0.3.2.0

Former-commit-id: 8431f1312204c78a829f269954161d7187245493

pom.xml

@@ -22,7 +22,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check</artifactId>
-    <version>0.3.1.1</version>
+    <version>0.3.2.0</version>
     <packaging>jar</packaging>
 
     <name>DependencyCheck</name>
@@ -37,13 +37,22 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
         <developer>
             <name>Jeremy Long</name>
             <email>jeremy.long@owasp.org</email>
-            <organization>owasp</organization>
+            <organization>OWASP</organization>
             <organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
             <roles>
                 <role>architect</role>
                 <role>developer</role>
             </roles>
         </developer>
+        <developer>
+            <name>Steve Springett</name>
+            <email>Steve.Springett@owasp.org</email>
+            <organization>OWASP</organization>
+            <organizationUrl>https://www.owasp.org/index.php/OWASP_Dependency_Check</organizationUrl>
+            <roles>
+                <role>contributor</role>
+            </roles>
+        </developer>
     </developers>
     <scm>
         <connection>scm:git:git@github.com:jeremylong/DependencyCheck.git</connection>
@@ -147,7 +156,6 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
                     </excludes>
                 </configuration>
             </plugin>
-
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
@@ -397,8 +405,13 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
             </plugin>
         </plugins>
     </build>
-
     <dependencies>
+        <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>annotations</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope><!-- don't include this in the libs-->
+        </dependency>
         <dependency>
             <groupId>commons-cli</groupId>
             <artifactId>commons-cli</artifactId>
@@ -410,10 +423,9 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
             <version>2.4</version>
         </dependency>
         <dependency>
-            <!-- Using the same as Lucene-->
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
-            <version>2.4</version>
+            <version>2.5</version>
         </dependency>
         <dependency>
             <groupId>junit</groupId>
@@ -425,18 +437,17 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-core</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
-            <!--<version>3.5.0</version>-->
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-analyzers-common</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-queryparser</artifactId>
-            <version>4.0.0</version>
+            <version>4.3.0</version>
         </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
@@ -490,7 +501,7 @@ along with DependencyCheck.  If not, see <http://www.gnu.org/licenses />.
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>1.3.171</version>
+            <version>1.3.172</version>
         </dependency>
 
         <!-- The following dependencies are only scanned during integration testing -->

src/main/config/checkstyle-header.txt

@@ -14,6 +14,6 @@
 ^ \* You should have received a copy of the GNU General Public License along with\s*$
 ^ \* Dependency-Check\. If not, see http://www.gnu.org/licenses/\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[23] Jeremy Long\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[23] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package

src/main/java/org/owasp/dependencycheck/Engine.java

@@ -52,28 +52,28 @@ public class Engine {
     /**
      * The list of dependencies.
      */
-    private List<Dependency> dependencies = new ArrayList<Dependency>();
+    private final List<Dependency> dependencies = new ArrayList<Dependency>();
     /**
      * A Map of analyzers grouped by Analysis phase.
      */
-    private EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
+    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers =
             new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
     /**
      * A set of extensions supported by the analyzers.
      */
-    private Set<String> extensions = new HashSet<String>();
+    private final Set<String> extensions = new HashSet<String>();
 
     /**
      * Creates a new Engine.
      */
     public Engine() {
-        boolean autoupdate = true;
+        boolean autoUpdate = true;
         try {
-            autoupdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
         } catch (InvalidSettingException ex) {
             Logger.getLogger(Engine.class.getName()).log(Level.WARNING, "Invalid setting for auto-update.");
         }
-        if (autoupdate) {
+        if (autoUpdate) {
             doUpdates();
         }
         loadAnalyzers();
@@ -161,11 +161,13 @@ public class Engine {
      */
     protected void scanDirectory(File dir) {
         final File[] files = dir.listFiles();
-        for (File f : files) {
+        if (files != null) {
-            if (f.isDirectory()) {
+            for (File f : files) {
-                scanDirectory(f);
+                if (f.isDirectory()) {
-            } else {
+                    scanDirectory(f);
-                scanFile(f);
+                } else {
+                    scanFile(f);
+                }
             }
         }
     }

src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -155,7 +155,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 
     /**
      * Attempts to trim a maven repo to a common base path. This is typically
-     * [drive]\[repolocation\repository\[path1]\[path2].
+     * [drive]\[repo_location]\repository\[path1]\[path2].
      *
      * @param path the path to trim
      * @return a string representing the base path.

