diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
index a5b232990..0b0c7e0a3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -51,7 +51,7 @@ import java.util.Set;
*
* @author Jeremy Long
*/
-public class Engine implements FileFilter{
+public class Engine implements FileFilter {
/**
* The list of dependencies.
@@ -331,8 +331,8 @@ public class Engine implements FileFilter{
/**
* Runs the analyzers against all of the dependencies. Since the mutable dependencies list is exposed via
* {@link #getDependencies()}, this method iterates over a copy of the dependencies list. Thus, the potential for
- * {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries
- * from the dependencies list.
+ * {@link java.util.ConcurrentModificationException}s is avoided, and analyzers may safely add or remove entries from the
+ * dependencies list.
*/
public void analyzeDependencies() {
boolean autoUpdate = true;
@@ -511,7 +511,7 @@ public class Engine implements FileFilter{
/**
* Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
*
- * @throws NoDataException thrown if no data exists in the CPE Index
+ * @throws NoDataException thrown if no data exists in the CPE Index
* @throws DatabaseException thrown if there is an exception opening the database
*/
private void ensureDataExists() throws NoDataException, DatabaseException {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
index 45fc8d050..7420e5302 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -872,7 +872,7 @@ public class DependencyCheckScanAgent {
r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
} catch (IOException ex) {
LOGGER.error(
- "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+ "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
LOGGER.debug("", ex);
} catch (Throwable ex) {
LOGGER.error(
@@ -1058,8 +1058,9 @@ public class DependencyCheckScanAgent {
}
}
if (summary.length() > 0) {
- LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\nSee the dependency-check report for more details.\n\n",
- summary.toString());
+ LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\n"
+ + "See the dependency-check report for more details.\n\n",
+ summary.toString());
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
index a59cea4ad..6f23a75b2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -39,10 +39,8 @@ import java.util.Set;
public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
//
-
/**
- * Base constructor that all children must call. This checks the configuration to determine if the analyzer is
- * enabled.
+ * Base constructor that all children must call. This checks the configuration to determine if the analyzer is enabled.
*/
public AbstractFileTypeAnalyzer() {
reset();
@@ -102,18 +100,16 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
//
//
-
/**
*
- * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed.
- * An example would be an analyzer that inspected Java jar files. Implementors may use
- * {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.
+ * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
+ * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.
*
* @return the file filter used to determine which files are to be analyzed
*
*
- * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against
- * every file loaded.
+ * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
+ * loaded.
*/
protected abstract FileFilter getFileFilter();
@@ -125,11 +121,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
protected abstract void initializeFileTypeAnalyzer() throws Exception;
/**
- * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
- * scanned, and added to the list of dependencies within the engine.
+ * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
+ * and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
- * @param engine the engine scanning
+ * @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
@@ -144,7 +140,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
//
//
-
/**
* Initializes the analyzer.
*
@@ -175,11 +170,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
/**
- * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
- * scanned, and added to the list of dependencies within the engine.
+ * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
+ * and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
- * @param engine the engine scanning
+ * @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
@@ -191,7 +186,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
@Override
public boolean accept(File pathname) {
- FileFilter filter = getFileFilter();
+ final FileFilter filter = getFileFilter();
boolean accepted = false;
if (null == filter) {
LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
@@ -205,13 +200,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
}
//
-
//
-
/**
*
- * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
- * final static declaration.
+ * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
+ * declaration.
*
*
* This implementation was copied from
@@ -226,6 +219,5 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
return set;
}
-
//
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index ebe2eb19e..1c65608e8 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -17,7 +17,14 @@
*/
package org.owasp.dependencycheck.analyzer;
-import java.io.*;
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collections;
@@ -47,8 +54,8 @@ import org.slf4j.LoggerFactory;
/**
*
- * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
- * to the dependency list.
+ * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the
+ * dependency list.
*
* @author Jeremy Long
*/
@@ -93,8 +100,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final Set ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
/**
- * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
- * to be explicitly handled in extractFiles().
+ * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
+ * explicitly handled in extractFiles().
*/
private static final Set EXTENSIONS = newHashSet("tar", "gz", "tgz");
@@ -186,11 +193,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
/**
- * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
- * scanned, and added to the list of dependencies within the engine.
+ * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
+ * and added to the list of dependencies within the engine.
*
* @param dependency the dependency to analyze
- * @param engine the engine scanning
+ * @param engine the engine scanning
* @throws AnalysisException thrown if there is an analysis exception
*/
@Override
@@ -288,9 +295,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Extracts the contents of an archive into the specified directory.
*
- * @param archive an archive file such as a WAR or EAR
+ * @param archive an archive file such as a WAR or EAR
* @param destination a directory to extract the contents to
- * @param engine the scanning engine
+ * @param engine the scanning engine
* @throws AnalysisException thrown if the archive is not found
*/
private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
@@ -336,9 +343,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Extracts files from an archive.
*
- * @param input the archive to extract files from
+ * @param input the archive to extract files from
* @param destination the location to write the files too
- * @param engine the dependency-check engine
+ * @param engine the dependency-check engine
* @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
*/
private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
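Review bot: The javadoc for `extractArchive` documents `destination` only as "the location to write the files too" and says nothing about entry names, yet this is the point where entry paths taken from an untrusted archive become file-system paths — the classic zip-slip pattern. The body is outside the hunk, so I cannot confirm whether entries containing `..` segments or absolute paths are rejected; if they are, state it on the tag, e.g. `@param destination the directory to extract into; entries whose canonical path would fall outside it are skipped`, and if they are not, add a canonical-path containment check before each entry is written. Fix the typo `too` -> `to` in the same tag while editing it.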
@@ -421,7 +428,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
* Decompresses a file.
*
* @param inputStream the compressed file
- * @param outputFile the location to write the decompressed file
+ * @param outputFile the location to write the decompressed file
* @throws ArchiveExtractionException thrown if there is an exception decompressing the file
*/
private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
index 70701ced8..fff5e53ae 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -19,6 +19,13 @@ package org.owasp.dependencycheck.analyzer;
import ch.qos.cal10n.IMessageConveyor;
import ch.qos.cal10n.MessageConveyor;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileFilter;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
import org.owasp.dependencycheck.Engine;
import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
@@ -37,7 +44,6 @@ import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.xpath.XPath;
import javax.xml.xpath.XPathExpressionException;
import javax.xml.xpath.XPathFactory;
-import java.io.*;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
@@ -73,15 +79,15 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Message Conveyer
*/
- private final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
+ private static final IMessageConveyor MESSAGE_CONVERYOR = new MessageConveyor(Locale.getDefault());
/**
* LocLoggerFactory for localized logger
*/
- private final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
+ private static final LocLoggerFactory LLFACTORY = new LocLoggerFactory(MESSAGE_CONVERYOR);
/**
* Logger
*/
- private final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
+ private static final LocLogger LOGGER = LLFACTORY.getLocLogger(AssemblyAnalyzer.class);
/**
* Builds the beginnings of a List for ProcessBuilder
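Review bot: Making `MESSAGE_CONVERYOR`, `LLFACTORY` and `LOGGER` `static final` changes when `Locale.getDefault()` is evaluated: it is now read once at class-load time instead of per AssemblyAnalyzer instance, so a caller that changes the default locale after the class is first loaded no longer affects log localization, and a failure inside `new MessageConveyor(...)` now surfaces as an ExceptionInInitializerError/NoClassDefFoundError rather than a constructor failure. The change itself is sensible for a logger, but the javadoc should record the new lifetime: replace `Message Conveyer` with `Message conveyor, bound to the JVM default locale at class-load time.` The name `MESSAGE_CONVERYOR` is a pre-existing typo (conveyor), not introduced here; worth fixing in a follow-up rename.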
@@ -279,6 +285,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
}
+ /**
+ * Removes resources used from the local file system.
+ *
+ * @throws Exception thrown if there is a problem closing the analyzer
+ */
@Override
public void close() throws Exception {
super.close();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
index f23e546a2..d25ad57de 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -103,9 +103,17 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
| Pattern.CASE_INSENSITIVE);
}
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
EXTENSIONS).build();
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
@@ -126,6 +134,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
*
* @return the phase that the analyzer is intended to run in.
*/
+ @Override
public AnalysisPhase getAnalysisPhase() {
return ANALYSIS_PHASE;
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
index 029f25c45..70e8d3159 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.utils.*;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -36,6 +35,11 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URL;
import java.util.List;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
/**
* Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
@@ -161,6 +165,9 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYSIS_PHASE;
}
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
@Override
@@ -201,7 +208,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
- + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ + "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
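Review bot: The reindented warning under `if (!pomFile.delete())` reads "Unable to fetch pom.xml for {} from Central", but the condition is a failed delete of the freshly created temp file, and the visible code then proceeds to the `Downloading` step regardless, so the message misdescribes what happened. The create-then-delete-then-download sequence also releases the temp-file name before the downloaded content is written, leaving a window in `baseDir` for another local user to plant a symlink or file at that path; if the downloader can overwrite an existing file, download directly into the created temp file without the delete. At minimum make the message accurate: `LOGGER.warn("Unable to remove temporary file {}; fetching pom.xml for {} may fail", pomFile, dependency.getFileName());`. The enclosing method starts and ends outside the hunk.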
@@ -210,7 +217,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download pom.xml for {} from Central; "
- + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ + "this could result in undetected CPE/CVEs.", dependency.getFileName());
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();
@@ -228,5 +235,4 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
errorFlag = true;
}
}
-
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
index 94aaceb37..4c1c80145 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -164,8 +164,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
*/
private static final String[] EXTENSIONS = {"jar", "war"};
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
+ /**
+ * Returns the FileFilter.
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
index 057a1e23a..226c0aff2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -25,7 +25,6 @@ import org.owasp.dependencycheck.data.nexus.NexusSearch;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.utils.*;
import org.owasp.dependencycheck.xml.pom.PomUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -36,6 +35,11 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
/**
* Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
@@ -181,8 +185,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYSIS_PHASE;
}
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
@@ -218,7 +230,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
pomFile = File.createTempFile("pom", ".xml", baseDir);
if (!pomFile.delete()) {
LOGGER.warn("Unable to fetch pom.xml for {} from Nexus repository; "
- + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ + "this could result in undetected CPE/CVEs.", dependency.getFileName());
LOGGER.debug("Unable to delete temp file");
}
LOGGER.debug("Downloading {}", ma.getPomUrl());
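Review bot: The reindented warning under `if (!pomFile.delete())` says "Unable to fetch pom.xml for {} from Nexus repository", but what failed is the delete of the temp file just created, and the code continues to the `Downloading` step anyway, so the log misleads whoever triages it. Deleting the temp file and then writing the download to the same name also gives another local user a window to place a symlink at that path in `baseDir`; prefer downloading into the created file without the intermediate delete if the downloader supports overwriting. A minimal fix is `LOGGER.warn("Unable to remove temporary file {}; fetching pom.xml for {} may fail", pomFile, dependency.getFileName());`. The enclosing method continues outside the hunk.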
@@ -226,7 +238,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
PomUtils.analyzePOM(dependency, pomFile);
} catch (DownloadFailedException ex) {
LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
- + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+ + "this could result in undetected CPE/CVEs.", dependency.getFileName());
} finally {
if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
pomFile.deleteOnExit();
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
index 0082963b6..9e24f56f5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -101,9 +101,17 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
return ANALYSIS_PHASE;
}
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
SUPPORTED_EXTENSIONS).build();
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
index 530837945..87d21f168 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -26,7 +26,6 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
import org.owasp.dependencycheck.dependency.Confidence;
import org.owasp.dependencycheck.dependency.Dependency;
import org.owasp.dependencycheck.dependency.EvidenceCollection;
-import org.owasp.dependencycheck.utils.*;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
@@ -34,6 +33,12 @@ import javax.mail.MessagingException;
import javax.mail.internet.InternetHeaders;
import java.io.*;
import java.util.regex.Pattern;
+import org.owasp.dependencycheck.utils.ExtractionException;
+import org.owasp.dependencycheck.utils.ExtractionUtil;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
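Review bot: `import java.io.*;` on the line above the new explicit imports is left as a wildcard, while this same commit expands `java.io.*` into explicit imports in ArchiveAnalyzer and AssemblyAnalyzer; the cleanup is inconsistent and the remaining wildcard can still produce ambiguous-reference errors if a `java.io` type ever shares a simple name with one of the explicitly imported classes. I would expand it here as well, listing only the `java.io` types the file actually uses — the bodies that use them are outside the hunk, so I cannot give the exact list. The new `org.owasp.dependencycheck.utils` imports are also appended after the `java.*` block instead of grouped with the other `org.owasp` imports above it; move them up so the import groups stay ordered.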
/**
* Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
@@ -112,9 +117,17 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
private static final NameFileFilter PKG_INFO_FILTER = new NameFileFilter(
PKG_INFO);
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFileFilters(
METADATA_FILTER, PKG_INFO_FILTER).addExtensions(EXTENSIONS).build();
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
@@ -181,13 +194,13 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Collects the meta data from an archive.
*
- * @param dependency the archive being scanned
- * @param folderFilter the filter to apply to the folder
+ * @param dependency the archive being scanned
+ * @param folderFilter the filter to apply to the folder
* @param metadataFilter the filter to apply to the meta data
* @throws AnalysisException thrown when there is a problem analyzing the dependency
*/
private void collectMetadataFromArchiveFormat(Dependency dependency,
- FilenameFilter folderFilter, FilenameFilter metadataFilter)
+ FilenameFilter folderFilter, FilenameFilter metadataFilter)
throws AnalysisException {
final File temp = getNextTempDirectory();
LOGGER.debug("{} exists? {}", temp, temp.exists());
@@ -247,7 +260,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
* Gathers evidence from the METADATA file.
*
* @param dependency the dependency being analyzed
- * @param file a reference to the manifest/properties file
+ * @param file a reference to the manifest/properties file
* @throws AnalysisException thrown when there is an error
*/
private static void collectWheelMetadata(Dependency dependency, File file)
@@ -277,13 +290,13 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
/**
* Adds a value to the evidence collection.
*
- * @param headers the properties collection
- * @param evidence the evidence collection to add the value
- * @param property the property name
+ * @param headers the properties collection
+ * @param evidence the evidence collection to add the value
+ * @param property the property name
* @param confidence the confidence of the evidence
*/
private static void addPropertyToEvidence(InternetHeaders headers,
- EvidenceCollection evidence, String property, Confidence confidence) {
+ EvidenceCollection evidence, String property, Confidence confidence) {
final String value = headers.getHeader(property, null);
LOGGER.debug("Property: {}, Value: {}", property, value);
if (StringUtils.isNotBlank(value)) {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
index 6aba3e1f6..8f909614b 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -132,8 +132,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
return AnalysisPhase.INFORMATION_COLLECTION;
}
+ /**
+ * The file filter used to determine which files this analyzer supports.
+ */
private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
+ /**
+ * Returns the FileFilter
+ *
+ * @return the FileFilter
+ */
@Override
protected FileFilter getFileFilter() {
return FILTER;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
index 4855190a9..d787885f1 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -278,6 +278,15 @@ public final class ConnectionFactory {
}
}
+ /**
+ * Updates the database schema by loading the upgrade script for the version specified. The intended use is that if the
+ * current schema version is 2.9 then we would call updateSchema(conn, "2.9"). This would load the upgrade_2.9.sql file and
+ * execute it against the database. The upgrade script must update the 'version' in the properties table.
+ *
+ * @param conn the database connection object
+ * @param schema the current schema version that is being upgraded
+ * @throws DatabaseException thrown if there is an exception upgrading the database schema
+ */
private static void updateSchema(Connection conn, String schema) throws DatabaseException {
LOGGER.debug("Updating database structure");
InputStream is;
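Review bot: The new javadoc on `updateSchema` explains that `schema` selects the `upgrade_<schema>.sql` resource, but it does not say where the value comes from or that it must be a version shipped with the build; since the string becomes part of a resource path, a precondition belongs on the tag, e.g. `@param schema the current schema version as read from the properties table; must match a shipped upgrade_<version>.sql resource`. The visible `InputStream is;` is declared outside any try-with-resources; make sure it is closed on every path, including when the resource lookup returns null. The method body continues past the hunk.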
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
index c06050160..153c35cfd 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -34,7 +34,6 @@ import java.util.Map.Entry;
import java.util.Properties;
import java.util.ResourceBundle;
import java.util.Set;
-import java.util.logging.Level;
import org.owasp.dependencycheck.data.cwe.CweDB;
import org.owasp.dependencycheck.dependency.Reference;
import org.owasp.dependencycheck.dependency.Vulnerability;
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
index 637a4f2d9..0f6707488 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -64,7 +64,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
if (updateNeeded()) {
LOGGER.info("Updating the Common Platform Enumeration (CPE)");
final File xml = downloadCpe();
- List cpes = processXML(xml);
+ final List cpes = processXML(xml);
getCveDB().deleteUnusedCpe();
for (Cpe cpe : cpes) {
getCveDB().addCpe(cpe.getValue(), cpe.getVendor(), cpe.getProduct());
@@ -116,7 +116,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
try {
final SAXParserFactory factory = SAXParserFactory.newInstance();
final SAXParser saxParser = factory.newSAXParser();
- CPEHandler handler = new CPEHandler();
+ final CPEHandler handler = new CPEHandler();
saxParser.parse(xml, handler);
return handler.getData();
} catch (ParserConfigurationException ex) {
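Review bot: `SAXParserFactory.newInstance()` is used with its default configuration, so the downloaded CPE dictionary is parsed with DTD processing and external entity resolution enabled; if the feed or its transport is ever tampered with, that exposes the updater to XXE (local file read, SSRF) and entity-expansion denial of service. Before `factory.newSAXParser()` add `factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` or, if the official dictionary carries a DOCTYPE, instead set `http://xml.org/sax/features/external-general-entities` and `external-parameter-entities` to `false` and enable `XMLConstants.FEATURE_SECURE_PROCESSING`. `setFeature` can throw SAXNotRecognizedException/SAXNotSupportedException, which are SAXExceptions, so the existing catch chain presumably covers them; the rest of `processXML` is outside the hunk.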
@@ -137,7 +137,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
final Date now = new Date();
final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
long timestamp = 0;
- String ts = getProperties().getProperty(LAST_CPE_UPDATE);
+ final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
if (ts != null && ts.matches("^[0-9]+$")) {
timestamp = Long.parseLong(ts);
}
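Review bot: The guard `ts.matches("^[0-9]+$")` on the line after the new `final String ts` does not make `Long.parseLong(ts)` safe: a digit string longer than 19 characters, or one above `Long.MAX_VALUE`, passes the regex and still throws NumberFormatException, so a corrupted properties file aborts the update instead of falling back to `timestamp = 0`. The equivalent code in NvdCveUpdater wraps the same parse in `catch (NumberFormatException ex)`; do the same here, or tighten the guard to `ts.matches("^[0-9]{1,18}$")` so the regex actually guarantees the parse succeeds. The enclosing method starts and ends outside the hunk.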
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
index 94d03ca89..ef9aa2846 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -67,7 +67,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
public void update() throws UpdateException {
try {
openDataStores();
- UpdateableNvdCve updateable = getUpdatesNeeded();
+ final UpdateableNvdCve updateable = getUpdatesNeeded();
if (updateable.isUpdateNeeded()) {
performUpdate(updateable);
}
@@ -233,7 +233,8 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
} else {
long currentTimestamp = 0;
try {
- currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE + entry.getId(), "0"));
+ currentTimestamp = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_UPDATED_BASE
+ + entry.getId(), "0"));
} catch (NumberFormatException ex) {
LOGGER.debug("Error parsing '{}' '{}' from nvdcve.lastupdated",
DatabaseProperties.LAST_UPDATED_BASE, entry.getId(), ex);
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
index 96fbda0d1..8720b3539 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.data.update;
import java.util.Iterator;
import java.util.ServiceLoader;
-import org.owasp.dependencycheck.data.update.CachedWebDataSource;
/**
* The CachedWebDataSource Service Loader. This class loads all services that implement
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
index 2f7461881..6a155c6ca 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
@@ -18,7 +18,6 @@
package org.owasp.dependencycheck.data.update.cpe;
import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
import java.util.ArrayList;
import java.util.List;
import org.owasp.dependencycheck.data.update.NvdCveUpdater;
@@ -43,11 +42,11 @@ public class CPEHandler extends DefaultHandler {
/**
* The text content of the node being processed. This can be used during the end element event.
*/
- StringBuilder nodeText = null;
+ private StringBuilder nodeText = null;
/**
* A reference to the current element.
*/
- Element current = new Element();
+ private Element current = new Element();
/**
* The logger.
*/
@@ -55,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
/**
* The list of CPE values.
*/
- List data = new ArrayList();
+ private List data = new ArrayList();
/**
* Returns the list of CPE values.
@@ -67,7 +66,7 @@ public class CPEHandler extends DefaultHandler {
}
/**
- * Handles the start element event
+ * Handles the start element event.
*
* @param uri the elements uri
* @param localName the local name
@@ -80,12 +79,12 @@ public class CPEHandler extends DefaultHandler {
nodeText = null;
current.setNode(qName);
if (current.isCpeItemNode()) {
- String temp = attributes.getValue("deprecated");
- String value = attributes.getValue("name");
- boolean delete = (temp != null && temp.equalsIgnoreCase("true"));
+ final String temp = attributes.getValue("deprecated");
+ final String value = attributes.getValue("name");
+ final boolean delete = "true".equalsIgnoreCase(temp);
if (!delete && value.startsWith("cpe:/a:") && value.length() > 7) {
try {
- Cpe cpe = new Cpe(value);
+ final Cpe cpe = new Cpe(value);
data.add(cpe);
} catch (UnsupportedEncodingException ex) {
LOGGER.debug("Unable to parse the CPE", ex);
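Review bot: `attributes.getValue("name")` returns null when the element carries no `name` attribute, and the `value.startsWith("cpe:/a:")` test on the following line then throws a `NullPointerException` out of the SAX callback, which aborts the whole dictionary import instead of skipping the one malformed entry; the `"true".equalsIgnoreCase(temp)` rewrite already made `deprecated` null-safe, so `name` deserves the same treatment: `if (!delete && value != null && value.startsWith("cpe:/a:") && value.length() > 7) {`. The `Cpe` constructor is declared in this commit to throw `InvalidDataException` as well as `UnsupportedEncodingException`, but only the latter is caught inside the hunk; the catch chain continues past it, so check that a malformed identifier is likewise logged and skipped rather than propagated. The enclosing start-element handler starts and ends outside the hunk.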
@@ -230,6 +229,9 @@ public class CPEHandler extends DefaultHandler {
* A node type in the CPE Schema 2.2
*/
public static final String TIMESTAMP = "timestamp";
+ /**
+ * A reference to the current node.
+ */
private String node = null;
/**
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java
index 4309d2914..1d4c3cb33 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/Cpe.java
@@ -27,6 +27,13 @@ import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
*/
public class Cpe {
+ /**
+ * Constructs a new Cpe Object by parsing the vendor and product from the CPE identifier value.
+ *
+ * @param value the cpe identifier (cpe:/a:vendor:product:version:....)
+ * @throws UnsupportedEncodingException thrown if UTF-8 is not supported
+ * @throws InvalidDataException thrown if the CPE provided is not the correct format
+ */
public Cpe(String value) throws UnsupportedEncodingException, InvalidDataException {
this.value = value;
final String[] data = value.substring(7).split(":");
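Review bot: The new Javadoc promises `InvalidDataException` when the identifier is not in the expected format, but the first statement after it, `value.substring(7)`, throws `StringIndexOutOfBoundsException` for any string shorter than seven characters (and `NullPointerException` for null) before any format check can run, and nothing here verifies that those seven characters are actually a `cpe:/x:` prefix. Either guard at the top of the constructor, e.g. `if (value == null || value.length() <= 7 || !value.startsWith("cpe:/")) { throw new InvalidDataException("Invalid CPE identifier: " + value); }` (assuming a String-taking constructor, which is not visible here), or change the `@throws` text to describe what really happens. The `CPEHandler` caller in this commit pre-filters on the prefix, but this constructor is public and can be reached without that filter. The constructor body continues past the hunk.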
@@ -66,7 +73,7 @@ public class Cpe {
private String vendor;
/**
- * Get the value of vendor
+ * Get the value of vendor.
*
* @return the value of vendor
*/
@@ -75,7 +82,7 @@ public class Cpe {
}
/**
- * Set the value of vendor
+ * Set the value of vendor.
*
* @param vendor new value of vendor
*/
@@ -89,7 +96,7 @@ public class Cpe {
private String product;
/**
- * Get the value of product
+ * Get the value of product.
*
* @return the value of product
*/
@@ -98,7 +105,7 @@ public class Cpe {
}
/**
- * Set the value of product
+ * Set the value of product.
*
* @param product new value of product
*/
@@ -106,9 +113,13 @@ public class Cpe {
this.product = product;
}
+ /**
+ * Returns the full CPE identifier.
+ *
+ * @return the full CPE identifier
+ */
@Override
public String toString() {
return value;
}
-
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
index df8c52819..8934337c9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
@@ -31,8 +31,6 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.nvd.NvdCve12Handler;
-import org.owasp.dependencycheck.data.update.nvd.NvdCve20Handler;
import org.owasp.dependencycheck.dependency.VulnerableSoftware;
import org.owasp.dependencycheck.utils.Settings;
import org.slf4j.Logger;
@@ -94,8 +92,8 @@ public class ProcessTask implements Callable {
*
* @param cveDB the data store object
* @param filePair the download task that contains the URL references to download
- * @param settings a reference to the global settings object; this is necessary so that when the thread is started
- * the dependencies have a correct reference to the global settings.
+ * @param settings a reference to the global settings object; this is necessary so that when the thread is started the
+ * dependencies have a correct reference to the global settings.
*/
public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
this.cveDB = cveDB;
@@ -108,8 +106,8 @@ public class ProcessTask implements Callable {
* Implements the callable interface.
*
* @return this object
- * @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks
- * exception collection
+ * @throws Exception thrown if there is an exception; note that any UpdateExceptions are simply added to the tasks exception
+ * collection
*/
@Override
public ProcessTask call() throws Exception {
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
index 4eedc5f36..e0e8a0540 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DCResources.java
@@ -22,7 +22,7 @@ import ch.qos.cal10n.Locale;
import ch.qos.cal10n.LocaleData;
/**
- * Created by colezlaw on 6/13/15.
+ * @author colezlaw
*/
@BaseName("dependencycheck-resources")
@LocaleData(defaultCharset = "UTF-8",
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
index c1caa5a05..6aed21164 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -17,8 +17,6 @@
*/
package org.owasp.dependencycheck.utils;
-import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
-
import java.io.BufferedInputStream;
import java.io.BufferedOutputStream;
import java.io.Closeable;
@@ -226,7 +224,7 @@ public final class ExtractionUtil {
final File file = new File(destination, entry.getName());
if (filter.accept(file.getParentFile(), file.getName())) {
LOGGER.debug("Extracting '{}'",
- file.getPath());
+ file.getPath());
BufferedOutputStream bos = null;
FileOutputStream fos = null;
try {
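Review bot: `new File(destination, entry.getName())` on the first context line takes the archive entry's name verbatim, so an entry whose name contains `../` components is written outside `destination`; the archives here are the dependencies being scanned, which are precisely the untrusted input this tool exists to inspect, and as far as the hunk shows the `filter.accept(file.getParentFile(), file.getName())` check does not constrain the parent directory. Compare canonical paths before the output stream is opened: `final String target = file.getCanonicalPath();` followed by `if (!target.startsWith(destination.getCanonicalPath() + File.separator)) { throw new IOException("Archive entry outside destination: " + entry.getName()); }`, using whichever checked exception the enclosing method already declares (not visible in the hunk), or log and skip the entry if a best-effort extraction is intended. The enclosing method and its entry loop begin and end outside the hunk.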
@@ -302,5 +300,4 @@ public final class ExtractionUtil {
}
}
}
-
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java
index 25ee59726..0b9016adc 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java
@@ -15,7 +15,6 @@
*
* Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
*/
-
package org.owasp.dependencycheck.utils;
import org.apache.commons.io.IOCase;
@@ -25,12 +24,17 @@ import org.apache.commons.io.filefilter.OrFileFilter;
import org.apache.commons.io.filefilter.SuffixFileFilter;
import java.io.FileFilter;
-import java.util.*;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
/**
- * Utility class for building useful {@link FileFilter} instances for
- * {@link org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer} implementations. The built filter uses
- * {@link OrFileFilter} to logically OR the given filter conditions. Example usage:
+ *
+ * Utility class for building useful {@link FileFilter} instances for
+ * {@link org.owasp.dependencycheck.analyzer.AbstractFileTypeAnalyzer} implementations. The built filter uses {@link OrFileFilter}
+ * to logically OR the given filter conditions. Example usage:
*
*
* FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
@@ -41,13 +45,21 @@ import java.util.*;
*/
public class FileFilterBuilder {
- private Set filenames = new HashSet();
- private Set extensions = new HashSet();
- private List fileFilters = new ArrayList();
+ /**
+ * A set of filenames to filter.
+ */
+ private final Set filenames = new HashSet();
+ /**
+ * A set of extensions to filter.
+ */
+ private final Set extensions = new HashSet();
+ /**
+ * An array list of file filters.
+ */
+ private final List fileFilters = new ArrayList();
/**
- * Create a new instance and return it. This method is for convenience in using the builder pattern within a single
- * statement.
+ * Create a new instance and return it. This method is for convenience in using the builder pattern within a single statement.
*
* @return a new builder instance
*/
@@ -111,7 +123,7 @@ public class FileFilterBuilder {
if (filenames.isEmpty() && extensions.isEmpty() && fileFilters.isEmpty()) {
throw new IllegalStateException("May only be invoked after at least one add... method has been invoked.");
}
- OrFileFilter filter = new OrFileFilter();
+ final OrFileFilter filter = new OrFileFilter();
if (!filenames.isEmpty()) {
filter.addFileFilter(new NameFileFilter(new ArrayList(filenames)));
}