updated to version 0.3.2.4

Former-commit-id: 9d6644482abcfb4f69f360fa60cf08370579250c

.gitignore

@@ -6,4 +6,6 @@
 .idea/
 # Eclipse project files
 .classpath
-.project
+.project
+# Netbeans configuration
+nb-configuration.xml

NOTICES.txt

@@ -1,11 +1,13 @@
 DependencyCheck
 Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
 
-This product includes software developed by
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
-The Apache Software Foundation (http://www.apache.org/).
 
-This product includes software developed by
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
-Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includs software developed by Jonathan Hedley (jsoup.org)
 
 This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
 An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html

README.md

@@ -1,16 +1,24 @@
-DependencyCheck
+Dependency-Check
 =========
 
-DependencyCheck is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 
 More information can be found on the [wiki].
 
+Notice
+-
+
+A very big release of new functionality and plugins will be made available during the BlackHat Arsenal on July 31st, 2013. If you are at BlackHat stop by and see the demos!
+
 Usage
 -
 
 > $ mvn package
+
 > $ cd target
+
 > $ java -jar dependency-check-[version].jar -h
+
 > $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
@@ -19,6 +27,7 @@ Mailing List
 -
 
 Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
+
 Post: [dependency-check@googlegroups.com] [post]
 
 Copyright & License

pom.xml

@@ -8,7 +8,7 @@ it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
@@ -20,14 +20,14 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>org.owasp.dependency-check</groupId>
+    <groupId>org.owasp</groupId>
     <artifactId>dependency-check</artifactId>
-    <version>0.3.0.0</version>
+    <version>0.3.2.4</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
     <url>https://github.com/jeremylong/DependencyCheck.git</url>
-    <description>Dependency-Check is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
     <inceptionYear>2012</inceptionYear>
     <organization>
         <name>owasp</name>
@@ -36,14 +36,23 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
     <developers>
         <developer>
             <name>Jeremy Long</name>
-            <email>jeremy.long@gmail.com</email>
+            <email>jeremy.long@owasp.org</email>
-            <organization>owasp</organization>
+            <organization>OWASP</organization>
             <organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
             <roles>
                 <role>architect</role>
                 <role>developer</role>
             </roles>
         </developer>
+        <developer>
+            <name>Steve Springett</name>
+            <email>Steve.Springett@owasp.org</email>
+            <organization>OWASP</organization>
+            <organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
+            <roles>
+                <role>contributor</role>
+            </roles>
+        </developer>
     </developers>
     <scm>
         <connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
@@ -147,7 +156,6 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
                     </excludes>
                 </configuration>
             </plugin>
-
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
@@ -331,6 +339,25 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
                             <groupId>org.codehaus.mojo</groupId>
                             <artifactId>taglist-maven-plugin</artifactId>
                             <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
                         </plugin>
                         <plugin>
                             <groupId>org.apache.maven.plugins</groupId>
@@ -378,13 +405,28 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
             </plugin>
         </plugins>
     </build>
-
     <dependencies>
+        <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>annotations</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope><!-- don't include this in the libs-->
+        </dependency>
         <dependency>
             <groupId>commons-cli</groupId>
             <artifactId>commons-cli</artifactId>
             <version>1.2</version>
         </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.5</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
@@ -395,23 +437,17 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-core</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
-            <!--<version>3.5.0</version>-->
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-analyzers-common</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-queryparser</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
-        </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.4</version>
         </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
@@ -465,7 +501,13 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>1.3.171</version>
+            <version>1.3.172</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.7.2</version>
+            <type>jar</type>
         </dependency>
 
         <!-- The following dependencies are only scanned during integration testing -->

src/main/config/checkstyle-header.txt

@@ -1,19 +1,19 @@
 ^/\*\s*$
-^ \* This file is part of DependencyCheck\.\s*$
+^ \* This file is part of Dependency-Check\.\s*$
 ^ \*\s*$
-^ \* DependencyCheck is free software\: you can redistribute it and/or modify it\s*$
+^ \* Dependency-Check is free software\: you can redistribute it and/or modify it\s*$
 ^ \* under the terms of the GNU General Public License as published by the Free\s*$
 ^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
 ^ \* later version\.
 ^ \*\s*$
-^ \* DependencyCheck is distributed in the hope that it will be useful, but\s*$
+^ \* Dependency-Check is distributed in the hope that it will be useful, but\s*$
 ^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
 ^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
 ^ \* details\.\s*$
 ^ \*\s*$
 ^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* Dependency-Check\. If not, see http://www.gnu.org/licenses/\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[23] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package

src/main/java/org/owasp/dependencycheck/App.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -51,7 +51,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The command line interface for the DependencyCheck application.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class App {
 
@@ -75,24 +75,23 @@ public class App {
      * Configures the logger for use by the application.
      */
     private static void prepareLogger() {
-        //while java doc for JUL says to use preferences api - it throws an exception...
+        InputStream in = null;
-        //Preferences.systemRoot().put("java.util.logging.config.file", "log.properties");
-        //System.getProperties().put("java.util.logging.config.file", "configuration/log.properties");
-
-        //removed the file handler. since this is a console app - just write to console.
-//        File dir = new File("logs");
-//        if (!dir.exists()) {
-//            dir.mkdir();
-//        }
         try {
-            final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+            in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
             LogManager.getLogManager().reset();
             LogManager.getLogManager().readConfiguration(in);
         } catch (IOException ex) {
-            System.err.println(ex.toString());
+            Logger.getLogger(App.class.getName()).log(Level.FINE, "IO Error preparing the logger", ex);
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
         } catch (SecurityException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(App.class.getName()).log(Level.FINE, "Error preparing the logger", ex);
+        } finally {
+            if (in != null) {
+                try {
+                    in.close();
+                } catch (Exception ex) {
+                    Logger.getLogger(App.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
+                }
+            }
         }
     }
 
@@ -109,20 +108,18 @@ public class App {
         } catch (FileNotFoundException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            Logger.getLogger(App.class.getName()).log(Level.WARNING, null, ex);
             return;
         } catch (ParseException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
             return;
         }
 
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(),
+            updateSettings(cli.isAutoUpdate(), cli.isDeepScan(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort());
-                    cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
         }
@@ -137,12 +134,9 @@ public class App {
      * @param outputFormat the output format of the report
      * @param applicationName the application name for the report
      * @param files the files/directories to scan
-     * @param autoUpdate whether to auto-update the cached data from the Internet
-     * @param deepScan whether to perform a deep scan of the evidence in the project dependencies
      */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) {
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
-        final Engine scanner = new Engine(autoUpdate);
+        final Engine scanner = new Engine();
-        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
 
         for (String file : files) {
             scanner.scan(file);
@@ -155,9 +149,33 @@ public class App {
         try {
             report.generateReports(reportDirectory, outputFormat);
         } catch (IOException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
         } catch (Exception ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
+            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
+        }
+    }
+
+    /**
+     * Updates the global Settings.
+     * @param autoUpdate whether or not to update cached web data sources
+     * @param deepScan whether or not to perform a deep scan (increases false positives, but may reduce false negatives)
+     * @param connectionTimeout the timeout to use when downloading resources (null or blank will use default)
+     * @param proxyUrl the proxy url (null or blank means no proxy will be used)
+     * @param proxyPort the proxy port (null or blank means no port will be used)
+     */
+    private void updateSettings(boolean autoUpdate, boolean deepScan, String connectionTimeout, String proxyUrl, String proxyPort) {
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }
     }
 }

src/main/java/org/owasp/dependencycheck/Engine.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,6 +36,8 @@ import org.owasp.dependencycheck.data.UpdateException;
 import org.owasp.dependencycheck.data.UpdateService;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Scans files, directories, etc. for Dependencies. Analyzers are loaded and
@@ -43,29 +45,37 @@ import org.owasp.dependencycheck.utils.FileUtils;
  * Analyzer is associated with the file type then the file is turned into a
  * dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Engine {
 
     /**
      * The list of dependencies.
      */
-    private List<Dependency> dependencies = new ArrayList<Dependency>();
+    private final List<Dependency> dependencies = new ArrayList<Dependency>();
     /**
      * A Map of analyzers grouped by Analysis phase.
      */
-    private EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
+    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
             new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
     /**
      * A set of extensions supported by the analyzers.
      */
-    private Set<String> extensions = new HashSet<String>();
+    private final Set<String> extensions = new HashSet<String>();
 
     /**
      * Creates a new Engine.
      */
     public Engine() {
-        doUpdates();
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
+        }
+        if (autoUpdate) {
+            doUpdates();
+        }
         loadAnalyzers();
     }
 
@@ -73,8 +83,12 @@ public class Engine {
      * Creates a new Engine.
      *
      * @param autoUpdate indicates whether or not data should be updated from
-     * the Internet.
+     * the Internet
+     * @deprecated This function should no longer be used;
+     * the autoupdate flag should be set using:
+     * <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
      */
+    @Deprecated
     public Engine(boolean autoUpdate) {
         if (autoUpdate) {
             doUpdates();
@@ -131,6 +145,18 @@ public class Engine {
      */
     public void scan(String path) {
         final File file = new File(path);
+        scan(file);
+    }
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be
+     * scanned recursively. Any dependencies identified are added to the
+     * dependency collection.
+     *
+     * @since v0.3.2.4
+     *
+     * @param file the path to a file or directory to be analyzed.
+     */
+    public void scan(File file) {
         if (file.exists()) {
             if (file.isDirectory()) {
                 scanDirectory(file);
@@ -139,7 +165,6 @@ public class Engine {
             }
         }
     }
-
     /**
      * Recursively scans files and directories. Any dependencies identified are
      * added to the dependency collection.
@@ -148,11 +173,13 @@ public class Engine {
      */
     protected void scanDirectory(File dir) {
         final File[] files = dir.listFiles();
-        for (File f : files) {
+        if (files != null) {
-            if (f.isDirectory()) {
+            for (File f : files) {
-                scanDirectory(f);
+                if (f.isDirectory()) {
-            } else {
+                    scanDirectory(f);
-                scanFile(f);
+                } else {
+                    scanFile(f);
+                }
             }
         }
     }
@@ -165,8 +192,9 @@ public class Engine {
      */
     protected void scanFile(File file) {
         if (!file.isFile()) {
-            final String msg = String.format("Path passed to scanFile(File) is not a file: %s.", file.toString());
+            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
-            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+            return;
         }
         final String fileName = file.getName();
         final String extension = FileUtils.getFileExtension(fileName);
@@ -193,12 +221,13 @@ public class Engine {
                 try {
                     a.initialize();
                 } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
+                    final String msg = String.format("\"Exception occurred initializing \"%s\".\"", a.getName());
-                            "Exception occurred initializing " + a.getName() + ".", ex);
+                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+                    Logger.getLogger(Engine.class.getName()).log(Level.INFO, msg, ex);
                     try {
                         a.close();
                     } catch (Exception ex1) {
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINER, null, ex1);
+                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
                     }
                 }
             }
@@ -209,15 +238,17 @@ public class Engine {
             final List<Analyzer> analyzerList = analyzers.get(phase);
 
             for (Analyzer a : analyzerList) {
-                //need to create a copy of the collection because some of the
+                /* need to create a copy of the collection because some of the
-                // analyzers may modify it. This prevents ConcurrentModificationExceptions.
+                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
+                 * This is okay for adds/deletes because it happens per analyzer.
+                 */
                 final Set<Dependency> dependencySet = new HashSet<Dependency>();
                 dependencySet.addAll(dependencies);
                 for (Dependency d : dependencySet) {
                     if (a.supportsExtension(d.getFileExtension())) {
                         try {
                             a.analyze(d, this);
-                          } catch (AnalysisException ex) {
+                        } catch (AnalysisException ex) {
                             d.addAnalysisException(ex);
                         }
                     }
@@ -232,14 +263,14 @@ public class Engine {
                 try {
                     a.close();
                 } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }
     }
 
     /**
-     *
+     * Cycles through the cached web data sources and calls update on all of them.
      */
     private void doUpdates() {
         final UpdateService service = UpdateService.getInstance();
@@ -249,8 +280,10 @@ public class Engine {
             try {
                 source.update();
             } catch (UpdateException ex) {
-                Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
+                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
-                        "Unable to update " + source.getClass().getName(), ex);
+                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE,
+                String.format("Unable to update details for %s", source.getClass().getName()), ex);
             }
         }
     }

src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,7 +24,7 @@ import java.util.Set;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 
@@ -47,15 +47,17 @@ public abstract class AbstractAnalyzer implements Analyzer {
 
     /**
      * The initialize method does nothing for this Analyzer.
+     * @throws Exception thrown if there is an exception
      */
-    public void initialize() {
+    public void initialize() throws Exception {
         //do nothing
     }
 
     /**
      * The close method does nothing for this Analyzer.
+     * @throws Exception thrown if there is an exception
      */
-    public void close() {
+    public void close() throws Exception {
         //do nothing
     }
 }

src/main/java/org/owasp/dependencycheck/analyzer/AnalysisException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An exception thrown when the analysis of a dependency fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AnalysisException extends Exception {
 

src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,36 +21,44 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An enumeration defining the phases of analysis.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public enum AnalysisPhase {
 
     /**
-     * The first phase of analysis.
+     * Initialization phase.
      */
     INITIAL,
     /**
-     * The second phase of analysis.
+     * Information collection phase.
      */
     INFORMATION_COLLECTION,
     /**
-     * The third phase of analysis.
+     * Pre identifier analysis phase.
      */
     PRE_IDENTIFIER_ANALYSIS,
     /**
-     * The fourth phase of analysis.
+     * Identifier analysis phase.
      */
     IDENTIFIER_ANALYSIS,
     /**
-     * The fifth phase of analysis.
+     * Post identifier analysis phase.
      */
     POST_IDENTIFIER_ANALYSIS,
     /**
-     * The sixth phase of analysis.
+     * Pre finding analysis phase.
+     */
+    PRE_FINDING_ANALYSIS,
+    /**
+     * Finding analysis phase.
      */
     FINDING_ANALYSIS,
     /**
-     * The seventh and final phase of analysis.
+     * Post analysis phase.
+     */
+    POST_FINDING_ANALYSIS,
+    /**
+     * The final analysis phase.
      */
     FINAL
 }

src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * An analyzer will collect information about the dependency in the form of
  * Evidence.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public interface Analyzer {
 

src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class AnalyzerService {
 

src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,8 +23,12 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
 /**
  * <p>This analyzer ensures dependencies that should be grouped together, to
@@ -35,10 +39,22 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * <p>Note, this grouping only works on dependencies with identified CVE
  * entries</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * A pattern for obtaining the first part of a filename.
+     */
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    /**
+     * a flag indicating if this analyzer has run. This analyzer only runs once.
+     */
+    private boolean analyzed = false;
+    //</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The set of file extensions supported by this analyzer.
      */
@@ -50,11 +66,9 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
-
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
@@ -63,7 +77,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 
     /**
      * Returns the name of the analyzer.
-     *
      * @return the name of the analyzer.
      */
     public String getName() {
@@ -72,7 +85,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 
     /**
      * Returns whether or not this analyzer can process the given extension.
-     *
      * @param extension the file extension to test for support
      * @return whether or not the specified file extension is supported by this
      * analyzer.
@@ -83,16 +95,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 
     /**
      * Returns the phase that the analyzer is intended to run in.
-     *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
-    /**
+    //</editor-fold>
-     * a flag indicating if this analyzer has run. This analyzer only runs once.
-     */
-    private boolean analyzed = false;
 
     /**
      * Analyzes a set of dependencies. If they have been found to have the same
@@ -118,7 +126,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                         final Dependency nextDependency = subIterator.next();
 
                         if (identifiersMatch(dependency, nextDependency)
-                                && hasSameBasePath(dependency, nextDependency)) {
+                                && hasSameBasePath(dependency, nextDependency)
+                                && fileNameMatch(dependency, nextDependency)) {
 
                             if (isCore(dependency, nextDependency)) {
                                 dependency.addRelatedDependency(nextDependency);
@@ -153,6 +162,64 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
     }
 
