Merge branch 'master' of https://github.com/jeremylong/DependencyCheck

Former-commit-id: 7a189b5240ff2c831c6d6f42555148f5f00586bd

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -140,7 +140,7 @@ public final class CliParser {
             throw new FileNotFoundException(msg);
         } else if (!path.contains("*") && !path.contains("?")) {
             File f = new File(path);
-            if ("o".equals(argumentName.substring(0, 1).toLowerCase()) && !"ALL".equals(this.getReportFormat().toUpperCase())) {
+            if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !"ALL".equalsIgnoreCase(this.getReportFormat())) {
                 final String checkPath = path.toLowerCase();
                 if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
                     if (f.getParentFile() == null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -116,7 +116,7 @@ public class Engine {
      * Loads the analyzers specified in the configuration file (or system properties).
      */
     private void loadAnalyzers() {
-        if (analyzers.size() > 0) {
+        if (!analyzers.isEmpty()) {
             return;
         }
         for (AnalysisPhase phase : AnalysisPhase.values()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
-            final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
             ZIPPABLES.addAll(ext);
         }
         EXTENSIONS.addAll(ZIPPABLES);
@@ -382,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                             fos = new FileOutputStream(file);
                             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                             int count;
-                            final byte data[] = new byte[BUFFER_SIZE];
+                            final byte[] data = new byte[BUFFER_SIZE];
                             while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                                 bos.write(data, 0, count);
                             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -255,7 +255,7 @@ public class CPEAnalyzer implements Analyzer {
     protected List<IndexEntry> searchCPE(String vendor, String product,
             Set<String> vendorWeightings, Set<String> productWeightings) {
 
-        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
 
         final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
         if (searchString == null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -101,7 +102,7 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<Evidence>();
         while (itr.hasNext()) {
             final Evidence e = itr.next();
             if ("sun".equalsIgnoreCase(e.getValue(false))) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -227,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
-            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
+            final List<ClassNameInformation> classNames = collectClassNames(dependency);
             final String fileName = dependency.getFileName().toLowerCase();
             if (classNames.isEmpty()
                     && (fileName.endsWith("-sources.jar")
@@ -255,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException is thrown if there is an exception parsing the pom
      * @return whether or not evidence was added to the dependency
      */
-    protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
+    protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
         boolean foundSomething = false;
         final JarFile jar;
         try {
@@ -408,7 +408,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             fos = new FileOutputStream(file);
             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
             int count;
-            final byte data[] = new byte[BUFFER_SIZE];
+            final byte[] data = new byte[BUFFER_SIZE];
             while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                 bos.write(data, 0, count);
             }
@@ -531,7 +531,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * file being analyzed
      * @return true if there was evidence within the pom that we could use; otherwise false
      */
-    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
+    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
         boolean foundSomething = false;
         boolean addAsIdentifier = true;
         if (pom == null) {
@@ -659,10 +659,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param dependency a dependency to analyze
      * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
      */
-    protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
+    protected void analyzePackageNames(List<ClassNameInformation> classNames,
             Dependency dependency, boolean addPackagesAsEvidence) {
-        final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
-        final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
         analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
 
         final int classCount = classNames.size();
@@ -704,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return whether evidence was identified parsing the manifest
      * @throws IOException if there is an issue reading the JAR file
      */
-    protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
         boolean foundSomething = false;
         JarFile jar = null;
         try {
@@ -1050,8 +1050,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param dependency the dependency being analyzed
      * @return an list of fully qualified class names
      */
-    private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
+    private List<ClassNameInformation> collectClassNames(Dependency dependency) {
-        final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
+        final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
@@ -1089,10 +1089,10 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
      * @param product HashMap of possible product names from package names (e.g. dependencycheck)
      */
-    private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
+    private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
-            HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
+            Map<String, Integer> vendor, Map<String, Integer> product) {
         for (ClassNameInformation entry : classNames) {
-            final ArrayList<String> list = entry.getPackageStructure();
+            final List<String> list = entry.getPackageStructure();
             addEntry(vendor, list.get(0));
 
             if (list.size() == 2) {
@@ -1120,7 +1120,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param collection a collection of strings and their occurrence count
      * @param key the key to add to the collection
      */
-    private void addEntry(HashMap<String, Integer> collection, String key) {
+    private void addEntry(Map<String, Integer> collection, String key) {
         if (collection.containsKey(key)) {
             collection.put(key, collection.get(key) + 1);
         } else {
@@ -1137,7 +1137,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param value the value to check to see if it contains a package name
      * @param evidence the evidence collection to add new entries too
      */
-    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
+    private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
         if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
             return;
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -72,7 +72,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
      * @return whether or not a new term was added
      */
     protected boolean addTerm() {
-        final boolean termAdded = tokens.size() > 0;
+        final boolean termAdded = !tokens.isEmpty();
         if (termAdded) {
             final String term = tokens.pop();
             clearAttributes();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -92,7 +92,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
 
