version 0.2.5.1

Former-commit-id: 7ced778f0f8a749ffca1efd7d3416c4a16c1da26

README.txt

@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
 Usage:
 $ mvn package
 $ cd target
-$ java -jar DependencyCheck-0.2.5.0.jar -h
-$ java -jar DependencyCheck-0.2.5.0.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
+$ java -jar DependencyCheck-0.2.5.1.jar -h
+$ java -jar DependencyCheck-0.2.5.1.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 

pom.xml

@@ -23,7 +23,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
 
     <groupId>org.codesecure</groupId>
     <artifactId>DependencyCheck</artifactId>
-    <version>0.2.5.0</version>
+    <version>0.2.5.1</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
@@ -55,6 +55,15 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
         <system>github</system>
         <url>https://github.com/jeremylong/DependencyCheck/issues</url>
     </issueManagement>
+    <mailingLists>
+        <mailingList>
+            <name>Dependency Check</name>
+            <subscribe>dependency-check+subscribe@googlegroups.com</subscribe>
+            <unsubscribe>dependency-check+unsubscribe@googlegroups.com</unsubscribe>
+            <post>dependency-check@googlegroups.com</post>
+            <archive>https://groups.google.com/forum/?fromgroups#!forum/dependency-check</archive>
+        </mailingList>
+    </mailingLists>
     <licenses>
         <license>
             <name>GNU General Public License version 3</name>
@@ -257,7 +266,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
                             <reportSets>
                                 <reportSet>
                                     <reports>
-                                  <!--<report>mailing-list</report>-->
+                                        <report>mailing-list</report>
                                   <!--<report>cim</report>-->
                                         <report>index</report>
                                         <report>summary</report>
@@ -463,7 +472,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
         <!-- The following dependencies are only scanned during integration testing -->
         <!--<dependency>
             <groupId>org.springframework</groupId>
-            <artifactId>spring-beans</artifactId>
+            <artifactId>spring-webmvc</artifactId>
             <version>2.5.5</version>
             <scope>test</scope>
         </dependency>-->

src/main/java/org/codesecure/dependencycheck/Engine.java

@@ -19,9 +19,7 @@
 package org.codesecure.dependencycheck;
 
 import java.util.EnumMap;
-import org.codesecure.dependencycheck.dependency.Dependency;
 import java.io.File;
-import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -33,10 +31,10 @@ import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.analyzer.Analyzer;
 import org.codesecure.dependencycheck.analyzer.AnalyzerService;
-import org.codesecure.dependencycheck.analyzer.ArchiveAnalyzer;
 import org.codesecure.dependencycheck.data.CachedWebDataSource;
 import org.codesecure.dependencycheck.data.UpdateException;
 import org.codesecure.dependencycheck.data.UpdateService;
+import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.utils.FileUtils;
 
 /**
@@ -188,9 +186,9 @@ public class Engine {
      * Runs the analyzers against all of the dependencies.
      */
     public void analyzeDependencies() {
+        //phase one initilize
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             List<Analyzer> analyzerList = analyzers.get(phase);
-
             for (Analyzer a : analyzerList) {
                 try {
                     a.initialize();
@@ -204,41 +202,34 @@ public class Engine {
                     }
                     continue;
                 }
+            }
+        }
+
+        // analysis phases
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            List<Analyzer> analyzerList = analyzers.get(phase);
+
+            for (Analyzer a : analyzerList) {
                 for (Dependency d : dependencies) {
                     if (a.supportsExtension(d.getFileExtension())) {
                         try {
-                            if (a instanceof ArchiveAnalyzer) {
-                                ArchiveAnalyzer aa = (ArchiveAnalyzer) a;
-                                aa.analyze(d, this);
-                            } else {
-                                a.analyze(d);
-                            }
+                            a.analyze(d, this);
                         } catch (AnalysisException ex) {
                             d.addAnalysisException(ex);
-                        } catch (IOException ex) {
-                            String msg = String.format("IOException occured while analyzing the file '%s'.",
-                                    d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg, ex);
                         }
                     }
                 }
-                try {
-                    a.close();
-                } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
-                }
             }
         }
 
