version 0.3.1.1

Former-commit-id: a47cc07a1a23ad75214fbedbe35c5e7cf72196f8

NOTICES.txt

@@ -1,6 +1,8 @@
 DependencyCheck
 Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
 
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
 This product includes software developed by
 The Apache Software Foundation (http://www.apache.org/).
 

README.md

@@ -1,7 +1,7 @@
 DependencyCheck
 =========
 
-DependencyCheck is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries..
 
 More information can be found on the [wiki].
 
@@ -9,8 +9,11 @@ Usage
 -
 
 > $ mvn package
+
 > $ cd target
+
 > $ java -jar dependency-check-[version].jar -h
+
 > $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
@@ -19,6 +22,7 @@ Mailing List
 -
 
 Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
+
 Post: [dependency-check@googlegroups.com] [post]
 
 Copyright & License

pom.xml

@@ -8,7 +8,7 @@ it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
@@ -20,14 +20,14 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
     <modelVersion>4.0.0</modelVersion>
 
-    <groupId>org.owasp.dependency-check</groupId>
+    <groupId>org.owasp</groupId>
     <artifactId>dependency-check</artifactId>
-    <version>0.3.0.0</version>
+    <version>0.3.1.1</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
     <url>https://github.com/jeremylong/DependencyCheck.git</url>
-    <description>Dependency-Check is a utility that attempts to detect publically disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
     <inceptionYear>2012</inceptionYear>
     <organization>
         <name>owasp</name>
@@ -36,7 +36,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
     <developers>
         <developer>
             <name>Jeremy Long</name>
-            <email>jeremy.long@gmail.com</email>
+            <email>jeremy.long@owasp.org</email>
             <organization>owasp</organization>
             <organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
             <roles>
@@ -331,6 +331,25 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
                             <groupId>org.codehaus.mojo</groupId>
                             <artifactId>taglist-maven-plugin</artifactId>
                             <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
                         </plugin>
                         <plugin>
                             <groupId>org.apache.maven.plugins</groupId>
@@ -385,6 +404,17 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
             <artifactId>commons-cli</artifactId>
             <version>1.2</version>
         </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.4</version>
+        </dependency>
+        <dependency>
+            <!-- Using the same as Lucene-->
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.4</version>
+        </dependency>
         <dependency>
             <groupId>junit</groupId>
             <artifactId>junit</artifactId>
@@ -408,11 +438,6 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
             <artifactId>lucene-queryparser</artifactId>
             <version>4.0.0</version>
         </dependency>
-        <dependency>
-            <groupId>commons-io</groupId>
-            <artifactId>commons-io</artifactId>
-            <version>2.4</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
             <artifactId>velocity</artifactId>

src/main/config/checkstyle-header.txt

@@ -1,19 +1,19 @@
 ^/\*\s*$
-^ \* This file is part of DependencyCheck\.\s*$
+^ \* This file is part of Dependency-Check\.\s*$
 ^ \*\s*$
-^ \* DependencyCheck is free software\: you can redistribute it and/or modify it\s*$
+^ \* Dependency-Check is free software\: you can redistribute it and/or modify it\s*$
 ^ \* under the terms of the GNU General Public License as published by the Free\s*$
 ^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
 ^ \* later version\.
 ^ \*\s*$
-^ \* DependencyCheck is distributed in the hope that it will be useful, but\s*$
+^ \* Dependency-Check is distributed in the hope that it will be useful, but\s*$
 ^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
 ^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
 ^ \* details\.\s*$
 ^ \*\s*$
 ^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* DependencyCheck\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* Dependency-Check\. If not, see http://www.gnu.org/licenses/\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 2012 Jeremy Long\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[23] Jeremy Long\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package

src/main/java/org/owasp/dependencycheck/App.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -51,7 +51,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The command line interface for the DependencyCheck application.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class App {
 
@@ -75,17 +75,9 @@ public class App {
      * Configures the logger for use by the application.
      */
     private static void prepareLogger() {
-        //while java doc for JUL says to use preferences api - it throws an exception...
-        //Preferences.systemRoot().put("java.util.logging.config.file", "log.properties");
-        //System.getProperties().put("java.util.logging.config.file", "configuration/log.properties");
-
-        //removed the file handler. since this is a console app - just write to console.
-//        File dir = new File("logs");
-//        if (!dir.exists()) {
-//            dir.mkdir();
-//        }
+        InputStream in = null;
         try {
-            final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+            in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
             LogManager.getLogManager().reset();
             LogManager.getLogManager().readConfiguration(in);
         } catch (IOException ex) {
@@ -93,6 +85,13 @@ public class App {
             Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
         } catch (SecurityException ex) {
             Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+        } finally {
+            try {
+                in.close();
+            } catch (Exception ex) {
+                //ignore
+                in = null;
+            }
         }
     }
 
@@ -121,8 +120,8 @@ public class App {
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(),
-                    cli.getScanFiles(), cli.isAutoUpdate(), cli.isDeepScan());
+            updateSettings(cli.isAutoUpdate(), cli.isDeepScan(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort());
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
         }
@@ -137,12 +136,9 @@ public class App {
      * @param outputFormat the output format of the report
      * @param applicationName the application name for the report
      * @param files the files/directories to scan
-     * @param autoUpdate whether to auto-update the cached data from the Internet
-     * @param deepScan whether to perform a deep scan of the evidence in the project dependencies
      */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files, boolean autoUpdate, boolean deepScan) {
-        final Engine scanner = new Engine(autoUpdate);
-        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
+        final Engine scanner = new Engine();
 
         for (String file : files) {
             scanner.scan(file);
@@ -160,4 +156,26 @@ public class App {
             Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
         }
     }
+
+    /**
+     * Updates the global Settings.
+     * @param autoUpdate whether or not to update cached web data sources
+     * @param deepScan whether or not to perform a deep scan (increases false positives, but may reduce false negatives)
+     * @param connectionTimeout the timeout to use when downloading resources (null or blank will use default)
+     * @param proxyUrl the proxy url (null or blank means no proxy will be used)
+     * @param proxyPort the proxy port (null or blank means no port will be used)
+     */
+    private void updateSettings(boolean autoUpdate, boolean deepScan, String connectionTimeout, String proxyUrl, String proxyPort) {
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+    }
 }

src/main/java/org/owasp/dependencycheck/Engine.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,6 +36,8 @@ import org.owasp.dependencycheck.data.UpdateException;
 import org.owasp.dependencycheck.data.UpdateService;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Scans files, directories, etc. for Dependencies. Analyzers are loaded and
@@ -43,7 +45,7 @@ import org.owasp.dependencycheck.utils.FileUtils;
  * Analyzer is associated with the file type then the file is turned into a
  * dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Engine {
 
@@ -65,7 +67,15 @@ public class Engine {
      * Creates a new Engine.
      */
     public Engine() {
-        doUpdates();
+        boolean autoupdate = true;
+        try {
+            autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update.");
+        }
+        if (autoupdate) {
+            doUpdates();
+        }
         loadAnalyzers();
     }
 
@@ -74,7 +84,10 @@ public class Engine {
      *
      * @param autoUpdate indicates whether or not data should be updated from
      * the Internet.
+     * @deprecated this function should no longer be used; the autoupdate flag should be set using
+     * <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
      */
+    @Deprecated
     public Engine(boolean autoUpdate) {
         if (autoUpdate) {
             doUpdates();
@@ -217,7 +230,7 @@ public class Engine {
                     if (a.supportsExtension(d.getFileExtension())) {
                         try {
                             a.analyze(d, this);
-                          } catch (AnalysisException ex) {
+                        } catch (AnalysisException ex) {
                             d.addAnalysisException(ex);
                         }
                     }
@@ -232,14 +245,14 @@ public class Engine {
                 try {
                     a.close();
                 } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(Engine.class.getName()).log(Level.WARNING, null, ex);
                 }
             }
         }
     }
 
