diff --git a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java index 1e86afed6..657b284b2 100644 --- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java +++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java @@ -139,7 +139,7 @@ public class DependencyCheckTaskTest { public void testSuppressingSingle() { // GIVEN an ant task with a vulnerability using the legacy property final String antTaskName = "suppression-single"; - + // WHEN executing the ant task buildFileRule.executeTarget(antTaskName); @@ -157,9 +157,9 @@ public class DependencyCheckTaskTest { // GIVEN an ant task with a vulnerability using multiple was to configure the suppression file final String antTaskName = "suppression-multiple"; - // WHEN executing the ant task + // WHEN executing the ant task buildFileRule.executeTarget(antTaskName); - + // THEN the ant task executed without error final File report = new File("target/suppression-multiple-report.html"); assertTrue("Expected the DependencyCheck report to be generated", report.exists()); diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java index 9d1746f14..fc8e02192 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java @@ -65,7 +65,7 @@ public class App { Settings.initialize(); final App app = new App(); exitCode = app.run(args); - LOGGER.debug("Exit code: " + exitCode); + LOGGER.debug("Exit code: {}", exitCode); } finally { Settings.cleanup(true); } @@ -244,7 +244,7 @@ public class App { throw ex; } } - if (exCol != null && exCol.getExceptions().size() > 0) { + if (exCol != null && !exCol.getExceptions().isEmpty()) { throw exCol; } return determineReturnCode(engine, cvssFailScore); @@ -270,7 +270,7 @@ public class App { for (Dependency dep : engine.getDependencies()) { if (!dep.getVulnerabilities().isEmpty()) { for (Vulnerability vuln : dep.getVulnerabilities()) { - LOGGER.debug("VULNERABILITY FOUND " + dep.getDisplayFileName()); + LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName()); if (vuln.getCvssScore() > cvssFailScore) { retCode = 1; } diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java index 8df1725dd..080826b12 100644 --- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java +++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java @@ -197,9 +197,8 @@ public final class CliParser { final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path); throw new FileNotFoundException(msg); } else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) { - final String msg = String.format("Possibly incorrect path '%s' from argument '%s' because it ends with a slash star; " + LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; " + "dependency-check uses ant-style paths", path, argumentName); - LOGGER.warn(msg); } } @@ -222,10 +221,9 @@ public final class CliParser { * Adds the standard command line options to the given options collection. * * @param options a collection of command line arguments - * @throws IllegalArgumentException thrown if there is an exception */ @SuppressWarnings("static-access") - private void addStandardOptions(final Options options) throws IllegalArgumentException { + private void addStandardOptions(final Options options) { final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false, "Print this message."); @@ -327,10 +325,9 @@ public final class CliParser { * help messages. * * @param options a collection of command line arguments - * @throws IllegalArgumentException thrown if there is an exception */ @SuppressWarnings("static-access") - private void addAdvancedOptions(final Options options) throws IllegalArgumentException { + private void addAdvancedOptions(final Options options) { final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12) .desc("Base URL for each year’s CVE 1.2, the %d will be replaced with the year. ") @@ -508,10 +505,9 @@ public final class CliParser { * existing scripts. * * @param options a collection of command line arguments - * @throws IllegalArgumentException thrown if there is an exception */ @SuppressWarnings({"static-access", "deprecation"}) - private void addDeprecatedOptions(final Options options) throws IllegalArgumentException { + private void addDeprecatedOptions(final Options options) { final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL) .desc("The proxy url argument is deprecated, use proxyserver instead.") @@ -906,7 +902,7 @@ public final class CliParser { String name = line.getOptionValue(ARGUMENT.PROJECT); if (name == null && appName != null) { name = appName; - LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead."); + LOGGER.warn("The '{}' argument should no longer be used; use '{}' instead.", ARGUMENT.APP_NAME, ARGUMENT.PROJECT); } return name; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java index 5a889b7d7..f24a468c4 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java @@ -170,7 +170,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { "Found project command match with %d groups: %s", m.groupCount(), m.group(0))); final String group = m.group(1); - LOGGER.debug("Group 1: " + group); + LOGGER.debug("Group 1: {}", group); dependency.getProductEvidence().addEvidence(name, "Project", group, Confidence.HIGH); } @@ -202,8 +202,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { m.groupCount(), m.group(0)); String product = m.group(1); final String version = m.group(2); - LOGGER.debug("Group 1: " + product); - LOGGER.debug("Group 2: " + version); + LOGGER.debug("Group 1: {}", product); + LOGGER.debug("Group 2: {}", version); final String aliasPrefix = "ALIASOF_"; if (product.startsWith(aliasPrefix)) { product = product.replaceFirst(aliasPrefix, ""); @@ -231,7 +231,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer { currentDep.getVersionEvidence().addEvidence(source, "Version", version, Confidence.MEDIUM); } - LOGGER.debug(String.format("Found %d