         //if we have a previousTerm - write it out as its own token concatenated
         // with the current word (if one is available).
-        if (previousWord != null && words.size() > 0) {
+        if (previousWord != null && !words.isEmpty()) {
             final String word = words.getFirst();
             clearAttributes();
             termAtt.append(previousWord).append(word);
@@ -100,7 +100,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
             return true;
         }
         //if we have words, write it out as a single token
-        if (words.size() > 0) {
+        if (!words.isEmpty()) {
             final String word = words.removeFirst();
             clearAttributes();
             termAtt.append(word);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -60,7 +60,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     public boolean incrementToken() throws IOException {
         final LinkedList<String> tokens = getTokens();
         final CharTermAttribute termAtt = getTermAtt();
-        if (tokens.size() == 0 && input.incrementToken()) {
+        if (tokens.isEmpty() && input.incrementToken()) {
             final String text = new String(termAtt.buffer(), 0, termAtt.length());
             if (UrlStringUtils.containsUrl(text)) {
                 final String[] parts = text.split("\\s");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -28,6 +28,7 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.Set;
@@ -458,7 +459,8 @@ public class CveDB {
         final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
 
         PreparedStatement ps;
-        final HashSet<String> cveEntries = new HashSet<String>();
+        //TODO(code review): Looks like things are only added to this map, but never retrieved or checked
+        final Set<String> cveEntries = new HashSet<String>();
         try {
             ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
             ps.setString(1, cpe.getVendor());
@@ -466,7 +468,7 @@ public class CveDB {
             rs = ps.executeQuery();
             String currentCVE = "";
 
-            final HashMap<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
+            final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
             while (rs.next()) {
                 final String cveId = rs.getString(1);
                 if (!currentCVE.equals(cveId)) { //check for match and add
@@ -787,12 +789,12 @@ public class CveDB {
      * @param identifiedVersion the identified version of the dependency being analyzed
      * @return true if the identified version is affected, otherwise false
      */
-    protected Entry<String, Boolean> getMatchingSoftware(HashMap<String, Boolean> vulnerableSoftware, String vendor, String product,
+    protected Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
             DependencyVersion identifiedVersion) {
 
         final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
 
-        final HashSet<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
+        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
         final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
         String majorVersionMatch = null;
         for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
@@ -875,9 +877,9 @@ public class CveDB {
      */
     private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
         DependencyVersion cpeVersion;
-        if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
+        if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
             String versionText;
-            if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
+            if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
                 versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
             } else {
                 versionText = cpe.getVersion();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -154,7 +154,7 @@ public class DatabaseProperties {
      * @return a map of the database meta data
      */
     public Map<String, String> getMetaData() {
-        final TreeMap<String, String> map = new TreeMap<String, String>();
+        final Map<String, String> map = new TreeMap<String, String>();
         for (Entry<Object, Object> entry : properties.entrySet()) {
             final String key = (String) entry.getKey();
             if (!"version".equals(key)) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -27,6 +27,7 @@ import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
@@ -75,7 +76,7 @@ public final class DriverLoader {
      */
     public static Driver load(String className, String pathToDriver) throws DriverLoadException {
         final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
-        final ArrayList<URL> urls = new ArrayList<URL>();
+        final List<URL> urls = new ArrayList<URL>();
         final String[] paths = pathToDriver.split(File.pathSeparator);
         for (String path : paths) {
             final File file = new File(path);

dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/ObjectFactory.java

@@ -31,7 +31,7 @@ import javax.xml.namespace.QName;
 @XmlRegistry
 public class ObjectFactory {
 
-    private final static QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
+    private static final QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
 
     /**
      * Create a new ObjectFactory that can be used to create new instances of schema derived classes for package: org.owasp.dependencycheck.analyzer.pom.generated

