checkstyle suggested changes

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -120,7 +120,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
             throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
         }
         final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
-        List<String> failedLoadingFiles = new ArrayList<>();
+        final List<String> failedLoadingFiles = new ArrayList<>();
         if (suppressionFilePaths != null && suppressionFilePaths.length > 0) {
 
             // Load all the suppression file paths

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -60,7 +60,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "CMAKE";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -75,16 +75,16 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     private static final String SUPPORTED_EXTENSIONS = "jar";
 
     /**
-     * There may be temporary issues when connecting to MavenCentral.
+     * There may be temporary issues when connecting to MavenCentral. In order
-     * In order to compensate for 99% of the issues, we perform a retry
+     * to compensate for 99% of the issues, we perform a retry before finally
-     * before finally failing the analysis.
+     * failing the analysis.
      */
     private static final int NUMBER_OF_TRIES = 5;
 
     /**
      * The searcher itself.
      */
-    protected CentralSearch searcher;
+    private CentralSearch searcher;
 
     /**
      * Initializes the analyzer with the configured settings.
@@ -283,8 +283,17 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
             }
         }
 
-        final String message = "Finally failed connecting to Central search." +
+        final String message = "Finally failed connecting to Central search."
-                " Giving up after " + NUMBER_OF_TRIES + " tries.";
+                + " Giving up after " + NUMBER_OF_TRIES + " tries.";
         throw new IOException(message, lastException);
     }
+
+    /**
+     * Method used by unit tests to setup the analyzer.
+     *
+     * @param searcher the Central Search object to use.
+     */
+    protected void setCentralSearch(CentralSearch searcher) {
+        this.searcher = searcher;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java

@@ -47,7 +47,7 @@ public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -49,7 +49,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Composer";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -75,7 +75,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Java";
     /**
@@ -1080,6 +1080,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @param classes a collection of class name information
      * @param value the value to check to see if it contains a package name
      * @param dep the dependency to add new entries too
+     * @param type the type of evidence (vendor, product, or version)
      */
     private static void addMatchingValues(List<ClassNameInformation> classes, String value, Dependency dep, EvidenceType type) {
         if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -57,7 +57,7 @@ public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
     private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "npm";
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -47,7 +47,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "NuGet";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -61,7 +61,7 @@ public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Python.Dist";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -50,7 +50,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Python.Pkg";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java

@@ -52,7 +52,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
 
     /**
-     * A descriptor for the type of dependencies processed or added by this analyzer
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -52,7 +52,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Ruby.Bundle";
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java

@@ -47,7 +47,7 @@ public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
      * A descriptor for the type of dependencies processed or added by this
-     * analyzer
+     * analyzer.
      */
     public static final String DEPENDENCY_ECOSYSTEM = "Swift.PM";
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -73,8 +73,7 @@ public class CentralSearch {
      * Creates a NexusSearch for the given repository URL.
      *
      * @param settings the configured settings
-     * @throws MalformedURLException thrown if the configured URL is
+     * @throws MalformedURLException thrown if the configured URL is invalid
-     *                               invalid
      */
     public CentralSearch(Settings settings) throws MalformedURLException {
         this.settings = settings;
@@ -102,8 +101,7 @@ public class CentralSearch {
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
      * @throws FileNotFoundException if the specified artifact is not found
-     * @throws IOException           if it's unable to connect to the specified
+     * @throws IOException if it's unable to connect to the specified repository
-     *                               repository
      */
     public List<MavenArtifact> searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -179,7 +177,7 @@ public class CentralSearch {
                 throw new FileNotFoundException("Artifact not found in Central");
             }
         } else {
-            String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage();
+            final String errorMessage = "Could not connect to MavenCentral (" + conn.getResponseCode() + "): " + conn.getResponseMessage();
             throw new IOException(errorMessage);
         }
         return result;

