From 9481b29d6b78e174a3531cfbe41420041aeaef26 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Mon, 21 Oct 2013 21:28:04 -0400 Subject: [PATCH 1/3] incremented version to 1.0.5-SNAPSHOT Former-commit-id: 9ab1791c78c5bb7331c598c60bec0e39d6ba650e --- dependency-check-ant/pom.xml | 2 +- dependency-check-cli/pom.xml | 2 +- dependency-check-core/pom.xml | 2 +- dependency-check-jenkins/pom.xml | 2 +- dependency-check-maven/pom.xml | 2 +- pom.xml | 2 +- 6 files changed, 6 insertions(+), 6 deletions(-) diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml index a24e2c71e..11066234d 100644 --- a/dependency-check-ant/pom.xml +++ b/dependency-check-ant/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT dependency-check-ant diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml index 2ab082aff..457eff1f7 100644 --- a/dependency-check-cli/pom.xml +++ b/dependency-check-cli/pom.xml @@ -22,7 +22,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT dependency-check-cli diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml index d96c56a3c..193667850 100644 --- a/dependency-check-core/pom.xml +++ b/dependency-check-core/pom.xml @@ -22,7 +22,7 @@ along with Dependency-Check. If not, see . org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT dependency-check-core diff --git a/dependency-check-jenkins/pom.xml b/dependency-check-jenkins/pom.xml index 00d2a188c..ed609bf97 100644 --- a/dependency-check-jenkins/pom.xml +++ b/dependency-check-jenkins/pom.xml @@ -6,7 +6,7 @@ org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT org.owasp diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml index 94de6dea8..baa4e6616 100644 --- a/dependency-check-maven/pom.xml +++ b/dependency-check-maven/pom.xml 
@@ -24,7 +24,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved. org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT dependency-check-maven diff --git a/pom.xml b/pom.xml index 742503a1a..e2306a06a 100644 --- a/pom.xml +++ b/pom.xml @@ -22,7 +22,7 @@ along with Dependency-Check. If not, see . org.owasp dependency-check-parent - 1.0.4 + 1.0.5-SNAPSHOT pom From 1b4fe6135f009d7cc9bb5b6d2692d76d6359f199 Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 26 Oct 2013 17:19:55 -0400 Subject: [PATCH 2/3] attempted to fix minor bug of files not being extracted due to a failure when calling mkdirs() Former-commit-id: 2ca6840f3198adb11df764bf11a96c23885f3217 --- .../dependencycheck/analyzer/ArchiveAnalyzer.java | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java index 25bb036eb..0b78373da 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java @@ -231,6 +231,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { private File getNextTempDirectory() throws AnalysisException { dirCount += 1; final File directory = new File(tempFileLocation, String.valueOf(dirCount)); + //getting an exception for some directories not being able to be created; might be because the directory already exists? + if (directory.exists()) { + return getNextTempDirectory(); + } if (!directory.mkdirs()) { throw new AnalysisException("Unable to create temp directory '" + directory.getAbsolutePath() + "'."); } 
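Review bot: The `exists()` guard added to getNextTempDirectory recurses once per pre-existing entry, and it still leaves a window between `exists()` and `mkdirs()` in which a directory created meanwhile makes `mkdirs()` return false and raise the very AnalysisException the change is meant to avoid. dirCount grows on every call, so the recursion does terminate, but a loop states the intent more plainly and costs no stack frames; the question left in the code, `//getting an exception ... might be because the directory already exists?`, should become a statement of what the code does, e.g. `// skip numbers that already exist under tempFileLocation so each caller gets a fresh, empty directory`. An `exists()` hit on a regular file named like the counter is skipped too, which is probably desirable but deserves a word in that comment. The rest of the method (the return) lies outside the hunk.
```java
private File getNextTempDirectory() throws AnalysisException {
    File directory;
    do {
        // skip numbers that already exist under tempFileLocation so each
        // caller gets a fresh, empty directory
        dirCount += 1;
        directory = new File(tempFileLocation, String.valueOf(dirCount));
    } while (directory.exists());
    // … unchanged: mkdirs() check and AnalysisException …
```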
@@ -267,8 +271,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer { while ((entry = zis.getNextZipEntry()) != null) { if (entry.isDirectory()) { final File d = new File(extractTo, entry.getName()); - if (!d.mkdirs()) { - throw new AnalysisException("Unable to create '" + d.getAbsolutePath() + "'."); + if (!d.exists()) { + if (!d.mkdirs()) { + throw new AnalysisException("Unable to create '" + d.getAbsolutePath() + "'."); + } } } else { final File file = new File(extractTo, entry.getName()); From e5235bd714d9abc5a3e7d03b34ab71e4c0d0589a Mon Sep 17 00:00:00 2001 From: Jeremy Long Date: Sat, 26 Oct 2013 17:21:14 -0400 Subject: [PATCH 3/3] added false positive checks for axis vs axis2 Former-commit-id: 69bcb7c2921fe3713c3ad548cd2ceb101b3c0ce2 --- .../analyzer/FalsePositiveAnalyzer.java | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java index 9c64495a6..b84acd74f 100644 --- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java +++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java @@ -109,6 +109,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { public void analyze(Dependency dependency, Engine engine) throws AnalysisException { removeJreEntries(dependency); removeBadMatches(dependency); + removeWrongVersionMatches(dependency); removeSpuriousCPE(dependency); addFalseNegativeCPEs(dependency); } 
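Review bot: Wrapping `mkdirs()` in `if (!d.exists())` still builds `d` (and, two lines later, `file`) straight from `entry.getName()` with no check that the resulting path stays under `extractTo`, so an entry whose name contains `..` segments is created outside the extraction directory; the archives this analyzer unpacks are untrusted input, so the containment check belongs here, before either `mkdirs()` or the file write. Resolve both paths canonically and reject escapes: `if (!d.getCanonicalPath().startsWith(extractTo.getCanonicalPath() + File.separator)) {` / `throw new AnalysisException("Archive entry '" + entry.getName() + "' resolves outside '" + extractTo.getAbsolutePath() + "'.");` / `}`, with the same guard on `file` in the else branch (`getCanonicalPath()` throws IOException, which presumably needs wrapping into AnalysisException unless the method already propagates it). The `exists()` guard is also satisfied by a pre-existing regular file named like the directory entry, in which case later writes beneath it fail with a less helpful message; `!d.isDirectory()` expresses the intent better. The enclosing extraction method starts and ends outside the hunk.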
@@ -291,6 +292,40 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer { } } + /** + * Removes CPE matches for the wrong version of a dependency. Currently, + * this only covers Axis 1 & 2. + * + * @param dependency the dependency to analyze + */ + private void removeWrongVersionMatches(Dependency dependency) { + final Set identifiers = dependency.getIdentifiers(); + final Iterator itr = identifiers.iterator(); + + final String fileName = dependency.getFileName(); + if (fileName != null && fileName.contains("axis2")) { + while (itr.hasNext()) { + final Identifier i = itr.next(); + if ("cpe".equals(i.getType())) { + final String cpe = i.getValue(); + if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) { + itr.remove(); + } + } + } + } else if (fileName != null && fileName.contains("axis")) { + while (itr.hasNext()) { + final Identifier i = itr.next(); + if ("cpe".equals(i.getType())) { + final String cpe = i.getValue(); + if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) { + itr.remove(); + } + } + } + } + } + /** * There are some known CPE entries, specifically regarding sun and oracle * products due to the acquisition and changes in product names, that based