diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
new file mode 100644
index 000000000..381d61373
--- /dev/null
+++ b/RELEASE_NOTES.md
@@ -0,0 +1,28 @@
+# Release Notes
+
+Please see the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check) for the release notes on versions not listed below.
+
+## [Version 3.0.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.2) (2017-11-13)
+
+### Bug fixes
+
+- Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
+
+## [Version 3.0.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.1) (2017-10-20)
+
+### Bug fixes
+
+- Fixed a database connection issue that affected some usages.
+
+## [Version 3.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.0) (2017-10-16)
+
+- Several bug fixes and false positive reduction
+ - The 2.x branch introduced several new false positives – but also reduced the false negatives
+- Java 9 compatibility update
+- Stability issues with the Central Analyzer resolved
+ - This comes at a cost of a longer analysis time
+- The CSV report now includes the GAV and CPE
+- The Hint Analyzer now supports regular expressions
+- If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console – only that vulnerable libraries were identified
+- Resolved issues with threading and multiple connections to the embedded H2 database
+ - This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check
\ No newline at end of file
diff --git a/build-reporting/pom.xml b/build-reporting/pom.xml
index fc89f99dd..7d869e274 100644
--- a/build-reporting/pom.xml
+++ b/build-reporting/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2017 - Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
Dependency-Check Build-Reporting
build-reporting
diff --git a/dependency-check-ant/pom.xml b/dependency-check-ant/pom.xml
index dadc7853e..539ddedcf 100644
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
dependency-check-ant
diff --git a/dependency-check-cli/pom.xml b/dependency-check-cli/pom.xml
index 1239d0b69..e7b89ce9d 100644
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
dependency-check-cli
diff --git a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
index e21b5bff4..504837811 100644
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -205,10 +205,10 @@ public final class CliParser {
final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
throw new FileNotFoundException(msg);
}
- } else if (path.startsWith("//") || path.startsWith("\\\\")) {
- isValid = false;
- final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
- throw new FileNotFoundException(msg);
+// } else if (path.startsWith("//") || path.startsWith("\\\\")) {
+// isValid = false;
+// final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
+// throw new FileNotFoundException(msg);
} else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; "
+ "dependency-check uses ant-style paths", path, argumentName);
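Review bot: The UNC-path guard is commented out instead of deleted, leaving four dead lines in the method and no statement of why paths starting with `//` or `\\` are now accepted; remove the lines and, if the intent is to let the scanner walk network shares, say so in a one-line comment so the next reader does not reinstate the check. The context line that follows still has the backslash branch inverted: `(path.endsWith("\\*") && path.endsWith("**\\*"))` can only fire for a path ending in `**\*`, while the forward-slash branch warns on `/*` and excludes `**/*`. It should read `(path.endsWith("\\*") && !path.endsWith("**\\*"))`. The enclosing validation method begins before and continues after this hunk.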
diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml
index 88b029b05..be1c2cd6e 100644
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
dependency-check-core
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
index c1e15538c..d6d2e8fb2 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -471,6 +471,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
boolean stillLooking = true;
int chr;
int nxtChr;
+ //CSOFF: InnerAssignment
+ //CSOFF: NestedIfDepth
while (stillLooking && (chr = in.read()) != -1) {
if (chr == '\n' || chr == '\r') {
in.mark(4);
@@ -488,6 +490,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
}
}
}
+ //CSON: InnerAssignment
+ //CSON: NestedIfDepth
} else {
in.reset();
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
index 49db7fd7c..62141b2c3 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyMergingAnalyzer.java
@@ -90,6 +90,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
@Override
protected boolean evaluateDependencies(final Dependency dependency, final Dependency nextDependency, final Set dependenciesToRemove) {
Dependency main;
+ //CSOFF: InnerAssignment
if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
if (main == dependency) {
mergeDependencies(dependency, nextDependency, dependenciesToRemove);
@@ -105,6 +106,7 @@ public class DependencyMergingAnalyzer extends AbstractDependencyComparingAnalyz
return true; //since we merged into the next dependency - skip forward to the next in mainIterator
}
}
+ //CSON: InnerAssignment
return false;
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
index edace0347..177b5b9f9 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -396,6 +396,7 @@ public final class ConnectionFactory {
final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+ //CSOFF: EmptyBlock
if (e0 == c0 && e1 < c1) {
LOGGER.warn("A new version of dependency-check is available; consider upgrading");
settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
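Review bot: `//CSOFF: EmptyBlock` disables the check for a branch that is not visible in this hunk rather than explaining it; an empty branch in a schema-version comparison that decides between "warn and disable auto-update" and "throw `Database schema is out of date`" is exactly where a reader wants the reason. Prefer a comment inside the empty block (presumably the case where the versions match, e.g. `// expected and current schema versions agree: nothing to do`), which most EmptyBlock configurations accept, over suppressing the rule. The enclosing method starts before the hunk.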
@@ -406,6 +407,7 @@ public final class ConnectionFactory {
UPGRADE_HELP_URL);
throw new DatabaseException("Database schema is out of date");
}
+ //CSON: EmptyBlock
}
}
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
index ff67ce54d..bc8c419e5 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/H2DBLock.java
@@ -145,8 +145,8 @@ public class H2DBLock {
if (lock == null || !lock.isValid()) {
try {
final Timestamp timestamp = new Timestamp(System.currentTimeMillis());
- LOGGER.debug("Sleeping thread {} ({}) for 10 seconds because an exclusive lock on the database could not be obtained ({})",
- Thread.currentThread().getName(), magic, timestamp.toString());
+ LOGGER.debug("Sleeping thread {} ({}) for {} seconds because an exclusive lock on the database could not be obtained ({})",
+ Thread.currentThread().getName(), magic, SLEEP_DURATION / 1000, timestamp.toString());
Thread.sleep(SLEEP_DURATION);
} catch (InterruptedException ex) {
LOGGER.debug("sleep was interrupted.", ex);
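Review bot: The catch on the last two lines logs the InterruptedException at debug level and drops it, so a thread interrupted while waiting for the H2 lock loses the interrupt and keeps polling (a cancelled build would not stop here); add `Thread.currentThread().interrupt();` after the log call so the enclosing loop and its caller can observe it. The reworked message uses integer division, `SLEEP_DURATION / 1000`, which silently truncates any sub-second part of the constant; that is fine only if SLEEP_DURATION is a whole number of seconds, which is not visible in this hunk. The retry loop containing this block starts before the hunk.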
diff --git a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
index 8aee9fb1f..6cbeec1a2 100644
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -855,4 +855,19 @@
^com\.unboundid:unboundid-ldapsdk:.*$
cpe:/a:id:id-software
+
+
+ ^activesoap:jaxb-xercesImpl:[01].*$
+ cpe:/a:apache:xerces2_java
+
+
+
+ 73a51faadb407dccdbd77234e0d5a0a648665692
+ cpe:/a:apache:xerces2_java
+
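Review bot: Both new suppressions map jaxb-xercesImpl away from `cpe:/a:apache:xerces2_java` without a notes element saying why; the artifact name suggests it repackages the Xerces implementation, so a reader of the base suppression file cannot tell whether Xerces CVEs are a genuine false positive here or are being hidden for every user of the tool. Add a short note alongside each entry stating what was checked (for example that the jar's contents were compared against the matching Xerces release) so the suppression can be revisited when that assumption changes. The version pattern `[01].*` also matches `10.x` and `11.x`; if only 0.x and 1.x are intended, `^activesoap:jaxb-xercesImpl:[01]\..*$` is tighter.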
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
index ebc8c84cc..8bf794121 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIT.java
@@ -103,13 +103,17 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
fp.initialize(getSettings());
fp.prepare(e);
- callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
- callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+ CpeSuppressionAnalyzer cpeSuppression = new CpeSuppressionAnalyzer();
+ cpeSuppression.initialize(getSettings());
+ cpeSuppression.prepare(e);
+
+ callDetermineCPE_full("hazelcast-2.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:springsource:spring_framework:2.5.5", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("ehcache-core-2.2.0.jar", null, cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2.27", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
+ callDetermineCPE_full("xstream-1.4.8.jar", "cpe:/a:x-stream:xstream:1.4.8", cpeAnalyzer, fnAnalyzer, jarAnalyzer, hAnalyzer, fp, cpeSuppression);
} finally {
cpeAnalyzer.close();
}
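Review bot: The new `cpeSuppression` analyzer is initialized and prepared next to `cpeAnalyzer` but the `finally` that follows still closes only `cpeAnalyzer`; if CpeSuppressionAnalyzer holds resources in `close()` like the other analyzers, it should be closed there too, e.g. `cpeSuppression.close();` after `cpeAnalyzer.close();`. Adding the suppression analyzer to this pipeline also means the `null` expectation for `jaxb-xercesImpl-1.5.jar` is now satisfied by the base suppression file rather than by CPE matching alone, which is worth a one-line comment on that call so a future change to the suppressions is recognized as the cause if it fails. The test method begins before this hunk.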
@@ -121,7 +125,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
* @throws Exception is thrown when an exception occurs
*/
public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer cpeAnalyzer, FileNameAnalyzer fnAnalyzer,
- JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {
+ JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp, CpeSuppressionAnalyzer cpeSuppression) throws Exception {
//File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
File file = BaseTest.getResourceAsFile(this, depName);
@@ -133,6 +137,7 @@ public class CPEAnalyzerIT extends BaseDBTestCase {
hAnalyzer.analyze(dep, null);
cpeAnalyzer.analyze(dep, null);
fp.analyze(dep, null);
+ cpeSuppression.analyze(dep, null);
if (expResult != null) {
boolean found = false;
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
index 6dd34a6dc..f6a2f4fb9 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CentralAnalyzerTest.java
@@ -84,8 +84,7 @@ public class CentralAnalyzerTest {
new Expectations() {
{
centralSearch.searchSha1(SHA1_SUM);
- result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
- result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
+ //result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");
result = expectedMavenArtifacts;
}
};
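Review bot: The leftover `//result = new IOException("Could not connect to MavenCentral (500): Internal Server Error");` is commented-out code and should be deleted rather than kept. The two removed expectations queued two 500 failures before the successful result, which looks like the retry path of the analyzer was what this test exercised; with only `result = expectedMavenArtifacts;` left, the test covers the happy path only, so either keep a separate expectation sequence for the retry behavior or rename the test to match what it now checks. The test method's signature is above the hunk.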
diff --git a/dependency-check-maven/pom.xml b/dependency-check-maven/pom.xml
index 081ffa3a1..0a238dcbb 100644
--- a/dependency-check-maven/pom.xml
+++ b/dependency-check-maven/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
dependency-check-maven
maven-plugin
diff --git a/dependency-check-maven/src/site/markdown/configuration.md b/dependency-check-maven/src/site/markdown/configuration.md
index ebf3cacc7..6e40a0e5f 100644
--- a/dependency-check-maven/src/site/markdown/configuration.md
+++ b/dependency-check-maven/src/site/markdown/configuration.md
@@ -80,7 +80,7 @@ cveUrl20Modified | URL for the modified CVE 2.0.
cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
connectionTimeout | Sets the URL Connection Timeout used when downloading external data. |
-dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. |
+dataDirectory | Sets the data directory to hold SQL CVEs contents. This should generally not be changed. | ~/.m2/repository/org/owasp/dependency-check-data/
databaseDriverName | The name of the database driver. Example: org.h2.Driver. |
databaseDriverPath | The path to the database driver JAR file; only used if the driver is not in the class path. |
connectionString | The connection string used to connect to the database. |
diff --git a/dependency-check-plugin/pom.xml b/dependency-check-plugin/pom.xml
index bf53910c7..828348391 100644
--- a/dependency-check-plugin/pom.xml
+++ b/dependency-check-plugin/pom.xml
@@ -21,7 +21,7 @@ Copyright (c) 2017 Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
org.owasp
dependency-check-plugin
diff --git a/dependency-check-utils/pom.xml b/dependency-check-utils/pom.xml
index 502d4758a..15ed50461 100644
--- a/dependency-check-utils/pom.xml
+++ b/dependency-check-utils/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
dependency-check-utils
diff --git a/pom.xml b/pom.xml
index 53c3b847c..86da3e0be 100644
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
org.owasp
dependency-check-parent
- 3.0.2
+ 3.0.3-SNAPSHOT
pom
diff --git a/src/main/config/checkstyle-checks.xml b/src/main/config/checkstyle-checks.xml
index f237c7b39..41244e9b1 100644
--- a/src/main/config/checkstyle-checks.xml
+++ b/src/main/config/checkstyle-checks.xml
@@ -114,7 +114,7 @@
-
+