+    /**
+     * Attempts to trim a maven repo to a common base path. This is typically
+     * [drive]\[repo_location]\repository\[path1]\[path2].
+     *
+     * @param path the path to trim
+     * @return a string representing the base path.
+     */
+    private String getBaseRepoPath(final String path) {
+        int pos = path.indexOf("repository" + File.separator) + 11;
+        if (pos < 0) {
+            return path;
+        }
+        int tmp = path.indexOf(File.separator, pos);
+        if (tmp <= 0) {
+            return path;
+        }
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        tmp = path.indexOf(File.separator, pos);
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        return path.substring(0, pos);
+    }
+
+    /**
+     * Returns true if the file names (and version if it exists) of the two
+     * dependencies are sufficiently similiar.
+     * @param dependency1 a dependency2 to compare
+     * @param dependency2 a dependency2 to compare
+     * @return true if the identifiers in the two supplied dependencies are equal
+     */
+    private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency1.getFileName() == null
+                || dependency2 == null || dependency2.getFileName() == null) {
+            return false;
+        }
+        final String fileName1 = dependency1.getFileName();
+        final String fileName2 = dependency2.getFileName();
+        //version check
+        final DependencyVersion version1 = DependencyVersionUtil.parseVersionFromFileName(fileName1);
+        final DependencyVersion version2 = DependencyVersionUtil.parseVersionFromFileName(fileName2);
+        if (version1 != null && version2 != null) {
+            if (!version1.equals(version2)) {
+                return false;
+            }
+        }
+        //filename check
+        final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
+        final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
+        if (match1.find() && match2.find()) {
+            return match1.group().equals(match2.group());
+        }
+
+        return false;
+    }
+
     /**
      * Returns true if the identifiers in the two supplied dependencies are equal.
      * @param dependency1 a dependency2 to compare
@@ -179,15 +246,22 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             return false;
         }
         final File lFile = new File(dependency1.getFilePath());
-        final String left = lFile.getParent();
+        String left = lFile.getParent();
         final File rFile = new File(dependency2.getFilePath());
-        final String right = rFile.getParent();
+        String right = rFile.getParent();
         if (left == null) {
             if (right == null) {
                 return true;
             }
             return false;
         }
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
+            left = getBaseRepoPath(left);
+            right = getBaseRepoPath(right);
+        }
         return left.equalsIgnoreCase(right);
     }
 
@@ -195,7 +269,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
      *
-     * TODO - consider spliting on /\._-\s/ and checking if all of one side is fully contained in the other
+     * TODO - consider splitting on /\._-\s/ and checking if all of one side is fully contained in the other
      *  With the exception of the word "core". This might work even on groups when we don't have a CVE.
      *
      * @param left the dependency to test

src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -1,38 +1,47 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.UnsupportedEncodingException;
+import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
+import java.util.ListIterator;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.cpe.Entry;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * This analyzer attempts to remove some well known false positives -
  * specifically regarding the java runtime.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The set of file extensions supported by this analyzer.
      */
@@ -48,7 +57,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
@@ -57,7 +65,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     /**
      * Returns the name of the analyzer.
-     *
      * @return the name of the analyzer.
      */
     public String getName() {
@@ -66,27 +73,26 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     /**
      * Returns whether or not this analyzer can process the given extension.
-     *
      * @param extension the file extension to test for support
      * @return whether or not the specified file extension is supported by this
      * analyzer.
      */
     public boolean supportsExtension(String extension) {
-        return true; //EXTENSIONS.contains(extension);
+        return true;
     }
 
     /**
      * Returns the phase that the analyzer is intended to run in.
-     *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
-     *
+     * Analyzes the dependencies and removes bad/incorrect CPE associations
-     *
+     * based on various heuristics.
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
      * @throws AnalysisException is thrown if there is an error reading the JAR
@@ -94,7 +100,16 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         removeJreEntries(dependency);
-        removeVersions(dependency);
+        removeBadMatches(dependency);
+        boolean deepScan = false;
+        try {
+            deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
+        } catch (InvalidSettingException ex) {
+            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.INFO, "deepscan setting is incorrect; expected a boolean.", ex);
+        }
+        if (!deepScan) {
+            removeSpuriousCPE(dependency);
+        }
     }
 
     /**
@@ -102,18 +117,57 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      *
      * @param dependency the dependency being analyzed
      */
-    private void removeVersions(Dependency dependency) {
+    private void removeSpuriousCPE(Dependency dependency) {
-        //todo implement this so that the following is corrected?
+        final List<Identifier> ids = new ArrayList<Identifier>();
-        //cpe: cpe:/a:apache:axis2:1.4
+        ids.addAll(dependency.getIdentifiers());
-        //cpe: cpe:/a:apache:axis:1.4
+        final ListIterator<Identifier> mainItr = ids.listIterator();
-        /* the above was identified from the evidence below:
+        while (mainItr.hasNext()) {
-         Source    Name            Value
+            final Identifier currentId = mainItr.next();
-         Manifest  Bundle-Vendor   Apache Software Foundation
+            final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
-         Manifest  Bundle-Version  1.4
+            if (currentCpe == null) {
-         file      name            axis2-kernel-1.4.1
+                continue;
-         pom       artifactid      axis2-kernel
+            }
-         pom       name            Apache Axis2 - Kernel
+            final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
-         */
+            while (subItr.hasNext()) {
+                final Identifier nextId = subItr.next();
+                final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
+                if (nextCpe == null) {
+                    continue;
+                }
+                if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
+                    if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
+                        // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
+                        final String mainVersion = currentCpe.getVersion();
+                        final String nextVersion = nextCpe.getVersion();
+                        if (mainVersion.length() < nextVersion.length()) {
+                            if (nextVersion.startsWith(mainVersion)) {
+                                //remove mainVersion
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+                        } else {
+                            if (mainVersion.startsWith(nextVersion)) {
+                                //remove nextVersion
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                        }
+                    } else {
+                        if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
+                            //same vendor and version - but different products
+                            // are we dealing with something like Axis & Axis2
+                            final String currentProd = currentCpe.getProduct();
+                            final String nextProd = nextCpe.getProduct();
+                            if (currentProd.startsWith(nextProd)) {
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                            if (nextProd.startsWith(currentProd)) {
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+
+                        }
+                    }
+                }
+            }
+        }
     }
 
     /**
@@ -123,11 +177,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      * @param dependency the dependency to remove JRE CPEs from
      */
     private void removeJreEntries(Dependency dependency) {
-        final List<Identifier> identifiers = dependency.getIdentifiers();
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
         while (itr.hasNext()) {
             final Identifier i = itr.next();
+
             if ((i.getValue().startsWith("cpe:/a:sun:java:")
+                    || i.getValue().startsWith("cpe:/a:sun:java_se")
+                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
                     || i.getValue().startsWith("cpe:/a:oracle:jre")
                     || i.getValue().startsWith("cpe:/a:oracle:jdk"))
                     && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
@@ -135,4 +192,43 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
             }
         }
     }
+
+    /**
+     * Parses a CPE string into an Entry.
+     * @param type the type of identifier
+     * @param value the cpe identifier to parse
+     * @return an Entry constructed from the identifier
+     */
+    private Entry parseCpe(String type, String value) {
+        if (!"cpe".equals(type)) {
+            return null;
+        }
+        final Entry cpe = new Entry();
+        try {
+            cpe.parseName(value);
+        } catch (UnsupportedEncodingException ex) {
+            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            return null;
+        }
+        return cpe;
+    }
+
+    /**
+     * Removes bad CPE matches for a dependency. Unfortunately, right now
+     * these are hard-coded patches for specific problems identified when
+     * testing this ona LARGE volume of jar files.
+     * @param dependency the dependency to analyze
+     */
+    private void removeBadMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            //TODO move this startswith expression to a configuration file?
+            if (i.getValue().startsWith("cpe:/a:apache:xerces-c++:")
+                    && dependency.getFileName().toLowerCase().endsWith(".jar")) {
+                itr.remove();
+            }
+        }
+    }
 }

src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,10 +27,11 @@ import org.owasp.dependencycheck.Engine;
  *
  * Takes a dependency and analyzes the filename and determines the hashes.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -46,7 +47,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
@@ -55,7 +55,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns the name of the analyzer.
-     *
      * @return the name of the analyzer.
      */
     public String getName() {
@@ -64,7 +63,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns whether or not this analyzer can process the given extension.
-     *
      * @param extension the file extension to test for support.
      * @return whether or not the specified file extension is supported by this
      * analyzer.
@@ -75,12 +73,12 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns the phase that the analyzer is intended to run in.
-     *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * Collects information about the file name.

src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,10 +25,11 @@ import org.owasp.dependencycheck.dependency.Evidence;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -41,10 +42,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
      * The set of file extensions supported by this analyzer.
      */
     private static final Set<String> EXTENSIONS = null;
-
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
@@ -53,7 +52,6 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns the name of the analyzer.
-     *
      * @return the name of the analyzer.
      */
     public String getName() {
@@ -62,7 +60,6 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns whether or not this analyzer can process the given extension.
-     *
      * @param extension the file extension to test for support.
      * @return whether or not the specified file extension is supported by this
      * analyzer.
@@ -73,12 +70,12 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**
      * Returns the phase that the analyzer is intended to run in.
-     *
      * @return the phase that the analyzer is intended to run in.
      */
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * The HintAnalyzer uses knowledge about a dependency to add additional information
@@ -98,12 +95,24 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 "org.springframework.core",
                 Evidence.Confidence.HIGH);
 
-        final Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        final Evidence springTest3 = new Evidence("Manifest",
+                "Bundle-Vendor",
+                "SpringSource",
+                Evidence.Confidence.HIGH);
+
+
+        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
             dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
 
+        evidence = dependency.getVendorEvidence().getEvidence();
+        if (evidence.contains(springTest3)) {
+            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
+        }
+
     }
 }

src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -1,28 +1,29 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
-import java.io.FileInputStream;
+import java.util.Enumeration;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.bind.JAXBException;
+import javax.xml.parsers.ParserConfigurationException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -38,41 +39,43 @@ import java.util.Properties;
 import java.util.Set;
 import java.util.StringTokenizer;
 import java.util.jar.Attributes;
+import java.util.jar.JarEntry;
 import java.util.jar.JarFile;
 import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
-import java.util.zip.ZipInputStream;
 import javax.xml.bind.JAXBContext;
 import javax.xml.bind.JAXBElement;
 import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+import org.jsoup.Jsoup;
+import org.owasp.dependencycheck.analyzer.pom.MavenNamespaceFilter;
 import org.owasp.dependencycheck.analyzer.pom.generated.License;
 import org.owasp.dependencycheck.analyzer.pom.generated.Model;
 import org.owasp.dependencycheck.analyzer.pom.generated.Organization;
 import org.owasp.dependencycheck.utils.NonClosingStream;
 import org.owasp.dependencycheck.utils.Settings;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLFilter;
+import org.xml.sax.XMLReader;
 
 /**
  *
  * Used to load a JAR file and collect information that can be used to determine
  * the associated CPE.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
     /**
      * The system independent newline character.
      */
     private static final String NEWLINE = System.getProperty("line.separator");
-    /**
-     * The name of the analyzer.
-     */
-    private static final String ANALYZER_NAME = "Jar Analyzer";
-    /**
-     * The phase that this analyzer is intended to run in.
-     */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
     /**
      * A list of elements in the manifest to ignore.
      */
@@ -98,11 +101,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             "class-path",
             "tool",
             "bundle-manifestversion",
-            "bundlemanifestversion");
+            "bundlemanifestversion",
-    /**
+            "include-resource");
-     * The set of file extensions supported by this analyzer.
+
-     */
-    private static final Set<String> EXTENSIONS = newHashSet("jar");
     /**
      * item in some manifest, should be considered medium confidence.
      */
@@ -119,10 +120,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * item in some manifest, should be considered medium confidence.
      */
     private static final String BUNDLE_VENDOR = "Bundle-Vendor"; //: Apache Software Foundation
+    /**
+     * A pattern to detect HTML within text.
+     */
+    private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
     /**
      * The unmarshaller used to parse the pom.xml from a JAR file.
      */
     private Unmarshaller pomUnmarshaller;
+    //</editor-fold>
 
     /**
      * Constructs a new JarAnalyzer.
@@ -132,31 +138,40 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.analyzer.pom.generated");
             pomUnmarshaller = jaxbContext.createUnmarshaller();
         } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, "Unable to load parser. See the log for more details.");
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
         }
     }
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Jar Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("jar");
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
     public Set<String> getSupportedExtensions() {
         return EXTENSIONS;
     }
-
     /**
      * Returns the name of the analyzer.
-     *
      * @return the name of the analyzer.
      */
     public String getName() {
         return ANALYZER_NAME;
     }
-
     /**
      * Returns whether or not this analyzer can process the given extension.
-     *
      * @param extension the file extension to test for support.
      * @return whether or not the specified file extension is supported by this
      * analyzer.
@@ -164,7 +179,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     public boolean supportsExtension(String extension) {
         return EXTENSIONS.contains(extension);
     }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
@@ -173,6 +187,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * Loads a specified JAR file and collects information from the manifest and
@@ -185,11 +200,23 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         boolean addPackagesAsEvidence = false;
+        //todo - catch should be more granular here, one for each call likely
+        //todo - think about sources/javadoc jars, should we remove or move to related dependency?
         try {
-            addPackagesAsEvidence ^= parseManifest(dependency);
+            final boolean hasManifest = parseManifest(dependency);
-            addPackagesAsEvidence ^= analyzePOM(dependency);
+            final boolean hasPOM = analyzePOM(dependency);
-            addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
+            final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
-            analyzePackageNames(dependency, addPackagesAsEvidence);
+            if ((!hasManifest && !hasPOM) || deepScan) {
+                addPackagesAsEvidence = true;
+            }
+            final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
+            if (!hasClasses
+                    && (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-src.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-doc.jar"))) {
+                engine.getDependencies().remove(dependency);
+            }
         } catch (IOException ex) {
             throw new AnalysisException("Exception occurred reading the JAR file.", ex);
         }
@@ -201,144 +228,225 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * the strings contained within the pom.properties if one exists.
      *
      * @param dependency the dependency being analyzed.
-     * @throws IOException is thrown if there is an error reading the zip file.
+     * @throws AnalysisException is thrown if there is an exception parsing the pom.
-     * @throws AnalysisException is thrown if there is an exception parsing the
-     * pom.
      * @return whether or not evidence was added to the dependency
      */
-    protected boolean analyzePOM(Dependency dependency) throws IOException, AnalysisException {
+    protected boolean analyzePOM(Dependency dependency) throws AnalysisException {
         boolean foundSomething = false;
-        Properties pomProperties = null;
+        final JarFile jar;
-        final List<Model> poms = new ArrayList<Model>();
-        FileInputStream fs = null;
         try {
-            fs = new FileInputStream(dependency.getActualFilePath());
+            jar = new JarFile(dependency.getActualFilePath());
-            final ZipInputStream zin = new ZipInputStream(fs);
-            ZipEntry entry = zin.getNextEntry();
-
-            while (entry != null) {
-                final String entryName = (new File(entry.getName())).getName().toLowerCase();
-
-                if (!entry.isDirectory() && "pom.xml".equals(entryName)) {
-                    final NonClosingStream stream = new NonClosingStream(zin);
-                    Model p = null;
-                    try {
-                        final JAXBElement obj = (JAXBElement) pomUnmarshaller.unmarshal(stream);
-                        p = (Model) obj.getValue();
-                    } catch (JAXBException ex) {
-                        final String msg = String.format("Unable to parse POM '%s' in '%s'",
-                                entry.getName(), dependency.getFilePath());
-                        final AnalysisException ax = new AnalysisException(msg, ex);
-                        dependency.getAnalysisExceptions().add(ax);
-                        Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO, msg);
-                    }
-                    if (p != null) {
-                        poms.add(p);
-                    }
-                    zin.closeEntry();
-                } else if (!entry.isDirectory() && "pom.properties".equals(entryName)) {
-                    //TODO what if there is more then one pom.properties?
-                    // need to find the POM, then look to see if there is a sibling
-                    // pom.properties and use those together.
-                    if (pomProperties == null) {
-                        Reader reader;
-                        try {
-                            reader = new InputStreamReader(zin, "UTF-8");
-                            pomProperties = new Properties();
-                            pomProperties.load(reader);
-                        } finally {
-                            //zin.closeEntry closes the reader
-                            //reader.close();
-                            zin.closeEntry();
-                        }
-                    } else {
-                        final String msg = "JAR file contains multiple pom.properties files - unable to process POM";
-                        final AnalysisException ax = new AnalysisException(msg);
-                        dependency.getAnalysisExceptions().add(ax);
-                        Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO, msg);
-                    }
-                }
-
-                entry = zin.getNextEntry();
-            }
         } catch (IOException ex) {
-            throw new AnalysisException("Error reading JAR file as zip.", ex);
+            final String msg = String.format("Unable to read JarFile '%s'.", dependency.getActualFilePath());
-        } finally {
+            final AnalysisException ax = new AnalysisException(msg, ex);
-            if (fs != null) {
+            dependency.getAnalysisExceptions().add(ax);
-                fs.close();
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            }
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            return foundSomething;
+        }
+        List<String> pomEntries;
+        try {
+            pomEntries = retrievePomListing(jar);
+        } catch (IOException ex) {
+            final String msg = String.format("Unable to read Jar file entries in '%s'.", dependency.getActualFilePath());
+            final AnalysisException ax = new AnalysisException(msg, ex);
+            dependency.getAnalysisExceptions().add(ax);
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO, msg, ex);
+            return foundSomething;
         }
 
