mirror of
https://github.com/ysoftdevs/DependencyCheck.git
synced 2026-01-15 00:03:43 +01:00
sonar, checkstyle, etc. suggested changes
This commit is contained in:
Jeremy Long
@@ -139,7 +139,7 @@ public class DependencyCheckTaskTest {
|
||||
public void testSuppressingSingle() {
|
||||
// GIVEN an ant task with a vulnerability using the legacy property
|
||||
final String antTaskName = "suppression-single";
|
||||
|
||||
|
||||
// WHEN executing the ant task
|
||||
buildFileRule.executeTarget(antTaskName);
|
||||
|
||||
@@ -157,9 +157,9 @@ public class DependencyCheckTaskTest {
|
||||
// GIVEN an ant task with a vulnerability using multiple was to configure the suppression file
|
||||
final String antTaskName = "suppression-multiple";
|
||||
|
||||
// WHEN executing the ant task
|
||||
// WHEN executing the ant task
|
||||
buildFileRule.executeTarget(antTaskName);
|
||||
|
||||
|
||||
// THEN the ant task executed without error
|
||||
final File report = new File("target/suppression-multiple-report.html");
|
||||
assertTrue("Expected the DependencyCheck report to be generated", report.exists());
|
||||
|
||||
@@ -65,7 +65,7 @@ public class App {
|
||||
Settings.initialize();
|
||||
final App app = new App();
|
||||
exitCode = app.run(args);
|
||||
LOGGER.debug("Exit code: " + exitCode);
|
||||
LOGGER.debug("Exit code: {}", exitCode);
|
||||
} finally {
|
||||
Settings.cleanup(true);
|
||||
}
|
||||
@@ -244,7 +244,7 @@ public class App {
|
||||
throw ex;
|
||||
}
|
||||
}
|
||||
if (exCol != null && exCol.getExceptions().size() > 0) {
|
||||
if (exCol != null && !exCol.getExceptions().isEmpty()) {
|
||||
throw exCol;
|
||||
}
|
||||
return determineReturnCode(engine, cvssFailScore);
|
||||
@@ -270,7 +270,7 @@ public class App {
|
||||
for (Dependency dep : engine.getDependencies()) {
|
||||
if (!dep.getVulnerabilities().isEmpty()) {
|
||||
for (Vulnerability vuln : dep.getVulnerabilities()) {
|
||||
LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName());
|
||||
LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName());
|
||||
if (vuln.getCvssScore() > cvssFailScore) {
|
||||
retCode = 1;
|
||||
}
|
||||
|
||||
@@ -197,9 +197,8 @@ public final class CliParser {
|
||||
final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
|
||||
throw new FileNotFoundException(msg);
|
||||
} else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
|
||||
final String msg = String.format("Possibly incorrect path '%s' from argument '%s' because it ends with a slash star; "
|
||||
LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; "
|
||||
+ "dependency-check uses ant-style paths", path, argumentName);
|
||||
LOGGER.warn(msg);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -222,10 +221,9 @@ public final class CliParser {
|
||||
* Adds the standard command line options to the given options collection.
|
||||
*
|
||||
* @param options a collection of command line arguments
|
||||
* @throws IllegalArgumentException thrown if there is an exception
|
||||
*/
|
||||
@SuppressWarnings("static-access")
|
||||
private void addStandardOptions(final Options options) throws IllegalArgumentException {
|
||||
private void addStandardOptions(final Options options) {
|
||||
final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
|
||||
"Print this message.");
|
||||
|
||||
@@ -327,10 +325,9 @@ public final class CliParser {
|
||||
* help messages.
|
||||
*
|
||||
* @param options a collection of command line arguments
|
||||
* @throws IllegalArgumentException thrown if there is an exception
|
||||
*/
|
||||
@SuppressWarnings("static-access")
|
||||
private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
|
||||
private void addAdvancedOptions(final Options options) {
|
||||
|
||||
final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12)
|
||||
.desc("Base URL for each year’s CVE 1.2, the %d will be replaced with the year. ")
|
||||
@@ -508,10 +505,9 @@ public final class CliParser {
|
||||
* existing scripts.
|
||||
*
|
||||
* @param options a collection of command line arguments
|
||||
* @throws IllegalArgumentException thrown if there is an exception
|
||||
*/
|
||||
@SuppressWarnings({"static-access", "deprecation"})
|
||||
private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
|
||||
private void addDeprecatedOptions(final Options options) {
|
||||
|
||||
final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL)
|
||||
.desc("The proxy url argument is deprecated, use proxyserver instead.")