matches.", count)); + LOGGER.debug("Found {} matches.", count); } @Override diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java index 5dfa705c1..a49fc4145 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NspAnalyzer.java @@ -103,7 +103,7 @@ public class NspAnalyzer extends AbstractFileTypeAnalyzer { */ @Override public void initializeFileTypeAnalyzer() throws InitializationException { - LOGGER.debug("Initializing " + getName()); + LOGGER.debug("Initializing {}", getName()); final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NSP_URL, DEFAULT_URL); try { searcher = new NspSearch(new URL(searchUrl)); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java index ef4b6eea7..0de3ae8a1 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java @@ -119,7 +119,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { if (bundleAuditPath != null) { bundleAudit = new File(bundleAuditPath); if (!bundleAudit.isFile()) { - LOGGER.warn("Supplied `bundleAudit` path is incorrect: " + bundleAuditPath); + LOGGER.warn("Supplied `bundleAudit` path is incorrect: {}", bundleAuditPath); bundleAudit = null; } } @@ -129,7 +129,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { final ProcessBuilder builder = new ProcessBuilder(args); builder.directory(folder); try { - LOGGER.info("Launching: " + args + " from " + folder); + LOGGER.info("Launching: {} from {}",args, folder); return builder.start(); } catch (IOException ioe) { throw new AnalysisException("bundle-audit initialization failure; this error can be ignored if you are not analyzing Ruby. " @@ -183,7 +183,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } else { try (BufferedReader reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"))) { if (!reader.ready()) { - LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME); + LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling {}", ANALYZER_NAME); setEnabled(false); throw new InitializationException("Bundle-audit error stream unexpectedly not ready."); } else { @@ -204,8 +204,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } if (isEnabled()) { - LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " - + "occasionally to keep its database up to date."); + LOGGER.info("{} is enabled. It is necessary to manually run \"bundle-audit update\" " + + "occasionally to keep its database up to date.",ANALYZER_NAME); } } @@ -274,15 +274,15 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) { if (analyzer instanceof RubyBundlerAnalyzer) { ((RubyBundlerAnalyzer) analyzer).setEnabled(false); - LOGGER.info("Disabled " + RubyBundlerAnalyzer.class.getName() + " to avoid noisy duplicate results."); + LOGGER.info("Disabled {} to avoid noisy duplicate results.",RubyBundlerAnalyzer.class.getName()); } else if (analyzer instanceof RubyGemspecAnalyzer) { ((RubyGemspecAnalyzer) analyzer).setEnabled(false); - LOGGER.info("Disabled " + className + " to avoid noisy duplicate results."); + LOGGER.info("Disabled {} to avoid noisy duplicate results.",className); failed = false; } } if (failed) { - LOGGER.warn("Did not find " + className + '.'); + LOGGER.warn("Did not find {}.",className); } needToDisableGemspecAnalyzer = false; } @@ -342,7 +342,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { map.put(gem, createDependencyForGem(engine, parentName, fileName, filePath, gem)); } dependency = map.get(gem); - LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); + LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine); } else if (nextLine.startsWith(VERSION)) { vulnerability = createVulnerability(parentName, dependency, gem, nextLine); } else if (nextLine.startsWith(ADVISORY)) { @@ -380,7 +380,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { if (null != dependency) { dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE } - LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); + LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine); } /** @@ -399,7 +399,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { ref.setUrl(url); vulnerability.getReferences().add(ref); } - LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); + LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine); } /** @@ -430,7 +430,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { } vulnerability.setCvssScore(score); } - LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); + LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine); } /** @@ -462,7 +462,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer { vulnerability.setCvssConfidentialityImpact("-"); vulnerability.setCvssIntegrityImpact("-"); } - LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine)); + LOGGER.debug("bundle-audit ({}): {}", parentName, nextLine); return vulnerability; } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java index 67d858d3e..c79e21b2f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java @@ -154,8 +154,7 @@ public final class ConnectionFactory { try { conn = DriverManager.getConnection(connectionString, userName, password); Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString); - LOGGER.debug( - "Unable to start the database in server mode; reverting to single user mode"); + LOGGER.debug("Unable to start the database in server mode; reverting to single user mode"); } catch (SQLException sqlex) { LOGGER.debug("Unable to connect to the database", ex); throw new DatabaseException("Unable to connect to the database"); diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java index 72081e97b..13ea1c412 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java @@ -128,14 +128,14 @@ public class NvdCveUpdater implements CachedWebDataSource { } catch (IOException ex) { LOGGER.trace("Expected error as another thread has likely locked the file", ex); } finally { - if (lock==null && ulFile!