     /**
-     *
+     * Cycles through the cached web data sources and calls update on all of them.
      */
     private void doUpdates() {
         final UpdateService service = UpdateService.getInstance();
@@ -249,8 +262,11 @@ public class Engine {
             try {
                 source.update();
             } catch (UpdateException ex) {
-                Logger.getLogger(Engine.class.getName()).log(Level.SEVERE,
-                        "Unable to update " + source.getClass().getName(), ex);
+                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
+                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                Logger.getLogger(Engine.class.getName()).log(Level.INFO,
+                        String.format("Unable to update details for %s",
+                        source.getClass().getName()), ex);
             }
         }
     }

src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,7 +24,7 @@ import java.util.Set;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/analyzer/AnalysisException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An exception thrown when the analysis of a dependency fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AnalysisException extends Exception {
 

src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,36 +21,44 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An enumeration defining the phases of analysis.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public enum AnalysisPhase {
 
     /**
-     * The first phase of analysis.
+     * Initialization phase.
      */
     INITIAL,
     /**
-     * The second phase of analysis.
+     * Information collection phase.
      */
     INFORMATION_COLLECTION,
     /**
-     * The third phase of analysis.
+     * Pre identifier analysis phase.
      */
     PRE_IDENTIFIER_ANALYSIS,
     /**
-     * The fourth phase of analysis.
+     * Identifier analysis phase.
      */
     IDENTIFIER_ANALYSIS,
     /**
-     * The fifth phase of analysis.
+     * Post identifier analysis phase.
      */
     POST_IDENTIFIER_ANALYSIS,
     /**
-     * The sixth phase of analysis.
+     * Pre finding analysis phase.
+     */
+    PRE_FINDING_ANALYSIS,
+    /**
+     * Finding analysis phase.
      */
     FINDING_ANALYSIS,
     /**
-     * The seventh and final phase of analysis.
+     * Post analysis phase.
+     */
+    POST_FINDING_ANALYSIS,
+    /**
+     * The final analysis phase.
      */
     FINAL
 }

src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * An analyzer will collect information about the dependency in the form of
  * Evidence.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public interface Analyzer {
 

src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class AnalyzerService {
 

src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * <p>Note, this grouping only works on dependencies with identified CVE
  * entries</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
@@ -50,7 +50,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     /**
      * The phase that this analyzer is intended to run in.
      */
-    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -153,6 +153,32 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
     }
 
+    /**
+     * Attempts to trim a maven repo to a common base path. This is typically
+     * [drive]\[repolocation\repository\[path1]\[path2].
+     *
+     * @param path the path to trim
+     * @return a string representing the base path.
+     */
+    private String getBaseRepoPath(final String path) {
+        int pos = path.indexOf("repository" + File.separator) + 11;
+        if (pos < 0) {
+            return path;
+        }
+        int tmp = path.indexOf(File.separator, pos);
+        if (tmp <= 0) {
+            return path;
+        }
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        tmp = path.indexOf(File.separator, pos);
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        return path.substring(0, pos);
+    }
+
     /**
      * Returns true if the identifiers in the two supplied dependencies are equal.
      * @param dependency1 a dependency2 to compare
@@ -179,15 +205,22 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             return false;
         }
         final File lFile = new File(dependency1.getFilePath());
-        final String left = lFile.getParent();
+        String left = lFile.getParent();
         final File rFile = new File(dependency2.getFilePath());
-        final String right = rFile.getParent();
+        String right = rFile.getParent();
         if (left == null) {
             if (right == null) {
                 return true;
             }
             return false;
         }
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
+            left = getBaseRepoPath(left);
+            right = getBaseRepoPath(right);
+        }
         return left.equalsIgnoreCase(right);
     }
 
@@ -195,7 +228,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
      *
-     * TODO - consider spliting on /\._-\s/ and checking if all of one side is fully contained in the other
+     * TODO - consider splitting on /\._-\s/ and checking if all of one side is fully contained in the other
      *  With the exception of the word "core". This might work even on groups when we don't have a CVE.
      *
      * @param left the dependency to test

src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -1,35 +1,43 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.UnsupportedEncodingException;
+import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
+import java.util.ListIterator;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.cpe.Entry;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * This analyzer attempts to remove some well known false positives -
  * specifically regarding the java runtime.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
@@ -94,7 +102,15 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         removeJreEntries(dependency);
-        removeVersions(dependency);
+        boolean deepScan = false;
+        try {
+            deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
+        } catch (InvalidSettingException ex) {
+            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+        }
+        if (!deepScan) {
+            removeSpuriousCPE(dependency);
+        }
     }
 
     /**
@@ -102,18 +118,57 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      *
      * @param dependency the dependency being analyzed
      */
-    private void removeVersions(Dependency dependency) {
-        //todo implement this so that the following is corrected?
-        //cpe: cpe:/a:apache:axis2:1.4
-        //cpe: cpe:/a:apache:axis:1.4
-        /* the above was identified from the evidence below:
-         Source    Name            Value
-         Manifest  Bundle-Vendor   Apache Software Foundation
-         Manifest  Bundle-Version  1.4
-         file      name            axis2-kernel-1.4.1
-         pom       artifactid      axis2-kernel
-         pom       name            Apache Axis2 - Kernel
-         */
+    private void removeSpuriousCPE(Dependency dependency) {
+        final List<Identifier> ids = new ArrayList<Identifier>();
+        ids.addAll(dependency.getIdentifiers());
+        final ListIterator<Identifier> mainItr = ids.listIterator();
+        while (mainItr.hasNext()) {
+            final Identifier currentId = mainItr.next();
+            final Entry currentCpe = parseCpe(currentId.getType(), currentId.getValue());
+            if (currentCpe == null) {
+                continue;
+            }
+            final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
+            while (subItr.hasNext()) {
+                final Identifier nextId = subItr.next();
+                final Entry nextCpe = parseCpe(nextId.getType(), nextId.getValue());
+                if (nextCpe == null) {
+                    continue;
+                }
+                if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
+                    if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
+                        // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
+                        final String mainVersion = currentCpe.getVersion();
+                        final String nextVersion = nextCpe.getVersion();
+                        if (mainVersion.length() < nextVersion.length()) {
+                            if (nextVersion.startsWith(mainVersion)) {
+                                //remove mainVersion
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+                        } else {
+                            if (mainVersion.startsWith(nextVersion)) {
+                                //remove nextVersion
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                        }
+                    } else {
+                        if (currentCpe.getVersion().equals(nextCpe.getVersion())) {
+                            //same vendor and version - but different products
+                            // are we dealing with something like Axis & Axis2
+                            final String currentProd = currentCpe.getProduct();
+                            final String nextProd = nextCpe.getProduct();
+                            if (currentProd.startsWith(nextProd)) {
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                            if (nextProd.startsWith(currentProd)) {
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+
+                        }
+                    }
+                }
+            }
+        }
     }
 
     /**
@@ -123,7 +178,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      * @param dependency the dependency to remove JRE CPEs from
      */
     private void removeJreEntries(Dependency dependency) {
-        final List<Identifier> identifiers = dependency.getIdentifiers();
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
         final Iterator<Identifier> itr = identifiers.iterator();
         while (itr.hasNext()) {
             final Identifier i = itr.next();
@@ -135,4 +190,24 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
             }
         }
     }
+
+    /**
+     * Parses a CPE string into an Entry.
+     * @param type the type of identifier
+     * @param value the cpe identifier to parse
+     * @return an Entry constructed from the identifier
+     */
+    private Entry parseCpe(String type, String value) {
+        if (!"cpe".equals(type)) {
+            return null;
+        }
+        final Entry cpe = new Entry();
+        try {
+            cpe.parseName(value);
+        } catch (UnsupportedEncodingException ex) {
+            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            return null;
+        }
+        return cpe;
+    }
 }

src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.Engine;
  *
  * Takes a dependency and analyzes the filename and determines the hashes.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,7 +25,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
@@ -98,12 +98,24 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 "org.springframework.core",
                 Evidence.Confidence.HIGH);
 
