; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java index 68c92a9d9..99707dcac 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java @@ -93,17 +93,12 @@ public final class LuceneUtils { * @return the escaped text. */ public static String escapeLuceneQuery(final CharSequence text) { - if (text == null) { return null; } - - int size = text.length(); - size = size >> 1; + final int size = text.length() << 1; final StringBuilder buf = new StringBuilder(size); - appendEscapedLuceneQuery(buf, text); - return buf.toString(); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java index 90a1e3490..4ab780755 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java 
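Review bot: In `escapeLuceneQuery` the new capacity hint `text.length() << 1` wraps to a negative value for inputs longer than 2^30 characters, and `new StringBuilder(negative)` throws NegativeArraySizeException; query text that long is unlikely, but since the capacity is only a hint the clamp is cheap: `final StringBuilder buf = new StringBuilder((int) Math.min(2L * text.length(), Integer.MAX_VALUE));`. The change also flips the old `size >> 1` to a doubling, so a one-line comment explaining the 2x estimate (every character may be escaped) would help the next reader.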
@@ -490,7 +490,7 @@ public class CveDB { deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE")); deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE")); updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY")); - String ids[] = {"id"}; + final String ids[] = {"id"}; insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"), //Statement.RETURN_GENERATED_KEYS); ids); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java index 0f6707488..e773f0f15 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java @@ -24,7 +24,6 @@ import java.io.FileOutputStream; import java.io.IOException; import java.net.MalformedURLException; import java.net.URL; -import java.util.Date; import java.util.List; import java.util.zip.GZIPInputStream; import javax.xml.parsers.ParserConfigurationException; @@ -69,8 +68,8 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource { for (Cpe cpe : cpes) { getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct()); } - final Date now = new Date(); - getProperties().save(LAST_CPE_UPDATE, Long.toString(now.getTime())); + final long now = System.currentTimeMillis(); + getProperties().save(LAST_CPE_UPDATE, Long.toString(now)); LOGGER.info("CPE update complete"); } } finally { 
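Review bot: The retouched `final String ids[] = {"id"};` keeps the C-style array declarator, which Checkstyle's ArrayTypeStyle rule flags and which reads oddly next to the rest of the file; `final String[] ids = {"id"};` is the Java form. The commented-out `//Statement.RETURN_GENERATED_KEYS);` argument left inside the `prepareStatement` call is dead code and should either be deleted or replaced by a short comment saying why the column-name overload is used instead.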
@@ -134,14 +133,14 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource { * @return true if the CPE data should be refreshed */ private boolean updateNeeded() { - final Date now = new Date(); + final long now = System.currentTimeMillis(); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30); long timestamp = 0; final String ts = getProperties().getProperty(LAST_CPE_UPDATE); if (ts != null && ts.matches("^[0-9]+$")) { timestamp = Long.parseLong(ts); } - return !DateUtil.withinDateRange(timestamp, now.getTime(), days); + return !DateUtil.withinDateRange(timestamp, now, days); } /** diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java index 81df9557b..c3ff0b7b5 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java @@ -21,7 +21,6 @@ import java.io.IOException; import java.net.HttpURLConnection; import java.net.MalformedURLException; import java.net.URL; -import java.util.Date; import org.apache.commons.io.IOUtils; import org.owasp.dependencycheck.data.nvdcve.CveDB; import org.owasp.dependencycheck.data.nvdcve.DatabaseException; 
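Review bot: `updateNeeded` guards `Long.parseLong(ts)` only with the `^[0-9]+$` regex, which does not bound the length, so a corrupt or hand-edited property of 20+ digits still throws NumberFormatException out of the update check rather than being treated as "never updated". Wrapping the parse, `try { timestamp = Long.parseLong(ts); } catch (NumberFormatException ex) { LOGGER.debug("Invalid last CPE update timestamp '{}'", ts); }`, keeps the fallback to 0 that the regex branch intends. The `EngineVersionCheck` hunk below has the same unguarded `Long.parseLong` on `ENGINE_VERSION_CHECKED_ON` with no regex at all, though its enclosing method continues outside the hunk so a surrounding catch may exist.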
@@ -88,7 +87,7 @@ public class EngineVersionCheck implements CachedWebDataSource { LOGGER.debug("Begin Engine Version Check"); final DatabaseProperties properties = cveDB.getDatabaseProperties(); final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0")); - final long now = (new Date()).getTime(); + final long now = System.currentTimeMillis(); updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, ""); final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0"); LOGGER.debug("Last checked: {}", lastChecked); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index ef9aa2846..570c542ea 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update; import java.net.MalformedURLException; import java.util.Calendar; -import java.util.Date; import java.util.HashSet; import java.util.Set; import java.util.concurrent.ExecutionException; 
@@ -214,11 +213,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource { if (!getProperties().isEmpty()) { try { final long lastUpdated = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED, "0")); - final Date now = new Date(); + final long now = System.currentTimeMillis(); final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7); if (lastUpdated == updates.getTimeStamp(MODIFIED)) { updates.clear(); //we don't need to update anything. - } else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) { + } else if (DateUtil.withinDateRange(lastUpdated, now, days)) { for (NvdCveInfo entry : updates) { if (MODIFIED.equals(entry.getId())) { entry.setNeedsUpdate(true); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java index 6a155c6ca..2e46a4678 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java @@ -179,7 +179,7 @@ public class CPEHandler extends DefaultHandler { /** * A simple class to maintain information about the current element while parsing the CPE XML. */ - protected class Element { + protected static final class Element { /** * A node type in the CPE Schema 2.2 diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java index ed1ab22bc..4b4d04201 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java 
@@ -185,6 +185,7 @@ public class DownloadTask implements Callable> { final URL url1 = new URL(nvdCveInfo.getUrl()); final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl()); LOGGER.info("Download Started for NVD CVE - {}", nvdCveInfo.getId()); + final long startDownload = System.currentTimeMillis(); try { Downloader.fetchFile(url1, first); Downloader.fetchFile(url2, second); @@ -204,7 +205,8 @@ public class DownloadTask implements Callable> { extractGzip(second); } - LOGGER.info("Download Complete for NVD CVE - {}", nvdCveInfo.getId()); + LOGGER.info("Download Complete for NVD CVE - {} ({} ms)", nvdCveInfo.getId(), + System.currentTimeMillis() - startDownload); if (this.processorService == null) { return null; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java index 8934337c9..775048cfb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java @@ -157,6 +157,7 @@ public class ProcessTask implements Callable { */ private void processFiles() throws UpdateException { LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId()); + final long startProcessing = System.currentTimeMillis(); try { importXML(filePair.getFirst(), filePair.getSecond()); cveDB.commit(); @@ -178,6 +179,7 @@ public class ProcessTask implements Callable { } finally { filePair.cleanup(); } - LOGGER.info("Processing Complete for NVD CVE - {}", filePair.getNvdCveInfo().getId()); + LOGGER.info("Processing Complete for NVD CVE - {} ({} ms)", filePair.getNvdCveInfo().getId(), + System.currentTimeMillis() - startProcessing); } } 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java index 26a6d1b56..20c896dc6 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java @@ -28,7 +28,7 @@ import java.util.Set; import java.util.SortedSet; import java.util.TreeSet; -import org.apache.commons.lang.ObjectUtils; +import org.apache.commons.lang3.ObjectUtils; import org.owasp.dependencycheck.data.nexus.MavenArtifact; import org.owasp.dependencycheck.utils.Checksum; import org.slf4j.Logger; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java index 4fa29805b..de550e60c 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java @@ -17,8 +17,8 @@ */ package org.owasp.dependencycheck.dependency; -import org.apache.commons.lang.ObjectUtils; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.ObjectUtils; +import org.apache.commons.lang3.StringUtils; import java.io.Serializable; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index 17336daee..6cadd85a9 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java 
@@ -24,7 +24,7 @@ import java.util.Iterator; import java.util.List; import java.util.Set; import java.util.TreeSet; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.DependencyVersionUtil; import org.owasp.dependencycheck.utils.Filter; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java index f44d4b0d9..4a7a2b491 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java @@ -19,7 +19,7 @@ package org.owasp.dependencycheck.reporting; import java.io.UnsupportedEncodingException; import java.net.URLEncoder; -import org.apache.commons.lang.StringEscapeUtils; +import org.apache.commons.lang3.StringEscapeUtils; import org.slf4j.Logger; import org.slf4j.LoggerFactory; @@ -65,7 +65,7 @@ public class EscapeTool { if (text == null || text.isEmpty()) { return text; } - return StringEscapeUtils.escapeHtml(text); + return StringEscapeUtils.escapeHtml4(text); } /** @@ -78,6 +78,6 @@ public class EscapeTool { if (text == null || text.isEmpty()) { return text; } - return StringEscapeUtils.escapeXml(text); + return StringEscapeUtils.escapeXml11(text); } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java index 1c1f2146e..7f27a0db0 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java 
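Review bot: The switch to `StringEscapeUtils.escapeHtml4` in EscapeTool is the correct lang3 replacement, but unlike the XML variant it does not escape the apostrophe, so any report template that places the escaped value inside a single-quoted attribute or an inline script string is not fully neutralized. If the Velocity templates only use double-quoted attributes this is fine and worth a one-line comment on `html()` saying so; otherwise append `.replace("'", "&#39;")` to the returned value. `escapeXml11` is likewise a reasonable choice, but it differs from `escapeXml` in how control characters are handled, so the generated XML report is worth a round-trip check against its consumers.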
@@ -22,7 +22,7 @@ import java.util.Iterator; import java.util.List; import java.util.regex.Matcher; import java.util.regex.Pattern; -import org.apache.commons.lang.StringUtils; +import org.apache.commons.lang3.StringUtils; /** *

diff --git a/dependency-check-gradle/build.gradle b/dependency-check-gradle/build.gradle index 13508a3c4..aaaf3813c 100644 --- a/dependency-check-gradle/build.gradle +++ b/dependency-check-gradle/build.gradle @@ -38,6 +38,9 @@ apply plugin: 'maven' apply plugin: 'signing' apply plugin: "com.gradle.plugin-publish" +sourceCompatibility = 1.6 +targetCompatibility = 1.6 + repositories { mavenCentral() } diff --git a/dependency-check-gradle/pom.xml b/dependency-check-gradle/pom.xml index 8bfaa9197..372562a66 100644 --- a/dependency-check-gradle/pom.xml +++ b/dependency-check-gradle/pom.xml @@ -34,12 +34,6 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. dependency-check-gradle is a Gradle Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries. 2015 - - - The Apache Software License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0.txt - - @@ -48,6 +42,12 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. ${basedir}/../target/site/${project.version}/dependency-check-gradle + + + true + + true + @@ -58,7 +58,7 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. org.apache.maven.doxia doxia-module-markdown - 1.4 + 1.6 @@ -67,22 +67,4 @@ Copyright (c) 2015 Wei Ma. All Rights Reserved. - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - - - diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 7816728b6..e8020175e 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -19,6 +19,13 @@ + + + true + + true + + pom 2012 
@@ -47,12 +54,6 @@ github https://github.com/jenkinsci/dependency-check-jenkins/issues - - - The Apache Software License, Version 2.0 - http://www.apache.org/licenses/LICENSE-2.0.txt - - @@ -62,7 +63,7 @@ org.apache.maven.doxia doxia-module-markdown - 1.4 + 1.6 @@ -71,22 +72,4 @@ - - - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - - - diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index c9de29a1f..5634ff81e 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -40,6 +40,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. + + 3.4 + @@ -63,6 +66,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.plugins maven-plugin-plugin + ${version.maven-plugin-plugin} true dependency-check 
@@ -119,117 +123,24 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. - - org.apache.maven.plugins - maven-compiler-plugin - - - org.apache.maven.plugins - maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} - - - - summary - license - help - - - - org.apache.maven.plugins maven-plugin-plugin - ${reporting.maven-plugin-plugin.version} + ${version.maven-plugin-plugin} dependency-check - - org.apache.maven.plugins - maven-javadoc-plugin - ${reporting.javadoc-plugin.version} - - false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. - - - - default - - javadoc - - - - - - org.codehaus.mojo - versions-maven-plugin - ${reporting.versions-plugin.version} - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - ${reporting.jxr-plugin.version} - - - org.codehaus.mojo - cobertura-maven-plugin - ${reporting.cobertura-plugin.version} - - - org.apache.maven.plugins - maven-surefire-report-plugin - ${reporting.surefire-report-plugin.version} - - - - report-only - - - - - - org.codehaus.mojo - taglist-maven-plugin - ${reporting.taglist-plugin.version} - - - - - Todo Work - - - todo - ignoreCase - - - FIXME - exact - - - - - - - org.apache.maven.plugins maven-checkstyle-plugin ${reporting.checkstyle-plugin.version} + **/HelpMojo.java false false ${basedir}/../src/main/config/checkstyle-checks.xml @@ -258,11 +169,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - findbugs-maven-plugin - ${reporting.findbugs-plugin.version} - @@ -279,23 +185,22 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven maven-plugin-api + provided org.apache.maven maven-settings + provided org.apache.maven maven-core - - - org.apache.maven.plugins - maven-site-plugin + provided org.apache.maven.plugin-tools maven-plugin-annotations - compile + provided org.apache.maven.reporting 
diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java index 82697e6d5..69599b35c 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java @@ -46,7 +46,7 @@ import org.owasp.dependencycheck.utils.Settings; @Mojo( name = "aggregate", defaultPhase = LifecyclePhase.COMPILE, - aggregator = true, + /*aggregator = true,*/ threadSafe = true, requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME, requiresOnline = true @@ -69,9 +69,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo { for (MavenProject current : getReactorProjects()) { final File dataFile = getDataFile(current); if (dataFile == null) { //dc was never run on this project. write the ser to the target. - if (getLog().isDebugEnabled()) { - getLog().debug(String.format("Executing dependency-check on %s", current.getName())); - } + getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform the check but dependencies may be missed resulting in false negatives.", current.getName())); generateDataFile(engine, current); } } @@ -108,9 +106,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo { } } catch (AnalysisException ex) { getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex); - if (getLog().isDebugEnabled()) { - getLog().debug("Bundling Exception", ex); - } + getLog().debug("Bundling Exception", ex); } File outputDir = getCorrectOutputDirectory(current); 
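Review bot: Commenting out `aggregator = true,` in the `@Mojo` annotation rather than deleting it leaves the reader guessing whether the removal is intentional; as far as can be told from here it changes how Maven schedules the goal across the reactor, which is a behavioral change rather than a cleanup. Either delete the attribute outright or keep it with a comment on the line above explaining why the goal is no longer an aggregator. The replacement `getLog().error(...)` message is the right severity for a likely false negative, but a stable prefix such as the module coordinates would make it easier to grep in CI logs.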
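Review bot: In the `catch (AnalysisException ex)` block the preceding `getLog().warn(...)` already attaches `ex`, so the new unconditional `getLog().debug("Bundling Exception", ex);` logs the same stack trace a second time whenever debug output is enabled. Drop the debug line, or drop `ex` from the warn and keep the stack trace at debug level only. Dropping the `isDebugEnabled()` guard itself is fine since the arguments are constants.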
@@ -119,8 +115,6 @@ public class AggregateMojo extends BaseDependencyCheckMojo { //we shouldn't write this because nothing is configured to generate this report. outputDir = new File(current.getBuild().getDirectory()); } - getLog().warn("\n\n\nwritting: " + outputDir); - getLog().warn("for: " + current.getName()); writeReports(engine, current, outputDir); } } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java index 82ccaf15a..b07cadefe 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java @@ -30,15 +30,10 @@ import java.io.OutputStream; import java.util.List; import java.util.Locale; import org.apache.maven.artifact.Artifact; -import org.apache.maven.artifact.metadata.ArtifactMetadataRetrievalException; -import org.apache.maven.artifact.metadata.ArtifactMetadataSource; -import org.apache.maven.artifact.repository.ArtifactRepository; -import org.apache.maven.artifact.versioning.ArtifactVersion; import org.apache.maven.doxia.sink.Sink; import org.apache.maven.plugin.AbstractMojo; import org.apache.maven.plugin.MojoExecutionException; import org.apache.maven.plugin.MojoFailureException; -import org.apache.maven.plugins.annotations.Component; import org.apache.maven.plugins.annotations.Parameter; import org.apache.maven.project.MavenProject; import org.apache.maven.reporting.MavenReport; @@ -53,7 +48,6 @@ import org.owasp.dependencycheck.dependency.Dependency; import org.owasp.dependencycheck.dependency.Identifier; import org.owasp.dependencycheck.dependency.Vulnerability; import org.owasp.dependencycheck.reporting.ReportGenerator; -import org.owasp.dependencycheck.utils.DependencyVersion; import org.owasp.dependencycheck.utils.Settings; /** 
@@ -82,23 +76,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma /** * The Maven Project Object. */ - @Component + @Parameter(property = "project", required = true, readonly = true) private MavenProject project; - /** - * The meta data source for retrieving artifact version information. - */ - @Component - private ArtifactMetadataSource metadataSource; - /** - * A reference to the local repository. - */ - @Parameter(property = "localRepository", readonly = true) - private ArtifactRepository localRepository; - /** - * References to the remote repositories. - */ - @Parameter(property = "project.remoteArtifactRepositories", readonly = true) - private List remoteRepositories; /** * List of Maven project of the current build */ @@ -441,8 +420,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma } final Object obj = current.getContextValue(getDataFileContextKey()); if (obj != null) { - if (obj instanceof File) { - return (File) obj; + if (obj instanceof String) { + final File f = new File((String) obj); + return f; } } else { if (getLog().isDebugEnabled()) { 
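Review bot: `@Parameter(property = "project", required = true, readonly = true)` binds the MavenProject injection to a user property named `project`, which the plugin tools expose as a command-line-settable expression; the form the Maven plugin documentation gives for injecting the current project is `@Parameter(defaultValue = "${project}", readonly = true, required = true)`. I would use the `defaultValue` form here so the value cannot be redirected from outside the build. The field's Javadoc above it starts outside the hunk.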
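Review bot: The rewritten check in getDataFile() returns a File only when the context value is a String and silently falls through for every other type, including the File instances the replaced code accepted, so any writer that still stores a File now produces a miss with no log line. The temporary is also unnecessary: `if (obj instanceof String) { return new File((String) obj); }`, and an `else if (getLog().isDebugEnabled())` branch logging `obj.getClass().getName()` would make an unexpected type visible instead of being treated as "never run". getDataFile() starts and ends outside the hunk.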
@@ -475,31 +455,6 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma getLog().debug(String.format("Adding project reference %s on dependency %s", project.getName(), d.getDisplayFileName())); } - if (metadataSource != null) { - try { - final DependencyVersion currentVersion = new DependencyVersion(a.getVersion()); - final List versions = metadataSource.retrieveAvailableVersions(a, - localRepository, remoteRepositories); - for (ArtifactVersion av : versions) { - final DependencyVersion newVersion = new DependencyVersion(av.toString()); - if (currentVersion.compareTo(newVersion) < 0) { - d.addAvailableVersion(av.toString()); - } - } - } catch (ArtifactMetadataRetrievalException ex) { - getLog().warn( - "Unable to check for new versions of dependencies; see the log for more details."); - if (getLog().isDebugEnabled()) { - getLog().debug("", ex); - } - } catch (Throwable t) { - getLog().warn( - "Unexpected error occured checking for new versions; see the log for more details."); - if (getLog().isDebugEnabled()) { - getLog().debug("", t); - } - } - } } } else { if (getLog().isDebugEnabled()) { @@ -955,11 +910,9 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma file = new File(writeTo, dataFileName); } final File parent = file.getParentFile(); - if (!parent.isDirectory()) { - if (parent.mkdirs()) { - getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", - parent.getAbsolutePath())); - } + if (!parent.isDirectory() && parent.mkdirs()) { + getLog().error(String.format("Directory '%s' does not exist and cannot be created; unable to write data file.", + parent.getAbsolutePath())); } OutputStream os = null; diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/Engine.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/Engine.java index 900bcaef4..f849c8a7e 100644 
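Review bot: The merged condition `if (!parent.isDirectory() && parent.mkdirs())` logs "does not exist and cannot be created" exactly when mkdirs() succeeded and stays silent when it failed; the nested form it replaces had the same inversion, so the refactor preserved the bug rather than fixing it. It should read `if (!parent.isDirectory() && !parent.mkdirs())`, and because the method goes on to open an OutputStream on the file regardless, that branch should also return or throw rather than fall through to a write that fails with a less informative exception. The enclosing method starts and ends outside the hunk.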
--- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/Engine.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/Engine.java @@ -117,7 +117,7 @@ public class Engine extends org.owasp.dependencycheck.Engine { */ @Override protected Analyzer initializeAnalyzer(Analyzer analyzer) { - if ((analyzer instanceof CPEAnalyzer)) { + if (analyzer instanceof CPEAnalyzer) { CPEAnalyzer cpe = getPreviouslyLoadedCPEAnalyzer(); if (cpe != null && cpe.isOpen()) { return cpe; @@ -152,7 +152,7 @@ public class Engine extends org.owasp.dependencycheck.Engine { */ @Override protected void closeAnalyzer(Analyzer analyzer) { - if ((analyzer instanceof CPEAnalyzer)) { + if (analyzer instanceof CPEAnalyzer) { if (getPreviouslyLoadedCPEAnalyzer() == null) { super.closeAnalyzer(analyzer); } diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java index d9f766498..4d387d4bd 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java @@ -25,7 +25,6 @@ import org.apache.maven.plugin.MojoFailureException; import org.apache.maven.plugins.annotations.LifecyclePhase; import org.apache.maven.plugins.annotations.Mojo; import org.apache.maven.plugins.annotations.ResolutionScope; -import org.owasp.dependencycheck.data.nvdcve.DatabaseException; import org.owasp.dependencycheck.utils.Settings; /** diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml index 21ce57bdd..1d558b279 100644 --- a/dependency-check-utils/pom.xml +++ b/dependency-check-utils/pom.xml @@ -38,7 +38,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. - UTF-8 + org.owasp.dependencycheck.utils.* 
@@ -97,90 +97,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. org.apache.maven.plugins maven-failsafe-plugin - - org.apache.maven.plugins - maven-compiler-plugin - - - org.apache.maven.plugins - maven-javadoc-plugin - ${reporting.javadoc-plugin.version} - - false - Copyright© 2012-15 Jeremy Long. All Rights Reserved. - - - - default - - javadoc - - - - - - org.codehaus.mojo - versions-maven-plugin - ${reporting.versions-plugin.version} - - - - dependency-updates-report - plugin-updates-report - - - - - - org.apache.maven.plugins - maven-jxr-plugin - ${reporting.jxr-plugin.version} - - - org.codehaus.mojo - cobertura-maven-plugin - ${reporting.cobertura-plugin.version} - - - org.apache.maven.plugins - maven-surefire-report-plugin - ${reporting.surefire-report-plugin.version} - - - - report-only - - - - - - org.codehaus.mojo - taglist-maven-plugin - ${reporting.taglist-plugin.version} - - - - - Todo Work - - - todo - ignoreCase - - - FIXME - exact - - - - - - - org.apache.maven.plugins maven-checkstyle-plugin @@ -213,14 +133,6 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved. - - org.codehaus.mojo - findbugs-maven-plugin - ${reporting.findbugs-plugin.version} - - org.owasp.dependencycheck.utils.* - - diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java index 63c5a0b19..a81b089c9 100644 --- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java +++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java @@ -31,7 +31,6 @@ import java.io.UnsupportedEncodingException; import java.net.URLDecoder; import java.util.Enumeration; import java.util.Properties; -import java.util.logging.Level; /** * A simple settings container that wraps the dependencycheck.properties file. 
@@ -634,11 +633,9 @@ public final class Settings { */ public static File getTempDirectory() throws IOException { final File tmpDir = new File(Settings.getString(Settings.KEYS.TEMP_DIRECTORY, System.getProperty("java.io.tmpdir")), "dctemp"); - if (!tmpDir.exists()) { - if (!tmpDir.mkdirs()) { - final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath()); - throw new IOException(msg); - } + if (!tmpDir.exists() && !tmpDir.mkdirs()) { + final String msg = String.format("Unable to make a temporary folder '%s'", tmpDir.getPath()); + throw new IOException(msg); } tempDirectory = tmpDir; return tmpDir; diff --git a/pom.xml b/pom.xml index 7badae07c..e83b0b7e0 100644 --- a/pom.xml +++ b/pom.xml @@ -129,19 +129,9 @@ Copyright (c) 2012 - Jeremy Long 4.7.2 1.7.12 1.1.3 - 2.11 - 2.6 - 2.5.3 - 2.9.1 - 2.4 - - 3.2 - 3.0.1 - - 2.7 - 2.16 - 2.4 - 2.1 + 2.16 + 2.7 + 3.5 @@ -189,7 +179,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-enforcer-plugin - 1.3.1 + 1.4.1 org.apache.maven.plugins @@ -216,11 +206,6 @@ Copyright (c) 2012 - Jeremy Long maven-jar-plugin 2.6 - - org.apache.maven.plugins - maven-plugin-plugin - ${reporting.maven-plugin-plugin.version} - org.apache.maven.plugins maven-release-plugin @@ -234,11 +219,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-site-plugin - - 3.3 + 3.4 org.apache.maven.plugins @@ -334,7 +315,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.doxia doxia-module-markdown - 1.5 + 1.6 @@ -366,10 +347,36 @@ Copyright (c) 2012 - Jeremy Long + + org.apache.maven.plugins + maven-dependency-plugin + + + org.apache.maven.plugins + maven-javadoc-plugin + 2.10.3 + + false + Copyright© 2012-15 Jeremy Long. All Rights Reserved. + + + + default + + javadoc + + + + + + org.apache.maven.plugins + maven-jxr-plugin + 2.5 + org.apache.maven.plugins maven-project-info-reports-plugin - ${reporting.project-info-reports-plugin.version} + 2.8 
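Review bot: `if (!tmpDir.exists() && !tmpDir.mkdirs())` still accepts a pre-existing regular file named dctemp as the temp directory, since exists() is true for files; using `if (!tmpDir.isDirectory() && !tmpDir.mkdirs() && !tmpDir.isDirectory())` makes mkdirs() run and fail for a file, which becomes the IOException the method already throws, and the trailing re-check tolerates another process creating the directory between the two calls. Given the directory sits under the shared java.io.tmpdir with a fixed name, rejecting "exists but is not a usable directory" is the safer default for a scanner that writes its working files there. The method's Javadoc starts outside the hunk.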
@@ -393,6 +400,72 @@ Copyright (c) 2012 - Jeremy Long + + org.apache.maven.plugins + maven-surefire-report-plugin + 2.18.1 + + + + report-only + + + + + + org.codehaus.mojo + cobertura-maven-plugin + ${reporting.cobertura-plugin.version} + + + + cobertura + + + + + + org.codehaus.mojo + findbugs-maven-plugin + 3.0.2 + + + org.codehaus.mojo + taglist-maven-plugin + 2.4 + + + + + Todo Work + + + todo + ignoreCase + + + FIXME + exact + + + + + + + + + org.codehaus.mojo + versions-maven-plugin + 2.2 + + + + dependency-updates-report + plugin-updates-report + + + + @@ -410,10 +483,7 @@ Copyright (c) 2012 - Jeremy Long commons-cli commons-cli - - 1.2 + 1.3.1 commons-io @@ -421,14 +491,14 @@ Copyright (c) 2012 - Jeremy Long 2.4 - commons-lang - commons-lang - 2.6 + org.apache.commons + commons-lang3 + 3.4 com.sun.mail mailapi - 1.5.2 + 1.5.4 ch.qos.logback @@ -449,17 +519,17 @@ Copyright (c) 2012 - Jeremy Long org.apache.commons commons-compress - 1.9 + 1.10 org.apache.ant ant - 1.9.5 + 1.9.6 org.apache.ant ant-testutil - 1.9.5 + 1.9.6 org.apache.lucene @@ -543,23 +613,13 @@ Copyright (c) 2012 - Jeremy Long org.jsoup jsoup - 1.7.2 + 1.8.3 org.slf4j slf4j-api ${slf4j.version} - - org.slf4j - slf4j-ext - ${slf4j.version} - - - org.slf4j - slf4j-jdk14 - ${slf4j.version} - org.slf4j slf4j-simple diff --git a/src/site/site.xml b/src/site/site.xml index 0ee832dae..f9485aaa1 100644 --- a/src/site/site.xml +++ b/src/site/site.xml @@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.apache.maven.skins maven-fluido-skin - 1.3.1 + 1.4