src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -219,6 +219,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
      * pom.
      * @return whether or not evidence was added to the dependency
      */
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    value = "OS_OPEN_STREAM",
+    justification = "The reader on line 259 is closed by closing the zipEntry")
     protected boolean analyzePOM(Dependency dependency) throws IOException, AnalysisException {
         boolean foundSomething = false;
         Properties pomProperties = null;
@@ -718,7 +721,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
             final java.util.jar.JarEntry entry = (java.util.jar.JarEntry) en.nextElement();
             if (entry.getName().endsWith(".class")) {
                 hasClasses = true;
-                String[] path = null;
+                String[] path;
                 if (entry.getName().contains("/")) {
                     path = entry.getName().toLowerCase().split("/");
                     if ("java".equals(path[0])

src/main/java/org/owasp/dependencycheck/data/cpe/Entry.java

@@ -228,10 +228,7 @@ public class Entry implements Serializable {
             return false;
         }
         final Entry other = (Entry) obj;
-        if ((this.name == null) ? (other.name != null) : !this.name.equals(other.name)) {
+        return !((this.name == null) ? (other.name != null) : !this.name.equals(other.name));
-            return false;
-        }
-        return true;
     }
 
     @Override

src/main/java/org/owasp/dependencycheck/data/cpe/Index.java

@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.data.cpe;
 
 import java.io.File;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.HashMap;
 import java.util.Map;
 import org.apache.lucene.analysis.Analyzer;
@@ -37,6 +36,7 @@ import org.apache.lucene.store.Directory;
 import org.apache.lucene.store.FSDirectory;
 import org.apache.lucene.util.Version;
 import org.owasp.dependencycheck.data.lucene.AbstractIndex;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
 import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
@@ -58,8 +58,7 @@ public class Index extends AbstractIndex {
      */
     public Directory getDirectory() throws IOException {
         final File path = getDataDirectory();
-        final Directory dir = FSDirectory.open(path);
+        return FSDirectory.open(path);
-        return dir;
     }
 
     /**
@@ -71,20 +70,9 @@ public class Index extends AbstractIndex {
      */
     public File getDataDirectory() throws IOException {
         final String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
-        final String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        final File path = FileUtils.getDataDirectory(fileName, Index.class);
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
+        if (!path.exists() && !path.mkdirs()) {
-        File exePath = new File(decodedPath);
+            throw new IOException("Unable to create CPE Data directory");
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        if (!path.exists()) {
-            if (!path.mkdirs()) {
-                throw new IOException("Unable to create CPE Data directory");
-            }
         }
         return path;
     }
@@ -102,10 +90,7 @@ public class Index extends AbstractIndex {
         fieldAnalyzers.put(Fields.VERSION, new VersionAnalyzer(Version.LUCENE_40));
         fieldAnalyzers.put(Fields.NAME, new KeywordAnalyzer());
 
-        final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-                new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-
-        return wrapper;
     }
     /**
      * The search field analyzer for the product field.
@@ -133,10 +118,7 @@ public class Index extends AbstractIndex {
         fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
         fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
 
-        final PerFieldAnalyzerWrapper wrapper = new PerFieldAnalyzerWrapper(
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-                new FieldAnalyzer(Version.LUCENE_40), fieldAnalyzers);
-
-        return wrapper;
     }
 