-        final Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        final Evidence springTest3 = new Evidence("Manifest",
+                "Bundle-Vendor",
+                "SpringSource",
+                Evidence.Confidence.HIGH);
+
+
+        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
             dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
 
+        evidence = dependency.getVendorEvidence().getEvidence();
+        if (evidence.contains(springTest3)) {
+            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
+        }
+
     }
 }

src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.FileInputStream;
+import java.util.Enumeration;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.bind.JAXBException;
@@ -57,7 +58,7 @@ import org.owasp.dependencycheck.utils.Settings;
  * Used to load a JAR file and collect information that can be used to determine
  * the associated CPE.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
 
@@ -185,11 +186,23 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         boolean addPackagesAsEvidence = false;
+        //todo - catch should be more granular here, one for each call likely
+        //todo - think about sources/javadoc jars, should we remove or move to related dependency?
         try {
-            addPackagesAsEvidence ^= parseManifest(dependency);
-            addPackagesAsEvidence ^= analyzePOM(dependency);
-            addPackagesAsEvidence ^= Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
-            analyzePackageNames(dependency, addPackagesAsEvidence);
+            final boolean hasManifest = parseManifest(dependency);
+            final boolean hasPOM = analyzePOM(dependency);
+            final boolean deepScan = Settings.getBoolean(Settings.KEYS.PERFORM_DEEP_SCAN);
+            if ((!hasManifest && !hasPOM) || deepScan) {
+                addPackagesAsEvidence = true;
+            }
+            final boolean hasClasses = analyzePackageNames(dependency, addPackagesAsEvidence);
+            if (!hasClasses
+                    && (dependency.getFileName().toLowerCase().endsWith("-sources.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-src.jar")
+                    || dependency.getFileName().toLowerCase().endsWith("-doc.jar"))) {
+                engine.getDependencies().remove(dependency);
+            }
         } catch (IOException ex) {
             throw new AnalysisException("Exception occurred reading the JAR file.", ex);
         }
@@ -282,6 +295,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             if (artifactid != null) {
                 foundSomething = true;
                 dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.HIGH);
+                dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Evidence.Confidence.LOW);
             }
             //version
             final String version = interpolateString(pom.getVersion(), pomProperties);
@@ -301,6 +315,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             if (pomName != null) {
                 foundSomething = true;
                 dependency.getProductEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
+                dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Evidence.Confidence.HIGH);
             }
 
             //Description
@@ -343,6 +358,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
         return foundSomething;
     }
+    /**
+     * Tracks whether the jar being analyzed contains classes.
+     */
+    private boolean hasClasses = false;
 
     /**
      * Analyzes the path information of the classes contained within the
@@ -353,76 +372,27 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param dependency A reference to the dependency.
      * @param addPackagesAsEvidence a flag indicating whether or not package
      * names should be added as evidence.
+     * @return returns true or false depending on whether classes were identified in the JAR
      * @throws IOException is thrown if there is an error reading the JAR file.
      */
-    protected void analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
+    protected boolean analyzePackageNames(Dependency dependency, boolean addPackagesAsEvidence)
             throws IOException {
-
+        hasClasses = false;
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
-            final java.util.Enumeration en = jar.entries();
-
+            final Enumeration en = jar.entries();
             final HashMap<String, Integer> level0 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level1 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level2 = new HashMap<String, Integer>();
             final HashMap<String, Integer> level3 = new HashMap<String, Integer>();
-            int count = 0;
-            while (en.hasMoreElements()) {
-                final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
-                if (entry.getName().endsWith(".class") && entry.getName().contains("/")) {
-                    final String[] path = entry.getName().toLowerCase().split("/");
-
-                    if ("java".equals(path[0])
-                            || "javax".equals(path[0])
-                            || ("com".equals(path[0]) && "sun".equals(path[0]))) {
-                        continue;
-                    }
-
-                    count += 1;
-                    String temp = path[0];
-                    if (level0.containsKey(temp)) {
-                        level0.put(temp, level0.get(temp) + 1);
-                    } else {
-                        level0.put(temp, 1);
-                    }
-
-                    if (path.length > 2) {
-                        temp += "/" + path[1];
-                        if (level1.containsKey(temp)) {
-                            level1.put(temp, level1.get(temp) + 1);
-                        } else {
-                            level1.put(temp, 1);
-                        }
-                    }
-                    if (path.length > 3) {
-                        temp += "/" + path[2];
-                        if (level2.containsKey(temp)) {
-                            level2.put(temp, level2.get(temp) + 1);
-                        } else {
-                            level2.put(temp, 1);
-                        }
-                    }
-
-                    if (path.length > 4) {
-                        temp += "/" + path[3];
-                        if (level3.containsKey(temp)) {
-                            level3.put(temp, level3.get(temp) + 1);
-                        } else {
-                            level3.put(temp, 1);
-                        }
-                    }
-
-                }
-            }
+            final int count = collectPackageNameInformation(en, level0, level1, level2, level3);
 
             if (count == 0) {
-                return;
+                return hasClasses;
             }
             final EvidenceCollection vendor = dependency.getVendorEvidence();
             final EvidenceCollection product = dependency.getProductEvidence();
-
             for (String s : level0.keySet()) {
                 if (!"org".equals(s) && !"com".equals(s)) {
                     vendor.addWeighting(s);
@@ -518,6 +488,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                 jar.close();
             }
         }
+        return hasClasses;
     }
 
     /**
@@ -541,8 +512,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             final Manifest manifest = jar.getManifest();
             if (manifest == null) {
                 Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE,
-                        "Jar file '{0}' does not contain a manifest.",
-                        dependency.getFileName());
+                        String.format("Jar file '%s' does not contain a manifest.",
+                        dependency.getFileName()));
                 return false;
             }
             final Attributes atts = manifest.getMainAttributes();
@@ -726,4 +697,72 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
         return false;
     }
+
+    /**
+     * Cycles through an enumeration of JarEntries and collects level 0-3 directory
+     * structure names. This is helpful when analyzing vendor/product as many times
+     * this is included in the package name. This does not analyze core Java package
+     * names.
+     *
+     * @param en an Enumeration of JarEntries
+     * @param level0 HashMap of level 0 package names (e.g. org)
+     * @param level1 HashMap of level 1 package names (e.g. owasp)
+     * @param level2 HashMap of level 2 package names (e.g. dependencycheck)
+     * @param level3 HashMap of level 3 package names (e.g. analyzer)
+     * @return the number of entries processed that were included in the above HashMaps
+     */
+    private int collectPackageNameInformation(Enumeration en, HashMap<String, Integer> level0,
+            HashMap<String, Integer> level1, HashMap<String, Integer> level2, HashMap<String, Integer> level3) {
+        int count = 0;
+        while (en.hasMoreElements()) {
+            final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
+            if (entry.getName().endsWith(".class")) {
+                hasClasses = true;
+                String[] path = null;
+                if (entry.getName().contains("/")) {
+                    path = entry.getName().toLowerCase().split("/");
+                    if ("java".equals(path[0])
+                            || "javax".equals(path[0])
+                            || ("com".equals(path[0]) && "sun".equals(path[0]))) {
+                        continue;
+                    }
+                } else {
+                    path = new String[1];
+                    path[0] = entry.getName();
+                }
+                count += 1;
+                String temp = path[0];
+                if (level0.containsKey(temp)) {
+                    level0.put(temp, level0.get(temp) + 1);
+                } else {
+                    level0.put(temp, 1);
+                }
+                if (path.length > 2) {
+                    temp += "/" + path[1];
+                    if (level1.containsKey(temp)) {
+                        level1.put(temp, level1.get(temp) + 1);
+                    } else {
+                        level1.put(temp, 1);
+                    }
+                }
+                if (path.length > 3) {
+                    temp += "/" + path[2];
+                    if (level2.containsKey(temp)) {
+                        level2.put(temp, level2.get(temp) + 1);
+                    } else {
+                        level2.put(temp, 1);
+                    }
+                }
+                if (path.length > 4) {
+                    temp += "/" + path[3];
+                    if (level3.containsKey(temp)) {
+                        level3.put(temp, level3.get(temp) + 1);
+                    } else {
+                        level3.put(temp, 1);
+                    }
+                }
+            }
+        }
+        return count;
+    }
 }