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -195,22 +195,23 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
     /**
      * Method that split versions for '.', '|' and '-". Then if a token start
      * with a number and then contains letters, it will split it too. For
-     * example "12a" is splitted in ["12", "a"]. This is done to support correct
+     * example "12a" is split into ["12", "a"]. This is done to support correct
      * comparison of "5.0.3a", "5.0.9" and "5.0.30".
      *
+     * @param s the string to split
      * @return an Array of String containing the tokens to be compared
      */
     private String[] split(String s) {
-        String[] splitted = s.split("(\\.|-)");
+        final Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$");
+        final String[] splitted = s.split("(\\.|-)");
 
-        ArrayList<String> res = new ArrayList<>();
+        final ArrayList<String> res = new ArrayList<>();
         for (String token : splitted) {
             if (token.matches("^[\\d]+?[A-z]+")) {
-                Pattern pattern = Pattern.compile("^([\\d]+?)(.*)$");
+                final Matcher matcher = pattern.matcher(token);
-                Matcher matcher = pattern.matcher(token);
                 matcher.find();
-                String g1 = matcher.group(1);
+                final String g1 = matcher.group(1);
-                String g2 = matcher.group(2);
+                final String g2 = matcher.group(2);
 
                 res.add(g1);
                 res.add(g2);

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/InitializationException.java

@@ -37,7 +37,7 @@ public class InitializationException extends Exception {
     private boolean fatal = true;
 
     /**
-     * Get the value of fatal
+     * Get the value of fatal.
      *
      * @return the value of fatal
      */
@@ -46,7 +46,7 @@ public class InitializationException extends Exception {
     }
 
     /**
-     * Set the value of fatal
+     * Set the value of fatal.
      *
      * @param fatal new value of fatal
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/hints/EvidenceMatcher.java

@@ -22,10 +22,10 @@ import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Evidence;
 
 /**
- * EvidenceMatcher can match one or more {@link Evidence}s.
+ * EvidenceMatcher can match one or more {@link Evidence}s. By using regular
- * By using regular expressions for some fields and allowing omission of
+ * expressions for some fields and allowing omission of Evidence fields it can
- * Evidence fields it can be used to match more than one occurrence of evidence
+ * be used to match more than one occurrence of evidence to enable hints that
- * to enable hints that work for a range of similar false positives/false negatives.
+ * work for a range of similar false positives/false negatives.
  *
  * The EvidenceMatcher is used for processing Evidences of a project's
  * dependencies in conjuction with the {@code <given>} and {@code <remove>}
@@ -41,8 +41,8 @@ public class EvidenceMatcher {
     private String name;
 
     /**
-     * The source that the {@link Evidence} should have for a match.
+     * The source that the {@link Evidence} should have for a match. A
-     * A {@code null}-value is allowed and functions as a wildcard.
+     * {@code null}-value is allowed and functions as a wildcard.
      */
     private String source;
 
@@ -57,21 +57,22 @@ public class EvidenceMatcher {
      */
     private boolean regex = false;
 
-    
     /**
-     * The confidence that the {@link Evidence} should have for a match.
+     * The confidence that the {@link Evidence} should have for a match. A
-     * A {@code null}-value is allowed and functions as a wildcard.
+     * {@code null}-value is allowed and functions as a wildcard.
      */
     private Confidence confidence;
 
     /**
      * Creates a new EvidenceMatcher objects.
      *
-     * @param source the source of the evidence, a source that is {@code null} indicates any source should match.
+     * @param source the source of the evidence, a source that is {@code null}
+     * indicates any source should match.
      * @param name the non-{@code null} name of the evidence.
      * @param value the non-{@code null} value of the evidence.
      * @param regex whether value is a regex.
-     * @param confidence the confidence of the evidence, a confidence that is {@code null} indicates any confidence should match.
+     * @param confidence the confidence of the evidence, a confidence that is
+     * {@code null} indicates any confidence should match.
      */
     public EvidenceMatcher(String source, String name, String value, boolean regex, Confidence confidence) {
         this.source = source;
@@ -83,8 +84,9 @@ public class EvidenceMatcher {
 
