[maven-release-plugin] prepare release dependency-check-0.2.6.0

Former-commit-id: 72f4e6be540edb2a8fd5ea3700a244e4aa0d9fbd

README.txt

@@ -7,8 +7,8 @@ If found, it will generate a report linking to the associated CVE entries.
 Usage:
 $ mvn package
 $ cd target
-$ java -jar DependencyCheck-0.2.5.2.jar -h
+$ java -jar dependency-check-0.2.6.0.jar -h
-$ java -jar DependencyCheck-0.2.5.2.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
+$ java -jar dependency-check-0.2.6.0.jar -a Testing -out . -scan ./test-classes/org.mortbay.jetty.jar -scan ./test-classes/struts2-core-2.1.2.jar -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 

pom.xml

@@ -14,16 +14,15 @@ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
+along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
 -->
 
-<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
-         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
     <groupId>org.codesecure</groupId>
-    <artifactId>DependencyCheck</artifactId>
+    <artifactId>dependency-check</artifactId>
-    <version>0.2.5.2</version>
+    <version>0.2.6.0</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
@@ -50,7 +49,8 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
         <connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
         <url>https://github.com/jeremylong/DependencyCheck.git</url>
         <developerConnection>scm:git:git@github.com:jeremylong/DependencyCheck.git</developerConnection>
-    </scm>
+      <tag>dependency-check-0.2.6.0</tag>
+  </scm>
     <issueManagement>
         <system>github</system>
         <url>https://github.com/jeremylong/DependencyCheck/issues</url>
@@ -110,7 +110,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses/>.
                 <artifactId>maven-javadoc-plugin</artifactId>
                 <version>2.8.1</version>
                 <configuration>
-                    <bottom>Copyright&#169; 2012 Jeremy Long. All Rights Reserved.</bottom>
+                    <bottom>Copyright© 2012 Jeremy Long. All Rights Reserved.</bottom>
                 </configuration>
             </plugin>
             <plugin>

src/main/java/org/codesecure/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -95,7 +95,7 @@ public class FileNameAnalyzer implements Analyzer {
         String fileName = dependency.getFileName();
         int pos = fileName.lastIndexOf(".");
         if (pos > 0) {
-            fileName = fileName.substring(0, pos - 1);
+            fileName = fileName.substring(0, pos);
         }
 
         dependency.getProductEvidence().addEvidence("file", "name",

src/main/java/org/codesecure/dependencycheck/analyzer/JarAnalyzer.java

@@ -68,7 +68,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
     /**
      * A list of elements in the manifest to ignore.
      */
@@ -648,13 +648,21 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     private void addPredefinedData(Dependency dependency) {
-        Evidence spring = new Evidence("Manifest",
+        Evidence springTest1 = new Evidence("Manifest",
                 "Implementation-Title",
                 "Spring Framework",
                 Evidence.Confidence.HIGH);
 
-        if (dependency.getProductEvidence().getEvidence().contains(spring)) {
+        Evidence springTest2 = new Evidence("Manifest",
+                "Implementation-Title",
+                "org.springframework.core",
+                Evidence.Confidence.HIGH);
+
+        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
+            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
     }
 }

src/main/java/org/codesecure/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -149,7 +149,8 @@ public class SpringCleaningAnalyzer extends AbstractAnalyzer {
 
     private boolean isSpringFrameworkCpe(Identifier identifier) {
         return "cpe".equals(identifier.getType())
-                && identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:");
+                && (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
+                || identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
     }
 
     private boolean isCoreFramework(String filename) {

src/main/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzer.java

@@ -144,7 +144,6 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
             for (Entry e : entries) {
                 if (verifyEntry(e, dependency)) {
                     found = true;
-
                     dependency.addIdentifier(
                             "cpe",
                             e.getName(),
@@ -421,17 +420,24 @@ public class CPEAnalyzer implements org.codesecure.dependencycheck.analyzer.Anal
      */
     private boolean verifyEntry(final Entry entry, final Dependency dependency) {
         boolean isValid = false;
-        if (dependency.getProductEvidence().containsUsedString(entry.getProduct())
+
-                && dependency.getVendorEvidence().containsUsedString(entry.getVendor())) {
+        if (collectionContainsStrings(dependency.getProductEvidence(), entry.getProduct())
-            //TODO - determine if this is right? Should we be carrying too much about the
+                && collectionContainsStrings(dependency.getVendorEvidence(), entry.getVendor())
-            //  version at this point? Likely need to implement the versionAnalyzer....
+                && collectionContainsStrings(dependency.getVersionEvidence(), entry.getVersion())) {
-            if (dependency.getVersionEvidence().containsUsedString(entry.getVersion())) {
+            isValid = true;
-                isValid = true;
-            }
         }
         return isValid;
     }
 