-        for (Model pom : poms) {
+        for (String path : pomEntries) {
-            //group id
+            Properties pomProperties = null;
-            final String groupid = interpolateString(pom.getGroupId(), pomProperties);
+            try {
-            if (groupid != null) {
+                pomProperties = retrievePomProperties(path, jar);
-                foundSomething = true;
+            } catch (IOException ex) {
-                dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.HIGH);
+                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
-                dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.LOW);
             }
-            //artifact id
+            Model pom = null;
-            final String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
+            try {
-            if (artifactid != null) {
+                pom = retrievePom(path, jar);
-                foundSomething = true;
+            } catch (JAXBException ex) {
-                dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
+                final String msg = String.format("Unable to parse POM '%s' in '%s'",
+                        path, dependency.getFilePath());
+                final AnalysisException ax = new AnalysisException(msg, ex);
+                dependency.getAnalysisExceptions().add(ax);
+                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ax);
+            } catch (IOException ex) {
+                final String msg = String.format("Unable to retrieve POM '%s' in '%s'",
+                        path, dependency.getFilePath());
+                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
             }
-            //version
+            foundSomething = setPomEvidence(dependency, pom, pomProperties) || foundSomething;
-            final String version = interpolateString(pom.getVersion(), pomProperties);
+        }
-            if (version != null) {
+        return foundSomething;
-                foundSomething = true;
+    }
-                dependency.getVersionEvidence().addEvidence("pom", "version", version, Evidence.Confidence.HIGH);
+
+    /**
+     * Given a path to a pom.xml within a JarFile, this method attempts to load
+     * a sibling pom.properties if one exists.
+     * @param path the path to the pom.xml within the JarFile
+     * @param jar the JarFile to load the pom.properties from
+     * @return a Properties object or null if no pom.properties was found
+     * @throws IOException thrown if there is an exception reading the pom.properties
+     */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "OS_OPEN_STREAM",
+    justification = "The reader is closed by closing the zipEntry")
+    private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
+        Properties pomProperties = null;
+        final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
+        final ZipEntry propEntry = jar.getEntry(propPath);
+        if (propEntry != null) {
+            final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+            pomProperties = new Properties();
+            pomProperties.load(reader);
+        }
+        return pomProperties;
+    }
+    /**
+     * Searches a JarFile for pom.xml entries and returns a listing of these entries.
+     * @param jar the JarFile to search
+     * @return a list of pom.xml entries
+     * @throws IOException thrown if there is an exception reading a JarEntry
+     */
+    private List<String> retrievePomListing(final JarFile jar) throws IOException {
+        final List<String> pomEntries = new ArrayList<String>();
+        final Enumeration<JarEntry> entries = jar.entries();
+        while (entries.hasMoreElements()) {
+            final JarEntry entry = entries.nextElement();
+            final String entryName = (new File(entry.getName())).getName().toLowerCase();
+                if (!entry.isDirectory() && "pom.xml".equals(entryName)) {
+                    pomEntries.add(entry.getName());
+                }
+        }
+        return pomEntries;
+    }
+    /**
+     * Retrieves the specified POM from a jar file and converts it to a Model.
+     * @param path the path to the pom.xml file within the jar file
+     * @param jar the jar file to extract the pom from
+     * @return returns a {@link org.owasp.dependencycheck.analyzer.pom.generated.Model} object
+     * @throws JAXBException is thrown if there is an exception parsing the pom
+     * @throws IOException is thrown if there is an exception reading the jar
+     */
+    private Model retrievePom(String path, JarFile jar) throws JAXBException, IOException {
+        final ZipEntry entry = jar.getEntry(path);
+        if (entry != null) { //should never be null
+            Model m = null;
+            try {
+                final XMLFilter filter = new MavenNamespaceFilter();
+                final SAXParserFactory spf = SAXParserFactory.newInstance();
+                final SAXParser sp = spf.newSAXParser();
+                final XMLReader xr = sp.getXMLReader();
+                filter.setParent(xr);
+                final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
+                final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
+                final InputSource xml = new InputSource(reader);
+                final SAXSource source = new SAXSource(filter, xml);
+                final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
+                m = el.getValue();
+            } catch (ParserConfigurationException ex) {
+                final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
+                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
+            } catch (SAXException ex) {
+                final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
+                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
             }
-            // org name
+            return m;
-            final Organization org = pom.getOrganization();
+        }
-            if (org != null && org.getName() != null) {
+        return null;
-                foundSomething = true;
+    }
-                final String orgName = interpolateString(org.getName(), pomProperties);
+
-                dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Evidence.Confidence.HIGH);
+    /**
-            }
+     * Sets evidence from the pom on the supplied dependency.
-            //pom name
+     * @param dependency the dependency to set data on
-            final String pomName = interpolateString(pom.getName(), pomProperties);
+     * @param pom the information from the pom
-            if (pomName != null) {
+     * @param pomProperties the pom properties file (null if none exists)
-                foundSomething = true;
+     * @return true if there was evidence within the pom that we could use; otherwise false
-                dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
+     */
+    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
+        boolean foundSomething = false;
+        if (pom == null) {
+            return foundSomething;
+        }
+        //group id
+        final String groupid = interpolateString(pom.getGroupId(), pomProperties);
+        if (groupid != null) {
+            foundSomething = true;
+            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Evidence.Confidence.LOW);
+        }
+        //artifact id
+        final String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
+        if (artifactid != null) {
+            foundSomething = true;
+            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.LOW);
+        }
+        //version
+        final String version = interpolateString(pom.getVersion(), pomProperties);
+        if (version != null) {
+            foundSomething = true;
+            dependency.getVersionEvidence().addEvidence("pom", "version", version, Evidence.Confidence.HIGH);
+        }
+        // org name
+        final Organization org = pom.getOrganization();
+        if (org != null && org.getName() != null) {
+            foundSomething = true;
+            final String orgName = interpolateString(org.getName(), pomProperties);
+            dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Evidence.Confidence.HIGH);
+        }
+        //pom name
+        final String pomName = interpolateString(pom.getName(), pomProperties);
+        if (pomName != null) {
+            foundSomething = true;
+            dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
+        }
+
+        //Description
+        if (pom.getDescription() != null) {
+            foundSomething = true;
+            String description = interpolateString(pom.getDescription(), pomProperties);
+
+            if (HTML_DETECTION_PATTERN.matcher(description).find()) {
+                description = Jsoup.parse(description).text();
             }
 
-            //Description
+            dependency.setDescription(description);
-            if (pom.getDescription() != null) {
+            dependency.getProductEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
-                foundSomething = true;
+            dependency.getVendorEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
-                final String description = interpolateString(pom.getDescription(), pomProperties);
+        }
-                dependency.setDescription(description);
-                dependency.getProductEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
-                dependency.getVendorEvidence().addEvidence("pom", "description", description, Evidence.Confidence.MEDIUM);
-            }
 
-            //license
+        //license
-            if (pom.getLicenses() != null) {
+        if (pom.getLicenses() != null) {
-                String license = null;
+            String license = null;
-                for (License lic : pom.getLicenses().getLicense()) {
+            for (License lic : pom.getLicenses().getLicense()) {
-                    String tmp = null;
+                String tmp = null;
-                    if (lic.getName() != null) {
+                if (lic.getName() != null) {
-                        tmp = interpolateString(lic.getName(), pomProperties);
+                    tmp = interpolateString(lic.getName(), pomProperties);
-                    }
+                }
-                    if (lic.getUrl() != null) {
+                if (lic.getUrl() != null) {
-                        if (tmp == null) {
-                            tmp = interpolateString(lic.getUrl(), pomProperties);
-                        } else {
-                            tmp += ": " + interpolateString(lic.getUrl(), pomProperties);
-                        }
-                    }
                     if (tmp == null) {
-                        continue;
+                        tmp = interpolateString(lic.getUrl(), pomProperties);
-                    }
-                    if (license == null) {
-                        license = tmp;
                     } else {
-                        license += "\n" + tmp;
+                        tmp += ": " + interpolateString(lic.getUrl(), pomProperties);
                     }
                 }
-                if (license != null) {
+                if (tmp == null) {
-                    dependency.setLicense(license);
+                    continue;
                 }
+                if (HTML_DETECTION_PATTERN.matcher(tmp).find()) {
+                    tmp = Jsoup.parse(tmp).text();
+                }
+                if (license == null) {
+                    license = tmp;
+                } else {
+                    license += "\n" + tmp;
+                }
+            }
+            if (license != null) {
+                dependency.setLicense(license);
             }
         }
         return foundSomething;
@@ -353,76 +461,26 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param dependency A reference to the dependency.
      * @param addPackagesAsEvidence a flag indicating whether or not package
      * names should be added as evidence.
+     * @return returns true or false depending on whether classes were identified in the JAR
      * @throws IOException is thrown if there is an error reading the JAR file.
      */
-    protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
+    protected boolean analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
             throws IOException {
-
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
+            final Enumeration en = jar.entries();
-            final java.util.Enumeration en = jar.entries();
-
             final HashMap<String, Integer> level0 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level1 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level2 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level3 = new HashMap<String, Integer>();
-            int count = 0;
+            final int count = collectPackageNameInformation(en, level0, level1, level2, level3);
-            while (en.hasMoreElements()) {
-                final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
-                if (entry.getName().endsWith(".class") && entry.getName().contains("/")) {
-                    final String[] path = entry.getName().toLowerCase().split("/");
-
-                    if ("java".equals(path[0])
-                            || "javax".equals(path[0])
-                            || ("com".equals(path[0]) && "sun".equals(path[0]))) {
-                        continue;
-                    }
-
-                    count += 1;
-                    String temp = path[0];
-                    if (level0.containsKey(temp)) {
-                        level0.put(temp, level0.get(temp) + 1);
-                    } else {
-                        level0.put(temp, 1);
-                    }
-
-                    if (path.length > 2) {
-                        temp += "/" + path[1];
-                        if (level1.containsKey(temp)) {
-                            level1.put(temp, level1.get(temp) + 1);
-                        } else {
-                            level1.put(temp, 1);
-                        }
-                    }
-                    if (path.length > 3) {
-                        temp += "/" + path[2];
-                        if (level2.containsKey(temp)) {
-                            level2.put(temp, level2.get(temp) + 1);
-                        } else {
-                            level2.put(temp, 1);
-                        }
-                    }
-
-                    if (path.length > 4) {
-                        temp += "/" + path[3];
-                        if (level3.containsKey(temp)) {
-                            level3.put(temp, level3.get(temp) + 1);
-                        } else {
-                            level3.put(temp, 1);
-                        }
-                    }
-
-                }
-            }
 
             if (count == 0) {
-                return;
+                return false;
             }
             final EvidenceCollection vendor = dependency.getVendorEvidence();
             final EvidenceCollection product = dependency.getProductEvidence();
-
             for (String s : level0.keySet()) {
                 if (!"org".equals(s) && !"com".equals(s)) {
                     vendor.addWeighting(s);
@@ -518,6 +576,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                 jar.close();
             }
         }
+        return true;
     }
 
     /**
@@ -540,9 +599,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
             final Manifest manifest = jar.getManifest();
             if (manifest == null) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
+                //don't log this for javadoc or sources jar files
-                        "Jar file '{0}' does not contain a manifest.",
+                if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
-                        dependency.getFileName());
+                        && !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
+                        && !dependency.getFileName().toLowerCase().endsWith("-src.jar")
+                        && !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
+                    Logger.getLogger(JarAnalyzer.class.getName()).log(Level.INFO,
+                            String.format("Jar file '%s' does not contain a manifest.",
+                            dependency.getFileName()));
+                }
                 return false;
             }
             final Attributes atts = manifest.getMainAttributes();
@@ -555,7 +620,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
             for (Entry<Object, Object> entry : atts.entrySet()) {
                 String key = entry.getKey().toString();
-                final String value = atts.getValue(key);
+                String value = atts.getValue(key);
+                if (HTML_DETECTION_PATTERN.matcher(value).find()) {
+                    value = Jsoup.parse(value).text();
+                }
                 if (key.equals(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
                     foundSomething = true;
                     productEvidence.addEvidence(source, key, value, Evidence.Confidence.HIGH);
@@ -592,6 +660,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                             && !key.endsWith("jdk")
                             && !key.contains("lastmodified")
                             && !key.endsWith("package")
+                            && !key.endsWith("classpath")
+                            && !key.endsWith("class-path")
                             && !isImportPackage(key, value)) {
 
                         foundSomething = true;
@@ -726,4 +796,71 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
         return false;
     }
+
+    /**
+     * Cycles through an enumeration of JarEntries and collects level 0-3 directory
+     * structure names. This is helpful when analyzing vendor/product as many times
+     * this is included in the package name. This does not analyze core Java package
+     * names.
+     *
+     * @param en an Enumeration of JarEntries
+     * @param level0 HashMap of level 0 package names (e.g. org)
+     * @param level1 HashMap of level 1 package names (e.g. owasp)
+     * @param level2 HashMap of level 2 package names (e.g. dependencycheck)
+     * @param level3 HashMap of level 3 package names (e.g. analyzer)
+     * @return the number of entries processed that were included in the above HashMaps
+     */
+    private int collectPackageNameInformation(Enumeration en, HashMap<String, Integer> level0,
+            HashMap<String, Integer> level1, HashMap<String, Integer> level2, HashMap<String, Integer> level3) {
+        int count = 0;
+        while (en.hasMoreElements()) {
+            final JarEntry entry = (JarEntry) en.nextElement();
+            if (entry.getName().endsWith(".class")) {
+                String[] path;
+                if (entry.getName().contains("/")) {
+                    path = entry.getName().toLowerCase().split("/");
+                    if ("java".equals(path[0])
+                            || "javax".equals(path[0])
+                            || ("com".equals(path[0]) && "sun".equals(path[0]))) {
+                        continue;
+                    }
+                } else {
+                    path = new String[1];
+                    path[0] = entry.getName();
+                }
+                count += 1;
+                String temp = path[0];
+                if (level0.containsKey(temp)) {
+                    level0.put(temp, level0.get(temp) + 1);
+                } else {
+                    level0.put(temp, 1);
+                }
+                if (path.length > 2) {
+                    temp += "/" + path[1];
+                    if (level1.containsKey(temp)) {
+                        level1.put(temp, level1.get(temp) + 1);
+                    } else {
+                        level1.put(temp, 1);
+                    }
+                }
+                if (path.length > 3) {
+                    temp += "/" + path[2];
+                    if (level2.containsKey(temp)) {
+                        level2.put(temp, level2.get(temp) + 1);
+                    } else {
+                        level2.put(temp, 1);
+                    }
+                }
+                if (path.length > 4) {
+                    temp += "/" + path[3];
+                    if (level3.containsKey(temp)) {
+                        level3.put(temp, level3.get(temp) + 1);
+                    } else {
+                        level3.put(temp, 1);
+                    }
+                }
+            }
+        }
+        return count;
+    }
 }

src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,14 +28,11 @@ import java.util.regex.Pattern;
  * Used to load a JAR file and collect information that can be used to determine
  * the associated CPE.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
 
-    /**
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
-     * The system independent newline character.
-     */
-    private static final String NEWLINE = System.getProperty("line.separator");
     /**
      * The name of the analyzer.
      */
@@ -86,6 +83,7 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * Loads a specified JAR file and collects information from the manifest and
@@ -101,32 +99,23 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     }
 