     /**
      * Tests whether the given Evidence matches this EvidenceMatcher.
-     * @param evidence
+     *
-     * @return whehter the evidence matches this matcher.
+     * @param evidence the evidence to match
+     * @return whether the evidence matches this matcher
      */
     public boolean matches(Evidence evidence) {
         return sourceMatches(evidence)
@@ -100,11 +102,13 @@ public class EvidenceMatcher {
      */
     @Override
     public String toString() {
-        return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value + ", confidence=" + confidence + ", regex=" + regex +'}';
+        return "HintEvidenceMatcher{" + "name=" + name + ", source=" + source + ", value=" + value
+                + ", confidence=" + confidence + ", regex=" + regex + '}';
     }
 
     /**
      * package-private getter to allow testability of the parser without mocking
+     *
      * @return The name property
      */
     String getName() {
@@ -113,6 +117,7 @@ public class EvidenceMatcher {
 
     /**
      * package-private getter to allow testability of the parser without mocking
+     *
      * @return The source property
      */
     String getSource() {
@@ -121,6 +126,7 @@ public class EvidenceMatcher {
 
     /**
      * package-private getter to allow testability of the parser without mocking
+     *
      * @return The value property
      */
     String getValue() {
@@ -129,6 +135,7 @@ public class EvidenceMatcher {
 
     /**
      * package-private getter to allow testability of the parser without mocking
+     *
      * @return The regex property
      */
     boolean isRegex() {
@@ -137,6 +144,7 @@ public class EvidenceMatcher {
 
     /**
      * package-private getter to allow testability of the parser without mocking
+     *
      * @return The confidence property
      */
     Confidence getConfidence() {
@@ -144,13 +152,17 @@ public class EvidenceMatcher {
     }
 
     /**
-     * Checks whether the value of the evidence matches this matcher.
+     * Checks whether the value of the evidence matches this matcher. When
-     * When {@link #isRegEx()} is {@code true} value is used as a 
+     * {@link #isRegEx()} is {@code true} value is used as a
-     * {@link java.util.regex.Pattern} that it should match. Otherwise the 
+     * {@link java.util.regex.Pattern} that it should match. Otherwise the value
-     * value must be case-insensitive equal to the evidence's value.
+     * must be case-insensitive equal to the evidence's value.
      *
      * Uses {@link Evidence#getValue(java.lang.Boolean) to avoid setting
      * evidences to used while just checking for a match.
+     *
+     * @param evidence the evidence to match
+     * @return <code>true</code> if the evidence matches; otherwise
+     * <code>false</code>
      */
     private boolean valueMatches(Evidence evidence) {
         boolean result;
@@ -163,30 +175,30 @@ public class EvidenceMatcher {
     }
 
     /**
-     * Checks whether the source of the evidence matches this matcher.
+     * Checks whether the source of the evidence matches this matcher. If our
-     * If our source is {@code null} any source in the evidence matches.
+     * source is {@code null} any source in the evidence matches. Otherwise the
-     * Otherwise the source in the evidence must be case-insensitive equal to 
+     * source in the evidence must be case-insensitive equal to our source.
-     * our source.
      *
      * @param evidence The evidence to inspect
-     * @return {@code true} is the source of the evidence matches, false otherwise.
+     * @return {@code true} is the source of the evidence matches, false
+     * otherwise.
      */
     private boolean sourceMatches(Evidence evidence) {
         return this.source == null || source.equalsIgnoreCase(evidence.getSource());
     }
 
     /**
-     * Checks whether the confidence of the evidence matches this matcher.
+     * Checks whether the confidence of the evidence matches this matcher. If
-     * If our confidence is {@code null} any confidence in the evidence matches.
+     * our confidence is {@code null} any confidence in the evidence matches.
      * Otherwise the confidence in the evidence must be exactly equal to our
      * confidence.
      *
      * @param evidence The evidence to inspect
-     * @return {@code true} is the confidence of the evidence matches, false otherwise.
+     * @return {@code true} is the confidence of the evidence matches, false
+     * otherwise.
      */
     private boolean confidenceMatches(Evidence evidence) {
         return this.confidence == null || confidence.equals(evidence.getConfidence());
     }
 
-    
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java

@@ -54,14 +54,16 @@ public class CentralAnalyzerTest {
             throws IOException {
 