+    private boolean collectionContainsStrings(EvidenceCollection ec, String text) {
+        String[] words = text.split("[\\s_-]");
+        boolean contains = true;
+        for (String word : words) {
+            contains &= ec.containsUsedString(word);
+        }
+        return contains;
+    }
+
     /**
      * Analyzes a dependency and attempts to determine if there are any CPE
      * identifiers for this dependency.

src/main/java/org/codesecure/dependencycheck/data/cpe/Index.java

@@ -40,6 +40,8 @@ import org.codesecure.dependencycheck.data.lucene.AbstractIndex;
 import org.codesecure.dependencycheck.utils.Settings;
 import org.codesecure.dependencycheck.data.lucene.FieldAnalyzer;
 import org.codesecure.dependencycheck.data.lucene.SearchFieldAnalyzer;
+import org.codesecure.dependencycheck.data.lucene.SearchVersionAnalyzer;
+import org.codesecure.dependencycheck.data.lucene.VersionAnalyzer;
 
 /**
  * The Index class is used to utilize and maintain the CPE Index.
@@ -97,7 +99,8 @@ public class Index extends AbstractIndex {
     public Analyzer createIndexingAnalyzer() {
         Map fieldAnalyzers = new HashMap();
 
-        fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
+        //fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
+        fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
         fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
 
         PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
@@ -117,8 +120,9 @@ public class Index extends AbstractIndex {
     public Analyzer createSearchingAnalyzer() {
         Map fieldAnalyzers = new HashMap();
 
-        fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
         fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
+        //fieldAnalyzers.put(Fields.VERSION, new KeywordAnalyzer());
+        fieldAnalyzers.put(Fields.VERSION, new SearchVersionAnalyzer(Version.LUCENE_40));
         productSearchFieldAnalyzer = new SearchFieldAnalyzer(Version.LUCENE_40);
         vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(Version.LUCENE_40);
         fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);

src/main/java/org/codesecure/dependencycheck/data/cwe/CweDB.java

@@ -0,0 +1,75 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.ObjectInputStream;
+import java.util.HashMap;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweDB {
+
+    private CweDB() {
+        //empty contructor for utility class
+    }
+    private static final HashMap<String, String> CWE = loadData();
+
+    private static HashMap<String, String> loadData() {
+        ObjectInputStream oin = null;
+        try {
+            String filePath = "data/cwe.hashmap.serialized";
+            InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
+            oin = new ObjectInputStream(input);
+            @SuppressWarnings("unchecked")
+            HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
+            return data;
+        } catch (ClassNotFoundException ex) {
+            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IOException ex) {
+            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+        } finally {
+            if (oin != null) {
+                try {
+                    oin.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+                }
+            }
+        }
+        return null;
+    }
+
+    /**
+     * <p>Returns the full CWE name from the CWE ID.</p>
+     * @param cweId te CWE ID
+     * @return the full name of the CWE
+     */
+    public static String getCweName(String cweId) {
+        if (cweId != null) {
+            return CWE.get(cweId);
+        }
+        return null;
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/cwe/CweHandler.java

@@ -0,0 +1,52 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.util.HashMap;
+import org.xml.sax.Attributes;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.DefaultHandler;
+
+/**
+ * A SAX Handler that will parse the CWE XML.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweHandler extends DefaultHandler {
+
+    private HashMap<String, String> cwe = new HashMap<String, String>();
+
+    /**
+     * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
+     * @return a HashMap of CWE entries <String, String>
+     */
+    public HashMap<String, String> getCwe() {
+        return cwe;
+    }
+
+    @Override
+    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+
+        if ("Weakness".equals(qName) || "Category".equals(qName)) {
+            String id = "CWE-" + attributes.getValue("ID");
+            String name = attributes.getValue("Name");
+            cwe.put(id, name);
+        }
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/cwe/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.codesecure.dependencycheck.data.cwe</title>
+ * </head>
+ * <body>
+ * Contains classes for working with the CWE Database.
+ * </body>
+ * </html>
+*/
+
+package org.codesecure.dependencycheck.data.cwe;