     /**
@@ -169,7 +151,6 @@ public class Index extends AbstractIndex {
      */
     public void saveEntry(Entry entry) throws CorruptIndexException, IOException {
         final Document doc = convertEntryToDoc(entry);
-        //Term term = new Term(Fields.NVDID, LuceneUtils.escapeLuceneQuery(entry.getNvdId()));
         final Term term = new Term(Fields.NAME, entry.getName());
         getIndexWriter().updateDocument(term, doc);
     }
@@ -196,7 +177,7 @@ public class Index extends AbstractIndex {
 
         //TODO revision should likely be its own field
         if (entry.getVersion() != null) {
-            Field version = null;
+            Field version;
             if (entry.getRevision() != null) {
                 version = new TextField(Fields.VERSION, entry.getVersion() + " "
                         + entry.getRevision(), Field.Store.NO);

src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -53,9 +53,7 @@ public final class CweDB {
             final String filePath = "data/cwe.hashmap.serialized";
             final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
             oin = new ObjectInputStream(input);
-            @SuppressWarnings("unchecked")
+            return (HashMap<String, String>) oin.readObject();
-            final HashMap<String, String> data = (HashMap<String, String>) oin.readObject();
-            return data;
         } catch (ClassNotFoundException ex) {
             Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
         } catch (IOException ex) {

src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -33,7 +33,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * a HashMap containing the CWE data.
      */
-    private HashMap<String, String> cwe = new HashMap<String, String>();
+    private final HashMap<String, String> cwe = new HashMap<String, String>();
 
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).

src/main/java/org/owasp/dependencycheck/data/lucene/AbstractIndex.java

@@ -250,14 +250,11 @@ public abstract class AbstractIndex {
      * @throws IOException is thrown if there is an issue with the underlying Index
      */
     public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
-
         final QueryParser parser = getQueryParser();
         final Query query = parser.parse(searchString);
         resetSearchingAnalyzer();
         final IndexSearcher is = getIndexSearcher();
-        final TopDocs docs = is.search(query, maxQueryResults);
+        return is.search(query, maxQueryResults);
-
-        return docs;
     }
 
     /**

src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -41,7 +41,7 @@ public class FieldAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new FieldAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -40,6 +40,9 @@ public final class LuceneUtils {
      * @param text the data to be escaped
      */
     @SuppressWarnings("fallthrough")
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    value = "SF_SWITCH_NO_DEFAULT",
+    justification = "The switch below does have a default.")
     public static void appendEscapedLuceneQuery(StringBuilder buf,
             final CharSequence text) {
 

src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -39,7 +39,7 @@ public class SearchFieldAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
     /**
      * A local reference to the TokenPairConcatenatingFilter so that we
      * can clear any left over state if this analyzer is re-used.

src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -42,7 +42,7 @@ public class SearchVersionAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new SearchVersionAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -50,7 +50,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     /**
      * A list of words parsed.
      */
-    private LinkedList<String> words;
+    private final LinkedList<String> words;
 
     /**
      * Constructs a new TokenPairConcatenatingFilter.

src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -42,7 +42,7 @@ public class VersionAnalyzer extends Analyzer {
     /**
      * The Lucene Version used.
      */
-    private Version version;
+    private final Version version;
 
     /**
      * Creates a new VersionAnalyzer.

src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -41,7 +41,7 @@ public final class VersionTokenizingFilter extends TokenFilter {
     /**
      * A collection of tokens to add to the stream.
      */
-    private LinkedList<String> tokens;
+    private final LinkedList<String> tokens;
 
     /**
      * Constructs a new VersionTokenizingFilter.

