diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
index 824f7069b..69b1b2bbc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java
@@ -1,3 +1,20 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Stefan Neuhaus. All Rights Reserved.
+ */
 package org.owasp.dependencycheck;
 import org.owasp.dependencycheck.analyzer.Analyzer;
@@ -12,17 +29,44 @@ import java.util.List;
 import java.util.concurrent.Callable;
 /**
- * The task of analyzing a single {@link Dependency} by a specific {@link Analyzer}.
+ * Task to support parallelism of dependency-check analysis.
+ * Analyses a single {@link Dependency} by a specific {@link Analyzer}.
+ *
+ * @author Stefan Neuhaus
 */
 class AnalysisTask implements Callable {
+ /**
+ * Instance of the logger.
+ */
 private static final Logger LOGGER = LoggerFactory.getLogger(AnalysisTask.class);
+ /**
+ * A reference to the analyzer.
+ */
 private final Analyzer analyzer;
+ /**
+ * The dependency to analyze.
+ */
 private final Dependency dependency;
+ /**
+ * A reference to the dependency-check engine.
+ */
 private final Engine engine;
+ /**
+ * The list of exceptions that may occur during analysis.
+ */
 private final List exceptions;
+ /**
+ * Creates a new analysis task.
+ *
+ * @param analyzer a reference of the analyzer to execute
+ * @param dependency the dependency to analyze
+ * @param engine the dependency-check engine
+ * @param exceptions exceptions that occur during analysis will be added to
+ * this collection of exceptions
+ */
 AnalysisTask(Analyzer analyzer, Dependency dependency, Engine engine, List exceptions) {
 this.analyzer = analyzer;
 this.dependency = dependency;
@@ -30,6 +74,12 @@ class AnalysisTask implements Callable {
 this.exceptions = exceptions;
 }
+ /**
+ * Executes the analysis task.
+ *
+ * @return null
+ * @throws Exception thrown if unable to execute the analysis task
+ */
 @Override
 public Void call() {
 Settings.initialize();
@@ -53,6 +103,11 @@ class AnalysisTask implements Callable {
 return null;
 }
+ /**
+ * Determines if the analyzer can analyze the given dependency.
+ *
+ * @return whether or not the analyzer can analyze the dependency
+ */
 boolean shouldAnalyze() {
 if (analyzer instanceof FileTypeAnalyzer) {
 final FileTypeAnalyzer fileTypeAnalyzer = (FileTypeAnalyzer) analyzer;
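Review bot: The new Javadoc on call() declares `@throws Exception thrown if unable to execute the analysis task`, but the signature `public Void call()` has no throws clause, so doclint will reject the tag as documenting a checked exception the method does not throw. The constructor's `@param exceptions` says failures "will be added to this collection of exceptions", which suggests call() reports errors through that list rather than throwing; if the body (outside the hunk) confirms that, replace the tag with a sentence such as `* Failures are recorded in the exception collection handed to the constructor rather than thrown.` and drop the `@throws` line. Either way the summary should say what the caller can rely on, since `@return null` alone tells a reader nothing about how errors surface.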
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index caf127ea1..9c6ebe713 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -162,10 +162,10 @@ public class Engine implements FileFilter {
 }
 /**
- * Get the dependencies identified.
- * The returned list is a reference to the engine's synchronized list. You must synchronize on it, when you modify
- * and iterate over it from multiple threads. E.g. this holds for analyzers supporting parallel processing during
- * their analysis phase.
+ * Get the dependencies identified. The returned list is a reference to the
+ * engine's synchronized list. You must synchronize on it, when you modify
+ * and iterate over it from multiple threads. E.g. this holds for analyzers
+ * supporting parallel processing during their analysis phase.
 *
 * @return the dependencies identified
 * @see Collections#synchronizedList(List)
@@ -323,7 +323,7 @@ public class Engine implements FileFilter {
 if (file.isFile()) {
 if (accept(file)) {
 dependency = new Dependency(file);
- String sha1 = dependency.getSha1sum();
+ final String sha1 = dependency.getSha1sum();
 boolean found = false;
 synchronized (dependencies) {
 if (sha1 != null) {
@@ -351,7 +351,7 @@ public class Engine implements FileFilter {
 * iterates over a copy of the dependencies list. Thus, the potential for
 * {@link java.util.ConcurrentModificationException}s is avoided, and
 * analyzers may safely add or remove entries from the dependencies list.
- *

* Every effort is made to complete analysis on the dependencies. In some
 * cases an exception will occur with part of the analysis being performed
 * which may not affect the entire analysis. If an exception occurs it will
@@ -428,13 +428,20 @@ public class Engine implements FileFilter {
 }
 }
+ /**
+ * Executes executes the analyzer using multiple threads.
+ *
+ * @param exceptions a collection of exceptions that occurred during analysis
+ * @param analyzer the analyzer to execute
+ * @throws ExceptionCollection thrown if exceptions occurred during analysis
+ */
 void executeAnalysisTasks(Analyzer analyzer, List exceptions) throws ExceptionCollection {
 LOGGER.debug("Starting {}", analyzer.getName());
 final List analysisTasks = getAnalysisTasks(analyzer, exceptions);
 final ExecutorService executorService = getExecutorService(analyzer);
 try {
- List> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES);
+ final List> results = executorService.invokeAll(analysisTasks, 10, TimeUnit.MINUTES);
 // ensure there was no exception during execution
 for (Future result : results) {
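Review bot: The new Javadoc on executeAnalysisTasks has a doubled word, `* Executes executes the analyzer using multiple threads.`, and lists `@param exceptions` before `@param analyzer`, the reverse of the signature's order and of the convention the other Javadoc added in this commit follows. Suggest `* Executes the analyzer using multiple threads.` and swapping the two `@param` lines. The doc should also mention the 10-minute cap handed to `invokeAll`, since the executor cancels any task still running when that elapses and the loop over `results` — which continues outside the hunk — will then meet cancelled futures; something like `* Analysis tasks still running after ten minutes are cancelled.` makes that visible to callers.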
@@ -453,21 +460,34 @@ public class Engine implements FileFilter {
 }
 }
+ /**
+ * Returns the analysis tasks for the dependencies.
+ *
+ * @param analyzer the analyzer to create tasks for
+ * @param exceptions the collection of exceptions to collect
+ * @return a collection of analysis tasks
+ */
 List getAnalysisTasks(Analyzer analyzer, List exceptions) {
 final List result = new ArrayList();
 synchronized (dependencies) {
 for (final Dependency dependency : dependencies) {
- AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions);
+ final AnalysisTask task = new AnalysisTask(analyzer, dependency, this, exceptions);
 result.add(task);
 }
 }
 return result;
 }
+ /**
+ * Returns the executor service for a given analyzer.
+ *
+ * @param analyzer the analyzer to obtain an executor
+ * @return the executor service
+ */
 ExecutorService getExecutorService(Analyzer analyzer) {
 if (analyzer.supportsParallelProcessing()) {
 // just a fair trade-off that should be reasonable for all analyzer types
- int maximumNumberOfThreads = 4 * Runtime.getRuntime().availableProcessors();
+ final int maximumNumberOfThreads = 4 * Runtime.getRuntime().availableProcessors();
 LOGGER.debug("Parallel processing with up to {} threads: {}.", maximumNumberOfThreads, analyzer.getName());
 return Executors.newFixedThreadPool(maximumNumberOfThreads);
@@ -620,6 +640,15 @@ public class Engine implements FileFilter {
 }
 }
+ /**
+ * Constructs and throws a fatal exception collection.
+ *
+ * @param message the exception message
+ * @param throwable the cause
+ * @param exceptions a collection of exception to include
+ * @throws ExceptionCollection a collection of exceptions that occurred
+ * during analysis
+ */
 private void throwFatalExceptionCollection(String message, Throwable throwable, List exceptions) throws ExceptionCollection {
 LOGGER.error("{}\n\n{}", throwable.getMessage(), message);
 LOGGER.debug("", throwable);
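Review bot: The new Javadoc `* Returns the executor service for a given analyzer.` on getExecutorService reads as though an existing service is handed out, but the branch in the hunk builds a fresh pool with `Executors.newFixedThreadPool(maximumNumberOfThreads)` on every call, so ownership and shutdown rest with the caller and the doc should say so: `* Creates a new executor service sized for the given analyzer; the caller owns it and must shut it down.` The else branch of the method is outside the hunk, so confirm the wording also fits analyzers that do not support parallel processing. The `// just a fair trade-off` comment would be more useful if it recorded why four threads per processor was chosen, since that number is the only tuning knob in the method.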
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index da3be5dee..4138b9ec2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -221,7 +221,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 }
 /**
- * Does not support parallel processing as it both modifies and iterates over the engine's list of dependencies.
+ * Does not support parallel processing as it both modifies and iterates
+ * over the engine's list of dependencies.
 *
 * @see #analyzeFileType(Dependency, Engine)
 * @see #findMoreDependencies(Engine, File)
@@ -421,7 +422,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 LOGGER.warn("Exception reading archive '{}'.", archive.getName());
 LOGGER.debug("", ex);
 } finally {
- //overly verbose and not needed... but keeping it anyway due to
+ //overly verbose and not needed... but keeping it anyway due to
 //having issue with file handles being left open
 close(fis);
 close(in);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 7400fb341..b82001da2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -124,7 +124,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 try {
 final Process proc = pb.start();
- DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+ final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
 doc = builder.parse(proc.getInputStream());
 // Try evacuating the error stream
@@ -254,9 +254,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 // Try evacuating the error stream
 IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- final DocumentBuilder builder = factory.newDocumentBuilder();
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
 final Document doc = builder.parse(p.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String error = xpath.evaluate("/assembly/error", doc);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
index fd1fa7d7b..ed5c29f6c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -31,8 +31,6 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
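Review bot: The first hunk's `final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();` still parses `proc.getInputStream()` with a default-configured factory, while the second hunk in this file — and every other XML parser this commit touches — sets `http://apache.org/xml/features/disallow-doctype-decl` before building. That stream is the stdout of the process started from `pb`, which I take to be produced from the assembly under analysis, so it is not trustworthy input and deserves the same hardening: replace the line with `final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();` / `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` / `final DocumentBuilder builder = factory.newDocumentBuilder();`. `setFeature` throws ParserConfigurationException, so the enclosing try's catch clauses, which lie outside the hunk, may need extending.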
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
index bd34f9c8e..e81ea6e12 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -221,7 +221,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 } catch (UnsupportedEncodingException ex) {
 path = filePath.getBytes();
 }
- MessageDigest sha1 = getSha1MessageDigest();
+ final MessageDigest sha1 = getSha1MessageDigest();
 currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
 engine.getDependencies().add(currentDep);
 }
@@ -239,6 +239,11 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
 }
+ /**
+ * Returns the sha1 message digest.
+ *
+ * @return the sha1 message digest
+ */
 private MessageDigest getSha1MessageDigest() {
 try {
 return MessageDigest.getInstance("SHA1");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
index 8e8da7b5a..bb1a24a7f 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
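Review bot: The new Javadoc `* Returns the sha1 message digest.` on getSha1MessageDigest understates what the hunk shows: the method calls `MessageDigest.getInstance("SHA1")`, so it creates a new digest on every call rather than handing out a shared one, and the doc should say `* Creates a new SHA-1 message digest instance.` with `@return a fresh SHA-1 digest`. The identical helper with the identical Javadoc is added to ComposerLockAnalyzer in the next file's hunks; both call sites already go through `Checksum.getHex`, so one helper on the Checksum utility class would remove the duplicate. The catch branch of the method lies outside the hunk, so the doc cannot yet state what happens when the algorithm is unavailable.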
@@ -111,7 +111,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 final Dependency d = new Dependency(dependency.getActualFile());
 d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
 final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
- MessageDigest sha1 = getSha1MessageDigest();
+ final MessageDigest sha1 = getSha1MessageDigest();
 d.setFilePath(filePath);
 d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
 d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
@@ -165,6 +165,11 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 return AnalysisPhase.INFORMATION_COLLECTION;
 }
+ /**
+ * Returns the sha1 message digest.
+ *
+ * @return the sha1 message digest
+ */
 private MessageDigest getSha1MessageDigest() {
 try {
 return MessageDigest.getInstance("SHA1");
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index c12cd164d..02b3ec4cb 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -33,8 +33,6 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
-import java.util.ArrayList;
-import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
index 52a0bcecc..6571e4d8c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -110,9 +110,9 @@ public class CentralSearch {
 if (conn.getResponseCode() == 200) {
 boolean missing = false;
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- final DocumentBuilder builder = factory.newDocumentBuilder();
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
 final Document doc = builder.parse(conn.getInputStream());
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final String numFound = xpath.evaluate("/response/result/@numFound", doc);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
index f79db3fd9..3039f0ab3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -57,8 +57,9 @@ public class NexusSearch {
 /**
 * Creates a NexusSearch for the given repository URL.
 *
- * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
- * URL, so it should end with a /
+ * @param rootURL the root URL of the repository on which searches should
+ * execute. full URL's are calculated relative to this URL, so it should end
+ * with a /
 */
 public NexusSearch(URL rootURL) {
 this.rootURL = rootURL;
@@ -66,6 +67,11 @@ public class NexusSearch {
 LOGGER.debug("Using proxy: {}", useProxy);
 }
+ /**
+ * Determine if a proxy should be used.
+ *
+ * @return {@code true} if a proxy should be used
+ */
 private boolean useProxy() {
 try {
 return Settings.getString(Settings.KEYS.PROXY_SERVER) != null
@@ -77,12 +83,14 @@ public class NexusSearch {
 }
 /**
- * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a MavenArtifact is
- * populated with the coordinate information.
+ * Searches the configured Nexus repository for the given sha1 hash. If the
+ * artifact is found, a MavenArtifact is populated with the
+ * coordinate information.
 *
 * @param sha1 The SHA-1 hash string for which to search
 * @return the populated Maven coordinates
- * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+ * @throws IOException if it's unable to connect to the specified repository
+ * or if the specified artifact is not found.
 */
 public MavenArtifact searchSha1(String sha1) throws IOException {
 if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -107,58 +115,60 @@ public class NexusSearch {
 conn.addRequestProperty("Accept", "application/xml");
 conn.connect();
- if (conn.getResponseCode() == 200) {
- try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- final DocumentBuilder builder = factory.newDocumentBuilder();
- final Document doc = builder.parse(conn.getInputStream());
- final XPath xpath = XPathFactory.newInstance().newXPath();
- final String groupId = xpath
- .evaluate(
- "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
- doc);
- final String artifactId = xpath.evaluate(
- "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
- doc);
- final String version = xpath
- .evaluate(
- "/org.sonatype.nexus.rest.model.NexusArtifact/version",
- doc);
- final String link = xpath
- .evaluate(
- "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
- doc);
- final String pomLink = xpath
- .evaluate(
- "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
- doc);
- final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
- if (link != null && !link.isEmpty()) {
- ma.setArtifactUrl(link);
+ switch (conn.getResponseCode()) {
+ case 200:
+ try {
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilder builder = factory.newDocumentBuilder();
+ final Document doc = builder.parse(conn.getInputStream());
+ final XPath xpath = XPathFactory.newInstance().newXPath();
+ final String groupId = xpath
+ .evaluate(
+ "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
+ doc);
+ final String artifactId = xpath.evaluate(
+ "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
+ doc);
+ final String version = xpath
+ .evaluate(
+ "/org.sonatype.nexus.rest.model.NexusArtifact/version",
+ doc);
+ final String link = xpath
+ .evaluate(
+ "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
+ doc);
+ final String pomLink = xpath
+ .evaluate(
+ "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
+ doc);
+ final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+ if (link != null && !link.isEmpty()) {
+ ma.setArtifactUrl(link);
+ }
+ if (pomLink != null && !pomLink.isEmpty()) {
+ ma.setPomUrl(pomLink);
+ }
+ return ma;
+ } catch (Throwable e) {
+ // Anything else is jacked-up XML stuff that we really can't recover
+ // from well
+ throw new IOException(e.getMessage(), e);
 }
- if (pomLink != null && !pomLink.isEmpty()) {
- ma.setPomUrl(pomLink);
- }
- return ma;
- } catch (Throwable e) {
- // Anything else is jacked-up XML stuff that we really can't recover
- // from well
- throw new IOException(e.getMessage(), e);
- }
- } else if (conn.getResponseCode() == 404) {
- throw new FileNotFoundException("Artifact not found in Nexus");
- } else {
- LOGGER.debug("Could not connect to Nexus received response code: {} {}",
- conn.getResponseCode(), conn.getResponseMessage());
- throw new IOException("Could not connect to Nexus");
+ case 404:
+ throw new FileNotFoundException("Artifact not found in Nexus");
+ default:
+ LOGGER.debug("Could not connect to Nexus received response code: {} {}",
+ conn.getResponseCode(), conn.getResponseMessage());
+ throw new IOException("Could not connect to Nexus");
 }
 }
 /**
 * Do a preflight request to see if the repository is actually working.
 *
- * @return whether the repository is listening and returns the /status URL correctly
+ * @return whether the repository is listening and returns the /status URL
+ * correctly
 */
 public boolean preflightRequest() {
 HttpURLConnection conn;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
index a49311e79..2769a17e7 100644
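Review bot: The rewritten `case 200` branch keeps `catch (Throwable e)` and rewraps everything as `new IOException(e.getMessage(), e)`, which also converts JVM `Error`s such as OutOfMemoryError into what callers will read as a Nexus connectivity failure. The only checked exceptions raised inside the try besides IOException are ParserConfigurationException (from `setFeature`/`newDocumentBuilder`), SAXException (from `parse`) and XPathExpressionException (from `evaluate`), so `} catch (ParserConfigurationException | SAXException | XPathExpressionException e) {` covers the "jacked-up XML" cases the comment describes while an IOException from `parse` propagates unchanged under the method's existing `throws IOException`. Multi-catch needs Java 7 and those three types imported, neither of which the hunk lets me confirm. The `case 200` block always returns or throws, so there is no fall-through into `case 404`, but a one-line comment saying so at the end of the try/catch would save the next reader from verifying it.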
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java
@@ -36,7 +36,8 @@ public class XPathNuspecParser implements NuspecParser {
 * Gets the string value of a node or null if it's not present
 *
 * @param n the node to test
- * @return the string content of the node, or null if the node itself is null
+ * @return the string content of the node, or null if the node itself is
+ * null
 */
 private String getOrNull(Node n) {
 if (n != null) {
@@ -56,10 +57,10 @@ public class XPathNuspecParser implements NuspecParser {
 @Override
 public NugetPackage parse(InputStream stream) throws NuspecParseException {
 try {
- DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ final DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final Document d = factory.newDocumentBuilder().parse(stream);
-
+
 final XPath xpath = XPathFactory.newInstance().newXPath();
 final NugetPackage nuspec = new NugetPackage();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index ff74907c3..8067e7163 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -119,7 +119,7 @@ public class CveDB {
 * @throws DatabaseException thrown if there is an error opening the
 * database connection
 */
- public synchronized final void open() throws DatabaseException {
+ public final synchronized void open() throws DatabaseException {
 if (!isOpen()) {
 conn = ConnectionFactory.getConnection();
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
index 3f1b9b3be..247af94ac 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -117,7 +117,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
 private List processXML(final File xml) throws UpdateException {
 try {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 final CPEHandler handler = new CPEHandler();
 saxParser.parse(xml, handler);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
index 81ebb4c8c..aaa89a91b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
@@ -38,7 +38,8 @@ import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 /**
- * A callable task that will process a given set of NVD CVE xml files and update the Cve Database accordingly.
+ * A callable task that will process a given set of NVD CVE xml files and update
+ * the Cve Database accordingly.
 *
 * @author Jeremy Long
 */
@@ -91,9 +92,11 @@ public class ProcessTask implements Callable {
 * Constructs a new ProcessTask used to process an NVD CVE update.
 *
 * @param cveDB the data store object
- * @param filePair the download task that contains the URL references to download
- * @param settings a reference to the global settings object; this is necessary so that when the thread is started the
- * dependencies have a correct reference to the global settings.
+ * @param filePair the download task that contains the URL references to
+ * download
+ * @param settings a reference to the global settings object; this is
+ * necessary so that when the thread is started the dependencies have a
+ * correct reference to the global settings.
 */
 public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
 this.cveDB = cveDB;
@@ -106,8 +109,8 @@ public class ProcessTask implements Callable {
 * Implements the callable interface.
 *
 * @return this object
- * @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks exception
- * collection
+ * @throws Exception thrown if there is an exception; note that any
+ * UpdateExceptions are simply added to the tasks exception collection
 */
 @Override
 public ProcessTask call() throws Exception {
@@ -127,18 +130,20 @@ public class ProcessTask implements Callable {
 *
 * @param file the file containing the NVD CVE XML
 * @param oldVersion contains the file containing the NVD CVE XML 1.2
- * @throws ParserConfigurationException is thrown if there is a parser configuration exception
+ * @throws ParserConfigurationException is thrown if there is a parser
+ * configuration exception
 * @throws SAXException is thrown if there is a SAXException
 * @throws IOException is thrown if there is a IO Exception
 * @throws SQLException is thrown if there is a SQL exception
 * @throws DatabaseException is thrown if there is a database exception
- * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
+ * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+ * loaded
 */
 protected void importXML(File file, File oldVersion) throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 final NvdCve12Handler cve12Handler = new NvdCve12Handler();
@@ -154,7 +159,8 @@ public class ProcessTask implements Callable {
 /**
 * Processes the NVD CVE XML file and imports the data into the DB.
 *
- * @throws UpdateException thrown if there is an error loading the data into the database
+ * @throws UpdateException thrown if there is an error loading the data into
+ * the database
 */
 private void processFiles() throws UpdateException {
 LOGGER.info("Processing Started for NVD CVE - {}", filePair.getNvdCveInfo().getId());
@@ -181,6 +187,6 @@ public class ProcessTask implements Callable {
 filePair.cleanup();
 }
 LOGGER.info("Processing Complete for NVD CVE - {} ({} ms)", filePair.getNvdCveInfo().getId(),
- System.currentTimeMillis() - startProcessing);
+ System.currentTimeMillis() - startProcessing);
 }
 }
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
index 2855df7d7..f25c76a24 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -140,11 +140,11 @@ public class DependencyVersion implements Iterable, Comparable other.versionParts.size()) ? this.versionParts.size() : other.versionParts.size();
-
- if (minVersionMatchLength==1 && maxVersionMatchLength>=3) {
+
+ if (minVersionMatchLength == 1 && maxVersionMatchLength >= 3) {
 return false;
 }
-
+
 //TODO steal better version of code from compareTo
 for (int i = 0; i < minVersionMatchLength; i++) {
 final String thisPart = this.versionParts.get(i);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
index e6fa4142c..15a4a0d5a 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/HintParser.java
@@ -109,8 +109,8 @@ public class HintParser {
 schemaStream = this.getClass().getClassLoader().getResourceAsStream(HINT_SCHEMA);
 final HintHandler handler = new HintHandler();
 final SAXParserFactory factory = SAXParserFactory.newInstance();
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
- factory.setNamespaceAware(true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setNamespaceAware(true);
 factory.setValidating(true);
 final SAXParser saxParser = factory.newSAXParser();
 saxParser.setProperty(HintParser.JAXP_SCHEMA_LANGUAGE, HintParser.W3C_XML_SCHEMA);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
index 2ff59b665..aef0899ad 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomParser.java
@@ -47,10 +47,12 @@ public class PomParser {
 private static final Logger LOGGER = LoggerFactory.getLogger(PomParser.class);
 /**
- * Parses the given xml file and returns a Model object containing only the fields dependency-check requires.
+ * Parses the given xml file and returns a Model object containing only the
+ * fields dependency-check requires.
 *
 * @param file a pom.xml
- * @return a Model object containing only the fields dependency-check requires
+ * @return a Model object containing only the fields dependency-check
+ * requires
 * @throws PomParseException thrown if the xml file cannot be parsed
 */
 public Model parse(File file) throws PomParseException {
@@ -73,7 +75,8 @@ public class PomParser {
 }
 /**
- * Parses the given XML file and returns a Model object containing only the fields dependency-check requires.
+ * Parses the given XML file and returns a Model object containing only the
+ * fields dependency-check requires.
 *
 * @param inputStream an InputStream containing suppression rues
 * @return a list of suppression rules
@@ -85,7 +88,7 @@ public class PomParser {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
 // factory.setNamespaceAware(true);
 // factory.setValidating(true);
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 final XMLReader xmlReader = saxParser.getXMLReader();
 xmlReader.setContentHandler(handler);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
index ffe61c4a5..5ddf49c4d 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/suppression/SuppressionParser.java
@@ -128,7 +128,7 @@ public class SuppressionParser {
 final SAXParserFactory factory = SAXParserFactory.newInstance();
 factory.setNamespaceAware(true);
 factory.setValidating(true);
- factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
+ factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
 final SAXParser saxParser = factory.newSAXParser();
 saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_LANGUAGE, SuppressionParser.W3C_XML_SCHEMA);
 saxParser.setProperty(SuppressionParser.JAXP_SCHEMA_SOURCE, new InputSource(schemaStream));
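Review bot: The reflowed Javadoc still carries tags copied from the suppression parser — `@param inputStream an InputStream containing suppression rues` and `@return a list of suppression rules` — although the summary line the commit rewrites says the method returns a Model built from the given XML, as does the `parse(File)` Javadoc in the previous hunk. Since the comment is being edited anyway, fix the tags in the same hunk: `* @param inputStream an InputStream containing the pom.xml to parse` and `* @return a Model object containing only the fields dependency-check requires`. A `@throws` tag is missing as well; if this overload declares `PomParseException` like `parse(File)` does (its signature is below the hunk), add `* @throws PomParseException thrown if the xml cannot be parsed`.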
diff --git a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
index 7d02ed90f..09fb9eed1 100644
--- a/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -24,7 +24,6 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.IOException;
 import java.nio.ByteBuffer;
-import java.nio.MappedByteBuffer;
 import java.nio.channels.FileChannel;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
@@ -61,17 +60,17 @@ public final class Checksum {
 * not exist
 */
 public static byte[] getChecksum(String algorithm, File file) throws NoSuchAlgorithmException, IOException {
- MessageDigest md = MessageDigest.getInstance(algorithm);
+ final MessageDigest md = MessageDigest.getInstance(algorithm);
 FileInputStream fis = null;
 FileChannel ch = null;
 try {
 fis = new FileInputStream(file);
 ch = fis.getChannel();
- ByteBuffer buf = ByteBuffer.allocateDirect(8192);
+ final ByteBuffer buf = ByteBuffer.allocateDirect(8192);
 int b = ch.read(buf);
 while ((b != -1) && (b != 0)) {
 buf.flip();
- byte[] bytes = new byte[b];
+ final byte[] bytes = new byte[b];
 buf.get(bytes);
 md.update(bytes, 0, b);
 buf.clear();
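Review bot: The read loop at the end of the hunk copies each chunk out of the direct buffer into a freshly allocated heap array (`buf.get(bytes)`) before hashing it, although `MessageDigest.update(ByteBuffer)` consumes the flipped buffer directly, so the loop body can be `buf.flip();` `md.update(buf);` `buf.clear();` and the per-iteration `bytes` array the commit just made `final` goes away. The loop condition `(b != -1) && (b != 0)` also treats a zero-byte read as end of file; a blocking FileChannel read into a buffer with remaining space should not return 0, but if it ever did the method would silently return the digest of a truncated file, so that branch deserves either a comment stating why 0 is treated as EOF or an explicit failure. The re-read at the bottom of the loop and the `finally` that releases `ch` and `fis` are below the hunk, so the rest of `getChecksum` is not visible here.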
@@ -94,50 +93,6 @@ public final class Checksum {
 }
 }
 }
- /*
- // while the following is likely faster, it does not work as we need to
- // be able to delete the file, see
- // http://stackoverflow.com/questions/24589488/why-does-this-utility-method-leaves-files-locked
- //
- final MessageDigest digest = MessageDigest.getInstance(algorithm);
- FileInputStream fis = null;
- FileChannel ch = null;
- try {
- fis = new FileInputStream(file);
- ch = fis.getChannel();
- long remainingToRead = file.length();
- long start = 0;
- while (remainingToRead > 0) {
- long amountToRead;
- if (remainingToRead > Integer.MAX_VALUE) {
- remainingToRead -= Integer.MAX_VALUE;
- amountToRead = Integer.MAX_VALUE;
- } else {
- amountToRead = remainingToRead;
- remainingToRead = 0;
- }
- final MappedByteBuffer byteBuffer = ch.map(FileChannel.MapMode.READ_ONLY, start, amountToRead);
- digest.update(byteBuffer);
- start += amountToRead;
- }
- } finally {
- if (ch != null) {
- try {
- ch.close();
- } catch (IOException ex) {
- LOGGER.trace("Error closing channel '{}'.", file.getName(), ex);
- }
- }
- if (fis != null) {
- try {
- fis.close();
- } catch (IOException ex) {
- LOGGER.trace("Error closing file '{}'.", file.getName(), ex);
- }
- }
- }
- return digest.digest();
- */
 }
 /**
diff --git a/src/main/config/checkstyle-header.txt b/src/main/config/checkstyle-header.txt
index aef133a42..ac81f0010 100644
--- a/src/main/config/checkstyle-header.txt
+++ b/src/main/config/checkstyle-header.txt
@@ -13,6 +13,6 @@
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package