src/main/java/org/codesecure/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.data.lucene;
+
+import java.io.Reader;
+import org.apache.lucene.analysis.Analyzer;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.Tokenizer;
+import org.apache.lucene.analysis.core.LowerCaseFilter;
+import org.apache.lucene.analysis.core.WhitespaceTokenizer;
+import org.apache.lucene.util.Version;
+
+/**
+ * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class SearchVersionAnalyzer extends Analyzer {
+    //TODO consider implementing payloads/custom attributes...
+    // use custom attributes for major, minor, x, x, x, rcx
+    // these can then be used to weight the score for searches on the version.
+    // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
+    // look at this article to implement
+    // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
+
+    /**
+     * The Lucene Version used
+     */
+    private Version version = null;
+
+    /**
+     * Creates a new SearchVersionAnalyzer
+     * @param version the Lucene version
+     */
+    public SearchVersionAnalyzer(Version version) {
+        this.version = version;
+    }
+
+    /**
+     * Creates the TokenStreamComponents
+     *
+     * @param fieldName the field name being analyzed
+     * @param reader the reader containing the input
+     * @return the TokenStreamComponents
+     */
+    @Override
+    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
+        Tokenizer source = new WhitespaceTokenizer(version, reader);
+        TokenStream stream = source;
+        stream = new LowerCaseFilter(version, stream);
+        stream = new VersionTokenizingFilter(stream);
+        return new TokenStreamComponents(source, stream);
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -18,16 +18,52 @@
  */
 package org.codesecure.dependencycheck.data.lucene;
 
+import java.io.Reader;
+import org.apache.lucene.analysis.Analyzer;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.Tokenizer;
+import org.apache.lucene.analysis.core.LowerCaseFilter;
+import org.apache.lucene.analysis.core.WhitespaceTokenizer;
+import org.apache.lucene.util.Version;
+
 /**
  * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
  * @author Jeremy Long (jeremy.long@gmail.com)
  */
-public class VersionAnalyzer {
+public class VersionAnalyzer extends Analyzer {
-    //TODO Implement this...
+    //TODO consider implementing payloads/custom attributes...
     // use custom attributes for major, minor, x, x, x, rcx
     // these can then be used to weight the score for searches on the version.
     // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
     // look at this article to implement
     // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
+
+    /**
+     * The Lucene Version used
+     */
+    private Version version = null;
+
+    /**
+     * Creates a new VersionAnalyzer
+     * @param version the Lucene version
+     */
+    public VersionAnalyzer(Version version) {
+        this.version = version;
+    }
+
+    /**
+     * Creates the TokenStreamComponents
+     *
+     * @param fieldName the field name being analyzed
+     * @param reader the reader containing the input
+     * @return the TokenStreamComponents
+     */
+    @Override
+    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
+        Tokenizer source = new WhitespaceTokenizer(version, reader);
+        TokenStream stream = source;
+        stream = new LowerCaseFilter(version, stream);
+        return new TokenStreamComponents(source, stream);
+    }
 }