|
||||
@@ -906,7 +902,7 @@ public final class CliParser {
|
||||
String name = line.getOptionValue(ARGUMENT.PROJECT);
|
||||
if (name == null && appName != null) {
|
||||
name = appName;
|
||||
LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead.");
|
||||
LOGGER.warn("The '{}' argument should no longer be used; use '{}' instead.", ARGUMENT.APP_NAME, ARGUMENT.PROJECT);
|
||||
}
|
||||
return name;
|
||||
}
|
||||
|
||||
@@ -170,7 +170,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
"Found project command match with %d groups: %s",
|
||||
m.groupCount(), m.group(0)));
|
||||
final String group = m.group(1);
|
||||
LOGGER.debug("Group 1: " + group);
|
||||
LOGGER.debug("Group 1: {}", group);
|
||||
dependency.getProductEvidence().addEvidence(name, "Project",
|
||||
group, Confidence.HIGH);
|
||||
}
|
||||
@@ -202,8 +202,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
m.groupCount(), m.group(0));
|
||||
String product = m.group(1);
|
||||
final String version = m.group(2);
|
||||
LOGGER.debug("Group 1: " + product);
|
||||
LOGGER.debug("Group 2: " + version);
|
||||
LOGGER.debug("Group 1: {}", product);
|
||||
LOGGER.debug("Group 2: {}", version);
|
||||
final String aliasPrefix = "ALIASOF_";
|
||||
if (product.startsWith(aliasPrefix)) {
|
||||
product = product.replaceFirst(aliasPrefix, "");
|
||||
@@ -231,7 +231,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
currentDep.getVersionEvidence().addEvidence(source, "Version",
|
||||
version, Confidence.MEDIUM);
|
||||
}
|
||||
LOGGER.debug(String.format("Found %d matches.", count));
|
||||
LOGGER.debug("Found {} matches.", count);
|
||||
}
|
||||
|
||||
@Override
|
||||
|
||||
@@ -103,7 +103,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
*/
|
||||
@Override
|
||||
public void initializeFileTypeAnalyzer() throws InitializationException {
|
||||
LOGGER.debug("Initializing " + getName());
|
||||
LOGGER.debug("Initializing {}", getName());
|
||||
final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL, DEFAULT_URL);
|
||||
try {
|
||||
searcher = new NspSearch(new URL(searchUrl));
|
||||
|
||||
@@ -119,7 +119,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (bundleAuditPath != null) {
|
||||
bundleAudit = new File(bundleAuditPath);
|
||||
if (!bundleAudit.isFile()) {
|
||||
LOGGER.warn("Supplied `bundleAudit` path is incorrect: " + bundleAuditPath);
|
||||
LOGGER.warn("Supplied `bundleAudit` path is incorrect: {}", bundleAuditPath);
|
||||
bundleAudit = null;
|
||||
}
|
||||
}
|
||||
@@ -129,7 +129,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
final ProcessBuilder builder = new ProcessBuilder(args);
|
||||
builder.directory(folder);
|
||||
try {
|
||||
LOGGER.info("Launching: " + args + " from " + folder);
|
||||
LOGGER.info("Launching: {} from {}",args, folder);
|
||||
return builder.start();
|
||||
} catch (IOException ioe) {
|
||||
throw new AnalysisException("bundle-audit initialization failure; this error can be ignored if you are not analyzing Ruby. "
|
||||
@@ -183,7 +183,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
} else {
|
||||
try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) {
|
||||
if (!reader.ready()) {
|
||||
LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
|
||||
LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling {}", ANALYZER_NAME);
|
||||
setEnabled(false);
|
||||
throw new InitializationException("Bundle-audit error stream unexpectedly not ready.");
|
||||
} else {
|
||||
@@ -204,8 +204,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
|
||||
if (isEnabled()) {
|
||||
LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
|
||||
+ "occasionally to keep its database up to date.");
|
||||
LOGGER.info("{} is enabled. It is necessary to manually run \"bundle-audit update\" "
|
||||
+ "occasionally to keep its database up to date.",ANALYZER_NAME);
|
||||
}
|
||||
}
|
||||
|
||||
@@ -274,15 +274,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
|
||||
if (analyzer instanceof RubyBundlerAnalyzer) {
|
||||
((RubyBundlerAnalyzer) analyzer).setEnabled(false);
|
||||
LOGGER.info("Disabled " + RubyBundlerAnalyzer.class.getName() + " to avoid noisy duplicate results.");
|
||||
LOGGER.info("Disabled {} to avoid noisy duplicate results.",RubyBundlerAnalyzer.class.getName());
|
||||
} else if (analyzer instanceof RubyGemspecAnalyzer) {
|
||||
((RubyGemspecAnalyzer) analyzer).setEnabled(false);
|
||||
LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
|
||||
LOGGER.info("Disabled {} to avoid noisy duplicate results.",className);
|
||||
failed = false;
|
||||
}
|
||||
}
|
||||
if (failed) {
|
||||
LOGGER.warn("Did not find " + className + '.');
|
||||
LOGGER.warn("Did not find {}.",className);
|
||||
}
|
||||
needToDisableGemspecAnalyzer = false;
|
||||
}
|
||||
@@ -342,7 +342,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