src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import java.util.regex.Pattern;
  * Used to load a JAR file and collect information that can be used to determine
  * the associated CPE.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/analyzer/SpringCleaningAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,8 +31,10 @@ import org.owasp.dependencycheck.dependency.Identifier;
  * spring-core is in the scanned dependencies then only the spring-core will have a reference
  * to the CPE values (if there are any for the version of spring being used).
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ * @deprecated This class has been deprecated as it has been replaced by the BundlingAnalyzer
  */
+@Deprecated
 public class SpringCleaningAnalyzer extends AbstractAnalyzer implements Analyzer {
 
     /**

src/main/java/org/owasp/dependencycheck/data/CachedWebDataSource.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data;
  * Defines an Index who's data is retrieved from the Internet. This data can be
  * downloaded and the index updated.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public interface CachedWebDataSource {
 

src/main/java/org/owasp/dependencycheck/data/UpdateException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when an error occurs reading a setting.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class UpdateException extends IOException {
 

src/main/java/org/owasp/dependencycheck/data/UpdateService.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class UpdateService {
 

src/main/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -43,7 +43,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
  * to discern if there is an associated CPE. It uses the evidence contained
  * within the dependency to search the Lucene index.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CPEAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/data/cpe/Entry.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.apache.lucene.document.Document;
 /**
  * A CPE entry containing the name, vendor, product, and version.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Entry implements Serializable {
 

src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
  * Fields is a collection of field names used within the Lucene index for CPE
  * entries.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class Fields {
 

src/main/java/org/owasp/dependencycheck/data/cpe/Index.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.data.lucene.VersionAnalyzer;
 /**
  * The Index class is used to utilize and maintain the CPE Index.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Index extends AbstractIndex {
 

src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import java.util.logging.Logger;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class CweDB {
 
@@ -38,14 +38,14 @@ public final class CweDB {
         //empty
     }
     /**
-     * A hashmap of the CWE data.
+     * A HashMap of the CWE data.
      */
     private static final HashMap<String, String> CWE = loadData();
 
     /**
-     * Loads a hashmap containing the CWE data from a resource found in the jar.
+     * Loads a HashMap containing the CWE data from a resource found in the jar.
      *
-     * @return a hashmap of CWE data
+     * @return a HashMap of CWE data
      */
     private static HashMap<String, String> loadData() {
         ObjectInputStream oin = null;

src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,12 +26,12 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the CWE XML.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CweHandler extends DefaultHandler {
 
     /**
-     * a hashmap containing the CWE data.
+     * a HashMap containing the CWE data.
      */
     private HashMap<String, String> cwe = new HashMap<String, String>();
 

src/main/java/org/owasp/dependencycheck/data/lucene/AbstractIndex.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -41,7 +41,7 @@ import org.apache.lucene.util.Version;
  * The base Index for other index objects. Implements the open and close
  * methods.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class AbstractIndex {
 

src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencySimilarity extends DefaultSimilarity {
 

src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.apache.lucene.util.Version;
  * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is
  * to index the CPE fields vendor and product.</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FieldAnalyzer extends Analyzer {
 

src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.lucene;
  * <p>Lucene utils is a set of utilize written to make constructing Lucene
  * queries simpler.</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class LuceneUtils {
 

src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,7 +32,7 @@ import org.apache.lucene.util.Version;
 /**
  * A Lucene field analyzer used to analyzer queries against the CPE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class SearchFieldAnalyzer extends Analyzer {
 

src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
 /**
  * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class SearchVersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...

src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
  * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
  * Framework FrameworkCore Core".</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class TokenPairConcatenatingFilter extends TokenFilter {
 

src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import org.apache.lucene.util.Version;
 /**
  * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...

src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
  * 3.0.0.RELEASE".</p>
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class VersionTokenizingFilter extends TokenFilter {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve;
  * An exception used to indicate the db4o database is corrupt.
  * This could be due to invalid data or a complete failure of the db.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 class CorruptDatabaseException extends DatabaseException {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -42,7 +42,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The database holding information about the NVD CVE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CveDB {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
  * An exception thrown if an operation against the database fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseException extends Exception {
     /**

src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
  * attempts to discern if there is an associated CVEs. It uses the the
  * identifiers found by other analyzers to lookup the CVE data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCveAnalyzer implements Analyzer {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -54,7 +54,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseUpdater implements CachedWebDataSource {
 
@@ -165,8 +165,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
      *
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
-     * @throws ParserConfigurationException is thrown if there is a
-     * parserconfigurationexception
+     * @throws ParserConfigurationException is thrown if there is a parser configuration exception
      * @throws SAXException is thrown if there is a saxexception
      * @throws IOException is thrown if there is a ioexception
      * @throws SQLException is thrown if there is a sql exception

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/InvalidDataException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.nvdcve.xml;
  * An InvalidDataDataException is a generic exception used when trying to load
  * the nvd cve meta data.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class InvalidDataException extends Exception {
     /**

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.xml.sax.helpers.DefaultHandler;
  * specified. The previous version information is not in the 2.0 version of the
  * schema and is useful to ensure accurate identification (or at least complete).
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve12Handler extends DefaultHandler {
 

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -38,7 +38,7 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the NVD CVE XML (schema version 2.0).
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve20Handler extends DefaultHandler {
 

src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.FileUtils;
  * the form of evidence. The Evidence is then used to determine if there are any
  * known, published, vulnerabilities associated with the program dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Dependency implements Comparable<Dependency> {
 
@@ -68,7 +68,7 @@ public class Dependency implements Comparable<Dependency> {
     /**
      * A list of Identifiers.
      */
-    private List<Identifier> identifiers;
+    private Set<Identifier> identifiers;
     /**
      * A collection of vendor evidence.
      */
@@ -89,7 +89,7 @@ public class Dependency implements Comparable<Dependency> {
         vendorEvidence = new EvidenceCollection();
         productEvidence = new EvidenceCollection();
         versionEvidence = new EvidenceCollection();
-        identifiers = new ArrayList<Identifier>();
+        identifiers = new TreeSet<Identifier>();
         vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
     }
 
@@ -222,7 +222,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @return an ArrayList of Identifiers.
      */
-    public List<Identifier> getIdentifiers() {
+    public Set<Identifier> getIdentifiers() {
         return this.identifiers;
     }
 
@@ -231,7 +231,7 @@ public class Dependency implements Comparable<Dependency> {
      *
      * @param identifiers A list of Identifiers.
      */
-    public void setIdentifiers(List<Identifier> identifiers) {
+    public void setIdentifiers(Set<Identifier> identifiers) {
         this.identifiers = identifiers;
     }
 