src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -21,7 +21,6 @@ package org.owasp.dependencycheck.data.nvdcve;
 import java.io.File;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.DriverManager;
@@ -37,6 +36,7 @@ import org.owasp.dependencycheck.data.cwe.CweDB;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -181,14 +181,19 @@ public class CveDB {
      * @throws IOException thrown if there is an IO Exception
      * @throws SQLException thrown if there is a SQL Exception
      * @throws DatabaseException thrown if there is an error initializing a new database
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
-    public void open() throws IOException, SQLException, DatabaseException {
+    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    value = "DMI_EMPTY_DB_PASSWORD",
+    justification = "Yes, I know... Blank password.")
+    public void open() throws IOException, SQLException, DatabaseException, ClassNotFoundException {
         final String fileName = CveDB.getDataDirectory().getCanonicalPath()
                 + File.separator
                 + "cve";
         final File f = new File(fileName);
         final boolean createTables = !f.exists();
         final String connStr = "jdbc:h2:file:" + fileName;
+        Class.forName("org.h2.Driver");
         conn = DriverManager.getConnection(connStr, "sa", "");
         if (createTables) {
             createTables();
@@ -305,11 +310,11 @@ public class CveDB {
                 rsS = selectSoftware.executeQuery();
                 while (rsS.next()) {
                     final String cpe = rsS.getString(1);
-                    final String prevVers = rsS.getString(2);
+                    final String prevVersion = rsS.getString(2);
-                    if (prevVers == null) {
+                    if (prevVersion == null) {
                         vuln.addVulnerableSoftware(cpe);
                     } else {
-                        vuln.addVulnerableSoftware(cpe, prevVers);
+                        vuln.addVulnerableSoftware(cpe, prevVersion);
                     }
                 }
             }
@@ -407,18 +412,7 @@ public class CveDB {
      */
     public static File getDataDirectory() throws IOException {
         final String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
-        final String filePath = CveDB.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        final File path = FileUtils.getDataDirectory(fileName, CveDB.class);
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-
         if (!path.exists()) {
             if (!path.mkdirs()) {
                 throw new IOException("Unable to create NVD CVE Data directory");

src/main/java/org/owasp/dependencycheck/data/nvdcve/NvdCveAnalyzer.java

@@ -53,8 +53,9 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
-    public void open() throws SQLException, IOException, DatabaseException {
+    public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
         cveDB.open();
     }

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/DatabaseUpdater.java

@@ -137,6 +137,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         throw new UpdateException(ex);
                     } catch (DatabaseException ex) {
                         throw new UpdateException(ex);
+                    } catch (ClassNotFoundException ex) {
+                        throw new UpdateException(ex);
                     } finally {
                         try {
                             if (outputPath != null && outputPath.exists()) {
@@ -147,6 +149,15 @@ public class DatabaseUpdater implements CachedWebDataSource {
                                 outputPath.deleteOnExit();
                             }
                         }
+                        try {
+                            if (outputPath12 != null && outputPath12.exists()) {
+                                outputPath12.delete();
+                            }
+                        } finally {
+                            if (outputPath12 != null && outputPath12.exists()) {
+                                outputPath12.deleteOnExit();
+                            }
+                        }
                     }
                 }
             }
@@ -166,13 +177,14 @@ public class DatabaseUpdater implements CachedWebDataSource {
      * @param file the file containing the NVD CVE XML
      * @param oldVersion contains the file containing the NVD CVE XML 1.2
      * @throws ParserConfigurationException is thrown if there is a parser configuration exception
-     * @throws SAXException is thrown if there is a saxexception
+     * @throws SAXException is thrown if there is a SAXException
      * @throws IOException is thrown if there is a ioexception
      * @throws SQLException is thrown if there is a sql exception
      * @throws DatabaseException is thrown if there is a database exception
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
     private void importXML(File file, File oldVersion)
-            throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException {
+            throws ParserConfigurationException, SAXException, IOException, SQLException, DatabaseException, ClassNotFoundException {
         CveDB cveDB = null;
         Index cpeIndex = null;
 
@@ -255,7 +267,14 @@ public class DatabaseUpdater implements CachedWebDataSource {
                 try {
                     out.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+            if (os != null) {
+                try {
+                    os.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(DatabaseUpdater.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }
@@ -311,7 +330,7 @@ public class DatabaseUpdater implements CachedWebDataSource {
                     prop.load(is);
 
                     boolean deleteAndRecreate = false;
-                    float version = 0;
+                    float version;
 
                     if (prop.getProperty("version") == null) {
                         deleteAndRecreate = true;
@@ -333,8 +352,8 @@ public class DatabaseUpdater implements CachedWebDataSource {
                         FileUtils.delete(f);
 