src/main/java/org/codesecure/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -0,0 +1,100 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.data.lucene;
+
+import java.io.IOException;
+import java.util.LinkedList;
+import org.apache.lucene.analysis.TokenFilter;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+
+/**
+ * <p>Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
+ * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public final class VersionTokenizingFilter extends TokenFilter {
+
+    private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
+    /**
+     * A collection of tokens to add to the stream.
+     */
+    protected LinkedList<String> tokens = null;
+
+    /**
+     * Consructs a new VersionTokenizingFilter
+     * @param stream the TokenStream that this filter will process
+     */
+    public VersionTokenizingFilter(TokenStream stream) {
+        super(stream);
+        tokens = new LinkedList<String>();
+    }
+
+    /**
+     * Increments the underlying TokenStream and sets CharTermAtttributes to
+     * construct an expanded set of tokens by concatenting tokens with the
+     * previous token.
+     *
+     * @return whether or not we have hit the end of the TokenStream
+     * @throws IOException is thrown when an IOException occurs
+     */
+    @Override
+    public boolean incrementToken() throws IOException {
+        if (tokens.size() == 0 && input.incrementToken()) {
+            String version = new String(termAtt.buffer(), 0, termAtt.length());
+            analyzeVersion(version);
+        }
+        return addTerm();
+    }
+
+    /**
+     * Adds a term, if one exists, from the tokens collection..
+     * @return
+     */
+    private boolean addTerm() {
+        boolean termAdded = tokens.size() > 0;
+        if (termAdded) {
+            String version = tokens.pop();
+            clearAttributes();
+            termAtt.append(version);
+        }
+        return termAdded;
+    }
+
+    //major.minor[.maintenance[.build]]
+    private void analyzeVersion(String version) {
+        //todo should we also be splitting on dash or underscore? we would need
+        //  to incorporate the dash or underscore back in...
+        String[] versionParts = version.split("\\.");
+        String dottedVersion = null;
+        for (int x = 0; x < versionParts.length; x++) {
+            String current = versionParts[x];
+            if (!current.matches("^/d+$")) {
+                tokens.add(current);
+            }
+            if (dottedVersion == null) {
+                dottedVersion = current;
+            } else {
+                dottedVersion = dottedVersion + "." + current;
+            }
+            tokens.add(dottedVersion);
+        }
+    }
+}

src/main/java/org/codesecure/dependencycheck/data/nvdcve/CveDB.java

@@ -33,6 +33,7 @@ import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.codesecure.dependencycheck.data.cpe.Entry;
+import org.codesecure.dependencycheck.data.cwe.CweDB;
 import org.codesecure.dependencycheck.dependency.Reference;
 import org.codesecure.dependencycheck.dependency.Vulnerability;
 import org.codesecure.dependencycheck.dependency.VulnerableSoftware;
@@ -46,7 +47,6 @@ import org.codesecure.dependencycheck.utils.Settings;
 public class CveDB {
 
     //<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
-
     /**
      * SQL Statement to create an index on the reference table
      */
@@ -123,9 +123,9 @@ public class CveDB {
     /**
      * SQL Statement to select a vulnerability by CVEID
      */
-    public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
+    public static final String SELECT_VULNERABILITY = "SELECT cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+            + "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cveid = ?";
     //</editor-fold>
-
     //<editor-fold defaultstate="collapsed" desc="Collection of CallableStatements to work with the DB">
     /**
      * delete reference - parameters (cveid)
@@ -148,7 +148,8 @@ public class CveDB {
      */
     private CallableStatement insertSoftware = null;
     /**
-     * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
+     * insert vulnerability - parameters (cveid, description, cwe, cvssScore, cvssAccessVector,
+     * cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact)
      */
     private CallableStatement insertVulnerability = null;
     /**
@@ -168,7 +169,6 @@ public class CveDB {
      */
     private CallableStatement selectSoftware = null;
     //</editor-fold>
-
     /**
      * Database connection
      */
@@ -273,7 +273,14 @@ public class CveDB {
                 vuln = new Vulnerability();
                 vuln.setName(cve);
                 vuln.setDescription(rsV.getString(2));
-                vuln.setCwe(rsV.getString(3));
+                String cwe = rsV.getString(3);
+                if (cwe != null) {
+                    String name = CweDB.getCweName(cwe);
+                    if (name != null) {
+                        cwe += " " + name;
+                    }
+                }
+                vuln.setCwe(cwe);
                 vuln.setCvssScore(rsV.getFloat(4));
                 vuln.setCvssAccessVector(rsV.getString(5));
                 vuln.setCvssAccessComplexity(rsV.getString(6));

src/main/java/org/codesecure/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -77,7 +77,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
     /**
      * The current version of the database
      */
-    public static final String DATABASE_VERSION = "2.1";
+    public static final String DATABASE_VERSION = "2.2";
 
     /**
      * <p>Downloads the latest NVD CVE XML file from the web and imports it into

src/main/java/org/codesecure/dependencycheck/dependency/Dependency.java

@@ -23,6 +23,9 @@ import java.io.IOException;
 import java.security.NoSuchAlgorithmException;
 import java.util.ArrayList;
 import java.util.List;
+import java.util.Set;
+import java.util.SortedSet;
+import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.codesecure.dependencycheck.utils.Checksum;
@@ -87,7 +90,7 @@ public class Dependency {
         productEvidence = new EvidenceCollection();
         versionEvidence = new EvidenceCollection();
         identifiers = new ArrayList<Identifier>();
-        vulnerabilities = new ArrayList<Vulnerability>();
+        vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
     }
 
