Merge remote-tracking branch 'upstream/master'

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -309,11 +309,23 @@ public class Engine implements FileFilter {
         if (file.isFile()) {
             if (accept(file)) {
                 dependency = new Dependency(file);
+                String sha1 = dependency.getSha1sum();
+                boolean found = false;
+                if (sha1 != null) {
+                    for (Dependency existing : dependencies) {
+                        if (sha1.equals(existing.getSha1sum())) {
+                            found = true;
+                            dependency = existing;
+                        }
+                    }
+                }
+                if (!found) {
                     dependencies.add(dependency);
                 }
             } else {
                 LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);
             }
+        }
         return dependency;
     }
 
@@ -539,6 +551,16 @@ public class Engine implements FileFilter {
         return this.fileTypeAnalyzers;
     }
 
+    /**
+     * Adds a file type analyzer. This has been added solely to assist in unit
+     * testing the Engine.
+     *
+     * @param fta the file type analyzer to add
+     */
+    protected void addFileTypeAnalyzer(FileTypeAnalyzer fta) {
+        this.fileTypeAnalyzers.add(fta);
+    }
+
     /**
      * Checks the CPE Index to ensure documents exists. If none exist a
      * NoDataException is thrown.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -286,7 +286,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (InterruptedException ie) {
             throw new AnalysisException("bundle-audit process interrupted", ie);
         }
-        if (exitValue != 0) {
+        if (exitValue < 0 || exitValue > 1) {
             final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
             throw new AnalysisException(msg);
         }

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -122,8 +122,26 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             function setCopyText(name, matchType, matchValue, suppressType, suppressVal) {
                 xml =  '<suppress>\n';
                 xml += '   <notes><!'+'[CDATA[\n   file name: ' + name + '\n   ]]'+'></notes>\n';
+                if (matchType=='gav') {
+                    v = matchValue.match(/^[^:]+:[^:]+:/);
+                    if (v && v[0]) {
+                        xml += '   <'+matchType+' regex="true">^' + v[0].replace(/\./g,'\\.') + '.*$</'+matchType+'>\n';
+                    } else {
                         xml += '   <'+matchType+'>' + matchValue + '</'+matchType+'>\n';
+                    }
+                } else {
+                    xml += '   <'+matchType+'>' + matchValue + '</'+matchType+'>\n';
+                }
+                if (suppressType=='cpe') {
+                    v = suppressVal.match(/^cpe:\/a:[^:]+:[^:]+/);
+                    if (v && v[0]) {
+                        xml += '   <'+suppressType+'>' + v[0] + '</'+suppressType+'>\n';
+                    } else {
                         xml += '   <'+suppressType+'>' + suppressVal + '</'+suppressType+'>\n';
+                    }
+                } else {
+                    xml += '   <'+suppressType+'>' + suppressVal + '</'+suppressType+'>\n';
+                }
                 xml += '</suppress>';
                 $('#modal-text').text(xml);
                 $('#modal-content,#modal-background').addClass('active');

dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineTest.java

@@ -0,0 +1,53 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import java.io.File;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class EngineTest extends BaseDBTestCase {
+
+    /**
+     * Test of scanFile method, of class Engine.
+     */
+    @Test
+    public void testScanFile() throws DatabaseException {
+        Engine instance = new Engine();
+        instance.addFileTypeAnalyzer(new JarAnalyzer());
+        File file = BaseTest.getResourceAsFile(this, "dwr.jar");
+        Dependency dwr = instance.scanFile(file);
+        file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
+        Dependency jmx = instance.scanFile(file);
+        assertEquals(2, instance.getDependencies().size());
+        
+        file = BaseTest.getResourceAsFile(this, "dwr.jar");
+        Dependency secondDwr = instance.scanFile(file);
+        
+        assertEquals(2, instance.getDependencies().size());
+        assertTrue(dwr == secondDwr);
+        
+    }
+}

dependency-check-maven/pom.xml

@@ -38,7 +38,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     </distributionManagement>
     <!-- end copy -->
     <properties>
-        <version.maven-plugin-plugin>3.4</version.maven-plugin-plugin>
+        <version.maven-plugin-plugin>3.5</version.maven-plugin-plugin>
     </properties>
     <prerequisites>
         <maven>3.1</maven>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -112,7 +112,7 @@ public class CheckMojo extends BaseDependencyCheckMojo {
                             }
                         }
                     }
-                    writeDataFile(getProject(), null, engine.getDependencies());
+                    //writeDataFile(getProject(), null, engine.getDependencies());
                     showSummary(getProject(), engine.getDependencies());
                     checkForFailure(engine.getDependencies());
                     if (exCol != null && this.isFailOnError()) {

pom.xml

@@ -222,7 +222,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-resources-plugin</artifactId>
-                    <version>3.0.0</version>
+                    <version>3.0.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -500,7 +500,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>findbugs-maven-plugin</artifactId>
-                <version>3.0.3</version>
+                <version>3.0.4</version>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -529,7 +529,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>versions-maven-plugin</artifactId>
-                <version>2.2</version>
+                <version>2.3</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -572,7 +572,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>com.sun.mail</groupId>
                 <artifactId>mailapi</artifactId>
-                <version>1.5.5</version>
+                <version>1.5.6</version>
             </dependency>
             <dependency>
                 <groupId>ch.qos.logback</groupId>
@@ -648,7 +648,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.maven.plugin-tools</groupId>
                 <artifactId>maven-plugin-annotations</artifactId>
-                <version>3.4</version>
+                <version>3.5</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.maven.reporting</groupId>