-    /**
-     * Adds license information to the given dependency.
-     *
-     * @param d the dependency
-     * @param license the license
-     */
-    private void addLicense(Dependency d, String license) {
-        if (d.getLicense() == null) {
-            d.setLicense(license);
-        } else if (!d.getLicense().contains(license)) {
-            d.setLicense(d.getLicense() + NEWLINE + license);
-        }
-    }
-
     /**
      * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void initialize() {
+    @Override
+    public void initialize() throws Exception {
         //do nothing
     }
 
     /**
      * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void close() {
+    @Override
+    public void close() throws Exception {
         //do nothing
     }
-
 }

src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -1,163 +0,0 @@
-/*
- * This file is part of DependencyCheck.
- *
- * DependencyCheck is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * DependencyCheck is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.analyzer;
-
-import java.util.ArrayList;
-import java.util.List;
-import java.util.Set;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Identifier;
-
-/**
- * This analyzer ensures that the Spring Framework Core CPE identifiers are only associated
- * with the "core" jar files. If there are other Spring JARs, such as spring-beans, and
- * spring-core is in the scanned dependencies then only the spring-core will have a reference
- * to the CPE values (if there are any for the version of spring being used).
- *
- * @author Jeremy Long (jeremy.long@gmail.com)
- */
-public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
-
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = newHashSet("jar");
-    /**
-     * The name of the analyzer.
-     */
-    private static final String ANALYZER_NAME = "Jar Analyzer";
-    /**
-     * The phase that this analyzer is intended to run in.
-     */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
-    /**
-     * Returns the name of the analyzer.
-     *
-     * @return the name of the analyzer.
-     */
-    public String getName() {
-        return ANALYZER_NAME;
-    }
-
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
-    /**
-     * Returns the phase that the analyzer is intended to run in.
-     *
-     * @return the phase that the analyzer is intended to run in.
-     */
-    public AnalysisPhase getAnalysisPhase() {
-        return ANALYSIS_PHASE;
-    }
-
-    /**
-     * a list of spring versions.
-     */
-    private List<Identifier> springVersions;
-
-    /**
-     * Determines if several "spring" libraries were scanned and trims the
-     * cpe:/a:springsource:spring_framework:[version] from the none "core" framework
-     * if the core framework was part of the scan.
-     *
-     * @param dependency the dependency to analyze.
-     * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
-     */
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        collectSpringFrameworkIdentifiers(engine);
-
-        final List<Identifier> identifiersToRemove = new ArrayList<Identifier>();
-        for (Identifier identifier : dependency.getIdentifiers()) {
-            if (springVersions.contains(identifier) && !isCoreFramework(dependency.getFileName())) {
-                identifiersToRemove.add(identifier);
-            }
-        }
-
-        for (Identifier i : identifiersToRemove) {
-            dependency.getIdentifiers().remove(i);
-        }
-    }
-
-    /**
-     * Cycles through the dependencies and creates a collection of the spring identifiers.
-     *
-     * @param engine the core engine.
-     */
-    private void collectSpringFrameworkIdentifiers(Engine engine) {
-        //check to see if any of the libs are the core framework
-        if (springVersions == null) {
-            springVersions = new ArrayList<Identifier>();
-            for (Dependency d : engine.getDependencies()) {
-                if (supportsExtension(d.getFileExtension())) {
-                    for (Identifier i : d.getIdentifiers()) {
-                        if (isSpringFrameworkCpe(i)) {
-                            if (isCoreFramework(d.getFileName())) {
-                                springVersions.add(i);
-                            }
-                        }
-                    }
-                }
-            }
-        }
-    }
-
-    /**
-     * Attempts to determine if the identifier is for the spring framework.
-     *
-     * @param identifier an identifier
-     * @return whether or not it is believed to be a spring identifier
-     */
-    private boolean isSpringFrameworkCpe(Identifier identifier) {
-        return "cpe".equals(identifier.getType())
-                && (identifier.getValue().startsWith("cpe:/a:springsource:spring_framework:")
-                || identifier.getValue().startsWith("cpe:/a:vmware:springsource_spring_framework"));
-    }
-
-    /**
-     * Attempts to determine if the file name passed in is for the core spring-framework.
-     *
-     * @param filename a file name
-     * @return whether or not it is believed the file name is for the core spring framework
-     */
-    private boolean isCoreFramework(String filename) {
-        return filename.toLowerCase().matches("^spring([ _-]?core)?[ _-]?\\d.*");
-    }
-}

src/main/java/org/owasp/dependencycheck/analyzer/package-info.java

@@ -1,13 +1,11 @@
 /**
  * <html>
  * <head>
- * <title>org.owasp.dependencycheck.scanner</title>
+ * <title>org.owasp.dependencycheck.analyzer</title>
  * </head>
  * <body>
- * The scanner package contains the utilities to scan files and directories for
+ * Analyzers are used to inspect the identified dependencies, collect Evidence,
- * dependencies. Analyzers are used to inspect the identified dependencies and
+ * and process the dependencies.
- * collect Evidence. This evidence is then used to determine if the dependency
- * has a known CPE.
  * </body>
  * </html>
 */

src/main/java/org/owasp/dependencycheck/analyzer/pom/MavenNamespaceFilter.java

@@ -0,0 +1,93 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer.pom;
+
+import org.xml.sax.Attributes;
+import org.xml.sax.SAXException;
+import org.xml.sax.helpers.XMLFilterImpl;
+
+/**
+ * This filter is used when parsing POM documents. Some POM documents
+ * do not specify the xmlns="http://maven.apache.org/POM/4.0.0". This
+ * filter ensures that the correct namespace is added so that both
+ * types of POMs can be read.
+ * @author Jeremy Long (jeremy.long@gmail.com)
+ */
+public class MavenNamespaceFilter extends XMLFilterImpl {
+
+    /**
+     * The namespace to add for Maven POMs.
+     */
+    private static final String NAMESPACE = "http://maven.apache.org/POM/4.0.0";
+    /**
+     * A flag indicating whether or not the namespace (prefix) has been added.
+     */
+    private boolean namespaceAdded = false;
+
+    /**
+     * Called at the start of the document parsing.
+     * @throws SAXException thrown if there is a SAXException
+     */
+    @Override
+    public void startDocument() throws SAXException {
+        super.startDocument();
+        startPrefixMapping("", NAMESPACE);
+    }
+
+    /**
+     * Called when an element is started.
+     * @param uri the uri
+     * @param localName the localName
+     * @param qName the qualified name
+     * @param atts the attributes
+     * @throws SAXException thrown if there is a SAXException
+     */
+    @Override
+    public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
+        super.startElement(NAMESPACE, localName, qName, atts);
+    }
+
+    /**
+     * Indicatees the start of the document.
+     * @param uri the uri
+     * @param localName the localName
+     * @param qName the qualified name
+     * @throws SAXException thrown if there is a SAXException
+     */
+    @Override
+    public void endElement(String uri, String localName, String qName)
+            throws SAXException {
+        super.endElement(NAMESPACE, localName, qName);
+    }
+
+    /**
+     * Called when prefix mapping is started.
+     * @param prefix the prefix
+     * @param url the url
+     * @throws SAXException thrown if there is a SAXException
+     */
+    @Override
+    public void startPrefixMapping(String prefix, String url) throws SAXException {
+        if (!this.namespaceAdded) {
+            namespaceAdded = true;
+            super.startPrefixMapping("", NAMESPACE);
+        }
+    }
+
+}

src/main/java/org/owasp/dependencycheck/analyzer/pom/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.analyzer.pom</title>
+ * </head>
+ * <body>
+ * This package contains utility classes used to parse pom.xml files.
+ * </body>
+ * </html>
+*/
+
+package org.owasp.dependencycheck.analyzer.pom;

src/main/java/org/owasp/dependencycheck/data/CachedWebDataSource.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data;
  * Defines an Index who's data is retrieved from the Internet. This data can be
  * downloaded and the index updated.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public interface CachedWebDataSource {
 

src/main/java/org/owasp/dependencycheck/data/UpdateException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when an error occurs reading a setting.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class UpdateException extends IOException {
 

src/main/java/org/owasp/dependencycheck/data/UpdateService.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class UpdateService {
 

src/main/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -43,7 +43,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
  * to discern if there is an associated CPE. It uses the evidence contained
  * within the dependency to search the Lucene index.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CPEAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/data/cpe/Entry.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.apache.lucene.document.Document;
 /**
  * A CPE entry containing the name, vendor, product, and version.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Entry implements Serializable {
 
@@ -49,7 +49,7 @@ public class Entry implements Serializable {
         try {
             entry.parseName(doc.get(Fields.NAME));
         } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(Entry.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(Entry.class.getName()).log(Level.FINE, null, ex);
             entry.name = doc.get(Fields.NAME);
         }
         return entry;
@@ -228,10 +228,7 @@ public class Entry implements Serializable {
             return false;
         }
         final Entry other = (Entry) obj;
-        if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
+        return !((this.name == null) ? (other.name != null) : !this.name.equals(other.name));
-            return false;
-        }
-        return true;
     }
 
     @Override

src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
  * Fields is a collection of field names used within the Lucene index for CPE
  * entries.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class Fields {
 

src/main/java/org/owasp/dependencycheck/data/cpe/Index.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.data.cpe;
 
 import java.io.File;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Map;
 import org.apache.lucene.analysis.Analyzer;
@@ -37,6 +36,7 @@ import org.apache.lucene.store.Directory;
 import org.apache.lucene.store.FSDirectory;
 import org.apache.lucene.util.Version;
 import org.owasp.dependencycheck.data.lucene.AbstractIndex;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
 import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.data.lucene.VersionAnalyzer;
 /**
  * The Index class is used to utilize and maintain the CPE Index.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Index extends AbstractIndex {
 
@@ -58,8 +58,7 @@ public class Index extends AbstractIndex {
      */
     public Directory getDirectory() throws IOException {
         final File path = getDataDirectory();
-        final Directory dir = FSDirectory.open(path);
+        return FSDirectory.open(path);
-        return dir;
     }
 
     /**
@@ -71,20 +70,9 @@ public class Index extends AbstractIndex {
      */
     public File getDataDirectory() throws IOException {
         final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
-        final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        final File path = FileUtils.getDataDirectory(fileName, Index.class);
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
+        if (!path.exists() && !path.mkdirs()) {
-        File exePath = new File(decodedPath);
+            throw new IOException("Unable to create CPE Data directory");
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        if (!path.exists()) {
-            if (!path.mkdirs()) {
-                throw new IOException("Unable to create CPE Data directory");
-            }
         }
         return path;
     }
@@ -102,10 +90,7 @@ public class Index extends AbstractIndex {
         fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
         fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
 
-        final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-                new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-
-        return wrapper;
     }
     /**
      * The search field analyzer for the product field.
@@ -133,10 +118,7 @@ public class Index extends AbstractIndex {
         fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
         fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
 
-        final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-                new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-
-        return wrapper;
     }
 
     /**
@@ -169,7 +151,6 @@ public class Index extends AbstractIndex {
      */
     public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
         final Document doc = convertEntryToDoc(entry);
-        //Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
         final Term term = new Term(Fields.NAME, entry.getName());
         getIndexWriter().updateDocument(term, doc);
     }
@@ -196,7 +177,7 @@ public class Index extends AbstractIndex {
 
         //TODO revision should likely be its own field
         if (entry.getVersion() != null) {
-            Field version = null;
+            Field version;
             if (entry.getRevision() != null) {
                 version = new TextField(Fields.VERSION, entry.getVersion() + " "
                         + entry.getRevision(), Field.Store.NO);

src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import java.util.logging.Logger;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class CweDB {
 
@@ -38,14 +38,14 @@ public final class CweDB {
         //empty
     }
     /**
-     * A hashmap of the CWE data.
+     * A HashMap of the CWE data.
      */
     private static final HashMap<String, String> CWE = loadData();
 
     /**
-     * Loads a hashmap containing the CWE data from a resource found in the jar.
+     * Loads a HashMap containing the CWE data from a resource found in the jar.
      *
-     * @return a hashmap of CWE data
+     * @return a HashMap of CWE data
      */
     private static HashMap<String, String> loadData() {
         ObjectInputStream oin = null;
@@ -53,19 +53,19 @@ public final class CweDB {
             final String filePath = "data/cwe.hashmap.serialized";
             final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
             oin = new ObjectInputStream(input);
-            @SuppressWarnings("unchecked")
+            return (HashMap<String, String>) oin.readObject();
-            final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
-            return data;
         } catch (ClassNotFoundException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
+            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
         } catch (IOException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
+            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
         } finally {
             if (oin != null) {
                 try {
                     oin.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }

src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,14 +26,14 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the CWE XML.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CweHandler extends DefaultHandler {
 
     /**
-     * a hashmap containing the CWE data.
+     * a HashMap containing the CWE data.
      */
-    private HashMap<String, String> cwe = new HashMap<String, String>();
+    private final HashMap<String, String> cwe = new HashMap<String, String>();
 
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).

src/main/java/org/owasp/dependencycheck/data/lucene/AbstractIndex.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -41,7 +41,7 @@ import org.apache.lucene.util.Version;
  * The base Index for other index objects. Implements the open and close
  * methods.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class AbstractIndex {
 
@@ -98,16 +98,24 @@ public abstract class AbstractIndex {
             try {
                 indexWriter.commit();
             } catch (CorruptIndexException ex) {
-                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "Unable to update database, there is a corrupt index.";
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
             } catch (IOException ex) {
-                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "Unable to update database due to an IO error.";
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
             }
             try {
                 indexWriter.close(true);
             } catch (CorruptIndexException ex) {
-                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "Unable to update database, there is a corrupt index.";
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
             } catch (IOException ex) {
-                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "Unable to update database due to an IO error.";
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
             } finally {
                 indexWriter = null;
             }
@@ -129,7 +137,9 @@ public abstract class AbstractIndex {
         try {
             directory.close();
         } catch (IOException ex) {
-            Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = "Unable to update database due to an IO error.";
+            Logger.getLogger(AbstractIndex.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(AbstractIndex.class.getName()).log(Level.FINE, null, ex);
         } finally {
             directory = null;
         }
@@ -250,14 +260,11 @@ public abstract class AbstractIndex {
      * @throws IOException is thrown if there is an issue with the underlying Index
      */
     public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
-
         final QueryParser parser = getQueryParser();
         final Query query = parser.parse(searchString);
         resetSearchingAnalyzer();
         final IndexSearcher is = getIndexSearcher();
-        final TopDocs docs = is.search(query, maxQueryResults);
+        return is.search(query, maxQueryResults);
-
-        return docs;
     }
 
     /**

src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencySimilarity extends DefaultSimilarity {
 

src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,14 +34,14 @@ import org.apache.lucene.util.Version;
  * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is
  * to index the CPE fields vendor and product.</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FieldAnalyzer extends Analyzer {
 
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new FieldAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.lucene;
  * <p>Lucene utils is a set of utilize written to make constructing Lucene
  * queries simpler.</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class LuceneUtils {
 
@@ -40,6 +40,9 @@ public final class LuceneUtils {
      * @param text the data to be escaped
      */
     @SuppressWarnings("fallthrough")
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    value = "SF_SWITCH_NO_DEFAULT",
+    justification = "The switch below does have a default.")
     public static void appendEscapedLuceneQuery(StringBuilder buf,
             final CharSequence text) {
 

src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,14 +32,14 @@ import org.apache.lucene.util.Version;
 /**
  * A Lucene field analyzer used to analyzer queries against the CPE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class SearchFieldAnalyzer extends Analyzer {
 
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
     /**
      * A local reference to the TokenPairConcatenatingFilter so that we
      * can clear any left over state if this analyzer is re-used.

src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
 /**
  * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class SearchVersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
@@ -42,7 +42,7 @@ public class SearchVersionAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new SearchVersionAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
  * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
  * Framework FrameworkCore Core".</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class TokenPairConcatenatingFilter extends TokenFilter {
 
@@ -50,7 +50,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     /**
      * A list of words parsed.
      */
-    private LinkedList<String> words;
+    private final LinkedList<String> words;
 
     /**
      * Constructs a new TokenPairConcatenatingFilter.