     /**
@@ -366,7 +369,8 @@ public class Dependency {
     }
 
     /**
-     * Determines if the specified string was used when searching.
+     * Determines if the specified string was used when searching. This is
+     * currently only used in test.
      *
      * @param str is the string that is being checked if it was used.
      * @return true or false.
@@ -390,14 +394,14 @@ public class Dependency {
     /**
      * A list of vulnerabilities for this dependency
      */
-    private List<Vulnerability> vulnerabilities;
+    private SortedSet<Vulnerability> vulnerabilities;
 
     /**
      * Get the list of vulnerabilities
      *
      * @return the list of vulnerabilities
      */
-    public List<Vulnerability> getVulnerabilities() {
+    public Set<Vulnerability> getVulnerabilities() {
         return vulnerabilities;
     }
 
@@ -406,7 +410,7 @@ public class Dependency {
      *
      * @param vulnerabilities new value of vulnerabilities
      */
-    public void setVulnerabilities(List<Vulnerability> vulnerabilities) {
+    public void setVulnerabilities(SortedSet<Vulnerability> vulnerabilities) {
         this.vulnerabilities = vulnerabilities;
     }
 

src/main/java/org/codesecure/dependencycheck/dependency/Vulnerability.java

@@ -27,7 +27,7 @@ import java.util.Set;
  *
  * @author Jeremy
  */
-public class Vulnerability implements Serializable {
+public class Vulnerability implements Serializable, Comparable<Vulnerability> {
 
     private static final long serialVersionUID = 307319490326651052L;
     /**
@@ -375,4 +375,13 @@ public class Vulnerability implements Serializable {
         hash = 41 * hash + (this.name != null ? this.name.hashCode() : 0);
         return hash;
     }
+    /**
+     * Compares two vulnerabilities
+     *
+     * @param v a vulnerabilitiy to be compared
+     * @return a negative integer, zero, or a positive integer as this object is less than, equal to, or greater than the specified vulnerability
+     */
+    public int compareTo(Vulnerability v) {
+        return v.getName().compareTo(this.getName());
+    }
 }

src/main/java/org/codesecure/dependencycheck/dependency/VulnerabilityComparator.java

@@ -0,0 +1,40 @@
+/*
+ * This file is part of DependencyCheck.
+ *
+ * DependencyCheck is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * DependencyCheck is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.codesecure.dependencycheck.dependency;
+
+import java.io.Serializable;
+import java.util.Comparator;
+
+/**
+ * Comparator for Vulnerability objects.
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Implements the comparison of vulnerabilities.
+     * @param o1 a vulnerability
+     * @param o2 a second vulnerability
+     * @return the comparison
+     */
+    public int compare(Vulnerability o1, Vulnerability o2) {
+        return o2.getName().compareTo(o1.getName());
+    }
+}

