checkstyle suggestions

This commit is contained in:
Jeremy Long
2017-11-26 09:05:42 -05:00
parent f1631e9ff3
commit 93f25abd99
5 changed files with 34 additions and 15 deletions


@@ -207,7 +207,7 @@ public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer {
protected Dependency findDependency(Engine engine, String name, String version) {
for (Dependency d : engine.getDependencies()) {
if (NPM_DEPENDENCY_ECOSYSTEM.equals(d.getEcosystem()) && name.equals(d.getName()) && version != null && d.getVersion() != null) {
String dependencyVersion = d.getVersion();
final String dependencyVersion = d.getVersion();
if (DependencyBundlingAnalyzer.npmVersionsMatch(version, dependencyVersion)) {
return d;
}
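Review bot: The `version != null` test inside the loop condition of findDependency is invariant across iterations; a guard before the loop (`if (version == null) { return null; }`, assuming the method's not-found result outside the hunk is null, which the `existing != null` check at the NodePackageAnalyzer call site suggests) states the precondition once and lets the per-dependency test read as just ecosystem, name and version. The `final` added to dependencyVersion is fine; for consistency the loop variable `d` could carry it too. findDependency's body continues past the end of the hunk.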


@@ -162,7 +162,8 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
* removed from the main analysis loop, this function adds to this
* collection
*/
public static void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
public static void mergeDependencies(final Dependency dependency,
final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
dependency.addRelatedDependency(relatedDependency);
for (Dependency d : relatedDependency.getRelatedDependencies()) {
dependency.addRelatedDependency(d);
@@ -496,7 +497,7 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
* This method attempts to evaluate version range checks.
*
* @param current a dependency version to compare
* @param nextDependency a dependency version to compare
* @param next a dependency version to compare
* @return true if the version is equal in both dependencies; otherwise
* false
*/
@@ -520,7 +521,7 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
}
}
try {
Semver v = new Semver(right, SemverType.NPM);
final Semver v = new Semver(right, SemverType.NPM);
return v.satisfies(left);
} catch (SemverException ex) {
LOGGER.trace("ignore", ex);
@@ -552,6 +553,13 @@ public class DependencyBundlingAnalyzer extends AbstractDependencyComparingAnaly
return false;
}
/**
* Strips leading non-numeric values from the start of the string. If no
* numbers are present this will return null.
*
* @param str the string to modify
* @return the string without leading non-numeric characters
*/
private static String stripLeadingNonNumeric(String str) {
for (int x = 0; x < str.length(); x++) {
if (Character.isDigit(str.codePointAt(x))) {
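Review bot: The new Javadoc on stripLeadingNonNumeric says a digit-free input yields null, but the `@return` tag mentions only the stripped string; the contract belongs on the tag, e.g. `@return the string without leading non-numeric characters, or {@code null} if it contains no digits`. The loop dereferences `str` directly, so a null argument throws NullPointerException rather than returning null; that is worth stating (`@throws NullPointerException if {@code str} is null`) or guarding, since the inputs presumably come from version strings read out of package metadata. `Character.isDigit` is Unicode-aware, so a leading non-ASCII digit (e.g. Arabic-Indic) stops the stripping even though the Semver parser used elsewhere in this class presumably accepts only ASCII digits; if ASCII was intended, `cp >= '0' && cp <= '9'` is the narrower test. The method body continues past the end of the hunk, so the null return itself cannot be confirmed from here.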


@@ -165,7 +165,7 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
@Override
protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
engine.removeDependency(dependency);
File dependencyFile = dependency.getActualFile();
final File dependencyFile = dependency.getActualFile();
if (!dependencyFile.isFile() || dependencyFile.length() == 0) {
return;
}
@@ -178,9 +178,9 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
} catch (IOException ex) {
throw new RuntimeException(ex);
}
File baseDir = dependencyFile.getParentFile();
final File baseDir = dependencyFile.getParentFile();
if (PACKAGE_LOCK_JSON.equals(dependency.getFileName())) {
File shrinkwrap = new File(baseDir, SHRINKWRAP_JSON);
final File shrinkwrap = new File(baseDir, SHRINKWRAP_JSON);
if (shrinkwrap.exists()) {
return;
}
@@ -205,15 +205,27 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
}
}
/**
* Process the dependencies in the lock file by first parsing its
* dependencies and then finding the package.json for the module and adding
* it as a dependency.
*
* @param json
* @param baseDir
* @param rootFile
* @param parentPackage
* @param engine
* @throws AnalysisException
*/
private void processDependencies(final JsonObject json, File baseDir, File rootFile, final String parentPackage, Engine engine) throws AnalysisException {
if (json.containsKey("dependencies")) {
JsonObject deps = json.getJsonObject("dependencies");
final JsonObject deps = json.getJsonObject("dependencies");
for (Map.Entry<String, JsonValue> entry : deps.entrySet()) {
JsonObject jo = (JsonObject) entry.getValue();
final JsonObject jo = (JsonObject) entry.getValue();
final String name = entry.getKey();
final String version = jo.getString("version");
File base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
File f = new File(base, PACKAGE_JSON);
final File base = Paths.get(baseDir.getPath(), "node_modules", name).toFile();
final File f = new File(base, PACKAGE_JSON);
if (jo.containsKey("dependencies")) {
final String subPackageName = String.format("%s/%s:%s", parentPackage, name, version);
@@ -225,7 +237,7 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
//TOOD - we should use the integrity value instead of calculating the SHA1/MD5
child = new Dependency(f);
try (JsonReader jr = Json.createReader(FileUtils.openInputStream(f))) {
JsonObject childJson = jr.readObject();
final JsonObject childJson = jr.readObject();
gatherEvidence(childJson, child);
} catch (JsonException e) {
@@ -248,7 +260,7 @@ public class NodePackageAnalyzer extends AbstractNpmAnalyzer {
child.addProjectReference(parentPackage);
child.setEcosystem(DEPENDENCY_ECOSYSTEM);
Dependency existing = findDependency(engine, name, version);
final Dependency existing = findDependency(engine, name, version);
if (existing != null) {
if (existing.isVirtual()) {
DependencyMergingAnalyzer.mergeDependencies(child, existing, null);
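Review bot: In processDependencies, `name` is a key read straight from the lock file's `dependencies` object and is joined onto the project directory at `Paths.get(baseDir.getPath(), "node_modules", name)` with no check that the result stays under baseDir, so a crafted key such as `../../elsewhere` makes the analyzer open and parse a package.json outside the scanned tree (the read happens in the later hunk at `FileUtils.openInputStream(f)`). Scoped packages (`@scope/name`) legitimately contain a slash, so the guard should be a normalized-prefix check rather than a separator blacklist; `normalize()` does not follow symlinks, so a `toRealPath()` comparison would be stricter if that matters here. The impact is limited to reading and gathering evidence from an attacker-chosen JSON file, but this scanner routinely runs on third-party repositories, so it is worth closing; the sketch below keeps `base` as a File for the code that follows and needs `java.nio.file.Path` in scope. Separately, the new Javadoc's `@param json`, `@param baseDir`, `@param rootFile`, `@param parentPackage`, `@param engine` and `@throws AnalysisException` tags are empty and should be filled in or dropped. processDependencies continues past the end of its hunk.
```java
final String name = entry.getKey();
final String version = jo.getString("version");
// resolve under the project root and refuse keys that escape it (e.g. "../x")
final Path root = baseDir.toPath().toAbsolutePath().normalize();
final Path modulePath = root.resolve("node_modules").resolve(name).normalize();
if (!modulePath.startsWith(root)) {
    continue;
}
final File base = modulePath.toFile();
final File f = new File(base, PACKAGE_JSON);
// … unchanged: nested "dependencies" recursion …
```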


@@ -43,7 +43,6 @@ import javax.json.JsonException;
import javax.json.JsonObject;
import javax.json.JsonObjectBuilder;
import javax.json.JsonReader;
import static org.owasp.dependencycheck.analyzer.NodePackageAnalyzer.DEPENDENCY_ECOSYSTEM;
import org.owasp.dependencycheck.exception.InitializationException;
import org.owasp.dependencycheck.utils.InvalidSettingException;
import org.owasp.dependencycheck.utils.URLConnectionFailureException;


@@ -108,4 +108,4 @@ public class NvdCveAnalyzer extends AbstractAnalyzer {
protected String getAnalyzerEnabledSettingKey() {
return Settings.KEYS.ANALYZER_NVD_CVE_ENABLED;
}
}
}