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -112,7 +112,7 @@ public class SuppressionRule {
      * @return whether or not this suppression rule as CPE entries
      */
     public boolean hasCpe() {
-        return cpe.size() > 0;
+        return !cpe.isEmpty();
     }
     /**
      * The list of cvssBelow scores.
@@ -152,7 +152,7 @@ public class SuppressionRule {
      * @return whether or not this suppression rule has cvss suppressions
      */
     public boolean hasCvssBelow() {
-        return cvssBelow.size() > 0;
+        return !cvssBelow.isEmpty();
     }
     /**
      * The list of cwe entries to suppress.
@@ -192,7 +192,7 @@ public class SuppressionRule {
      * @return whether this suppression rule has CWE entries
      */
     public boolean hasCwe() {
-        return cwe.size() > 0;
+        return !cwe.isEmpty();
     }
     /**
      * The list of cve entries to suppress.
@@ -232,7 +232,7 @@ public class SuppressionRule {
      * @return whether this suppression rule has CVE entries
      */
     public boolean hasCve() {
-        return cve.size() > 0;
+        return !cve.isEmpty();
     }
     /**
      * A Maven GAV to suppression.
@@ -450,28 +450,28 @@ public class SuppressionRule {
         if (gav != null) {
             sb.append("gav=").append(gav).append(",");
         }
-        if (cpe != null && cpe.size() > 0) {
+        if (cpe != null && !cpe.isEmpty()) {
             sb.append("cpe={");
             for (PropertyType pt : cpe) {
                 sb.append(pt).append(",");
             }
             sb.append("}");
         }
-        if (cwe != null && cwe.size() > 0) {
+        if (cwe != null && !cwe.isEmpty()) {
             sb.append("cwe={");
             for (String s : cwe) {
                 sb.append(s).append(",");
             }
             sb.append("}");
         }
-        if (cve != null && cve.size() > 0) {
+        if (cve != null && !cve.isEmpty()) {
             sb.append("cve={");
             for (String s : cve) {
                 sb.append(s).append(",");
             }
             sb.append("}");
         }
-        if (cvssBelow != null && cvssBelow.size() > 0) {
+        if (cvssBelow != null && !cvssBelow.isEmpty()) {
             sb.append("cvssBelow={");
             for (Float s : cvssBelow) {
                 sb.append(s).append(",");

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.utils;
 
 import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
         //'-' is a special case used within the CVE entries, just include it as the version.
         if ("-".equals(text)) {
             final DependencyVersion dv = new DependencyVersion();
-            final ArrayList<String> list = new ArrayList<String>();
+            final List<String> list = new ArrayList<String>();
             list.add(text);
             dv.setVersionParts(list);
             return dv;

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java

@@ -107,7 +107,7 @@ public final class ExtractionUtil {
                             fos = new FileOutputStream(file);
                             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                             int count;
-                            final byte data[] = new byte[BUFFER_SIZE];
+                            final byte[] data = new byte[BUFFER_SIZE];
                             while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
                                 bos.write(data, 0, count);
                             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java

@@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.regex.Pattern;
 
 /**
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
     /**
      * A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
      */
-    private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
+    private static final Set<String> IGNORE_LIST = new HashSet<String>(
             Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));
 
     /**
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
      * @throws MalformedURLException thrown if the URL is malformed
      */
     public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
-        final ArrayList<String> importantParts = new ArrayList<String>();
+        final List<String> importantParts = new ArrayList<String>();
         final URL url = new URL(text);
         final String[] domain = url.getHost().split("\\.");
         //add the domain except www and the tld.

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -727,7 +727,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
     private Proxy getMavenProxy() {
         if (mavenSettings != null) {
             final List<Proxy> proxies = mavenSettings.getProxies();
-            if (proxies != null && proxies.size() > 0) {
+            if (proxies != null && !proxies.isEmpty()) {
                 if (mavenSettingsProxyId != null) {
                     for (Proxy proxy : proxies) {
                         if (mavenSettingsProxyId.equalsIgnoreCase(proxy.getId())) {
@@ -737,8 +737,8 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
                 } else if (proxies.size() == 1) {
                     return proxies.get(0);
                 } else {
-                    LOGGER.warning("Multiple proxy defentiions exist in the Maven settings. In the dependency-check "
+                    LOGGER.warning("Multiple proxy definitions exist in the Maven settings. In the dependency-check "
-                            + "configuration set the maveSettingsProxyId so that the correct proxy will be used.");
+                            + "configuration set the mavenSettingsProxyId so that the correct proxy will be used.");
                     throw new IllegalStateException("Ambiguous proxy definition");
                 }
             }