map.put(gem, createDependencyForGem(engine, parentName, fileName, filePath, gem));
|
||||
}
|
||||
dependency = map.get(gem);
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine);
|
||||
} else if (nextLine.startsWith(VERSION)) {
|
||||
vulnerability = createVulnerability(parentName, dependency, gem, nextLine);
|
||||
} else if (nextLine.startsWith(ADVISORY)) {
|
||||
@@ -380,7 +380,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
if (null != dependency) {
|
||||
dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
|
||||
}
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -399,7 +399,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
ref.setUrl(url);
|
||||
vulnerability.getReferences().add(ref);
|
||||
}
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -430,7 +430,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
}
|
||||
vulnerability.setCvssScore(score);
|
||||
}
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine);
|
||||
}
|
||||
|
||||
/**
|
||||
@@ -462,7 +462,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
|
||||
vulnerability.setCvssConfidentialityImpact("-");
|
||||
vulnerability.setCvssIntegrityImpact("-");
|
||||
}
|
||||
LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
|
||||
LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine);
|
||||
return vulnerability;
|
||||
}
|
||||
|
||||
|
||||
@@ -154,8 +154,7 @@ public final class ConnectionFactory {
|
||||
try {
|
||||
conn = DriverManager.getConnection(connectionString, userName, password);
|
||||
Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
|
||||
LOGGER.debug(
|
||||
"Unable to start the database in server mode; reverting to single user mode");
|
||||
LOGGER.debug("Unable to start the database in server mode; reverting to single user mode");
|
||||
} catch (SQLException sqlex) {
|
||||
LOGGER.debug("Unable to connect to the database", ex);
|
||||
throw new DatabaseException("Unable to connect to the database");
|
||||
|
||||
@@ -128,14 +128,14 @@ public class NvdCveUpdater implements CachedWebDataSource {
|
||||
} catch (IOException ex) {
|
||||
LOGGER.trace("Expected error as another thread has likely locked the file", ex);
|
||||
} finally {
|
||||
if (lock==null && ulFile!=null) {
|
||||
if (lock == null && ulFile != null) {
|
||||
ulFile.close();
|
||||
}
|
||||
}
|
||||
if (lock == null || !lock.isValid()) {
|
||||
try {
|
||||
LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.",
|
||||
Thread.currentThread().getName()));
|
||||
LOGGER.debug("Sleeping thread {} for 5 seconds because we could not obtain the update lock.",
|
||||
Thread.currentThread().getName());
|
||||
Thread.sleep(5000);
|
||||
} catch (InterruptedException ex) {
|
||||
LOGGER.trace("ignorable error, sleep was interrupted.", ex);
|
||||
@@ -161,11 +161,9 @@ public class NvdCveUpdater implements CachedWebDataSource {
|
||||
} catch (MalformedURLException ex) {
|
||||
throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex);
|
||||
} catch (DownloadFailedException ex) {
|
||||
LOGGER.warn(
|
||||
"Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
|
||||
LOGGER.warn("Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
|
||||
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
|
||||
LOGGER.info(
|
||||
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
|
||||
LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy.");
|
||||
}
|
||||
throw new UpdateException("Unable to download the NVD CVE data.", ex);
|
||||
} catch (DatabaseException ex) {
|
||||
|
||||
@@ -169,8 +169,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
|
||||
} catch (DownloadFailedException ex) {
|
||||
LOGGER.warn("Download Failed for NVD CVE - {}\nSome CVEs may not be reported.", nvdCveInfo.getId());
|
||||
if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
|
||||
LOGGER.info(
|
||||
"If you are behind a proxy you may need to configure dependency-check to use the proxy.");
|
||||
LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy.");
|
||||
}
|
||||
LOGGER.debug("", ex);
|
||||
return null;
|
||||
|
||||
@@ -263,9 +263,12 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
|
||||
//TODO consider changing the regex to only compare alpha-numeric (i.e. strip everything else)
|
||||
String item = e.getValue();
|
||||
if (item != null) {
|
||||
final String value = urlCorrection(item.toLowerCase()).replaceAll("[\\s_-]", "");
|
||||
if (value.contains(textToTest)) {
|
||||
return true;
|
||||
final String uc = urlCorrection(item.toLowerCase());
|
||||
if (uc != null) {
|
||||
final String value = uc.replaceAll("[\\s_-]", "");
|
||||
if (value.contains(textToTest)) {
|
||||
return true;
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -538,6 +538,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
|
||||
|
||||
/**
|
||||
* Retruns the source that identified the vulnerability.