=null) { + if (lock == null && ulFile != null) { ulFile.close(); } } if (lock == null || !lock.isValid()) { try { - LOGGER.debug(String.format("Sleeping thread %s for 5 seconds because we could not obtain the update lock.", - Thread.currentThread().getName())); + LOGGER.debug("Sleeping thread {} for 5 seconds because we could not obtain the update lock.", + Thread.currentThread().getName()); Thread.sleep(5000); } catch (InterruptedException ex) { LOGGER.trace("ignorable error, sleep was interrupted.", ex); @@ -161,11 +161,9 @@ public class NvdCveUpdater implements CachedWebDataSource { } catch (MalformedURLException ex) { throw new UpdateException("NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.", ex); } catch (DownloadFailedException ex) { - LOGGER.warn( - "Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD."); + LOGGER.warn("Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD."); if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) { - LOGGER.info( - "If you are behind a proxy you may need to configure dependency-check to use the proxy."); + LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy."); } throw new UpdateException("Unable to download the NVD CVE data.", ex); } catch (DatabaseException ex) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java index 03a4309d2..e34d5ab12 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java @@ -169,8 +169,7 @@ public class DownloadTask implements Callable> { } catch (DownloadFailedException ex) { LOGGER.warn("Download Failed for NVD CVE - {}\nSome CVEs may not be reported.", nvdCveInfo.getId()); if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) { - LOGGER.info( - "If you are behind a proxy you may need to configure dependency-check to use the proxy."); + LOGGER.info("If you are behind a proxy you may need to configure dependency-check to use the proxy."); } LOGGER.debug("", ex); return null; diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java index 67afa87c0..b74062cbb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java @@ -263,9 +263,12 @@ public class EvidenceCollection implements Serializable, Iterable { //TODO consider changing the regex to only compare alpha-numeric (i.e. strip everything else) String item = e.getValue(); if (item != null) { - final String value = urlCorrection(item.toLowerCase()).replaceAll("[\\s_-]", ""); - if (value.contains(textToTest)) { - return true; + final String uc = urlCorrection(item.toLowerCase()); + if (uc != null) { + final String value = uc.replaceAll("[\\s_-]", ""); + if (value.contains(textToTest)) { + return true; + } } } } diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java index 055c65fc8..3574fba1a 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java @@ -538,6 +538,7 @@ public class Vulnerability implements Serializable, Comparable { /** * Retruns the source that identified the vulnerability. + * * @return the source */ public Source getSource() { @@ -546,6 +547,7 @@ public class Vulnerability implements Serializable, Comparable { /** * Sets the source that identified the vulnerability. + * * @param source the source */ public void setSource(Source source) { diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java index 5adf36d05..6e2e63dbb 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java @@ -31,6 +31,7 @@ import java.util.regex.Pattern; * @author Jeremy Long */ public final class UrlStringUtils { + /** * A regular expression to test if a string contains a URL. */ @@ -51,6 +52,7 @@ public final class UrlStringUtils { */ private UrlStringUtils() { } + /** * Tests if the text provided contains a URL. This is somewhat limited * search in that it only looks for (ftp|http|https):// diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java index ea986dfbf..b7b2b9b85 100644 --- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java +++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java @@ -197,37 +197,37 @@ public class RubyBundleAuditAnalyzerTest extends BaseDBTestCase { return; } List dependencies = engine.getDependencies(); - LOGGER.info(dependencies.size() + " dependencies found."); + LOGGER.info("{} dependencies found.", dependencies.size()); Iterator dIterator = dependencies.iterator(); while (dIterator.hasNext()) { Dependency dept = dIterator.next(); - LOGGER.info("dept path: " + dept.getActualFilePath()); + LOGGER.info("dept path: {}", dept.getActualFilePath()); Set identifiers = dept.getIdentifiers(); Iterator idIterator = identifiers.iterator(); while (idIterator.hasNext()) { Identifier id = idIterator.next(); - LOGGER.info(" Identifier: " + id.getValue() + ", type=" + id.getType() + ", url=" + id.getUrl() + ", conf=" + id.getConfidence()); + LOGGER.info(" Identifier: {}, type={}, url={}, conf={}", id.getValue(), id.getType(), id.getUrl(), id.getConfidence()); } Set prodEv = dept.getProductEvidence().getEvidence(); Iterator it = prodEv.iterator(); while (it.hasNext()) { Evidence e = it.next(); - LOGGER.info(" prod: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence()); + LOGGER.info(" prod: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence()); } Set versionEv = dept.getVersionEvidence().getEvidence(); Iterator vIt = versionEv.iterator(); while (vIt.hasNext()) { Evidence e = vIt.next(); - LOGGER.info(" version: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence()); + LOGGER.info(" version: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence()); } Set vendorEv = dept.getVendorEvidence().getEvidence(); Iterator vendorIt = vendorEv.iterator(); while (vendorIt.hasNext()) { Evidence e = vendorIt.next(); - LOGGER.info(" vendor: name=" + e.getName() + ", value=" + e.getValue() + ", source=" + e.getSource() + ", confidence=" + e.getConfidence()); + LOGGER.info(" vendor: name={}, value={}, source={}, confidence={}", e.getName(), e.getValue(), e.getSource(), e.getConfidence()); } } }