From 40ede24a996544f7853a5ced1e41fe7455735f69 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Sun, 18 Sep 2016 22:30:12 -0700 Subject: [PATCH 1/7] Upgraded plugins and dependencies. --- dependency-check-maven/pom.xml | 2 +- pom.xml | 8 ++++---- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index fd7232551..c8d7a44f0 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml @@ -38,7 +38,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. - 3.4 + 3.5 3.1 diff --git a/pom.xml b/pom.xml index ccdc75fc9..65d3ce009 100644 --- a/pom.xml +++ b/pom.xml @@ -222,7 +222,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugins maven-resources-plugin - 3.0.0 + 3.0.1 org.apache.maven.plugins @@ -500,7 +500,7 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo findbugs-maven-plugin - 3.0.3 + 3.0.4 org.codehaus.mojo @@ -529,7 +529,7 @@ Copyright (c) 2012 - Jeremy Long org.codehaus.mojo versions-maven-plugin - 2.2 + 2.3 @@ -572,7 +572,7 @@ Copyright (c) 2012 - Jeremy Long com.sun.mail mailapi - 1.5.5 + 1.5.6 ch.qos.logback From d2154c9d294e61ef2b139da8a00af7339dbffdf8 Mon Sep 17 00:00:00 2001 From: Anthony Whitford Date: Sun, 18 Sep 2016 23:00:50 -0700 Subject: [PATCH 2/7] maven-plugin-annotations 3.5 released. --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 65d3ce009..d2f28a046 100644 --- a/pom.xml +++ b/pom.xml @@ -648,7 +648,7 @@ Copyright (c) 2012 - Jeremy Long org.apache.maven.plugin-tools maven-plugin-annotations - 3.4 + 3.5 org.apache.maven.reporting From 79887c148abc61b56a1eaf26d447720b42b627e1 Mon Sep 17 00:00:00 2001 From: Tilmann Haak Date: Tue, 20 Sep 2016 13:43:28 +0200 Subject: [PATCH 3/7] fixed check for bundle-audit's return code --- .../owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index bca567fa5..08143565a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java @@ -286,7 +286,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } catch (InterruptedException ie) { throw new AnalysisException("bundle-audit process interrupted", ie); } - if (exitValue != 0) { + if (exitValue > 1) { final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue); throw new AnalysisException(msg); } From 6326513c631aa09e32f2e5311a73d5de269a961d Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 21 Sep 2016 14:04:21 -0400 Subject: [PATCH 4/7] improved suppression capability within the report --- .../main/resources/templates/HtmlReport.vsl | 22 +++++++++++++++++-- 1 file changed, 20 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl index 4bdc1ffba..b62cd39b4 100644 --- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl +++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl 
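Review bot: The relaxed condition `if (exitValue > 1) {` now treats exit status 1 as success without saying why, so the next reader will take it for a loosened check rather than a deliberate one; add a line such as `// bundle-audit exits 1 when it reports findings; 0 and 1 are the expected statuses` above it, with the wording checked against what bundle-audit actually documents. As written the condition also admits negative values, which a later commit in this series tightens, so the comment should name the two accepted codes rather than describe a range. If a genuine failure of bundle-audit also exits 1 the analyzer would now carry on with whatever output it produced; that depends on bundle-audit's behaviour, which this hunk does not show. The enclosing method continues outside the hunk.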
@@ -122,8 +122,26 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved. function setCopyText(name, matchType, matchValue, suppressType, suppressVal) { xml = '\n'; xml += ' \n'; - xml += ' <'+matchType+'>' + matchValue + '\n'; - xml += ' <'+suppressType+'>' + suppressVal + '\n'; + if (matchType=='gav') { + v = matchValue.match(/^[^:]+:[^:]+:/); + if (v && v[0]) { + xml += ' <'+matchType+' regex="true">^' + v[0].replace(/\./g,'\\.') + '.*$\n'; + } else { + xml += ' <'+matchType+'>' + matchValue + '\n'; + } + } else { + xml += ' <'+matchType+'>' + matchValue + '\n'; + } + if (suppressType=='cpe') { + v = suppressVal.match(/^cpe:\/a:[^:]+:[^:]+/); + if (v && v[0]) { + xml += ' <'+suppressType+'>' + v[0] + '\n'; + } else { + xml += ' <'+suppressType+'>' + suppressVal + '\n'; + } + } else { + xml += ' <'+suppressType+'>' + suppressVal + '\n'; + } xml += ''; $('#modal-text').text(xml); $('#modal-content,#modal-background').addClass('active'); From 99a1606df1f12a165ca7fccf77adf8d997b0a428 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Wed, 21 Sep 2016 14:05:19 -0400 Subject: [PATCH 5/7] stopped writting the serialized dc data --- .../main/java/org/owasp/dependencycheck/maven/CheckMojo.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java index 4017a5d93..a707dcd36 100644 --- a/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java +++ b/dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java 
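Review bot: The new gav branch escapes only dots in the captured `group:artifact:` prefix (`v[0].replace(/\./g,'\\.')`), so any other regex metacharacter in a coordinate such as `+`, `$`, `(` or `[` is emitted unescaped inside the `regex="true"` suppression and changes what it matches; escape the full set, e.g. `v[0].replace(/[.*+?^${}()|[\]\\]/g, '\\$&')`. The added `v = matchValue.match(...)` and `v = suppressVal.match(...)` assign `v` without `var`, creating an implicit global just as `xml` already is; declare both with `var` at the top of the function. The rest of setCopyText lies outside the hunk.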
@@ -112,7 +112,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
 }
 }
 }
- writeDataFile(getProject(), null, engine.getDependencies());
+ //writeDataFile(getProject(), null, engine.getDependencies());
 showSummary(getProject(), engine.getDependencies());
 checkForFailure(engine.getDependencies());
 if (exCol != null && this.isFailOnError()) {
From d7100e54d1c6561fb3113ab76d78bdd95a74c715 Mon Sep 17 00:00:00 2001
From: Jeremy Long
Date: Wed, 21 Sep 2016 14:21:50 -0400
Subject: [PATCH 6/7] made exitValue check more robust to cover possible future negative exit values
---
 .../owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
index 08143565a..2376e7d80 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -286,7 +286,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 } catch (InterruptedException ie) {
 throw new AnalysisException("bundle-audit process interrupted", ie);
 }
- if (exitValue > 1) {
+ if (exitValue < 0 || exitValue > 1) {
 final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
 throw new AnalysisException(msg);
 }
From 44edcabe15ca98b60d98d0fc71d8296e87349436 Mon Sep 17 00:00:00 2001
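Review bot: The call is commented out rather than removed (`//writeDataFile(getProject(), null, engine.getDependencies());`), which leaves dead code in the mojo with no record of why the serialized data file is no longer written; delete the line and record the reason in the commit message or a short comment at the point where that file used to be consumed. Anything that still reads the data file now silently stops receiving it, which this hunk cannot show. The enclosing method continues outside the hunk.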
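Review bot: `if (exitValue < 0 || exitValue > 1) {` expresses the accepted statuses as a numeric band, whereas the intent is two specific codes; `if (exitValue != 0 && exitValue != 1) {` states that directly and covers negative values for free. Either form still wants a one-line comment above it naming what 0 and 1 mean for bundle-audit, which the hunk does not add. The enclosing method continues outside the hunk.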
From: Jeremy Long Date: Sat, 1 Oct 2016 06:55:37 -0400 Subject: [PATCH 7/7] fixed duplicate analysis identified in https://github.com/jeremylong/dependency-check-gradle/issues/19 --- .../org/owasp/dependencycheck/Engine.java | 28 ++++++++-- .../org/owasp/dependencycheck/EngineTest.java | 53 +++++++++++++++++++ 2 files changed, 78 insertions(+), 3 deletions(-) create mode 100644 dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java index 473ba3faf..c3d0f6584 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java @@ -309,10 +309,22 @@ public class Engine implements FileFilter { if (file.isFile()) { if (accept(file)) { dependency = new Dependency(file); - dependencies.add(dependency); + String sha1 = dependency.getSha1sum(); + boolean found = false; + if (sha1 != null) { + for (Dependency existing : dependencies) { + if (sha1.equals(existing.getSha1sum())) { + found = true; + dependency = existing; + } + } + } + if (!found) { + dependencies.add(dependency); + } + } else { + LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file); } - } else { - LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file); } return dependency; } @@ -539,6 +551,16 @@ public class Engine implements FileFilter { return this.fileTypeAnalyzers; } + /** + * Adds a file type analyzer. This has been added solely to assist in unit + * testing the Engine. + * + * @param fta the file type analyzer to add + */ + protected void addFileTypeAnalyzer(FileTypeAnalyzer fta) { + this.fileTypeAnalyzers.add(fta); + } + /** * Checks the CPE Index to ensure documents exists. If none exist a * NoDataException is thrown. 
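Review bot: The `} else {` / `LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);` pair now hangs off `if (accept(file))` instead of `if (file.isFile())`, so a file rejected by the filter is logged as "not a file" while a directory or missing path is skipped with no log at all; move the else back to the outer `if (file.isFile())` as the two removed lines had it and, if rejected files should be logged, give them their own message. The lookup loop keeps iterating after `found = true`, so a `break;` after `dependency = existing;` avoids walking the rest of `dependencies` and also fixes which entry wins when several share a hash (as written, the last). A matching SHA-1 discards the second path entirely and returns the earlier file's Dependency, which the new test asserts but which scanFile's Javadoc, outside the hunk, should state.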
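Review bot: `protected void addFileTypeAnalyzer(FileTypeAnalyzer fta)` is documented as existing solely for unit tests, yet `protected` also makes it part of the API seen by every Engine subclass; EngineTest lives in the same `org.owasp.dependencycheck` package, so package-private (`void addFileTypeAnalyzer(FileTypeAnalyzer fta)`) gives the test access without widening the surface. Keeping the Javadoc sentence about its test-only purpose is fine, but the visibility is what enforces it.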
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java
new file mode 100644
index 000000000..3f2e9cfec
--- /dev/null
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java
@@ -0,0 +1,53 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import java.io.File;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class EngineTest extends BaseDBTestCase {
+
+ /**
+ * Test of scanFile method, of class Engine.
+ */
+ @Test
+ public void testScanFile() throws DatabaseException {
+ Engine instance = new Engine();
+ instance.addFileTypeAnalyzer(new JarAnalyzer());
+ File file = BaseTest.getResourceAsFile(this, "dwr.jar");
+ Dependency dwr = instance.scanFile(file);
+ file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
+ Dependency jmx = instance.scanFile(file);
+ assertEquals(2, instance.getDependencies().size());
+
+ file = BaseTest.getResourceAsFile(this, "dwr.jar");
+ Dependency secondDwr = instance.scanFile(file);
+
+ assertEquals(2, instance.getDependencies().size());
+ assertTrue(dwr == secondDwr);
+
+ }
+}
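Review bot: `assertTrue(dwr == secondDwr);` checks identity but reports nothing useful on failure; `assertSame(dwr, secondDwr);` is available from the same JUnit import and names both objects in the message. `Dependency jmx` is assigned and never read, so either drop the variable and keep the bare `instance.scanFile(file);` call or assert something about it. `import static org.junit.Assert.*;` pulls in every assertion; import `assertEquals` and `assertSame` explicitly. Whether the Engine needs closing after the test depends on what `new Engine()` opens, which this file does not show.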