src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
 /**
  * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
@@ -42,7 +42,7 @@ public class VersionAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new VersionAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
  * 3.0.0.RELEASE".</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class VersionTokenizingFilter extends TokenFilter {
 
@@ -41,7 +41,7 @@ public final class VersionTokenizingFilter extends TokenFilter {
     /**
      * A collection of tokens to add to the stream.
      */
-    private LinkedList<String> tokens;
+    private final LinkedList<String> tokens;
 
     /**
      * Constructs a new VersionTokenizingFilter.

src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve;
  * An exception used to indicate the db4o database is corrupt.
  * This could be due to invalid data or a complete failure of the db.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 class CorruptDatabaseException extends DatabaseException {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,6 @@ package org.owasp.dependencycheck.data.nvdcve;
 import java.io.File;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -37,12 +36,13 @@ import org.owasp.dependencycheck.data.cwe.CweDB;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * The database holding information about the NVD CVE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CveDB {
 
@@ -181,14 +181,19 @@ public class CveDB {
      * @throws IOException thrown if there is an IO Exception
      * @throws SQLException thrown if there is a SQL Exception
      * @throws DatabaseException thrown if there is an error initializing a new database
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
-    public void open() throws IOException, SQLException, DatabaseException {
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    value = "DMI_EMPTY_DB_PASSWORD",
+    justification = "Yes, I know... Blank password.")
+    public void open() throws IOException, SQLException, DatabaseException, ClassNotFoundException {
         final String fileName = CveDB.getDataDirectory().getCanonicalPath()
                 + File.separator
                 + "cve";
         final File f = new File(fileName);
         final boolean createTables = !f.exists();
         final String connStr = "jdbc:h2:file:" + fileName;
+        Class.forName("org.h2.Driver");
         conn = DriverManager.getConnection(connStr, "sa", "");
         if (createTables) {
             createTables();
@@ -215,16 +220,18 @@ public class CveDB {
             try {
                 conn.close();
             } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
+                Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg, ex);
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
             }
             conn = null;
         }
     }
 
     /**
-     * Retrieves the vulnerabilities associated with the specified CPE cpe.
+     * Retrieves the vulnerabilities associated with the specified CPE.
      *
-     * @param cpeStr the CPE cpe name
+     * @param cpeStr the CPE name
      * @return a list of Vulnerabilities
      * @throws DatabaseException thrown if there is an exception retrieving data
      */
@@ -234,7 +241,9 @@ public class CveDB {
         try {
             cpe.parseName(cpeStr);
         } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = "There was an encoding error parsing a vulerability, see the log for more details.";
+            Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, String.format("Error parsing '%s'", cpeStr), ex);
         }
         final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
 
@@ -254,7 +263,7 @@ public class CveDB {
                 try {
                     rs.close();
                 } catch (SQLException ex) {
-                    Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
                 }
             }
         }
@@ -305,11 +314,11 @@ public class CveDB {
                 rsS = selectSoftware.executeQuery();
                 while (rsS.next()) {
                     final String cpe = rsS.getString(1);
-                    final String prevVers = rsS.getString(2);
+                    final String prevVersion = rsS.getString(2);
-                    if (prevVers == null) {
+                    if (prevVersion == null) {
                         vuln.addVulnerableSoftware(cpe);
                     } else {
-                        vuln.addVulnerableSoftware(cpe, prevVers);
+                        vuln.addVulnerableSoftware(cpe, prevVersion);
                     }
                 }
             }
@@ -320,21 +329,21 @@ public class CveDB {
                 try {
                     rsV.close();
                 } catch (SQLException ex) {
-                    Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
                 }
             }
             if (rsR != null) {
                 try {
                     rsR.close();
                 } catch (SQLException ex) {
-                    Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
                 }
             }
             if (rsS != null) {
                 try {
                     rsS.close();
                 } catch (SQLException ex) {
-                    Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing RecordSet", ex);
                 }
             }
         }
@@ -393,8 +402,9 @@ public class CveDB {
             }
 
         } catch (SQLException ex) {
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = String.format("Error updating '%s'", vuln.getName());
-            throw new DatabaseException("Error updating '" + vuln.getName() + "'", ex);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException(msg, ex);
         }
     }
 
@@ -407,18 +417,7 @@ public class CveDB {
      */
     public static File getDataDirectory() throws IOException {
         final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
-        final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        final File path = FileUtils.getDataDirectory(fileName, CveDB.class);
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-
         if (!path.exists()) {
             if (!path.mkdirs()) {
                 throw new IOException("Unable to create NVD CVE Data directory");
@@ -449,7 +448,7 @@ public class CveDB {
                 try {
                     statement.close();
                 } catch (SQLException ex) {
-                    Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Error closing Statement", ex);
                 }
             }
         }

src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
  * An exception thrown if an operation against the database fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseException extends Exception {
     /**

src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,12 +29,13 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and
  * attempts to discern if there is an associated CVEs. It uses the the
  * identifiers found by other analyzers to lookup the CVE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCveAnalyzer implements Analyzer {
 
@@ -53,8 +54,9 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
-    public void open() throws SQLException, IOException, DatabaseException {
+    public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
         cveDB.open();
     }
@@ -105,7 +107,9 @@ public class NvdCveAnalyzer implements Analyzer {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
                     for (Vulnerability v : vulns) {
-                        dependency.addVulnerability(v);
+                        if (isValidMatch(dependency, v)) {
+                            dependency.addVulnerability(v);
+                        }
                     }
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
@@ -159,4 +163,52 @@ public class NvdCveAnalyzer implements Analyzer {
     public void initialize() throws Exception {
         this.open();
     }
+
+    /**
+     * <p>Determines if this is a valid vulnerability match for the given dependency.
+     * Specifically, this is concerned with ensuring the version numbers are correct.</p>
+     * <p>Currently, this is focused on the issues with the versions for Struts 1 and Struts 2.
+     * In the future this will due better matching on more version numbers.</p>
+     * @param dependency the dependency
+     * @param v the vulnerability
+     * @return returns true if the vulnerability is for the given dependency
+     */
+    private boolean isValidMatch(final Dependency dependency, final Vulnerability v) {
+        //right now I only know of the issue with Struts1/2
+        // start with fixing this problem.
+
+        //TODO extend this solution to do better version matching for the vulnerable software.
+        boolean struts1 = false;
+        boolean struts2 = false;
+        for (Identifier i : dependency.getIdentifiers()) {
+            if (i.getValue().startsWith("cpe:/a:apache:struts:")) {
+                final char version = i.getValue().charAt(21);
+                if (version == '1') {
+                    struts1 = true;
+                }
+                if (version == '2') {
+                    struts2 = true;
+                }
+            }
+        }
+        if (!struts1 && !struts2) {
+            return true; //we are not looking at struts, so return true.
+        }
+        if (struts1 && struts2) {
+            return true; //there is a mismatch here, but we can't solve it here so we return valid.
+        }
+        if (struts1) {
+            boolean hasStruts1Vuln = false;
+            boolean hasStruts2PreviousVersion = false;
+            for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
+                hasStruts2PreviousVersion |= vs.hasPreviousVersion() && vs.getName().charAt(21) == '2';
+                hasStruts1Vuln |= vs.getName().charAt(21) == '1';
+            }
+            if (!hasStruts1Vuln && hasStruts2PreviousVersion) {
+                return false;
+            }
+        }
+
+        return true;
+    }
 }

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -54,7 +54,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseUpdater implements CachedWebDataSource {
 
@@ -96,20 +96,20 @@ public class DatabaseUpdater implements CachedWebDataSource {
                 }
             }
             if (maxUpdates > 3) {
-                Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
+                Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
                         "NVD CVE requires several updates; this could take a couple of minutes.");
             }
             int count = 0;
             for (NvdCveUrl cve : update.values()) {
                 if (cve.getNeedsUpdate()) {
                     count += 1;
-                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
+                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
                             "Updating NVD CVE ({0} of {1})", new Object[]{count, maxUpdates});
                     URL url = new URL(cve.getUrl());
                     File outputPath = null;
                     File outputPath12 = null;
                     try {
-                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
+                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
                                 "Downloading {0}", cve.getUrl());
 
                         outputPath = File.createTempFile("cve" + cve.getId() + "_", ".xml");
@@ -119,11 +119,11 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         outputPath12 = File.createTempFile("cve_1_2_" + cve.getId() + "_", ".xml");
                         Downloader.fetchFile(url, outputPath12, false);
 
-                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
+                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
                                 "Processing {0}", cve.getUrl());
                         importXML(outputPath, outputPath12);
 
-                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
+                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO,
                                 "Completed updated {0} of {1}", new Object[]{count, maxUpdates});
                     } catch (FileNotFoundException ex) {
                         throw new UpdateException(ex);
@@ -137,16 +137,29 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         throw new UpdateException(ex);
                     } catch (DatabaseException ex) {
                         throw new UpdateException(ex);
+                    } catch (ClassNotFoundException ex) {
+                        throw new UpdateException(ex);
                     } finally {
+                        boolean deleted = false;
                         try {
                             if (outputPath != null && outputPath.exists()) {
-                                outputPath.delete();
+                                deleted = outputPath.delete();
                             }
                         } finally {
-                            if (outputPath != null && outputPath.exists()) {
+                            if (outputPath != null && (outputPath.exists() || !deleted)) {
                                 outputPath.deleteOnExit();
                             }
                         }
+                        try {
+                            deleted = false;
+                            if (outputPath12 != null && outputPath12.exists()) {
+                                deleted = outputPath12.delete();
+                            }
+                        } finally {
+                            if (outputPath12 != null && (outputPath12.exists() || !deleted)) {
+                                outputPath12.deleteOnExit();
+                            }
+                        }
                     }
                 }
             }
@@ -165,15 +178,15 @@ public class DatabaseUpdater implements CachedWebDataSource {
      *
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
-     * @throws ParserConfigurationException is thrown if there is a
+     * @throws ParserConfigurationException is thrown if there is a parser configuration exception
-     * parserconfigurationexception
+     * @throws SAXException is thrown if there is a SAXException
-     * @throws SAXException is thrown if there is a saxexception
      * @throws IOException is thrown if there is a ioexception
      * @throws SQLException is thrown if there is a sql exception
      * @throws DatabaseException is thrown if there is a database exception
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
     private void importXML(File file, File oldVersion)
-            throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
+            throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
         CveDB cveDB = null;
         Index cpeIndex = null;
 
@@ -197,12 +210,6 @@ public class DatabaseUpdater implements CachedWebDataSource {
             cve20Handler.setPrevVersionVulnMap(prevVersionVulnMap);
             cve20Handler.setCpeIndex(cpeIndex);
             saxParser.parse(file, cve20Handler);
-
-//            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING,
-//                    String.format("%d out of %d entries processed were application specific CVEs.",
-//                    cve20Handler.getTotalNumberOfApplicationEntries(),
-//                    cve20Handler.getTotalNumberOfEntries()));
-
             cve20Handler = null;
         } finally {
             if (cpeIndex != null) {
@@ -229,7 +236,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
         try {
             dir = CveDB.getDataDirectory().getCanonicalPath();
         } catch (IOException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "Error updating the databases propterty file.", ex);
             throw new UpdateException("Unable to locate last updated properties file.", ex);
         }
         final File cveProp = new File(dir + File.separatorChar + UPDATE_PROPERTIES_FILE);
@@ -246,17 +253,24 @@ public class DatabaseUpdater implements CachedWebDataSource {
             out = new OutputStreamWriter(os, "UTF-8");
             prop.store(out, dir);
         } catch (FileNotFoundException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, null, ex);
             throw new UpdateException("Unable to find last updated properties file.", ex);
         } catch (IOException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, null, ex);
             throw new UpdateException("Unable to update last updated properties file.", ex);
         } finally {
             if (out != null) {
                 try {
                     out.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+            if (os != null) {
+                try {
+                    os.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }
@@ -282,11 +296,12 @@ public class DatabaseUpdater implements CachedWebDataSource {
         try {
             currentlyPublished = retrieveCurrentTimestampsFromWeb();
         } catch (InvalidDataException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
-            throw new DownloadFailedException("Unable to retrieve valid timestamp from nvd cve downloads page", ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, msg, ex);
+            throw new DownloadFailedException(msg, ex);
 
         } catch (InvalidSettingException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
             throw new DownloadFailedException("Invalid settings", ex);
         }
 
@@ -297,7 +312,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
         try {
             dir = CveDB.getDataDirectory().getCanonicalPath();
         } catch (IOException ex) {
-            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINE, "CveDB data directory doesn't exist?", ex);
             throw new UpdateException("Unable to locate last updated properties file.", ex);
         }
 
@@ -312,7 +327,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
                     prop.load(is);
 
                     boolean deleteAndRecreate = false;
-                    float version = 0;
+                    float version;
 
                     if (prop.getProperty("version") == null) {
                         deleteAndRecreate = true;
@@ -328,14 +343,14 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         }
                     }
                     if (deleteAndRecreate) {
-                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.WARNING, "Index version is old. Rebuilding the index.");
+                        Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.INFO, "The database version is old. Rebuilding the database.");
                         is.close();
                         //this is an old version of the lucene index - just delete it
                         FileUtils.delete(f);
 
                         //this importer also updates the CPE index and it is also using an old version
-                        final Index cpeid = new Index();
+                        final Index cpeId = new Index();
-                        final File cpeDir = cpeid.getDataDirectory();
+                        final File cpeDir = cpeId.getDataDirectory();
                         FileUtils.delete(cpeDir);
                         return currentlyPublished;
                     }
@@ -359,8 +374,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
                             try {
                                 currentTimestamp = Long.parseLong(prop.getProperty(LAST_UPDATED_BASE + String.valueOf(i), "0"));
                             } catch (NumberFormatException ex) {
-                                Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, "Error parsing " + LAST_UPDATED_BASE
+                                final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated", LAST_UPDATED_BASE, String.valueOf(i));
-                                        + String.valueOf(i) + " from nvdcve.lastupdated", ex);
+                                Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, msg, ex);
                             }
                             if (currentTimestamp == cve.getTimestamp()) {
                                 cve.setNeedsUpdate(false); //they default to true.
@@ -378,7 +393,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         try {
                             is.close();
                         } catch (IOException ex) {
-                            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+                            Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
                         }
                     }
                 }

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
  * An InvalidDataDataException is a generic exception used when trying to load
  * the nvd cve meta data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class InvalidDataException extends Exception {
     /**

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
  * specified. The previous version information is not in the 2.0 version of the
  * schema and is useful to ensure accurate identification (or at least complete).
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve12Handler extends DefaultHandler {
 
@@ -69,7 +69,7 @@ public class NvdCve12Handler extends DefaultHandler {
     /**
      * The current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * a map of vulnerabilities.
      */

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -38,7 +38,7 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the NVD CVE XML (schema version 2.0).
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve20Handler extends DefaultHandler {
 
@@ -49,7 +49,7 @@ public class NvdCve20Handler extends DefaultHandler {
     /**
      * the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * the text of the node.
      */
@@ -172,7 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
                 final float score = Float.parseFloat(nodeText.toString());
                 vulnerability.setCvssScore(score);
             } catch (NumberFormatException ex) {
-                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, null, ex);
+                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
+                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
             }
             nodeText = null;
         } else if (current.isCVSSAccessVectorNode()) {

src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.FileUtils;
  * the form of evidence. The Evidence is then used to determine if there are any
  * known, published, vulnerabilities associated with the program dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Dependency implements Comparable<Dependency> {
 
@@ -68,19 +68,19 @@ public class Dependency implements Comparable<Dependency> {
     /**
      * A list of Identifiers.
      */
-    private List<Identifier> identifiers;
+    private Set<Identifier> identifiers;
     /**
      * A collection of vendor evidence.
      */
-    private EvidenceCollection vendorEvidence;
+    private final EvidenceCollection vendorEvidence;
     /**
      * A collection of product evidence.
      */
-    private EvidenceCollection productEvidence;
+    private final EvidenceCollection productEvidence;
     /**
      * A collection of version evidence.
      */
-    private EvidenceCollection versionEvidence;
+    private final EvidenceCollection versionEvidence;
 
     /**
      * Constructs a new Dependency object.
@@ -89,7 +89,7 @@ public class Dependency implements Comparable<Dependency> {
         vendorEvidence = new EvidenceCollection();
         productEvidence = new EvidenceCollection();
         versionEvidence = new EvidenceCollection();
-        identifiers = new ArrayList<Identifier>();
+        identifiers = new TreeSet<Identifier>();
         vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
     }
 