@@ -474,7 +474,7 @@ public class Dependency implements Comparable<Dependency> {
         relatedDependencies.add(dependency);
     }
     /**
-     * Implemenation of the Comparable<Dependency> interface. The comparison
+     * Implementation of the Comparable<Dependency> interface. The comparison
      * is solely based on the file name.
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -482,4 +482,93 @@ public class Dependency implements Comparable<Dependency> {
     public int compareTo(Dependency o) {
         return this.getFileName().compareToIgnoreCase(o.getFileName());
     }
+
+    /**
+     * Implementation of the equals method.
+     * @param obj the object to compare
+     * @return true if the objects are equal, otherwise false
+     */
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final Dependency other = (Dependency) obj;
+        if ((this.actualFilePath == null) ? (other.actualFilePath != null) : !this.actualFilePath.equals(other.actualFilePath)) {
+            return false;
+        }
+        if ((this.filePath == null) ? (other.filePath != null) : !this.filePath.equals(other.filePath)) {
+            return false;
+        }
+        if ((this.fileName == null) ? (other.fileName != null) : !this.fileName.equals(other.fileName)) {
+            return false;
+        }
+        if ((this.fileExtension == null) ? (other.fileExtension != null) : !this.fileExtension.equals(other.fileExtension)) {
+            return false;
+        }
+        if ((this.md5sum == null) ? (other.md5sum != null) : !this.md5sum.equals(other.md5sum)) {
+            return false;
+        }
+        if ((this.sha1sum == null) ? (other.sha1sum != null) : !this.sha1sum.equals(other.sha1sum)) {
+            return false;
+        }
+        if (this.identifiers != other.identifiers && (this.identifiers == null || !this.identifiers.equals(other.identifiers))) {
+            return false;
+        }
+        if (this.vendorEvidence != other.vendorEvidence && (this.vendorEvidence == null || !this.vendorEvidence.equals(other.vendorEvidence))) {
+            return false;
+        }
+        if (this.productEvidence != other.productEvidence && (this.productEvidence == null || !this.productEvidence.equals(other.productEvidence))) {
+            return false;
+        }
+        if (this.versionEvidence != other.versionEvidence && (this.versionEvidence == null || !this.versionEvidence.equals(other.versionEvidence))) {
+            return false;
+        }
+        if (this.analysisExceptions != other.analysisExceptions
+                && (this.analysisExceptions == null || !this.analysisExceptions.equals(other.analysisExceptions))) {
+            return false;
+        }
+        if ((this.description == null) ? (other.description != null) : !this.description.equals(other.description)) {
+            return false;
+        }
+        if ((this.license == null) ? (other.license != null) : !this.license.equals(other.license)) {
+            return false;
+        }
+        if (this.vulnerabilities != other.vulnerabilities && (this.vulnerabilities == null || !this.vulnerabilities.equals(other.vulnerabilities))) {
+            return false;
+        }
+        if (this.relatedDependencies != other.relatedDependencies
+                && (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Generates the HashCode.
+     * @return the HashCode
+     */
+    @Override
+    public int hashCode() {
+        int hash = 3;
+        hash = 47 * hash + (this.actualFilePath != null ? this.actualFilePath.hashCode() : 0);
+        hash = 47 * hash + (this.filePath != null ? this.filePath.hashCode() : 0);
+        hash = 47 * hash + (this.fileName != null ? this.fileName.hashCode() : 0);
+        hash = 47 * hash + (this.fileExtension != null ? this.fileExtension.hashCode() : 0);
+        hash = 47 * hash + (this.md5sum != null ? this.md5sum.hashCode() : 0);
+        hash = 47 * hash + (this.sha1sum != null ? this.sha1sum.hashCode() : 0);
+        hash = 47 * hash + (this.identifiers != null ? this.identifiers.hashCode() : 0);
+        hash = 47 * hash + (this.vendorEvidence != null ? this.vendorEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.productEvidence != null ? this.productEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.versionEvidence != null ? this.versionEvidence.hashCode() : 0);
+        hash = 47 * hash + (this.analysisExceptions != null ? this.analysisExceptions.hashCode() : 0);
+        hash = 47 * hash + (this.description != null ? this.description.hashCode() : 0);
+        hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
+        hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
+        hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
+        return hash;
+    }
 }

src/main/java/org/owasp/dependencycheck/dependency/Evidence.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.dependency;
 /**
  * Evidence is a piece of information about a Dependency.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Evidence implements Comparable<Evidence> {
 

src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.utils.Filter;
 /**
  * Used to maintain a collection of Evidence.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EvidenceCollection implements Iterable<Evidence> {
 
@@ -96,7 +96,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
      */
     private Set<Evidence> list;
     /**
-     * A collection of strings used to adjust lucene's term weighting.
+     * A collection of strings used to adjust Lucene's term weighting.
      */
     private Set<String> weightedStrings;
 

src/main/java/org/owasp/dependencycheck/dependency/Identifier.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.dependency;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Identifier implements Comparable<Identifier> {
 
@@ -31,7 +31,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param value the identifier value.
      * @param url the identifier url.
      */
-    Identifier(String type, String value, String url) {
+    public Identifier(String type, String value, String url) {
         this.type = type;
         this.value = value;
         this.url = url;
@@ -45,7 +45,7 @@ public class Identifier implements Comparable<Identifier> {
      * @param url the identifier url.
      * @param description the description of the identifier.
      */
-    Identifier(String type, String value, String url, String description) {
+    public Identifier(String type, String value, String url, String description) {
         this(type, value, url);
         this.description = description;
     }

src/main/java/org/owasp/dependencycheck/dependency/Reference.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,7 +24,7 @@ import java.io.Serializable;
  * An external reference for a vulnerability. This contains a name, URL, and a
  * source.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Reference implements Serializable, Comparable<Reference> {
 

src/main/java/org/owasp/dependencycheck/dependency/Vulnerability.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +26,7 @@ import java.util.TreeSet;
 /**
  * Contains the information about a vulnerability.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class Vulnerability implements Serializable, Comparable<Vulnerability> {
 

src/main/java/org/owasp/dependencycheck/dependency/VulnerabilityComparator.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.Comparator;
 
 /**
  * Comparator for Vulnerability objects.
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerabilityComparator implements Comparator<Vulnerability>, Serializable {
     /**

src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.owasp.dependencycheck.data.cpe.Entry;
  * A record containing information about vulnerable software. This
  * is referenced from a vulnerability.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerableSoftware extends Entry implements Serializable, Comparable<VulnerableSoftware> {
 

src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -44,10 +44,28 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * the generator uses the Velocity Templating Engine. The ReportGenerator exposes
  * a list of Dependencies to the template when generating the report.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ReportGenerator {
 
+    /**
+     * An enumeration of the report formats.
+     */
+    public enum Format {
+
+        /**
+         * Generate all reports.
+         */
+        ALL,
+        /**
+         * Generate XML report.
+         */
+        XML,
+        /**
+         * Generate HTML report.
+         */
+        HTML
+    }
     /**
      * The Velocity Engine.
      */
@@ -105,18 +123,39 @@ public class ReportGenerator {
     /**
      * Generates the Dependency Reports for the identified dependencies.
      *
-     * @param outputDir the path where the reports should be written.
-     * @param outputFormat the format the report should be written in.
-     * @throws IOException is thrown when the template file does not exist.
+     * @param outputDir the path where the reports should be written
+     * @param format the format the report should be written in
+     * @throws IOException is thrown when the template file does not exist
+     * @throws Exception is thrown if there is an error writing out the
+     * reports.
+     */
+    public void generateReports(String outputDir, Format format) throws IOException, Exception {
+        if (format == Format.XML || format == Format.ALL) {
+            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+        }
+        if (format == Format.HTML || format == Format.ALL) {
+            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+        }
+    }
+
+    /**
+     * Generates the Dependency Reports for the identified dependencies.
+     *
+     * @param outputDir the path where the reports should be written
+     * @param outputFormat the format the report should be written in (XML, HTML, ALL)
+     * @throws IOException is thrown when the template file does not exist
      * @throws Exception is thrown if there is an error writing out the
      * reports.
      */
     public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
-        if ("XML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
-            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+        if ("XML".equalsIgnoreCase(outputFormat)) {
+            generateReports(outputDir, Format.XML);
         }
-        if ("HTML".equalsIgnoreCase(outputFormat) || "ALL".equalsIgnoreCase(outputFormat)) {
-            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+        if ("HTML".equalsIgnoreCase(outputFormat)) {
+            generateReports(outputDir, Format.HTML);
+        }
+        if ("ALL".equalsIgnoreCase(outputFormat)) {
+            generateReports(outputDir, Format.ALL);
         }
     }
 