                         //this importer also updates the CPE index and it is also using an old version
-                        final Index cpeid = new Index();
+                        final Index cpeId = new Index();
-                        final File cpeDir = cpeid.getDataDirectory();
+                        final File cpeDir = cpeId.getDataDirectory();
                         FileUtils.delete(cpeDir);
                         return currentlyPublished;
                     }

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve12Handler.java

@@ -69,7 +69,7 @@ public class NvdCve12Handler extends DefaultHandler {
     /**
      * The current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * a map of vulnerabilities.
      */

src/main/java/org/owasp/dependencycheck/data/nvdcve/xml/NvdCve20Handler.java

@@ -49,7 +49,7 @@ public class NvdCve20Handler extends DefaultHandler {
     /**
      * the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * the text of the node.
      */

src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -72,15 +72,15 @@ public class Dependency implements Comparable<Dependency> {
     /**
      * A collection of vendor evidence.
      */
-    private EvidenceCollection vendorEvidence;
+    private final EvidenceCollection vendorEvidence;
     /**
      * A collection of product evidence.
      */
-    private EvidenceCollection productEvidence;
+    private final EvidenceCollection productEvidence;
     /**
      * A collection of version evidence.
      */
-    private EvidenceCollection versionEvidence;
+    private final EvidenceCollection versionEvidence;
 
     /**
      * Constructs a new Dependency object.
@@ -379,8 +379,8 @@ public class Dependency implements Comparable<Dependency> {
         if (str == null) {
             return false;
         }
-
+        return versionEvidence.containsUsedString(str) || productEvidence.containsUsedString(str) || vendorEvidence.containsUsedString(str);
-        if (vendorEvidence.containsUsedString(str)) {
+        /*if (vendorEvidence.containsUsedString(str)) {
             return true;
         }
         if (productEvidence.containsUsedString(str)) {
@@ -390,6 +390,7 @@ public class Dependency implements Comparable<Dependency> {
             return true;
         }
         return false;
+        */
     }
     /**
      * A list of vulnerabilities for this dependency.

src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -80,7 +80,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
      *
      * @param confidence the confidence level for the evidence to be iterated
      * over.
-     * @return Iterable<Evidence>.
+     * @return Iterable<Evidence> an iterable collectoin of evidence
      */
     public final Iterable<Evidence> iterator(Evidence.Confidence confidence) {
         if (confidence == Evidence.Confidence.HIGH) {
@@ -94,11 +94,11 @@ public class EvidenceCollection implements Iterable<Evidence> {
     /**
      * A collection of evidence.
      */
-    private Set<Evidence> list;
+    private final Set<Evidence> list;
     /**
      * A collection of strings used to adjust Lucene's term weighting.
      */
-    private Set<String> weightedStrings;
+    private final Set<String> weightedStrings;
 
     /**
      * Creates a new EvidenceCollection.

src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java

@@ -69,11 +69,11 @@ public class ReportGenerator {
     /**
      * The Velocity Engine.
      */
-    private VelocityEngine engine;
+    private final VelocityEngine engine;
     /**
      * The Velocity Engine Context.
      */
-    private Context context;
+    private final Context context;
 
     /**
      * Constructs a new ReportGenerator.
@@ -100,6 +100,7 @@ public class ReportGenerator {
      */
     private VelocityEngine createVelocityEngine() {
         final VelocityEngine ve = new VelocityEngine();
+        ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
         ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
         ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
         return ve;
@@ -193,14 +194,13 @@ public class ReportGenerator {
         OutputStream outputStream = null;
 
         try {
-            File foutDir = new File(outFileName).getParentFile();
+            final File outDir = new File(outFileName).getParentFile();
-            if (!foutDir.exists()) {
+            if (!outDir.exists()) {
-                foutDir.mkdirs();
+                outDir.mkdirs();
             }
 
             outputStream = new FileOutputStream(outFileName);
             writer = new OutputStreamWriter(outputStream, "UTF-8");
-            //writer = new BufferedWriter(oswriter);
 