@@ -222,7 +222,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @return an ArrayList of Identifiers.
      */
-    public List<Identifier> getIdentifiers() {
+    public Set<Identifier> getIdentifiers() {
         return this.identifiers;
     }
 
@@ -231,7 +231,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @param identifiers A list of Identifiers.
      */
-    public void setIdentifiers(List<Identifier> identifiers) {
+    public void setIdentifiers(Set<Identifier> identifiers) {
         this.identifiers = identifiers;
     }
 
@@ -379,8 +379,8 @@ public class Dependency implements Comparable<Dependency> {
         if (str == null) {
             return false;
         }
-
+        return versionEvidence.containsUsedString(str) || productEvidence.containsUsedString(str) || vendorEvidence.containsUsedString(str);
-        if (vendorEvidence.containsUsedString(str)) {
+        /*if (vendorEvidence.containsUsedString(str)) {
             return true;
         }
         if (productEvidence.containsUsedString(str)) {
@@ -390,6 +390,7 @@ public class Dependency implements Comparable<Dependency> {
             return true;
         }
         return false;
+        */
     }
     /**
      * A list of vulnerabilities for this dependency.
@@ -426,9 +427,13 @@ public class Dependency implements Comparable<Dependency> {
             md5 = Checksum.getMD5Checksum(file);
             sha1 = Checksum.getSHA1Checksum(file);
         } catch (IOException ex) {
-            Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
+            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
         } catch (NoSuchAlgorithmException ex) {
-            Logger.getLogger(Dependency.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = "Unable to use MD5 of SHA1 checksums.";
+            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
         }
         this.setMd5sum(md5);
         this.setSha1sum(sha1);
@@ -474,7 +479,7 @@ public class Dependency implements Comparable<Dependency> {
         relatedDependencies.add(dependency);
     }
     /**
-     * Implemenation of the Comparable<Dependency> interface. The comparison
+     * Implementation of the Comparable<Dependency> interface. The comparison
      * is solely based on the file name.
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -482,4 +487,93 @@ public class Dependency implements Comparable<Dependency> {
     public int compareTo(Dependency o) {
         return this.getFileName().compareToIgnoreCase(o.getFileName());
     }
+
+    /**
+     * Implementation of the equals method.
+     * @param obj the object to compare
+     * @return true if the objects are equal, otherwise false
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final Dependency other = (Dependency) obj;
+        if ((this.actualFilePath == null) ? (other.actualFilePath != null) : !this.actualFilePath.equals(other.actualFilePath)) {
+            return false;
+        }
+        if ((this.filePath == null) ? (other.filePath != null) : !this.filePath.equals(other.filePath)) {
+            return false;
+        }
+        if ((this.fileName == null) ? (other.fileName != null) : !this.fileName.equals(other.fileName)) {
+            return false;
+        }
+        if ((this.fileExtension == null) ? (other.fileExtension != null) : !this.fileExtension.equals(other.fileExtension)) {
+            return false;
+        }
+        if ((this.md5sum == null) ? (other.md5sum != null) : !this.md5sum.equals(other.md5sum)) {
+            return false;
+        }
+        if ((this.sha1sum == null) ? (other.sha1sum != null) : !this.sha1sum.equals(other.sha1sum)) {
+            return false;
+        }
+        if (this.identifiers != other.identifiers && (this.identifiers == null || !this.identifiers.equals(other.identifiers))) {
+            return false;
+        }
+        if (this.vendorEvidence != other.vendorEvidence && (this.vendorEvidence == null || !this.vendorEvidence.equals(other.vendorEvidence))) {
+            return false;
+        }
+        if (this.productEvidence != other.productEvidence && (this.productEvidence == null || !this.productEvidence.equals(other.productEvidence))) {
+            return false;
+        }
+        if (this.versionEvidence != other.versionEvidence && (this.versionEvidence == null || !this.versionEvidence.equals(other.versionEvidence))) {
+            return false;
+        }
+        if (this.analysisExceptions != other.analysisExceptions
+                && (this.analysisExceptions == null || !this.analysisExceptions.equals(other.analysisExceptions))) {
+            return false;
+        }
+        if ((this.description == null) ? (other.description != null) : !this.description.equals(other.description)) {
+            return false;
+        }
+        if ((this.license == null) ? (other.license != null) : !this.license.equals(other.license)) {
+            return false;
+        }
+        if (this.vulnerabilities != other.vulnerabilities && (this.vulnerabilities == null || !this.vulnerabilities.equals(other.vulnerabilities))) {
+            return false;
+        }
+        if (this.relatedDependencies != other.relatedDependencies
+                && (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Generates the HashCode.
+     * @return the HashCode
+     */
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 47 * hash + (this.actualFilePath != null ? this.actualFilePath.hashCode() : 0);
+        hash = 47 * hash + (this.filePath != null ? this.filePath.hashCode() : 0);
+        hash = 47 * hash + (this.fileName != null ? this.fileName.hashCode() : 0);
+        hash = 47 * hash + (this.fileExtension != null ? this.fileExtension.hashCode() : 0);
+        hash = 47 * hash + (this.md5sum != null ? this.md5sum.hashCode() : 0);
+        hash = 47 * hash + (this.sha1sum != null ? this.sha1sum.hashCode() : 0);
+        hash = 47 * hash + (this.identifiers != null ? this.identifiers.hashCode() : 0);
+        hash = 47 * hash + (this.vendorEvidence != null ? this.vendorEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.productEvidence != null ? this.productEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.versionEvidence != null ? this.versionEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.analysisExceptions != null ? this.analysisExceptions.hashCode() : 0);
+        hash = 47 * hash + (this.description != null ? this.description.hashCode() : 0);
+        hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
+        hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
+        hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
+        return hash;
+    }
 }

src/main/java/org/owasp/dependencycheck/dependency/Evidence.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.dependency;
 /**
  * Evidence is a piece of information about a Dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Evidence implements Comparable<Evidence> {
 

src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.utils.Filter;
 /**
  * Used to maintain a collection of Evidence.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EvidenceCollection implements Iterable<Evidence> {
 
@@ -80,7 +80,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
      *
      * @param confidence the confidence level for the evidence to be iterated
      * over.
-     * @return Iterable<Evidence>.
+     * @return Iterable<Evidence> an iterable collectoin of evidence
      */
     public final Iterable<Evidence> iterator(Evidence.Confidence confidence) {
         if (confidence == Evidence.Confidence.HIGH) {
@@ -94,11 +94,11 @@ public class EvidenceCollection implements Iterable<Evidence> {
     /**
      * A collection of evidence.
      */
-    private Set<Evidence> list;
+    private final Set<Evidence> list;
     /**
-     * A collection of strings used to adjust lucene's term weighting.
+     * A collection of strings used to adjust Lucene's term weighting.
      */
-    private Set<String> weightedStrings;
+    private final Set<String> weightedStrings;
 
     /**
      * Creates a new EvidenceCollection.

src/main/java/org/owasp/dependencycheck/dependency/Identifier.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.dependency;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Identifier implements Comparable<Identifier> {
 
@@ -31,7 +31,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param value the identifier value.
      * @param url the identifier url.
      */
-    Identifier(String type, String value, String url) {
+    public Identifier(String type, String value, String url) {
         this.type = type;
         this.value = value;
         this.url = url;
@@ -45,7 +45,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param url the identifier url.
      * @param description the description of the identifier.
      */
-    Identifier(String type, String value, String url, String description) {
+    public Identifier(String type, String value, String url, String description) {
         this(type, value, url);
         this.description = description;
     }

src/main/java/org/owasp/dependencycheck/dependency/Reference.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,7 +24,7 @@ import java.io.Serializable;
  * An external reference for a vulnerability. This contains a name, URL, and a
  * source.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Reference implements Serializable, Comparable<Reference> {
 

src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +26,7 @@ import java.util.TreeSet;
 /**
  * Contains the information about a vulnerability.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Vulnerability implements Serializable, Comparable<Vulnerability> {
 

src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.Comparator;
 
 /**
  * Comparator for Vulnerability objects.
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
     /**

src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.owasp.dependencycheck.data.cpe.Entry;
  * A record containing information about vulnerable software. This
  * is referenced from a vulnerability.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerableSoftware extends Entry implements Serializable, Comparable<VulnerableSoftware> {
 
@@ -46,7 +46,9 @@ public class VulnerableSoftware extends Entry implements Serializable, Comparabl
         try {
             parseName(cpe);
         } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
+            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
             setName(cpe);
         }
     }

src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -44,18 +44,40 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * the generator uses the Velocity Templating Engine. The ReportGenerator exposes
  * a list of Dependencies to the template when generating the report.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ReportGenerator {
 
+    /**
+     * An enumeration of the report formats.
+     */
+    public enum Format {
+
+        /**
+         * Generate all reports.
+         */
+        ALL,
+        /**
+         * Generate XML report.
+         */
+        XML,
+        /**
+         * Generate HTML report.
+         */
+        HTML,
+        /**
+         * Generate HTML Vulnerability report.
+         */
+        VULN
+    }
     /**
      * The Velocity Engine.
      */
-    private VelocityEngine engine;
+    private final VelocityEngine engine;
     /**
      * The Velocity Engine Context.
      */
-    private Context context;
+    private final Context context;
 
     /**
      * Constructs a new ReportGenerator.
@@ -82,6 +104,7 @@ public class ReportGenerator {
      */
     private VelocityEngine createVelocityEngine() {
         final VelocityEngine ve = new VelocityEngine();
+        ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
         ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
         ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
         return ve;
@@ -92,6 +115,8 @@ public class ReportGenerator {
      *
      * @return a Velocity Context.
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
+    justification = "No plan to fix this style issue")
     private Context createContext() {
         final ToolManager manager = new ToolManager();
         final Context c = manager.createContext();
@@ -105,18 +130,48 @@ public class ReportGenerator {
     /**
      * Generates the Dependency Reports for the identified dependencies.
      *
-     * @param outputDir the path where the reports should be written.
+     * @param outputDir the path where the reports should be written
-     * @param outputFormat the format the report should be written in.
+     * @param format the format the report should be written in
-     * @throws IOException is thrown when the template file does not exist.
+     * @throws IOException is thrown when the template file does not exist
+     * @throws Exception is thrown if there is an error writing out the
+     * reports.
+     */
+    public void generateReports(String outputDir, Format format) throws IOException, Exception {
+        if (format == Format.XML || format == Format.ALL) {
+            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+        }
+        if (format == Format.HTML || format == Format.ALL) {
+            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+        }
+        if (format == Format.VULN || format == Format.ALL) {
+            generateReport("VulnerabilityReport", outputDir + File.separator + "DependencyCheck-Vulnerability.html");
+        }
+    }
+
+    /**
+     * Generates the Dependency Reports for the identified dependencies.
+     *
+     * @param outputDir the path where the reports should be written
+     * @param outputFormat the format the report should be written in (XML, HTML, ALL)
+     * @throws IOException is thrown when the template file does not exist
      * @throws Exception is thrown if there is an error writing out the
      * reports.
      */
     public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
-        if ("XML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
+        final String format = outputFormat.toUpperCase();
-            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+        if (format.matches("^(XML|HTML|VULN|ALL)$")) {
-        }
+            if ("XML".equalsIgnoreCase(format)) {
-        if ("HTML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
+                generateReports(outputDir, Format.XML);
-            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+            }
+            if ("HTML".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.HTML);
+            }
+            if ("VULN".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.VULN);
+            }
+            if ("ALL".equalsIgnoreCase(format)) {
+                generateReports(outputDir, Format.ALL);
+            }
         }
     }
 
@@ -130,7 +185,7 @@ public class ReportGenerator {
      * @throws IOException is thrown when the template file does not exist.
      * @throws Exception is thrown when an exception occurs.
      */
-    public void generateReport(String templateName, String outFileName) throws IOException, Exception {
+    protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
         InputStream input = null;
         String templatePath = null;
         final File f = new File(templateName);
@@ -139,7 +194,9 @@ public class ReportGenerator {
                 templatePath = templateName;
                 input = new FileInputStream(f);
             } catch (FileNotFoundException ex) {
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, null, ex);
+                final String msg = "Unable to generate the report, the report template file could not be found.";
+                Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
             }
         } else {
             templatePath = "templates/" + templateName + ".vsl";
@@ -154,9 +211,16 @@ public class ReportGenerator {
         OutputStream outputStream = null;
 
         try {
+            final File outDir = new File(outFileName).getParentFile();
+            if (!outDir.exists()) {
+                final boolean created = outDir.mkdirs();
+                if (!created) {
+                   throw new Exception("Unable to create directory '" + outDir.getAbsolutePath() + "'.");
+                }
+            }
+
             outputStream = new FileOutputStream(outFileName);
             writer = new OutputStreamWriter(outputStream, "UTF-8");
-            //writer = new BufferedWriter(oswriter);
 
             if (!engine.evaluate(context, writer, templatePath, reader)) {
                 throw new Exception("Failed to convert the template into html.");

src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -0,0 +1,103 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Steve Springett. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.reporting;
+
+import org.apache.velocity.app.Velocity;
+import org.apache.velocity.runtime.RuntimeServices;
+import org.apache.velocity.runtime.log.LogChute;
+
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * <p>DependencyCheck uses {@link java.util.logging.Logger} as a logging framework,
+ * and Apache Velocity uses a custom logging implementation that outputs to a
+ * file named velocity.log by default. This class is an implementation of a
+ * custom Velocity logger that redirects all velocity logging to the Java Logger
+ * class.
+ * </p><p>
+ * This class was written to address permission issues when using Dependency-Check
+ * in a server environment (such as the Jenkins plugin). In some circumstances,
+ * Velocity would attempt to create velocity.log in an un-writable directory.</p>
+ *
+ * @author Steve Springett (steve.springett@owasp.org)
+ */
+public class VelocityLoggerRedirect implements LogChute {
+
+    /**
+     * This will be invoked once by the LogManager.
+     * @param rsvc the RuntimeServices
+     */
+    public void init(RuntimeServices rsvc) {
+        // do nothing
+    }
+
+    /**
+     * Given a Velocity log level and message, this method will
+     * call the appropriate Logger level and log the specified values.
+     * @param level the logging level
+     * @param message the message to be logged
+     */
+    public void log(int level, String message) {
+        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
+    }
+
+    /**
+     * Given a Velocity log level, message and Throwable, this method will
+     * call the appropriate Logger level and log the specified values.
+     * @param level the logging level
+     * @param message the message to be logged
+     * @param t a throwable to log
+     */
+    public void log(int level, String message, Throwable t) {
+        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
+    }
+
+    /**
+     * Will always return true. The property file will decide what level to log.
+     * @param level the logging level
+     * @return true
+     */
+    public boolean isLevelEnabled(int level) {
+        return true;
+    }
+
+    /**
+     * Maps Velocity log levels to {@link Logger} values.
+     * @param velocityLevel the logging level
+     * @return the logging level
+     */
+    private Level getLevel(int velocityLevel) {
+        switch (velocityLevel) {
+            case TRACE_ID:
+                return Level.ALL;
+            case DEBUG_ID:
+                return Level.FINE;
+            case INFO_ID:
+                return Level.INFO;
+            case WARN_ID:
+                return Level.WARNING;
+            case ERROR_ID:
+                return Level.SEVERE;
+            default:
+                return Level.INFO;
+        }
+    }
+
+}

src/main/java/org/owasp/dependencycheck/utils/Checksum.java

@@ -51,7 +51,7 @@ public class Checksum {
                 try {
                     fis.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(Checksum.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(Checksum.class.getName()).log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
                 }
             }
         }

src/main/java/org/owasp/dependencycheck/utils/CliParser.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -33,7 +33,7 @@ import org.apache.commons.cli.PosixParser;
 /**
  * A utility to parse command line arguments for the DependencyCheck.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class CliParser {
 
@@ -44,7 +44,7 @@ public final class CliParser {
     /**
      * The options for the command line parser.
      */
-    private Options options = createCommandLineOptions();
+    private final Options options = createCommandLineOptions();
     /**
      * Indicates whether the arguments are valid.
      */
@@ -75,8 +75,7 @@ public final class CliParser {
      */
     private CommandLine parseArgs(String[] args) throws ParseException {
         final CommandLineParser parser = new PosixParser();
-        final CommandLine ln = parser.parse(options, args);
+        return parser.parse(options, args);
-        return ln;
     }
 