@@ -130,7 +169,7 @@ public class ReportGenerator {
      * @throws IOException is thrown when the template file does not exist.
      * @throws Exception is thrown when an exception occurs.
      */
-    public void generateReport(String templateName, String outFileName) throws IOException, Exception {
+    protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
         InputStream input = null;
         String templatePath = null;
         final File f = new File(templateName);
@@ -154,6 +193,11 @@ public class ReportGenerator {
         OutputStream outputStream = null;
 
         try {
+            File foutDir = new File(outFileName).getParentFile();
+            if (!foutDir.exists()) {
+                foutDir.mkdirs();
+            }
+
             outputStream = new FileOutputStream(outFileName);
             writer = new OutputStreamWriter(outputStream, "UTF-8");
             //writer = new BufferedWriter(oswriter);

src/main/java/org/owasp/dependencycheck/utils/CliParser.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -33,7 +33,7 @@ import org.apache.commons.cli.PosixParser;
 /**
  * A utility to parse command line arguments for the DependencyCheck.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class CliParser {
 
@@ -160,9 +160,6 @@ public final class CliParser {
         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
                 "print this message.");
 
-        final Option advancedHelp = new Option(ArgumentName.ADVANCED_HELP_SHORT, ArgumentName.ADVANCED_HELP, false,
-                "shows additional help regarding properties file.");
-
         final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
                 "extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
 
@@ -176,6 +173,18 @@ public final class CliParser {
                 .withDescription("the name of the application being scanned.")
                 .create(ArgumentName.APPNAME_SHORT);
 
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+                .withDescription("the connection timeout (in milliseconds) to use when downloading resources.")
+                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+
+        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
+                .withDescription("the proxy url to use when downloading resources.")
+                .create(ArgumentName.PROXY_URL_SHORT);
+
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+                .withDescription("the proxy port to use when downloading resources.")
+                .create(ArgumentName.PROXY_PORT_SHORT);
+
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
                 .withDescription("the path to scan - this option can be specified multiple times.")
                 .create(ArgumentName.SCAN_SHORT);
@@ -192,8 +201,6 @@ public final class CliParser {
                 .withDescription("the output format to write to (XML, HTML, ALL).")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
-        //TODO add the ability to load a properties file to override the defaults...
-
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
 
@@ -207,7 +214,9 @@ public final class CliParser {
         opts.addOption(noupdate);
         opts.addOption(deepScan);
         opts.addOption(props);
-        opts.addOption(advancedHelp);
+        opts.addOption(proxyPort);
+        opts.addOption(proxyUrl);
+        opts.addOption(connectionTimeout);
 
         return opts;
     }
@@ -245,16 +254,6 @@ public final class CliParser {
     public void printHelp() {
         final HelpFormatter formatter = new HelpFormatter();
         final String nl = System.getProperty("line.separator");
-        String advancedHelp = null;
-        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
-            advancedHelp = nl + nl
-                    + "Additionally, the following properties are supported and can be specified either"
-                    + "using the -p <file> argument or by passing them in as system properties." + nl
-                    + nl + " " + Settings.KEYS.PROXY_URL + "\t\t    the proxy URL to use when downloading resources."
-                    + nl + " " + Settings.KEYS.PROXY_PORT + "\t\t    the proxy port to use when downloading resources."
-                    + nl + " " + Settings.KEYS.CONNECTION_TIMEOUT + "\t    the connection timeout (in milliseconds) to use"
-                    + nl + "\t\t\t    when downloading resources.";
-        }
 
         formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
                 nl + Settings.getString("application.name", "DependencyCheck")
@@ -264,9 +263,6 @@ public final class CliParser {
                 options,
                 "",
                 true);
-        if (advancedHelp != null) {
-            System.out.println(advancedHelp);
-        }
     }
 
     /**
@@ -308,6 +304,30 @@ public final class CliParser {
         return line.getOptionValue(ArgumentName.APPNAME);
     }
 
+    /**
+     * Returns the connection timeout.
+     * @return the connection timeout
+     */
+    public String getConnectionTimeout() {
+        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+    }
+
+    /**
+     * Returns the proxy url.
+     * @return the proxy url
+     */
+    public String getProxyUrl() {
+        return line.getOptionValue(ArgumentName.PROXY_URL);
+    }
+
+    /**
+     * Returns the proxy port.
+     * @return the proxy port
+     */
+    public String getProxyPort() {
+        return line.getOptionValue(ArgumentName.PROXY_PORT);
+    }
+
     /**
      * <p>Prints the manifest information to standard output.</p>
      * <ul><li>Implementation-Title: ${pom.name}</li>
@@ -408,13 +428,29 @@ public final class CliParser {
          */
         public static final String VERSION = "version";
         /**
-         * The CLI argument name asking for advanced help.
+         * The short CLI argument name indicating the proxy port.
          */
-        public static final String ADVANCED_HELP_SHORT = "ah";
+        public static final String PROXY_PORT_SHORT = "p";
         /**
-         * The short CLI argument name asking for advanced help.
+         * The CLI argument name indicating the proxy port.
          */
-        public static final String ADVANCED_HELP = "advancedhelp";
+        public static final String PROXY_PORT = "proxyport";
+        /**
+         * The short CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL_SHORT = "u";
+        /**
+         * The CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL = "proxyurl";
+        /**
+         * The short CLI argument name indicating the proxy url.
+         */
+        public static final String CONNECTION_TIMEOUT_SHORT = "c";
+        /**
+         * The CLI argument name indicating the proxy url.
+         */
+        public static final String CONNECTION_TIMEOUT = "connectiontimeout";
         /**
          * The short CLI argument name indicating a deep scan of the dependencies
          * should be performed.

src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -0,0 +1,114 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.apache.commons.lang.StringUtils;
+
+/**
+ * <p>Simple object to track the parts of a version number. The parts are
+ * contained in a List such that version 1.2.3 will be stored as:
+ * <code>versionParts[0] = 1;
+ * versionParts[1] = 2;
+ * versionParts[2] = 3;
+ * </code></p>
+ * <p>Note, the parser contained in this class expects the version numbers to be
+ * separated by periods. If a different seperator is used the parser will likely
+ * fail.</p>
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class DependencyVersion implements Iterable {
+
+    /**
+     * Constructor for a empty DependencyVersion.
+     */
+    public DependencyVersion() {
+        versionParts = new ArrayList<String>();
+    }
+
+    /**
+     * Constructor for a DependencyVersion that will parse a version string.
+     * @param version the version number to parse
+     */
+    public DependencyVersion(String version) {
+        parseVersion(version);
+    }
+
+    /**
+     * Parses a version string into its sub parts: major, minor, revision, build, etc.
+     * @param version the version string to parse
+     */
+    public final void parseVersion(String version) {
+        versionParts = new ArrayList<String>();
+        if (version != null) {
+            final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+)");
+            final Matcher matcher = rx.matcher(version.toLowerCase());
+            while (matcher.find()) {
+                versionParts.add(matcher.group());
+            }
+            if (versionParts.isEmpty()) {
+                versionParts.add(version);
+            }
+        }
+    }
+    /**
+     * A list of the version parts.
+     */
+    private List<String> versionParts;
+
+    /**
+     * Get the value of versionParts.
+     *
+     * @return the value of versionParts
+     */
+    public List<String> getVersionParts() {
+        return versionParts;
+    }
+
+    /**
+     * Set the value of versionParts.
+     *
+     * @param versionParts new value of versionParts
+     */
+    public void setVersionParts(List<String> versionParts) {
+        this.versionParts = versionParts;
+    }
+
+    /**
+     * Retrieves an iterator for the version parts.
+     *
+     * @return an iterator for the version parts
+     */
+    public Iterator iterator() {
+        return versionParts.iterator();
+    }
+
+    /**
+     * Reconstructs the version string from the split version parts.
+     * @return a string representing the version.
+     */
+    @Override
+    public String toString() {
+        return StringUtils.join(versionParts.toArray(), ".");
+    }
+}