             if (!engine.evaluate(context, writer, templatePath, reader)) {
                 throw new Exception("Failed to convert the template into html.");

src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -0,0 +1,103 @@
+/*
+ * This file is part of Dependency-Check.
+ *
+ * Dependency-Check is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-Check is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Steve Springett. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.reporting;
+
+import org.apache.velocity.app.Velocity;
+import org.apache.velocity.runtime.RuntimeServices;
+import org.apache.velocity.runtime.log.LogChute;
+
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * <p>DependencyCheck uses {@link java.util.logging.Logger} as a logging framework,
+ * and Apache Velocity uses a custom logging implementation that outputs to a
+ * file named velocity.log by default. This class is an implementation of a
+ * custom Velocity logger that redirects all velocity logging to the Java Logger
+ * class.
+ * </p><p>
+ * This class was written to address permission issues when using Dependency-Check
+ * in a server environment (such as the Jenkins plugin). In some circumstances,
+ * Velocity would attempt to create velocity.log in an un-writable directory.</p>
+ *
+ * @author Steve Springett (steve.springett@owasp.org)
+ */
+public class VelocityLoggerRedirect implements LogChute {
+
+    /**
+     * This will be invoked once by the LogManager.
+     * @param rsvc the RuntimeServices
+     */
+    public void init(RuntimeServices rsvc) {
+        // do nothing
+    }
+
+    /**
+     * Given a Velocity log level and message, this method will
+     * call the appropriate Logger level and log the specified values.
+     * @param level the logging level
+     * @param message the message to be logged
+     */
+    public void log(int level, String message) {
+        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
+    }
+
+    /**
+     * Given a Velocity log level, message and Throwable, this method will
+     * call the appropriate Logger level and log the specified values.
+     * @param level the logging level
+     * @param message the message to be logged
+     * @param t a throwable to log
+     */
+    public void log(int level, String message, Throwable t) {
+        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
+    }
+
+    /**
+     * Will always return true. The property file will decide what level to log.
+     * @param level the logging level
+     * @return true
+     */
+    public boolean isLevelEnabled(int level) {
+        return true;
+    }
+
+    /**
+     * Maps Velocity log levels to {@link Logger} values.
+     * @param velocityLevel the logging level
+     * @return the logging level
+     */
+    private Level getLevel(int velocityLevel) {
+        switch (velocityLevel) {
+            case TRACE_ID:
+                return Level.ALL;
+            case DEBUG_ID:
+                return Level.FINE;
+            case INFO_ID:
+                return Level.INFO;
+            case WARN_ID:
+                return Level.WARNING;
+            case ERROR_ID:
+                return Level.SEVERE;
+            default:
+                return Level.INFO;
+        }
+    }
+
+}

src/main/java/org/owasp/dependencycheck/utils/CliParser.java

@@ -44,7 +44,7 @@ public final class CliParser {
     /**
      * The options for the command line parser.
      */
-    private Options options = createCommandLineOptions();
+    private final Options options = createCommandLineOptions();
     /**
      * Indicates whether the arguments are valid.
      */
@@ -75,8 +75,7 @@ public final class CliParser {
      */
     private CommandLine parseArgs(String[] args) throws ParseException {
         final CommandLineParser parser = new PosixParser();
-        final CommandLine ln = parser.parse(options, args);
+        return parser.parse(options, args);
-        return ln;
     }
 
     /**
@@ -102,7 +101,7 @@ public final class CliParser {
                             + "the 'out' argument.");
                 }
             }
-            if (!line.hasOption(ArgumentName.APPNAME)) {
+            if (!line.hasOption(ArgumentName.APP_NAME)) {
                 throw new ParseException("Scan cannot be run without specifying an application "
                         + "name via the 'app' argument.");
             }
@@ -166,12 +165,12 @@ public final class CliParser {
         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
                 false, "print the version information.");
 
-        final Option noupdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
                 false, "disables the automatic updating of the CPE data.");
 