     /**
@@ -102,7 +101,7 @@ public final class CliParser {
                             + "the 'out' argument.");
                 }
             }
-            if (!line.hasOption(ArgumentName.APPNAME)) {
+            if (!line.hasOption(ArgumentName.APP_NAME)) {
                 throw new ParseException("Scan cannot be run without specifying an application "
                         + "name via the 'app' argument.");
             }
@@ -110,8 +109,9 @@ public final class CliParser {
                 final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
                 if (!("ALL".equalsIgnoreCase(format)
                         || "XML".equalsIgnoreCase(format)
-                        || "HTML".equalsIgnoreCase(format))) {
+                        || "HTML".equalsIgnoreCase(format)
-                    throw new ParseException("Supported output formats are XML, HTML, or ALL");
+                        || "VULN".equalsIgnoreCase(format))) {
+                    throw new ParseException("Supported output formats are XML, HTML, VULN, or ALL");
                 }
             }
         }
@@ -158,56 +158,65 @@ public final class CliParser {
     @SuppressWarnings("static-access")
     private Options createCommandLineOptions() {
         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
-                "print this message.");
+                "Print this message.");
-
-        final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
-                "shows additional help regarding properties file.");
 
         final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
-                "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
+                "Extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
 
         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
-                false, "print the version information.");
+                false, "Print the version information.");
 
-        final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
-                false, "disables the automatic updating of the CPE data.");
+                false, "Disables the automatic updating of the CPE data.");
 
-        final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
-                .withDescription("the name of the application being scanned.")
+                .withDescription("The name of the application being scanned.")
-                .create(ArgumentName.APPNAME_SHORT);
+                .create(ArgumentName.APP_NAME_SHORT);
+
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
+                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+
+        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
+                .withDescription("The proxy url to use when downloading resources.")
+                .create(ArgumentName.PROXY_URL_SHORT);
+
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+                .withDescription("The proxy port to use when downloading resources.")
+                .create(ArgumentName.PROXY_PORT_SHORT);
 
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("the path to scan - this option can be specified multiple times.")
+                .withDescription("The path to scan - this option can be specified multiple times.")
                 .create(ArgumentName.SCAN_SHORT);
 
         final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
-                .withDescription("a property file to load.")
+                .withDescription("A property file to load.")
                 .create(ArgumentName.PROP_SHORT);
 
         final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
-                .withDescription("the folder to write reports to.")
+                .withDescription("The folder to write reports to.")
                 .create(ArgumentName.OUT_SHORT);
 
-        final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
-                .withDescription("the output format to write to (XML, HTML, ALL).")
+                .withDescription("The output format to write to (XML, HTML, VULN, ALL).")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
-        //TODO add the ability to load a properties file to override the defaults...
-
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
 
         final Options opts = new Options();
         opts.addOptionGroup(og);
         opts.addOption(out);
-        opts.addOption(outputformat);
+        opts.addOption(outputFormat);
-        opts.addOption(appname);
+        opts.addOption(appName);
         opts.addOption(version);
         opts.addOption(help);
-        opts.addOption(noupdate);
+        opts.addOption(noUpdate);
         opts.addOption(deepScan);
         opts.addOption(props);
-        opts.addOption(advancedHelp);
+        opts.addOption(proxyPort);
+        opts.addOption(proxyUrl);
+        opts.addOption(connectionTimeout);
 
         return opts;
     }
@@ -245,16 +254,6 @@ public final class CliParser {
     public void printHelp() {
         final HelpFormatter formatter = new HelpFormatter();
         final String nl = System.getProperty("line.separator");
-        String advancedHelp = null;
-        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
-            advancedHelp = nl + nl
-                    + "Additionally, the following properties are supported and can be specified either"
-                    + "using the -p <file> argument or by passing them in as system properties." + nl
-                    + nl + " " + Settings.KEYS.PROXY_URL + "\t\t    the proxy URL to use when downloading resources."
-                    + nl + " " + Settings.KEYS.PROXY_PORT + "\t\t    the proxy port to use when downloading resources."
-                    + nl + " " + Settings.KEYS.CONNECTION_TIMEOUT + "\t    the connection timeout (in milliseconds) to use"
-                    + nl + "\t\t\t    when downloading resources.";
-        }
 
         formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
                 nl + Settings.getString("application.name", "DependencyCheck")
@@ -264,9 +263,6 @@ public final class CliParser {
                 options,
                 "",
                 true);
-        if (advancedHelp != null) {
-            System.out.println(advancedHelp);
-        }
     }
 
     /**
@@ -305,7 +301,31 @@ public final class CliParser {
      * @return the application name.
      */
     public String getApplicationName() {
-        return line.getOptionValue(ArgumentName.APPNAME);
+        return line.getOptionValue(ArgumentName.APP_NAME);
+    }
+
+    /**
+     * Returns the connection timeout.
+     * @return the connection timeout
+     */
+    public String getConnectionTimeout() {
+        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+    }
+
+    /**
+     * Returns the proxy url.
+     * @return the proxy url
+     */
+    public String getProxyUrl() {
+        return line.getOptionValue(ArgumentName.PROXY_URL);
+    }
+
+    /**
+     * Returns the proxy port.
+     * @return the proxy port
+     */
+    public String getProxyPort() {
+        return line.getOptionValue(ArgumentName.PROXY_PORT);
     }
 
     /**
@@ -385,12 +405,12 @@ public final class CliParser {
          * The long CLI argument name specifying the name of the application to
          * be scanned.
          */
-        public static final String APPNAME = "app";
+        public static final String APP_NAME = "app";
         /**
          * The short CLI argument name specifying the name of the application to
          * be scanned.
          */
-        public static final String APPNAME_SHORT = "a";
+        public static final String APP_NAME_SHORT = "a";
         /**
          * The long CLI argument name asking for help.
          */
@@ -408,13 +428,29 @@ public final class CliParser {
          */
         public static final String VERSION = "version";
         /**
-         * The CLI argument name asking for advanced help.
+         * The short CLI argument name indicating the proxy port.
          */
-        public static final String ADVANCED_HELP_SHORT = "ah";
+        public static final String PROXY_PORT_SHORT = "p";
         /**
-         * The short CLI argument name asking for advanced help.
+         * The CLI argument name indicating the proxy port.
          */
-        public static final String ADVANCED_HELP = "advancedhelp";
+        public static final String PROXY_PORT = "proxyport";
+        /**
+         * The short CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL_SHORT = "u";
+        /**
+         * The CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL = "proxyurl";
+        /**
+         * The short CLI argument name indicating the proxy url.
+         */
+        public static final String CONNECTION_TIMEOUT_SHORT = "c";
+        /**
+         * The CLI argument name indicating the proxy url.
+         */
+        public static final String CONNECTION_TIMEOUT = "connectiontimeout";
         /**
          * The short CLI argument name indicating a deep scan of the dependencies
          * should be performed.

src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -0,0 +1,145 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * <p>Simple object to track the parts of a version number. The parts are
+ * contained in a List such that version 1.2.3 will be stored as:
+ * <code>versionParts[0] = 1;
+ * versionParts[1] = 2;
+ * versionParts[2] = 3;
+ * </code></p>
+ * <p>Note, the parser contained in this class expects the version numbers to be
+ * separated by periods. If a different separator is used the parser will likely
+ * fail.</p>
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class DependencyVersion implements Iterable {
+
+    /**
+     * Constructor for a empty DependencyVersion.
+     */
+    public DependencyVersion() {
+        versionParts = new ArrayList<String>();
+    }
+
+    /**
+     * Constructor for a DependencyVersion that will parse a version string.
+     * @param version the version number to parse
+     */
+    public DependencyVersion(String version) {
+        parseVersion(version);
+    }
+
+    /**
+     * Parses a version string into its sub parts: major, minor, revision, build, etc.
+     * @param version the version string to parse
+     */
+    public final void parseVersion(String version) {
+        versionParts = new ArrayList<String>();
+        if (version != null) {
+            final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
+            final Matcher matcher = rx.matcher(version.toLowerCase());
+            while (matcher.find()) {
+                versionParts.add(matcher.group());
+            }
+            if (versionParts.isEmpty()) {
+                versionParts.add(version);
+            }
+        }
+    }
+    /**
+     * A list of the version parts.
+     */
+    private List<String> versionParts;
+
+    /**
+     * Get the value of versionParts.
+     *
+     * @return the value of versionParts
+     */
+    public List<String> getVersionParts() {
+        return versionParts;
+    }
+
+    /**
+     * Set the value of versionParts.
+     *
+     * @param versionParts new value of versionParts
+     */
+    public void setVersionParts(List<String> versionParts) {
+        this.versionParts = versionParts;
+    }
+
+    /**
+     * Retrieves an iterator for the version parts.
+     *
+     * @return an iterator for the version parts
+     */
+    public Iterator iterator() {
+        return versionParts.iterator();
+    }
+
+    /**
+     * Reconstructs the version string from the split version parts.
+     * @return a string representing the version.
+     */
+    @Override
+    public String toString() {
+        return StringUtils.join(versionParts.toArray(), ".");
+    }
+
+    /**
+     * Compares the equality of this object to the one passed in as a parameter.
+     * @param obj the object to compare equality
+     * @return returns true only if the two objects are equal, otherwise false
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final DependencyVersion other = (DependencyVersion) obj;
+        if (this.versionParts != other.versionParts && (this.versionParts == null || !this.versionParts.equals(other.versionParts))) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Calculates the hashCode for this object.
+     * @return the hashCode
+     */
+    @Override
+    public int hashCode() {
+        int hash = 5;
+        hash = 71 * hash + (this.versionParts != null ? this.versionParts.hashCode() : 0);
+        return hash;
+    }
+}

src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * <p>A utility class to extract version numbers from file names (or other strings
+ * containing version numbers.</p>
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public final class DependencyVersionUtil {
+    /**
+     * Regular expression to extract version numbers from file names.
+     */
+    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
+
+    /**
+     * Private constructor for utility class.
+     */
+    private DependencyVersionUtil() {
+    }
+
+    /**
+     * <p>A utility class to extract version numbers from file names (or other strings
+     * containing version numbers.<br/>
+     * Example:<br/>
+     * Give the file name: library-name-1.4.1r2-release.jar<br/>
+     * This function would return: 1.4.1.r2</p>
+     *
+     * @param filename the filename being analyzed
+     * @return a DependencyVersion containing the version
+     */
+    public static DependencyVersion parseVersionFromFileName(String filename) {
+        if (filename == null) {
+            return null;
+        }
+        String version = null;
+        final Matcher matcher = RX_VERSION.matcher(filename);
+        if (matcher.find()) {
+            version = matcher.group();
+        }
+        //throw away the results if there are two things that look like version numbers
+        if (matcher.find()) {
+            return null;
+        }
+        if (version == null) {
+            return null;
+        }
+        return new DependencyVersion(version);
+    }
+}

src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when a download fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DownloadFailedException extends IOException {
 

src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,7 +36,7 @@ import java.util.zip.InflaterInputStream;
 /**
  * A utility to download files from the Internet.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class Downloader {
 
@@ -126,7 +126,7 @@ public final class Downloader {
 
             writer = new BufferedOutputStream(new FileOutputStream(outputPath));
             final byte[] buffer = new byte[4096];
-            int bytesRead = 0;
+            int bytesRead;
             while ((bytesRead = reader.read(buffer)) > 0) {
                 writer.write(buffer, 0, bytesRead);
             }

src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,11 +21,12 @@ package org.owasp.dependencycheck.utils;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.URLDecoder;
 
 /**
  * A collection of utilities for processing information about files.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class FileUtils {
 
@@ -67,4 +68,34 @@ public final class FileUtils {
             throw new FileNotFoundException("Failed to delete file: " + file);
         }
     }
+
+    /**
+     * Returns the data directory. If a path was specified in dependencycheck.properties
+     * or was specified using the Settings object, and the path exists, that path will be
+     * returned as a File object. If it does not exist, then a File object will be created
+     * based on the file location of the JAR containing the specified class.
+     *
+     * @param configuredFilePath the configured relative or absolute path
+     * @param clazz the class whos path will be resolved
+     * @return a File object
+     * @throws IOException is thrown if the path could not be decoded
+     */
+    public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
+        final File file = new File(configuredFilePath);
+        if (file.exists() && file.isDirectory() && file.canWrite()) {
+             return new File(file.getCanonicalPath());
+        } else {
+            final String filePath = clazz.getProtectionDomain().getCodeSource().getLocation().getPath();
+            final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
+            File exePath = new File(decodedPath);
+            if (exePath.getName().toLowerCase().endsWith(".jar")) {
+                exePath = exePath.getParentFile();
+            } else {
+                exePath = new File(".");
+            }
+            final File path = new File(exePath.getCanonicalFile() + File.separator + configuredFilePath);
+            return new File(path.getCanonicalPath());
+        }
+    }
+
 }

src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -31,7 +31,7 @@ public abstract class Filter<T> {
 
     private class FilterIterator implements Iterator<T> {
 
-        private Iterator<T> iterator;
+        private final Iterator<T> iterator;
         private T next;
 
         private FilterIterator(Iterator<T> iterator) {

src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when an error occurs reading a setting.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class InvalidSettingException extends IOException {
 

src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +26,7 @@ import java.io.InputStream;
  * processes the stream from closing it. This is necessary when dealing with
  * things like JAXB and zipInputStreams.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NonClosingStream extends FilterInputStream {
 

src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import java.util.logging.Logger;
 /**
  * A simple settings container that wraps the dependencycheck.properties file.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class Settings {
 
@@ -39,12 +39,17 @@ public final class Settings {
     public static final class KEYS {
 
         /**
-         * private constructor because this is a "utility" class containing constants
+         * private constructor because this is a "utility" class containing
+         * constants
          */
         private KEYS() {
             //do nothing
         }
-
+        /**
+         * The properties key indicating whether or not the cached data sources
+         * should be updated.
+         */
+        public static final String AUTO_UPDATE = "autoupdate";
         /**
          * The properties key for the path where the CPE Lucene Index will be
          * stored.
@@ -102,8 +107,6 @@ public final class Settings {
          * The properties key for the CVE schema version 2.0.
          */
         public static final String CVE_SCHEMA_2_0 = "2.0.";
-
-
         /**
          * The properties key for the proxy url.
          */
@@ -121,6 +124,10 @@ public final class Settings {
          * The properties key indicating a deep scan should be performed.
          */
         public static final String PERFORM_DEEP_SCAN = "perform.deepscan";
+        /**
+         * The location of the temporary directory.
+         */
+        public static final String TEMP_DIRECTORY = "temp.directory";
     }
     /**
      * The properties file location.
@@ -145,24 +152,26 @@ public final class Settings {
         try {
             props.load(in);
         } catch (IOException ex) {
-            Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.");
+            Logger.getLogger(Settings.class.getName()).log(Level.FINE, null, ex);
         }
     }
 