src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+/**
+ * <p>A utility class to extract version numbers from file names (or other strings
+ * containing version numbers.</p>
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public final class DependencyVersionUtil {
+    /**
+     * Regular expression to extract version numbers from file names.
+     */
+    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d+)+(\\.?[a-zA-Z_-]{1,3}\\d+)?");
+
+    /**
+     * Private constructor for utility class.
+     */
+    private DependencyVersionUtil() {
+    }
+
+    /**
+     * <p>A utility class to extract version numbers from file names (or other strings
+     * containing version numbers.<br/>
+     * Example:<br/>
+     * Give the file name: library-name-1.4.1r2-release.jar<br/>
+     * This function would return: 1.4.1.r2</p>
+     *
+     * @param filename the filename being analyzed
+     * @return a DependencyVersion containing the version
+     */
+    public static DependencyVersion parseVersionFromFileName(String filename) {
+        if (filename == null) {
+            return null;
+        }
+        String version = null;
+        final Matcher matcher = RX_VERSION.matcher(filename);
+        if (matcher.find()) {
+            version = matcher.group();
+        }
+        //throw away the results if there are two things that look like version numbers
+        if (matcher.find()) {
+            return null;
+        }
+        if (version == null) {
+            return null;
+        }
+        return new DependencyVersion(version);
+    }
+}

src/main/java/org/owasp/dependencycheck/utils/DownloadFailedException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when a download fails.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DownloadFailedException extends IOException {
 

src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,7 +36,7 @@ import java.util.zip.InflaterInputStream;
 /**
  * A utility to download files from the Internet.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class Downloader {
 

src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,7 +25,7 @@ import java.io.IOException;
 /**
  * A collection of utilities for processing information about files.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class FileUtils {
 

src/main/java/org/owasp/dependencycheck/utils/InvalidSettingException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.io.IOException;
 /**
  * An exception used when an error occurs reading a setting.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class InvalidSettingException extends IOException {
 

src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +26,7 @@ import java.io.InputStream;
  * processes the stream from closing it. This is necessary when dealing with
  * things like JAXB and zipInputStreams.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NonClosingStream extends FilterInputStream {
 

src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import java.util.logging.Logger;
 /**
  * A simple settings container that wraps the dependencycheck.properties file.
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public final class Settings {
 
@@ -37,7 +37,6 @@ public final class Settings {
      * The collection of keys used within the properties file.
      */
     public static final class KEYS {
-
         /**
          * private constructor because this is a "utility" class containing constants
          */
@@ -45,6 +44,12 @@ public final class Settings {
             //do nothing
         }
 
+        /**
+         * The properties key indicating whether or not the cached data sources
+         * should be updated.
+         */
+        public static final String AUTO_UPDATE = "autoupdate";
+
         /**
          * The properties key for the path where the CPE Lucene Index will be
          * stored.
@@ -145,7 +150,7 @@ public final class Settings {
         try {
             props.load(in);
         } catch (IOException ex) {
-            Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(Settings.class.getName()).log(Level.SEVERE, "Unable to load default settings.", ex);
         }
     }
 

src/main/resources/configuration/dependencycheck.properties

@@ -1,5 +1,6 @@
 application.name=${pom.name}
 application.version=${pom.version}
+autoupdate=true
 
 # the path to the lucene index to store the cpe data
 cpe=data/cpe
@@ -8,7 +9,6 @@ cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-diction
 # the path to the cpe meta data file.
 cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
 
-
 # the path to the lucene index to store the nvd cve data
 cve=data/cve
 # the path to the nvd cve "meta" page where the timestamps for the last update files can be found.

src/main/resources/templates/HtmlReport.vsl

@@ -1,22 +1,22 @@
 #**
-This file is part of DependencyCheck.
+This file is part of Dependency-Check.
 
-DependencyCheck is free software: you can redistribute it and/or modify
+Dependency-Check is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
-@author Jeremy Long (jeremy.long@gmail.com)
+@author Jeremy Long (jeremy.long@owasp.org)
 @version 1
 *#
 
@@ -25,7 +25,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 <!DOCTYPE html>
 <html>
     <head>
-        <title></title>
+        <title>Dependency-Check Report</title>
         <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
         <link rel="shortcut icon" href="data:;base64,iVBORw0KGgoAAAANSUhEUgAAABAAAAAQCAYAAAAf8/9hAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsMAAA7DAcdvqGQAAAAadEVYdFNvZnR3YXJlAFBhaW50Lk5FVCB2My41LjEwMPRyoQAAANVJREFUOE9jYKAi+A80Cxn/APLnA7EQsXaANB9BUiwJZD8C4ktAzEKMIegGgPRYQl0VTq4BfFADJpBlgIHjfxNV45P/gTQMnwOyPXAZhuIFoEJHkEZB8ej/DIysR4FsDiAugRqG1UtwA4CKWID4hZ7997VQL0wlyQtAzaYgm5QN9rSTFYhAzeEgA/hFAs5Bo5LoaAQnJAGxcHCgCYpHbSclIcG9CdRsBw2sFGL8jqEGFohAegVZBoA0waIRSEdDDUSOxgSiDAYlJCAGJR6iEhJRhqIrAgDHLHfYX71qMgAAAABJRU5ErkJggg==" />
         <script type="text/javascript">
@@ -314,7 +314,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         #end
                         <p>
                         #if ($dependency.license)
+                            #if ($dependency.license.startsWith("http://"))
+                            <b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
+                            #else
                             <b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
+                            #end
                         #end
                             <b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
                             <b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
@@ -368,7 +372,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                             #foreach($related in $dependency.getRelatedDependencies())
                                 <li>$esc.html($related.FileName)
                                     <ul>
-                                        <li>File Path:&nbsp;$esc.html($dependency.FilePath)</li>
+                                        <li>File Path:&nbsp;$esc.html($related.FilePath)</li>
                                         <li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
                                         <li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
                                      </ul>
@@ -394,7 +398,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                             #foreach($id in $dependency.getIdentifiers())
                                 ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
                                 <li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
-                                #if( $id.descrription )
+                                #if( $id.description )
                                     <br/>$esc.html($id.description)
                                 #end
                                 </li>

src/main/resources/templates/XmlReport.vsl

@@ -1,22 +1,22 @@
 #**
-This file is part of DependencyCheck.
+This file is part of Dependency-Check.
 
-DependencyCheck is free software: you can redistribute it and/or modify
+Dependency-Check is free software: you can redistribute it and/or modify
 it under the terms of the GNU General Public License as published by
 the Free Software Foundation, either version 3 of the License, or
 (at your option) any later version.
 
-DependencyCheck is distributed in the hope that it will be useful,
+Dependency-Check is distributed in the hope that it will be useful,
 but WITHOUT ANY WARRANTY; without even the implied warranty of
 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 GNU General Public License for more details.
 
 You should have received a copy of the GNU General Public License
-along with DependencyCheck. If not, see http://www.gnu.org/licenses/.
+along with Dependency-Check. If not, see http://www.gnu.org/licenses/.
 
