From f47c6b07f488a603bbe5618c25b00bcdaa343713 Mon Sep 17 00:00:00 2001
From: Jeremy Long <jeremy.long@gmail.com>
Date: Mon, 5 Dec 2016 22:41:15 -0500
Subject: [PATCH] jacks recommended change for thread safety

---
 dependency-check-core/pom.xml                 |  4 ++++
 .../data/nvdcve/DatabaseProperties.java       | 19 ++++++++-------
 .../reporting/ReportGenerator.java            | 24 ++++++++++++-------
 .../DatabasePropertiesIntegrationTest.java    | 24 +++++++++++++++++++
 pom.xml                                       |  5 ++++
 5 files changed, 58 insertions(+), 18 deletions(-)

diff --git a/dependency-check-core/pom.xml b/dependency-check-core/pom.xml
index cb0ada43c..0b1491437 100644
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -261,6 +261,10 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     </reporting>
     <dependencies>
         <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
+        <dependency>
+            <groupId>joda-time</groupId>
+            <artifactId>joda-time</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>annotations</artifactId>
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
index 10459b31a..2d4086f03 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -17,13 +17,13 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.text.DateFormat;
-import java.text.SimpleDateFormat;
-import java.util.Date;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TreeMap;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.slf4j.Logger;
@@ -170,12 +170,13 @@ public class DatabaseProperties {
                 if (key.startsWith("NVD CVE ")) {
                     try {
                         final long epoch = Long.parseLong((String) entry.getValue());
-                        final Date date = new Date(epoch);
-                        synchronized (date) {
-                            final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
-                            final String formatted = format.format(date);
-                            map.put(key, formatted);
-                        }
+                        final DateTime date = new DateTime(epoch);
+                        DateTimeFormatter format = DateTimeFormat.forPattern("dd/MM/yyyy HH:mm:ss");
+                        String formatted = format.print(date);
+//                        final Date date = new Date(epoch);
+//                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
+//                        final String formatted = format.format(date);
+                        map.put(key, formatted);
                     } catch (Throwable ex) { //deliberately being broad in this catch clause
                         LOGGER.debug("Unable to parse timestamp from DB", ex);
                         map.put(key, (String) entry.getValue());
diff --git a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
index 1ce648110..2729c9f1c 100644
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -35,6 +35,9 @@ import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
 import org.apache.velocity.runtime.RuntimeConstants;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -104,15 +107,18 @@ public class ReportGenerator {
 
         velocityEngine.init();
         final EscapeTool enc = new EscapeTool();
-        final Date d = new Date();
-        String scanDate;
-        String scanDateXML;
-        synchronized (d) {
-            final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
-            final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
-            scanDate = dateFormat.format(d);
-            scanDateXML = dateFormatXML.format(d);
-        }
+
+        final DateTime dt = DateTime.now();
+        DateTimeFormatter dateFormat = DateTimeFormat.forPattern("MMM d, yyyy 'at' HH:mm:ss z");
+        DateTimeFormatter dateFormatXML = DateTimeFormat.forPattern("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+                
+//        final Date d = new Date();
+//        final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
+//        final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+        
+        final String scanDate = dateFormat.print(dt);
+        final String scanDateXML = dateFormatXML.print(dt);
+
         context.put("applicationName", applicationName);
         context.put("dependencies", dependencies);
         context.put("analyzers", analyzers);
diff --git a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
index f505af9c9..d67096b68 100644
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
@@ -17,8 +17,14 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.Properties;
+import org.joda.time.DateTime;
+import org.joda.time.format.DateTimeFormat;
+import org.joda.time.format.DateTimeFormatter;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
@@ -143,4 +149,22 @@ public class DatabasePropertiesIntegrationTest extends BaseDBTestCase {
             }
         }
     }
+    
+    @Test
+    public void testTest() {
+        final Date now = new Date();
+        
+        final DateFormat format = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+        final String formatted = format.format(now);
+        
+        final DateTime dt = new DateTime(now.getTime());
+        DateTimeFormatter fmt = DateTimeFormat.forPattern("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+        String jodaFormatted = fmt.print(dt);
+        System.out.println(formatted);
+        System.out.println(jodaFormatted);
+        assertTrue(jodaFormatted.equals(formatted));
+        
+        
+        
+    }
 }
diff --git a/pom.xml b/pom.xml
index a6efd387b..b71888541 100644
--- a/pom.xml
+++ b/pom.xml
@@ -543,6 +543,11 @@ Copyright (c) 2012 - Jeremy Long
     </reporting>
     <dependencyManagement>
         <dependencies>
+            <dependency>
+                <groupId>joda-time</groupId>
+                <artifactId>joda-time</artifactId>
+                <version>2.9.6</version>
+            </dependency>
             <dependency>
                 <groupId>com.google.code.findbugs</groupId>
                 <artifactId>annotations</artifactId>