-        final Option appname = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APPNAME)
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
                 .withDescription("the name of the application being scanned.")
-                .create(ArgumentName.APPNAME_SHORT);
+                .create(ArgumentName.APP_NAME_SHORT);
 
         final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
                 .withDescription("the connection timeout (in milliseconds) to use when downloading resources.")
@@ -197,7 +196,7 @@ public final class CliParser {
                 .withDescription("the folder to write reports to.")
                 .create(ArgumentName.OUT_SHORT);
 
-        final Option outputformat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
                 .withDescription("the output format to write to (XML, HTML, ALL).")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
@@ -207,11 +206,11 @@ public final class CliParser {
         final Options opts = new Options();
         opts.addOptionGroup(og);
         opts.addOption(out);
-        opts.addOption(outputformat);
+        opts.addOption(outputFormat);
-        opts.addOption(appname);
+        opts.addOption(appName);
         opts.addOption(version);
         opts.addOption(help);
-        opts.addOption(noupdate);
+        opts.addOption(noUpdate);
         opts.addOption(deepScan);
         opts.addOption(props);
         opts.addOption(proxyPort);
@@ -301,7 +300,7 @@ public final class CliParser {
      * @return the application name.
      */
     public String getApplicationName() {
-        return line.getOptionValue(ArgumentName.APPNAME);
+        return line.getOptionValue(ArgumentName.APP_NAME);
     }
 
     /**
@@ -405,12 +404,12 @@ public final class CliParser {
          * The long CLI argument name specifying the name of the application to
          * be scanned.
          */
-        public static final String APPNAME = "app";
+        public static final String APP_NAME = "app";
         /**
          * The short CLI argument name specifying the name of the application to
          * be scanned.
          */
-        public static final String APPNAME_SHORT = "a";
+        public static final String APP_NAME_SHORT = "a";
         /**
          * The long CLI argument name asking for help.
          */

src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -33,7 +33,7 @@ import org.apache.commons.lang.StringUtils;
  * versionParts[2] = 3;
  * </code></p>
  * <p>Note, the parser contained in this class expects the version numbers to be
- * separated by periods. If a different seperator is used the parser will likely
+ * separated by periods. If a different separator is used the parser will likely
  * fail.</p>
  * @author Jeremy Long (jeremy.long@owasp.org)
  */

src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -126,7 +126,7 @@ public final class Downloader {
 
             writer = new BufferedOutputStream(new FileOutputStream(outputPath));
             final byte[] buffer = new byte[4096];
-            int bytesRead = 0;
+            int bytesRead;
             while ((bytesRead = reader.read(buffer)) > 0) {
                 writer.write(buffer, 0, bytesRead);
             }

src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -21,6 +21,7 @@ package org.owasp.dependencycheck.utils;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.URLDecoder;
 
 /**
  * A collection of utilities for processing information about files.
@@ -67,4 +68,34 @@ public final class FileUtils {
             throw new FileNotFoundException("Failed to delete file: " + file);
         }
     }
+
+    /**
+     * Returns the data directory. If a path was specified in dependencycheck.properties
+     * or was specified using the Settings object, and the path exists, that path will be
+     * returned as a File object. If it does not exist, then a File object will be created
+     * based on the file location of the JAR containing the specified class.
+     *
+     * @param configuredFilePath the configured relative or absolute path
+     * @param clazz the class whos path will be resolved
+     * @return a File object
+     * @throws IOException is thrown if the path could not be decoded
+     */
+    public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
+        final File file = new File(configuredFilePath);
+        if (file.exists() && file.isDirectory() && file.canWrite()) {
+             return new File(file.getCanonicalPath());
+        } else {
+            final String filePath = clazz.getProtectionDomain().getCodeSource().getLocation().getPath();
+            final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
+            File exePath = new File(decodedPath);
+            if (exePath.getName().toLowerCase().endsWith(".jar")) {
+                exePath = exePath.getParentFile();
+            } else {
+                exePath = new File(".");
+            }
+            final File path = new File(exePath.getCanonicalFile() + File.separator + configuredFilePath);
+            return new File(path.getCanonicalPath());
+        }
+    }
+
 }