-        //Now cycle through all of the analyzers one last time to call
-        // cleanup on any archiveanalyzers. These should only exist in the
-        // initial phase, but we are going to be thourough just in case.
+        //close/cleanup
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             List<Analyzer> analyzerList = analyzers.get(phase);
             for (Analyzer a : analyzerList) {
-                if (a instanceof ArchiveAnalyzer) {
-                    ArchiveAnalyzer aa = (ArchiveAnalyzer) a;
-                    aa.cleanup();
+                try {
+                    a.close();
+                } catch (Exception ex) {
+                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
                 }
             }
         }

src/main/java/org/codesecure/dependencycheck/analyzer/Analyzer.java

@@ -19,6 +19,7 @@
 package org.codesecure.dependencycheck.analyzer;
 
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.dependency.Dependency;
 
 /**
@@ -37,10 +38,12 @@ public interface Analyzer {
      * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
+     * @param engine the engine that is scanning the dependencies - this is useful
+     * if we need to check other dependencies
      * @throws AnalysisException is thrown if there is an error analyzing the
      * dependency file
      */
-    void analyze(Dependency dependency) throws AnalysisException;
+    void analyze(Dependency dependency, Engine engine) throws AnalysisException;
 
     /**
      * <p>Returns a list of supported file extensions. An example would be an

src/main/java/org/codesecure/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -1,48 +0,0 @@
-/*
- * This file is part of DependencyCheck.
- *
- * DependencyCheck is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * DependencyCheck is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.codesecure.dependencycheck.analyzer;
-
-import org.codesecure.dependencycheck.dependency.Dependency;
-import java.io.IOException;
-import org.codesecure.dependencycheck.Engine;
-
-/**
- * An interface that defines an Analyzer that is used to expand archives and
- * allow the engine to scan the contents.
- *
- * @author Jeremy Long (jeremy.long@gmail.com)
- */
-public interface ArchiveAnalyzer {
-
-    /**
-     * An ArchiveAnalyzer expands an archive and calls the scan method of the
-     * engine on the exploded contents.
-     *
-     * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies.
-     * @throws IOException is thrown if there is an error reading the dependency
-     * file
-     */
-    void analyze(Dependency dependency, Engine engine) throws IOException;
-
-    /**
-     * Cleans any temporary files generated when analyzing the archive.
-     */
-    void cleanup();
-}

src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -21,6 +21,7 @@ package org.codesecure.dependencycheck.analyzer;
 import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.dependency.Evidence;
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 
 /**
  *
@@ -85,10 +86,11 @@ public class FileNameAnalyzer implements Analyzer {
      * Collects information about the file name.
      *
      * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 
         String fileName = dependency.getFileName();
         int pos = fileName.lastIndexOf(".");

src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java

@@ -23,6 +23,7 @@ import java.io.FileInputStream;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.bind.JAXBException;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.dependency.Dependency;
 import org.codesecure.dependencycheck.dependency.Evidence;
 import org.codesecure.dependencycheck.dependency.EvidenceCollection;
@@ -54,7 +55,7 @@ import org.codesecure.dependencycheck.utils.NonClosingStream;
  *
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
-public class JarAnalyzer extends AbstractAnalyzer {
+public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * The system independent newline character.
@@ -178,10 +179,11 @@ public class JarAnalyzer extends AbstractAnalyzer {
      * checksums to identify the correct CPE information.
      *
      * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             parseManifest(dependency);
             analyzePackageNames(dependency);