|
||||
*
|
||||
* @return the source
|
||||
*/
|
||||
public Source getSource() {
|
||||
@@ -546,6 +547,7 @@ public class Vulnerability implements Serializable, Comparable<Vulnerability> {
|
||||
|
||||
/**
|
||||
* Sets the source that identified the vulnerability.
|
||||
*
|
||||
* @param source the source
|
||||
*/
|
||||
public void setSource(Source source) {
|
||||
|
||||
@@ -31,6 +31,7 @@ import java.util.regex.Pattern;
|
||||
* @author Jeremy Long
|
||||
*/
|
||||
public final class UrlStringUtils {
|
||||
|
||||
/**
|
||||
* A regular expression to test if a string contains a URL.
|
||||
*/
|
||||
@@ -51,6 +52,7 @@ public final class UrlStringUtils {
|
||||
*/
|
||||
private UrlStringUtils() {
|
||||
}
|
||||
|
||||
/**
|
||||
* Tests if the text provided contains a URL. This is somewhat limited
|
||||
* search in that it only looks for (ftp|http|https)://
|
||||
|
||||
@@ -197,37 +197,37 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase {
|
||||
return;
|
||||
}
|
||||
List<Dependency> dependencies = engine.getDependencies();
|
||||
LOGGER.info(dependencies.size() + " dependencies found.");
|
||||
LOGGER.info("{} dependencies found.", dependencies.size());
|
||||
Iterator<Dependency> dIterator = dependencies.iterator();
|
||||
while (dIterator.hasNext()) {
|
||||
Dependency dept = dIterator.next();
|
||||
LOGGER.info("dept path: " + dept.getActualFilePath());
|
||||
LOGGER.info("dept path: {}", dept.getActualFilePath());
|
||||
|
||||
Set<Identifier> identifiers = dept.getIdentifiers();
|
||||
Iterator<Identifier> idIterator = identifiers.iterator();
|
||||
while (idIterator.hasNext()) {
|
||||
Identifier id = idIterator.next();
|
||||
LOGGER.info(" Identifier: " + id.getValue() + ", type=" + id.getType() + ", url=" + id.getUrl() + ", conf=" + id.getConfidence());
|
||||
LOGGER.info(" Identifier: {}, type={}, url={}, conf={}", id.getValue(), id.getType(), id.getUrl(), id.getConfidence());
|
||||
}
|
||||
|
||||
Set<Evidence> prodEv = dept.getProductEvidence().getEvidence();
|
||||
Iterator<Evidence> it = prodEv.iterator();
|
||||
while (it.hasNext()) {
|
||||
Evidence e = it.next();
|
||||
LOGGER.info(" prod: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
|
||||
LOGGER.info(" prod: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence());
|
||||
}
|
||||
Set<Evidence> versionEv = dept.getVersionEvidence().getEvidence();
|
||||
Iterator<Evidence> vIt = versionEv.iterator();
|
||||
while (vIt.hasNext()) {
|
||||
Evidence e = vIt.next();
|
||||
LOGGER.info(" version: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
|
||||
LOGGER.info(" version: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence());
|
||||
}
|
||||
|
||||
Set<Evidence> vendorEv = dept.getVendorEvidence().getEvidence();
|
||||
Iterator<Evidence> vendorIt = vendorEv.iterator();
|
||||
while (vendorIt.hasNext()) {
|
||||
Evidence e = vendorIt.next();
|
||||
LOGGER.info(" vendor: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence());
|
||||
LOGGER.info(" vendor: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence());
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user