src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -31,7 +31,7 @@ public abstract class Filter<T> {
 
     private class FilterIterator implements Iterator<T> {
 
-        private Iterator<T> iterator;
+        private final Iterator<T> iterator;
         private T next;
 
         private FilterIterator(Iterator<T> iterator) {

src/test/java/org/owasp/dependencycheck/data/cpe/BaseIndexTestCase.java

@@ -18,20 +18,19 @@
  */
 package org.owasp.dependencycheck.data.cpe;
 
-import org.owasp.dependencycheck.data.cpe.Index;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -59,17 +58,7 @@ public abstract class BaseIndexTestCase {
 
     protected static File getDataDirectory() throws IOException {
         String fileName = Settings.getString(Settings.KEYS.CPE_INDEX);
-        String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        return FileUtils.getDataDirectory(fileName, Index.class);
-        String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        return path;
     }
 
     public static void ensureIndexExists() throws Exception {

src/test/java/org/owasp/dependencycheck/data/cpe/IndexTest.java

@@ -28,6 +28,7 @@ import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import static org.junit.Assert.*;
 
 
 /**
@@ -61,7 +62,8 @@ public class IndexTest {
         try {
             instance.open();
         } catch (IOException ex) {
-            Assert.fail(ex.getMessage());
+            assertNull(ex.getMessage(), ex);
+            //Assert.fail(ex.getMessage());
         }
         instance.close();
     }
@@ -76,6 +78,6 @@ public class IndexTest {
         Directory result = index.getDirectory();
 
         String exp = File.separatorChar + "target" + File.separatorChar + "data" + File.separatorChar + "cpe";
-        Assert.assertTrue(result.toString().contains(exp));
+        assertTrue(result.toString().contains(exp));
     }
 }

src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java

@@ -25,10 +25,10 @@ import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.net.URLDecoder;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import junit.framework.TestCase;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -49,17 +49,7 @@ public abstract class BaseDBTestCase extends TestCase {
 
     protected static File getDataDirectory() throws IOException {
         String fileName = Settings.getString(Settings.KEYS.CVE_INDEX);
-        String filePath = Index.class.getProtectionDomain().getCodeSource().getLocation().getPath();
+        return FileUtils.getDataDirectory(fileName, Index.class);
-        String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        File exePath = new File(decodedPath);
-        if (exePath.getName().toLowerCase().endsWith(".jar")) {
-            exePath = exePath.getParentFile();
-        } else {
-            exePath = new File(".");
-        }
-        File path = new File(exePath.getCanonicalFile() + File.separator + fileName);
-        path = new File(path.getCanonicalPath());
-        return path;
     }
 
     public static void ensureDBExists() throws Exception {

src/test/java/org/owasp/dependencycheck/utils/DependencyVersionUtilTest.java

@@ -72,9 +72,9 @@ public class DependencyVersionUtilTest {
 
         String[] failingNames = { "no-version-identified.jar", "somelib-04aug2000r7-dev.jar", "no.version15.jar",
             "lib_1.0_spec-1.1.jar", "lib-api_1.0_spec-1.0.1.jar" };
-        for (int i = 0; i < failingNames.length; i++) {
+        for (String failingName : failingNames) {
-            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(failingNames[i]);
+            final DependencyVersion version = DependencyVersionUtil.parseVersionFromFileName(failingName);
-            assertNull("Found version in name that should have failed \"" + failingNames[i] + "\".", version);
+            assertNull("Found version in name that should have failed \"" + failingName + "\".", version);
         }
     }
 }

src/test/resources/nvdcve-2.0-2012.xml.REMOVED.git-id

@@ -1 +0,0 @@
-9b5390434d0c6bbf79b5b64c94bff06f497f780c

src/test/resources/nvdcve-2012.xml.REMOVED.git-id

@@ -1 +0,0 @@
-f2ff6066ee3da30900f068dae7819e3bbf5a0618