src/main/java/org/codesecure/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -0,0 +1,158 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
+import org.codesecure.dependencycheck.dependency.Dependency;
+import org.codesecure.dependencycheck.dependency.Identifier;
+
+/**
+ * This analyzer ensures that the Spring Framework Core CPE identifiers are only associated
+ * with the "core" jar files. If there are other Spring JARs, such as spring-beans, and
+ * spring-core is in the scanned dependencies then only the spring-core will have a reference
+ * to the CPE values (if there are any for the version of spring being used).
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class SpringCleaningAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("jar");
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Jar Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by tihs
+     * analyzer.
+     */
+    public boolean supportsExtension(String extension) {
+        return EXTENSIONS.contains(extension);
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer
+     * @throws Exception never thrown by this analyzer
+     */
+    public void initialize() throws Exception {
+        //do nothing
+    }
+
+    /**
+     * The close method does nothing for this Analyzer
+     * @throws Exception never thrown by this analyzer
+     */
+    public void close() throws Exception {
+        //do nothing
+    }
+    private List<Identifier> springVersions = null;
+
+    /**
+     * Determines if several "spring" libraries were scanned and trimes the
+     * cpe:/a:springsource:spring_framework:[version] from the none "core" framework
+     * if the core framework was part of the scan.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+
+        collectSpringFrameworkIdentifiers(engine);
+
+        List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
+        for (Identifier identifier : dependency.getIdentifiers()) {
+            if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
+                identifiersToRemove.add(identifier);
+            }
+        }
+
+        for (Identifier i : identifiersToRemove) {
+            dependency.getIdentifiers().remove(i);
+        }
+    }
+
+    private void collectSpringFrameworkIdentifiers(Engine engine) {
+        //check to see if any of the libs are the core framework
+        if (springVersions == null) {
+            springVersions = new ArrayList<Identifier>();
+            for (Dependency d : engine.getDependencies()) {
+                if (supportsExtension(d.getFileExtension())) {
+                    for (Identifier i : d.getIdentifiers()) {
+                        if (isSpringFrameworkCpe(i)) {
+                            if (isCoreFramework(d.getFileName())) {
+                                springVersions.add(i);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+
+    private boolean isSpringFrameworkCpe(Identifier identifier) {
+        return "cpe".equals(identifier.getType())
+                && identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:");
+    }
+
+    private boolean isCoreFramework(String filename) {
+        return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java

@@ -29,6 +29,7 @@ import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.data.lucene.LuceneUtils;
@@ -436,10 +437,11 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
      * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze.
+     * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the
      * dependency.
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

src/main/java/org/codesecure/dependencycheck/data/nvdcve/NvdCveAnalyzer.java

@@ -22,6 +22,7 @@ import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
+import org.codesecure.dependencycheck.Engine;
 import org.codesecure.dependencycheck.analyzer.AnalysisException;
 import org.codesecure.dependencycheck.analyzer.AnalysisPhase;
 import org.codesecure.dependencycheck.dependency.Dependency;
@@ -92,11 +93,12 @@ public class NvdCveAnalyzer implements org.codesecure.dependencycheck.analyzer.A
      * Analyzes a dependency and attempts to determine if there are any CPE
      * identifiers for this dependency.
      *
-     * @param dependency The Dependency to analyze.
+     * @param dependency The Dependency to analyze
+     * @param engine The analysis engine
      * @throws AnalysisException is thrown if there is an issue analyzing the
-     * dependency.
+     * dependency
      */
-    public void analyze(Dependency dependency) throws AnalysisException {
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {

src/main/java/org/codesecure/dependencycheck/dependency/Identifier.java

@@ -138,4 +138,31 @@ public class Identifier {
     public void setDescription(String description) {
         this.description = description;
     }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final Identifier other = (Identifier) obj;
+        if ((this.value == null) ? (other.value != null) : !this.value.equals(other.value)) {
+            return false;
+        }
+        if ((this.type == null) ? (other.type != null) : !this.type.equals(other.type)) {
+            return false;
+        }
+        return true;
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 5;
+        hash = 53 * hash + (this.value != null ? this.value.hashCode() : 0);
+        hash = 53 * hash + (this.type != null ? this.type.hashCode() : 0);
+        return hash;
+    }
+
 }

src/main/resources/META-INF/services/org.codesecure.dependencycheck.analyzer.Analyzer