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
-@author Jeremy Long (jeremy.long@gmail.com)
+@author Jeremy Long (jeremy.long@owasp.org)
 @version 1
 *#<?xml version="1.0"?>
 <analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check">

src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EngineIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,7 +29,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AbstractAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class AnalyzerServiceTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FileNameAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class JarAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/BaseIndexTestCase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class BaseIndexTestCase {
 

src/test/java/org/owasp/dependencycheck/data/cpe/CPEAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,10 +31,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.analyzer.JarAnalyzer;
 import org.junit.Assert;
 import org.junit.Test;
+import org.owasp.dependencycheck.dependency.Identifier;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CPEAnalyzerTest extends BaseIndexTestCase {
 
@@ -110,6 +111,7 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
         String expResult = "cpe:/a:apache:struts:2.1.2";
+        Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
         String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
         String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";
         instance.determineCPE(depends);
@@ -117,7 +119,9 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
         instance.determineCPE(spring3);
         instance.close();
         Assert.assertTrue("Incorrect match size - struts", depends.getIdentifiers().size() >= 1);
-        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().get(0).getValue().equals(expResult));
+
+
+        Assert.assertTrue("Incorrect match - struts", depends.getIdentifiers().contains(expIdentifier));
         //the following two only work if the HintAnalyzer is used.
         //Assert.assertTrue("Incorrect match size - spring", spring.getIdentifiers().size() == 1);
         //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));

src/test/java/org/owasp/dependencycheck/data/cpe/EntryTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import org.junit.Assert;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class EntryTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/IndexIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class IndexIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/data/cpe/IndexTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,7 +32,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class IndexTest {
 

src/test/java/org/owasp/dependencycheck/data/cwe/CweDBTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CweDBTest {
 
@@ -54,7 +54,7 @@ public class CweDBTest {
     /**
      * Method to serialize the CWE HashMap. This is not used in
      * production; this is only used once during dev to create
-     * the serialized hashmap.
+     * the serialized HashMap.
      */
 //    @Test
 //    public void testUpdate() throws Exception {

src/test/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -49,7 +49,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FieldAnalyzerTest {
 

src/test/java/org/owasp/dependencycheck/data/lucene/LuceneUtilsTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,7 +28,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class LuceneUtilsTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -33,7 +33,7 @@ import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public abstract class BaseDBTestCase extends TestCase {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdaterIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DatabaseUpdaterIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve_1_2_HandlerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve_1_2_HandlerTest {
 

src/test/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve_2_0_HandlerTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class NvdCve_2_0_HandlerTest {
 

src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -1,5 +1,24 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
 package org.owasp.dependencycheck.dependency;
 
+import java.util.Set;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -15,7 +34,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DependencyTest {
 
@@ -208,7 +227,7 @@ public class DependencyTest {
     public void testGetIdentifiers() {
         Dependency instance = new Dependency();
         List expResult = null;
-        List result = instance.getIdentifiers();
+        Set<Identifier> result = instance.getIdentifiers();
 
         assertTrue(true); //this is just a getter setter pair.
     }
@@ -218,7 +237,7 @@ public class DependencyTest {
      */
     @Test
     public void testSetIdentifiers() {
-        List<Identifier> identifiers = null;
+        Set<Identifier> identifiers = null;
         Dependency instance = new Dependency();
         instance.setIdentifiers(identifiers);
         assertTrue(true); //this is just a getter setter pair.
@@ -232,13 +251,12 @@ public class DependencyTest {
         String type = "cpe";
         String value = "cpe:/a:apache:struts:2.1.2";
         String url = "http://somewhere";
+        Identifier expResult = new Identifier(type,value,url);
+
         Dependency instance = new Dependency();
         instance.addIdentifier(type, value, url);
         assertEquals(1,instance.getIdentifiers().size());
-        Identifier i = instance.getIdentifiers().get(0);
-        assertEquals(type,i.getType());
-        assertEquals(value, i.getValue());
-        assertEquals(url, i.getUrl());
+        assertTrue("Identifier doesn't contain expected result.", instance.getIdentifiers().contains(expResult));
     }
 
     /**

src/test/java/org/owasp/dependencycheck/dependency/VulnerableSoftwareTest.java

@@ -1,6 +1,20 @@
 /*
- * To change this template, choose Tools | Templates
- * and open the template in the editor.
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.dependency;
 
@@ -13,7 +27,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class VulnerableSoftwareTest {
 

src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ReportGeneratorTest {
 

src/test/java/org/owasp/dependencycheck/utils/ChecksumTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,7 +31,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class ChecksumTest {
 

src/test/java/org/owasp/dependencycheck/utils/CliParserTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,7 +34,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class CliParserTest {
 

src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java

@@ -0,0 +1,80 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class DependencyVersionUtilTest {
+
+    public DependencyVersionUtilTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of parseVersionFromFileName method, of class DependencyVersionUtil.
+     */
+    @Test
+    public void testParseVersionFromFileName() {
+        final String[] fileName = {"something-0.9.5.jar", "lib2-1.1.jar", "lib1.5r4-someflag-R26.jar",
+            "lib-1.2.5-dev-20050313.jar", "testlib_V4.4.0.jar", "lib-core-2.0.0-RC1-SNAPSHOT.jar",
+            "lib-jsp-2.0.1_R114940.jar", "dev-api-2.3.11_R121413.jar", "lib-api-3.7-SNAPSHOT.jar"};
+        final String[] expResult = {"0.9.5", "1.1", "1.5.r4", "1.2.5", "4.4.0", "2.0.0.rc1",
+            "2.0.1.r114940", "2.3.11.r121413", "3.7"};
+
+        for (int i = 0; i < fileName.length; i++) {
+            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(fileName[i]);
+            String result = null;
+            if (version != null) {
+                result = version.toString();
+            }
+            assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
+        }
+
+        String[] failingNames = { "no-version-identified.jar", "somelib-04aug2000r7-dev.jar", "no.version15.jar",
+            "lib_1.0_spec-1.1.jar", "lib-api_1.0_spec-1.0.1.jar" };
+        for (int i = 0; i < failingNames.length; i++) {
+            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(failingNames[i]);
+            assertNull("Found version in name that should have failed \"" + failingNames[i] + "\".", version);
+        }
+    }
+}

src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class DownloaderIntegrationTest {
 

src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java

@@ -0,0 +1,81 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.File;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+
+/**
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class FileUtilsTest {
+
+    public FileUtilsTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of getFileExtension method, of class FileUtils.
+     */
+    @Test
+    public void testGetFileExtension() {
+        String[] fileName = { "something-0.9.5.jar", "lib2-1.1.js" };
+        String[] expResult = { "jar", "js" };
+
+        for (int i = 0; i < fileName.length; i++) {
+            String result = FileUtils.getFileExtension(fileName[i]);
+            assertEquals("Failed extraction on \"" + fileName[i] + "\".", expResult[i], result);
+        }
+    }
+
+    /**
+     * Test of delete method, of class FileUtils.
+     */
+    @Test
+    public void testDelete() throws Exception {
+
+        File file = File.createTempFile("tmp", "deleteme");
+        if (!file.exists()) {
+            fail("Unable to create a temporary file.");
+        }
+        FileUtils.delete(file);
+        assertFalse("Temporary file exists after attempting deletion", file.exists());
+    }
+}

src/test/java/org/owasp/dependencycheck/utils/FilterTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,7 +30,7 @@ import static org.junit.Assert.*;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class FilterTest {
 

src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of DependencyCheck.
+ * This file is part of Dependency-Check.
  *
- * DependencyCheck is free software: you can redistribute it and/or modify it
+ * Dependency-Check is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * DependencyCheck is distributed in the hope that it will be useful, but
+ * Dependency-Check is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * DependencyCheck. If not, see http://www.gnu.org/licenses/.
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,7 +32,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@gmail.com)
+ * @author Jeremy Long (jeremy.long@owasp.org)
  */
 public class SettingsTest {