src/main/resources/templates/HtmlReport.vsl

@@ -285,18 +285,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <div class="sectioncontent">Report Generated On: $date<br/><br/>
                 Dependencies Scanned:&nbsp;$dependencies.size()<br/><br/>
                 <div class="indent">
+                #set($lnkcnt=0)
                 #foreach($dependency in $dependencies)
+                    #set($lnkcnt=$lnkcnt+1)
                     #if($dependency.getVulnerabilities().size()>0)
-                        <a href="#$esc.html($esc.url($dependency.FilePath))">$esc.html($dependency.FileName)</a>&nbsp;<b style="color:#ff0000;">&#8226;</b><br/>
+                        <a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a>&nbsp;<b style="color:#ff0000;">&#8226;</b><br/>
                     #else
-                        <a href="#$esc.html($esc.url($dependency.FilePath))">$esc.html($dependency.FileName)</a><br/>
+                        <a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a><br/>
                     #end
                 #end
                 </div>
                 <h2>Dependencies</h2>
+                #set($lnkcnt=0)
                 #set($cnt=0)
                 #foreach($dependency in $dependencies)
-                    <h3 class="subsectionheader standardsubsection"><a name="$esc.html($dependency.FilePath)"></a>$esc.html($dependency.FileName)</h3>
+                    #set($lnkcnt=$lnkcnt+1)
+                    <h3 class="subsectionheader standardsubsection"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
                     <div class="subsectioncontent">
                         #if ($dependency.description)
                             <p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
@@ -359,14 +363,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
                         ##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
                         <div id="content$cnt" class="subsectioncontent standardsubsection">
-                        #if($cpeCount>1)
+                        #if ($dependency.getIdentifiers().size()==0)
-                            Several possible CPEs where identified. If one of the following are correct please update the configuration
-                            to set the hash code for this file to the CPE entry below.<br/><br/>
-                        #end
-                        #if($dependency.getIdentifiers().size()==0)
                             <ul><li><b>None</b></li></ul>
-                        #end
+                        #else ## ($dependency.getIdentifiers().size()>0)
-                        #if($dependency.getIdentifiers().size()>0)
                             <ul>
                             #foreach($id in $dependency.getIdentifiers())
                                 ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
@@ -388,14 +387,15 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                             <p>Severity:
                             #if ($vuln.cvssScore<4.0)
                                 Low
+                            #elseif ($vuln.cvssScore>=7.0)
+                                High
                             #else
-                                #if ($vuln.cvssScore>=7.0)
+                                Medium
-                                    High
-                                #else
-                                    Medium
-                                #end
                             #end
-                            <br/>CVSS Score: $vuln.cvssScore</p>
+                            <br/>CVSS Score: $vuln.cvssScore
+                            #if ($vuln.cwe)
+                                <br/>CWE: $vuln.cwe
+                            #end</p>
                             <p>$esc.html($vuln.description)
                                 #if ($vuln.getReferences().size()>0)
                                     <ul>

src/test/java/org/codesecure/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -103,14 +103,25 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         Dependency spring = new Dependency(fileSpring);
         jarAnalyzer.analyze(spring, null);
 
+        File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        Dependency spring3 = new Dependency(fileSpring3);
+        jarAnalyzer.analyze(spring3, null);
+
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
         String expResult = "cpe:/a:apache:struts:2.1.2";
+        String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
+        String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
         instance.determineCPE(depends);
         instance.determineCPE(spring);
+        instance.determineCPE(spring3);
         instance.close();
-        assertTrue("Incorrect match", depends.getIdentifiers().size() == 1);
+        assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() == 1);
-        assertTrue("Incorrect match", depends.getIdentifiers().get(0).getValue().equals(expResult));
+        assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
+        assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
+        assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
+        assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 9);
+        //assertTrue("Incorrect match - spring3", spring3.getIdentifiers().get(0).getValue().equals(expResultSpring3));
     }
 
 

src/test/java/org/codesecure/dependencycheck/data/cwe/CweDBTest.java

@@ -0,0 +1,78 @@
+/*
+ * To change this template, choose Tools | Templates
+ * and open the template in the editor.
+ */
+package org.codesecure.dependencycheck.data.cwe;
+
+import java.io.ObjectOutputStream;
+import java.io.FileOutputStream;
+import java.util.Map;
+import java.io.File;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class CweDBTest {
+
+    public CweDBTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Method to serlize the CWE HashMap. This is not used in
+     * production; this is only used once during dev to create
+     * the serialized hashmap.
+     */
+//    @Test
+//    public void testUpdate() throws Exception {
+//        SAXParserFactory factory = SAXParserFactory.newInstance();
+//        SAXParser saxParser = factory.newSAXParser();
+//
+//        CweHandler handler = new CweHandler();
+//        File file = new File(this.getClass().getClassLoader().getResource("cwe.2000.xml").getPath());
+//
+//        saxParser.parse(file, handler);
+//        System.out.println("Found " + handler.getCwe().size() + " cwe entries.");
+//        Map<String,String> cwe = handler.getCwe();
+//        FileOutputStream fout = new FileOutputStream("src/main/resources/data/cwe.hashmap.serialized");
+//        ObjectOutputStream objOut = new ObjectOutputStream(fout);
+//        objOut.writeObject(cwe);
+//        objOut.close();
+//    }
+
+    /**
+     * Test of getCweName method, of class CweDB.
+     */
+    @Test
+    public void testGetCweName() {
+        System.out.println("getCweName");
+        String cweId = "CWE-16";
+        String expResult = "Configuration";
+        String result = CweDB.getCweName(cweId);
+        assertEquals(expResult, result);
+    }
+}