@@ -1,4 +1,5 @@
 org.codesecure.dependencycheck.analyzer.JarAnalyzer
 org.codesecure.dependencycheck.analyzer.FileNameAnalyzer
+org.codesecure.dependencycheck.analyzer.SpringCleaningAnalyzer
 org.codesecure.dependencycheck.data.cpe.CPEAnalyzer
 org.codesecure.dependencycheck.data.nvdcve.NvdCveAnalyzer

src/main/resources/configuration/dependencycheck.properties

@@ -22,7 +22,7 @@ cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modifie
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
 # the number of cve.urls
-cve.url.count=11
+cve.url.count=12
 # the paths to the various nvd cve files (schema version 2.0)
 cve.url-2.0.1=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2002.xml
 cve.url-2.0.2=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2003.xml
@@ -35,6 +35,7 @@ cve.url-2.0.8=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2009.xml
 cve.url-2.0.9=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2010.xml
 cve.url-2.0.10=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2011.xml
 cve.url-2.0.11=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2012.xml
+cve.url-2.0.12=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-2013.xml
 
 # the paths to the various nvd cve files (schema version 1.2).
 cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
@@ -48,4 +49,5 @@ cve.url-1.2.7=http://nvd.nist.gov/download/nvdcve-2008.xml
 cve.url-1.2.8=http://nvd.nist.gov/download/nvdcve-2009.xml
 cve.url-1.2.9=http://nvd.nist.gov/download/nvdcve-2010.xml
 cve.url-1.2.10=http://nvd.nist.gov/download/nvdcve-2011.xml
-cve.url-1.2.11=http://nvd.nist.gov/download/nvdcve-2012.xml
+cve.url-1.2.11=http://nvd.nist.gov/download/nvdcve-2012.xml
+cve.url-1.2.12=http://nvd.nist.gov/download/nvdcve-2013.xml

src/test/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzerTest.java

@@ -19,7 +19,7 @@ import static org.junit.Assert.*;
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
 public class FileNameAnalyzerTest {
-    
+
     public FileNameAnalyzerTest() {
     }
 
@@ -30,11 +30,11 @@ public class FileNameAnalyzerTest {
     @AfterClass
     public static void tearDownClass() throws Exception {
     }
-    
+
     @Before
     public void setUp() {
     }
-    
+
     @After
     public void tearDown() {
     }
@@ -97,7 +97,7 @@ public class FileNameAnalyzerTest {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         Dependency result = new Dependency(file);
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("struts"));
     }
 
@@ -119,7 +119,7 @@ public class FileNameAnalyzerTest {
     public void testClose() {
         System.out.println("close");
         FileNameAnalyzer instance = new FileNameAnalyzer();
-        instance.close();        
+        instance.close();
         assertTrue(true); //close does nothing.
     }
 }

src/test/java/org/codesecure/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -53,14 +53,14 @@ public class JarAnalyzerTest {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         Dependency result = new Dependency(file);
         JarAnalyzer instance = new JarAnalyzer();
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
         assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));
 
 
         file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
         result = new Dependency(file);
-        instance.analyze(result);
+        instance.analyze(result, null);
         boolean found = false;
         for (Evidence e : result.getProductEvidence()) {
             if (e.getName().equalsIgnoreCase("package-title")
@@ -93,7 +93,7 @@ public class JarAnalyzerTest {
 
         file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
         result = new Dependency(file);
-        instance.analyze(result);
+        instance.analyze(result, null);
         assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
     }
 

src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -97,11 +97,11 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
         JarAnalyzer jarAnalyzer = new JarAnalyzer();
         Dependency depends = new Dependency(file);
-        jarAnalyzer.analyze(depends);
+        jarAnalyzer.analyze(depends, null);
 
         File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
         Dependency spring = new Dependency(fileSpring);
-        jarAnalyzer.analyze(spring);
+        jarAnalyzer.analyze(spring, null);
 
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();