     /**
      * Sets a property value.
      *
-     * @param key the key for the property.
+     * @param key the key for the property
-     * @param value the value for the property.
+     * @param value the value for the property
      */
     public static void setString(String key, String value) {
         INSTANCE.props.setProperty(key, value);
     }
+
     /**
      * Sets a property value.
      *
-     * @param key the key for the property.
+     * @param key the key for the property
-     * @param value the value for the property.
+     * @param value the value for the property
      */
     public static void setBoolean(String key, boolean value) {
         if (value) {
@@ -180,9 +189,9 @@ public final class Settings {
      *
      * @param filePath the path to the properties file to merge.
      * @throws FileNotFoundException is thrown when the filePath points to a
-     * non-existent file.
+     * non-existent file
      * @throws IOException is thrown when there is an exception loading/merging
-     * the properties.
+     * the properties
      */
     public static void mergeProperties(String filePath) throws FileNotFoundException, IOException {
         final FileInputStream fis = new FileInputStream(filePath);
@@ -195,7 +204,7 @@ public final class Settings {
      * Note: even if using this method - system properties will be loaded before
      * properties loaded from files.
      *
-     * @param stream an Input Stream pointing at a properties file to merge.
+     * @param stream an Input Stream pointing at a properties file to merge
      * @throws IOException is thrown when there is an exception loading/merging
      * the properties
      */
@@ -209,9 +218,9 @@ public final class Settings {
      * will return the value from the system properties before the values in the
      * contained configuration file.
      *
-     * @param key the key to lookup within the properties file.
+     * @param key the key to lookup within the properties file
-     * @param defaultValue the default value for the requested property.
+     * @param defaultValue the default value for the requested property
-     * @return the property from the properties file.
+     * @return the property from the properties file
      */
     public static String getString(String key, String defaultValue) {
         String str = System.getProperty(key, INSTANCE.props.getProperty(key));
@@ -227,8 +236,8 @@ public final class Settings {
      * will return the value from the system properties before the values in the
      * contained configuration file.
      *
-     * @param key the key to lookup within the properties file.
+     * @param key the key to lookup within the properties file
-     * @return the property from the properties file.
+     * @return the property from the properties file
      */
     public static String getString(String key) {
         return System.getProperty(key, INSTANCE.props.getProperty(key));
@@ -240,10 +249,10 @@ public final class Settings {
      * method will return the value from the system properties before the values
      * in the contained configuration file.
      *
-     * @param key the key to lookup within the properties file.
+     * @param key the key to lookup within the properties file
-     * @return the property from the properties file.
+     * @return the property from the properties file
      * @throws InvalidSettingException is thrown if there is an error retrieving
-     * the setting.
+     * the setting
      */
     public static int getInt(String key) throws InvalidSettingException {
         int value;
@@ -255,16 +264,39 @@ public final class Settings {
         return value;
     }
 
+    /**
+     * Returns an int value from the properties file. If the value was specified
+     * as a system property or passed in via the -Dprop=value argument - this
+     * method will return the value from the system properties before the values
+     * in the contained configuration file.
+     *
+     * @param key the key to lookup within the properties file
+     * @param defaultValue the default value to return
+     * @return the property from the properties file or the defaultValue if the
+     * property does not exist or cannot be converted to an integer
+     */
+    public static int getInt(String key, int defaultValue) {
+        int value;
+        try {
+            value = Integer.parseInt(Settings.getString(key));
+        } catch (NumberFormatException ex) {
+            final String msg = String.format("Could not convert property '%s' to an int.", key);
+            Logger.getLogger(Settings.class.getName()).log(Level.FINEST, msg, ex);
+            value = defaultValue;
+        }
+        return value;
+    }
+
     /**
      * Returns a long value from the properties file. If the value was specified
      * as a system property or passed in via the -Dprop=value argument - this
      * method will return the value from the system properties before the values
      * in the contained configuration file.
      *
-     * @param key the key to lookup within the properties file.
+     * @param key the key to lookup within the properties file
-     * @return the property from the properties file.
+     * @return the property from the properties file
      * @throws InvalidSettingException is thrown if there is an error retrieving
-     * the setting.
+     * the setting
      */
     public static long getLong(String key) throws InvalidSettingException {
         long value;
@@ -278,14 +310,15 @@ public final class Settings {
 
     /**
      * Returns a boolean value from the properties file. If the value was
-     * specified as a system property or passed in via the -Dprop=value argument
+     * specified as a system property or passed in via the
-     * - this method will return the value from the system properties before the
+     * <code>-Dprop=value</code> argument this method will return the value from
-     * values in the contained configuration file.
+     * the system properties before the values in the contained configuration
+     * file.
      *
-     * @param key the key to lookup within the properties file.
+     * @param key the key to lookup within the properties file
-     * @return the property from the properties file.
+     * @return the property from the properties file
      * @throws InvalidSettingException is thrown if there is an error retrieving
-     * the setting.
+     * the setting
      */
     public static boolean getBoolean(String key) throws InvalidSettingException {
         boolean value;

src/main/resources/META-INF/licenses/StupidTablePlugin/LICENSE.txt

@@ -0,0 +1,19 @@
+Copyright (c) 2012 Joseph McCullough
+
+Permission is hereby granted, free of charge, to any person obtaining a copy   
+of this software and associated documentation files (the "Software"), to deal   
+in the Software without restriction, including without limitation the rights   
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell   
+copies of the Software, and to permit persons to whom the Software is   
+furnished to do so, subject to the following conditions:  
+
+The above copyright notice and this permission notice shall be included in all  
+copies or substantial portions of the Software.  
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR   
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,  
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE  
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER  
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE  
+SOFTWARE.

src/main/resources/META-INF/licenses/jsoup/LICENSE.txt

@@ -0,0 +1,21 @@
+The MIT License
+
+Copyright (c) 2009, 2010, 2011, 2012, 2013 Jonathan Hedley <jonathan@hedley.net>
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

src/main/resources/configuration/dependencycheck.properties

@@ -1,5 +1,9 @@
 application.name=${pom.name}
 application.version=${pom.version}
+autoupdate=true
+
+#temp.directory defaults to System.getProperty("java.io.tmpdir")
+#temp.directory=[path to temp directory]
 
 # the path to the lucene index to store the cpe data
 cpe=data/cpe
@@ -8,7 +12,6 @@ cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-diction
 # the path to the cpe meta data file.
 cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
 
-
 # the path to the lucene index to store the nvd cve data
 cve=data/cve
 # the path to the nvd cve "meta" page where the timestamps for the last update files can be found.

src/main/resources/configuration/log.properties

@@ -5,13 +5,13 @@ handlers=java.util.logging.ConsoleHandler
 # FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
 
 # Configure the ConsoleHandler.
-java.util.logging.ConsoleHandler.level=WARNING
+java.util.logging.ConsoleHandler.level=INFO
 
 org.owasp.dependencycheck.data.nvdcve.xml
 
 # Configure the FileHandler.
-#java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
+java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
-#java.util.logging.FileHandler.level=FINEST
+java.util.logging.FileHandler.level=FINE
 
 # The following special tokens can be used in the pattern property
 # which specifies the location and name of the log file.
@@ -21,4 +21,4 @@ org.owasp.dependencycheck.data.nvdcve.xml
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
-#java.util.logging.FileHandler.pattern=./logs/DependencyCheck%u.log
+java.util.logging.FileHandler.pattern=./logs/DependencyCheck.log

src/main/resources/templates/HtmlReport.vsl

@@ -1,22 +1,22 @@
 #**
-This file is part of DependencyCheck.
+This file is part of Dependency-Check.
 
-DependencyCheck is free software: you can redistribute it and/or modify
+Dependency-Check is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
-@author Jeremy Long (jeremy.long@gmail.com)
+@author Jeremy Long (jeremy.long@owasp.org)
 @version 1
 *#
 
@@ -25,7 +25,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 <!DOCTYPE html>
 <html>
     <head>
-        <title></title>
+        <title>Dependency-Check Report</title>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
         <link rel="shortcut icon" href="data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAadEVYdFNvZnR3YXJlAFBhaW50Lk5FVCB2My41LjEwMPRyoQAAANVJREFUOE9jYKAi+A80Cxn/APLnA7EQsXaANB9BUiwJZD8C4ktAzEKMIegGgPRYQl0VTq4BfFADJpBlgIHjfxNV45P/gTQMnwOyPXAZhuIFoEJHkEZB8ej/DIysR4FsDiAugRqG1UtwA4CKWID4hZ7997VQL0wlyQtAzaYgm5QN9rSTFYhAzeEgA/hFAs5Bo5LoaAQnJAGxcHCgCYpHbSclIcG9CdRsBw2sFGL8jqEGFohAegVZBoA0waIRSEdDDUSOxgSiDAYlJCAGJR6iEhJRhqIrAgDHLHfYX71qMgAAAABJRU5ErkJggg==" />
         <script type="text/javascript">
@@ -284,10 +284,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
             <div class="sectioncontent">Report Generated On: $date<br/><br/>
                 #set($depCount=$dependencies.size())
+                #set($vulnCount=0)
+
                 #foreach($dependency in $dependencies)
                     #set($depCount=$depCount+$dependency.getRelatedDependencies().size())
+                    #if($dependency.getVulnerabilities().size()>0)
+                        #set($vulnCount=$vulnCount+1)
+                    #end
                 #end
-                Dependencies Scanned:&nbsp;$depCount<br/><br/>
+                Dependencies Scanned:&nbsp;$depCount<br/>
+                Vulnerable Dependencies:&nbsp;$vulnCount<br/><br/>
                 <div class="indent">
                 #set($lnkcnt=0)
                 #foreach($dependency in $dependencies)
@@ -314,7 +320,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         #end
                         <p>
                         #if ($dependency.license)
+                            #if ($dependency.license.startsWith("http://"))
+                            <b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
+                            #else
                             <b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
+                            #end
                         #end
                             <b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
                             <b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
@@ -368,7 +378,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                             #foreach($related in $dependency.getRelatedDependencies())
                                 <li>$esc.html($related.FileName)
                                     <ul>
-                                        <li>File Path:&nbsp;$esc.html($dependency.FilePath)</li>
+                                        <li>File Path:&nbsp;$esc.html($related.FilePath)</li>
                                         <li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
                                         <li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
                                      </ul>
@@ -394,7 +404,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                             #foreach($id in $dependency.getIdentifiers())
                                 ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
                                 <li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
-                                #if( $id.descrription )
+                                #if( $id.description )
                                     <br/>$esc.html($id.description)
                                 #end
                                 </li>

src/main/resources/templates/XmlReport.vsl

@@ -1,22 +1,22 @@
 #**
-This file is part of DependencyCheck.
+This file is part of Dependency-Check.
 
-DependencyCheck is free software: you can redistribute it and/or modify
+Dependency-Check is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
-@author Jeremy Long (jeremy.long@gmail.com)
+@author Jeremy Long (jeremy.long@owasp.org)
 @version 1
 *#<?xml version="1.0"?>
 <analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check">

src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EngineIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AbstractAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AnalyzerServiceTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FileNameAnalyzerTest {
 
@@ -116,7 +116,7 @@ public class FileNameAnalyzerTest {
      * Test of initialize method, of class FileNameAnalyzer.
      */
     @Test
-    public void testInitialize() {
+    public void testInitialize() throws Exception {
         FileNameAnalyzer instance = new FileNameAnalyzer();
         instance.initialize();
         assertTrue(true); //initialize does nothing.
@@ -126,7 +126,7 @@ public class FileNameAnalyzerTest {
      * Test of close method, of class FileNameAnalyzer.
      */
     @Test
-    public void testClose() {
+    public void testClose() throws Exception {
         FileNameAnalyzer instance = new FileNameAnalyzer();
         instance.close();
         assertTrue(true); //close does nothing.

src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JarAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/BaseIndexTestCase.java

@@ -1,42 +1,41 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.cpe;
 
-import org.owasp.dependencycheck.data.cpe.Index;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class BaseIndexTestCase {
 
@@ -59,17 +58,7 @@ public abstract class BaseIndexTestCase {
 
     protected static File getDataDirectory() throws IOException {
         String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
-        String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        return FileUtils.getDataDirectory(fileName, Index.class);
-        String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        return path;
     }
 
     public static void ensureIndexExists() throws Exception {

src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,10 +31,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.junit.Assert;
 import org.junit.Test;
+import org.owasp.dependencycheck.dependency.Identifier;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CPEAnalyzerTest extends BaseIndexTestCase {
 
@@ -110,6 +111,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
         String expResult = "cpe:/a:apache:struts:2.1.2";
+        Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
         String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
         String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
         instance.determineCPE(depends);
@@ -117,7 +119,9 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         instance.determineCPE(spring3);
         instance.close();
         Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
-        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
+
+
+        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().contains(expIdentifier));
         //the following two only work if the HintAnalyzer is used.
         //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));

src/test/java/org/owasp/dependencycheck/data/cpe/EntryTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.junit.Assert;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EntryTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/IndexIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class IndexIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/IndexTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,11 +28,12 @@ import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import static org.junit.Assert.*;
 
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class IndexTest {
 
@@ -61,7 +62,8 @@ public class IndexTest {
         try {
             instance.open();
         } catch (IOException ex) {
-            Assert.fail(ex.getMessage());
+            assertNull(ex.getMessage(), ex);
+            //Assert.fail(ex.getMessage());
         }
         instance.close();
     }
@@ -76,6 +78,6 @@ public class IndexTest {
         Directory result = index.getDirectory();
 
         String exp = File.separatorChar + "target" + File.separatorChar + "data" + File.separatorChar + "cpe";
-        Assert.assertTrue(result.toString().contains(exp));
+        assertTrue(result.toString().contains(exp));
     }
 }

src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CweDBTest {
 
@@ -54,7 +54,7 @@ public class CweDBTest {
     /**
      * Method to serialize the CWE HashMap. This is not used in
      * production; this is only used once during dev to create
-     * the serialized hashmap.
+     * the serialized HashMap.
      */
 //    @Test
 //    public void testUpdate() throws Exception {

src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -49,7 +49,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FieldAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class LuceneUtilsTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,15 +25,15 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import junit.framework.TestCase;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class BaseDBTestCase extends TestCase {
 
@@ -49,17 +49,7 @@ public abstract class BaseDBTestCase extends TestCase {
 
     protected static File getDataDirectory() throws IOException {
         String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
-        String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        return FileUtils.getDataDirectory(fileName, Index.class);
-        String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        return path;
     }
 
     public static void ensureDBExists() throws Exception {

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdaterIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseUpdaterIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve_1_2_HandlerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve_1_2_HandlerTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve_2_0_HandlerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve_2_0_HandlerTest {
 

src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -1,5 +1,24 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
 package org.owasp.dependencycheck.dependency;
 
+import java.util.Set;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -15,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencyTest {
 
@@ -208,7 +227,7 @@ public class DependencyTest {
     public void testGetIdentifiers() {
         Dependency instance = new Dependency();
         List expResult = null;
-        List result = instance.getIdentifiers();
+        Set<Identifier> result = instance.getIdentifiers();
 
         assertTrue(true); //this is just a getter setter pair.
     }
@@ -218,7 +237,7 @@ public class DependencyTest {
      */
     @Test
     public void testSetIdentifiers() {
-        List<Identifier> identifiers = null;
+        Set<Identifier> identifiers = null;
         Dependency instance = new Dependency();
         instance.setIdentifiers(identifiers);
         assertTrue(true); //this is just a getter setter pair.
@@ -232,13 +251,12 @@ public class DependencyTest {
         String type = "cpe";
         String value = "cpe:/a:apache:struts:2.1.2";
         String url = "http://somewhere";
+        Identifier expResult = new Identifier(type,value,url);
+
         Dependency instance = new Dependency();
         instance.addIdentifier(type, value, url);
         assertEquals(1,instance.getIdentifiers().size());
-        Identifier i = instance.getIdentifiers().get(0);
+        assertTrue("Identifier doesn't contain expected result.", instance.getIdentifiers().contains(expResult));
-        assertEquals(type,i.getType());
-        assertEquals(value, i.getValue());
-        assertEquals(url, i.getUrl());
     }
 
     /**

src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java

@@ -1,6 +1,20 @@
 /*
- * To change this template, choose Tools | Templates
+ * This file is part of Dependency-Check.
- * and open the template in the editor.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.dependency;
 
@@ -13,7 +27,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerableSoftwareTest {
 

src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ReportGeneratorTest {
 

src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ChecksumTest {
 

src/test/java/org/owasp/dependencycheck/utils/CliParserTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CliParserTest {
 

src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java

@@ -0,0 +1,80 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class DependencyVersionUtilTest {
+
+    public DependencyVersionUtilTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of parseVersionFromFileName method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParseVersionFromFileName() {
+        final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
+            "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
+            "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar"};
+        final String[] expResult = {"0.9.5", "1.1", "1.5.r4", "1.2.5", "4.4.0", "2.0.0.rc1",
+            "2.0.1.r114940", "2.3.11.r121413", "3.7"};
+
+        for (int i = 0; i < fileName.length; i++) {
+            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(fileName[i]);
+            String result = null;
+            if (version != null) {
+                result = version.toString();
+            }
+            assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
+        }
+
+        String[] failingNames = { "no-version-identified.jar", "somelib-04aug2000r7-dev.jar", "no.version15.jar",
+            "lib_1.0_spec-1.1.jar", "lib-api_1.0_spec-1.0.1.jar" };
+        for (String failingName : failingNames) {
+            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(failingName);
+            assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
+        }
+    }
+}

src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DownloaderIntegrationTest {