         CentralAnalyzer instance = new CentralAnalyzer();
-        instance.searcher = centralSearch;
+        instance.setCentralSearch(centralSearch);
         specifySha1SumFor(dependency);
 
         final List<MavenArtifact> expectedMavenArtifacts = Collections.emptyList();
-        new Expectations() {{
+        new Expectations() {
+            {
                 centralSearch.searchSha1(SHA1_SUM);
                 returns(expectedMavenArtifacts);
-        }};
+            }
+        };
 
         final List<MavenArtifact> actualMavenArtifacts = instance.fetchMavenArtifacts(dependency);
 
@@ -75,16 +77,18 @@ public class CentralAnalyzerTest {
             throws IOException {
 
         CentralAnalyzer instance = new CentralAnalyzer();
-        instance.searcher = centralSearch;
+        instance.setCentralSearch(centralSearch);
         specifySha1SumFor(dependency);
 
         final List<MavenArtifact> expectedMavenArtifacts = Collections.emptyList();
-        new Expectations() {{
+        new Expectations() {
+            {
                 centralSearch.searchSha1(SHA1_SUM);
                 result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
                 result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
                 result = expectedMavenArtifacts;
-        }};
+            }
+        };
 
         final List<MavenArtifact> actualMavenArtifacts = instance.fetchMavenArtifacts(dependency);
 
@@ -98,13 +102,15 @@ public class CentralAnalyzerTest {
             throws IOException {
 
         CentralAnalyzer instance = new CentralAnalyzer();
-        instance.searcher = centralSearch;
+        instance.setCentralSearch(centralSearch);
         specifySha1SumFor(dependency);
 
-        new Expectations() {{
+        new Expectations() {
+            {
                 centralSearch.searchSha1(SHA1_SUM);
                 result = new FileNotFoundException("Artifact not found in Central");
-        }};
+            }
+        };
 
         instance.fetchMavenArtifacts(dependency);
     }
@@ -116,31 +122,35 @@ public class CentralAnalyzerTest {
             throws IOException {
 
         CentralAnalyzer instance = new CentralAnalyzer();
-        instance.searcher = centralSearch;
+        instance.setCentralSearch(centralSearch);
         specifySha1SumFor(dependency);
 
-        new Expectations() {{
+        new Expectations() {
+            {
                 centralSearch.searchSha1(SHA1_SUM);
                 result = new IOException("no internet connection");
-        }};
+            }
+        };
 
         instance.fetchMavenArtifacts(dependency);
     }
 
     @Test(expected = AnalysisException.class)
     @SuppressWarnings("PMD.NonStaticInitializer")
-    public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail(@Mocked final CentralSearch centralSearch,
+    public void testFetchMavenArtifactsAlwaysThrowsIOExceptionLetsTheAnalysisFail(
-                                                                                  @Mocked final Dependency dependency)
+            @Mocked final CentralSearch centralSearch, @Mocked final Dependency dependency)
             throws AnalysisException, IOException {
 
         CentralAnalyzer instance = new CentralAnalyzer();
-        instance.searcher = centralSearch;
+        instance.setCentralSearch(centralSearch);
         specifySha1SumFor(dependency);
 
-        new Expectations() {{
+        new Expectations() {
+            {
                 centralSearch.searchSha1(SHA1_SUM);
                 result = new IOException("no internet connection");
-        }};
+            }
+        };
 
         instance.analyze(dependency, null);
     }
@@ -164,9 +174,11 @@ public class CentralAnalyzerTest {
      */
     @SuppressWarnings("PMD.NonStaticInitializer")
     private void specifySha1SumFor(final Dependency dependency) {
-        new Expectations() {{
+        new Expectations() {
+            {
                 dependency.getSha1sum();
                 returns(SHA1_SUM);
-        }};
+            }
+        };
     }
 }

src/main/config/checkstyle-header.txt

@@ -13,6 +13,6 @@
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[0-9] (Jeremy Long|Steve Springett|Stefan Neuhaus|Bianca Jiang|Josh Cain|IBM Corporation|The OWASP Foundation|Institute for Defense Analyses|Hans Aikema)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package