updated to release version 1.2.1

Former-commit-id: d908eed4538f0928c8b108348d9d46ce6d2f57e0

.gitignore

@@ -1,4 +1,4 @@
-/target/
+*/target/**
 # Intellij project files
 *.iml
 *.ipr
@@ -6,4 +6,17 @@
 .idea/
 # Eclipse project files
 .classpath
-.project
+.project
+# Netbeans configuration
+nb-configuration.xml
+/target/
+#maven-shade-plugin generated pom
+dependency-reduced-pom.xml
+#ruby Gemfile, etc. This is a java project, Gemfile is here to check site problem with Jekyll
+Gemfile
+Gemfile.lock
+_site/**
+#unknown as to why these are showing up... but need to be ignored.
+.LCKpom.xml~
+#coverity
+/cov-int/

LICENSE.txt

@@ -1,674 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE 
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

NOTICE.txt

@@ -1,13 +1,14 @@
-DependencyCheck
+dependency-check
+
 Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
 
 The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
 
-This product includes software developed by
-The Apache Software Foundation (http://www.apache.org/).
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
 
-This product includes software developed by
-Jquery.com (http://jquery.com/).
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
 
 This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
 An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html

README.md

@@ -1,36 +1,104 @@
-DependencyCheck
-=========
+Dependency-Check
+================
 
-DependencyCheck is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries..
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 
-More information can be found on the [wiki].
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
 
-Usage
--
+Current Releases
+-------------
+### Jenkins Plugin
 
-> $ mvn package
+For instructions on the use of the Jenkins plugin please see the [Jenkins dependency-check page](http://wiki.jenkins-ci.org/x/CwDgAQ).
 
-> $ cd target
+### Command Line
 
-> $ java -jar dependency-check-[version].jar -h
+More detailed instructions can be found on the [dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+The latest CLI can be downloaded from bintray's [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
 
-> $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
+On *nix
+```
+$ ./bin/dependency-check.sh -h
+$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Windows
+```
+> bin/dependency-check.bat -h
+> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+```
+
+### Maven Plugin
+
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).
+The plugin can be configured using the following:
+
+```xml
+<project>
+    <build>
+        <plugins>
+            ...
+            <plugin>
+              <groupId>org.owasp</groupId>
+              <artifactId>dependency-check-maven</artifactId>
+              <version>1.0.2</version>
+              <executions>
+                  <execution>
+                      <goals>
+                          <goal>check</goal>
+                      </goals>
+                  </execution>
+              </executions>
+            </plugin>
+            ...
+        </plugins>
+        ...
+    </build>
+    ...
+</project>
+```
+
+### Ant Task
+
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+
+Development Usage
+-------------
+The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
+that the release versions listed above be used.
+
+Note, currently the install goal may take a long time to execute the integration tests. However, if this takes more then 30 minutes it is likely that the
+download of data from the NVD is having an issue. This issue is still being researched and a solution should be published soon.
+
+On *nix
+```
+$ mvn install
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+```
+On Windows
+```
+> mvn install
+> dependency-check-cli/target/release/bin/dependency-check.bat -h
+> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+```
 
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 
 Mailing List
--
+------------
 
 Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
 
 Post: [dependency-check@googlegroups.com] [post]
 
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
+
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt] [GPLv3] file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
 
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
 
@@ -38,5 +106,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
   [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
   [post]: mailto:dependency-check@googlegroups.com
-  [GPLv3]: https://github.com/jeremylong/DependencyCheck/blob/master/LICENSE.txt
   [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt

dependency-check-ant/NOTICE.txt

@@ -0,0 +1,29 @@
+-----------------------------
+---begin dependency-check----
+-----------------------------
+dependency-check
+
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm
+
+-----------------------------
+---end dependency-check------
+-----------------------------
+
+Notices below are from dependent libraries and have been included via maven-shade-plugin.
+
+-----------------------------

dependency-check-ant/README.md

@@ -0,0 +1,25 @@
+Dependency-Check Ant Task
+=========
+
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+
+Copyright & License
+-------------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/NOTICES.txt) file for more information.

dependency-check-ant/pom.xml

@@ -0,0 +1,461 @@
+<!--
+This file is part of dependency-check-ant.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.2.1</version>
+    </parent>
+
+    <artifactId>dependency-check-ant</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Ant Task</name>
+    <description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-ant</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <resources>
+            <resource>
+                <directory>${basedir}/src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+        </resources>
+        <testResources>
+            <testResource>
+                <directory>${basedir}/src/test/resources</directory>
+                <includes>
+                    <include>**/*.xml</include>
+                </includes>
+                <filtering>true</filtering>
+            </testResource>
+        </testResources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <escapeWindowsPaths>false</escapeWindowsPaths>
+                </configuration>
+                <executions>
+                    <!-- the following executions are solely to setup the test environment -->
+                    <execution>
+                        <id>copy-test-data.zip</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>data.zip</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-1</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/lib</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>org.mortbay.*.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-2</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/jars</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>axis-1.4.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-3</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/webroot</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>struts.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-4</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/list</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>org.mortbay.jetty.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-data</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>db.cve.zip</include>
+                                        <include>index.cpe.zip</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>2.1</version>
+                <configuration>
+                    <transformers>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                            <resource>META-INF/NOTICE.txt</resource>
+                        </transformer>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+                            <resource>META-INF/NOTICE</resource>
+                        </transformer>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+                            <resource>META-INF/LICENSE</resource>
+                        </transformer>
+                    </transformers>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
+                    </instrumentation>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/dependency-check-data</value>
+                        </property>
+                    </systemProperties>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.6</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.0.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+            <type>test-jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+            <version>1.9.3</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant-testutil</artifactId>
+            <version>1.9.3</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

dependency-check-ant/src/main/assembly/release.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<assembly
+    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd
+  "
+>
+    <id>release</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <fileSets>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${project.build.directory}</directory>
+            <includes>
+                <include>dependency-check*.jar</include>
+            </includes>
+        </fileSet>
+    </fileSets>
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/lib</outputDirectory>
+            <scope>runtime</scope>
+        </dependencySet>
+    </dependencySets>
+</assembly>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/package-info.java

@@ -0,0 +1,11 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.taskdefs</title>
+ * </head>
+ * <body>
+ * This package includes the Ant task definitions.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.taskdefs;

dependency-check-ant/src/main/resources/log.properties

@@ -1,13 +1,12 @@
-handlers=java.util.logging.ConsoleHandler
-#, java.util.logging.FileHandler
+handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
 
 # logging levels
 # FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
 
 # Configure the ConsoleHandler.
-java.util.logging.ConsoleHandler.level=WARNING
+java.util.logging.ConsoleHandler.level=INFO
 
-org.owasp.dependencycheck.data.nvdcve.xml
+#org.owasp.dependencycheck.data.nvdcve.xml
 
 # Configure the FileHandler.
 #java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
@@ -21,4 +20,4 @@ org.owasp.dependencycheck.data.nvdcve.xml
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
-#java.util.logging.FileHandler.pattern=./logs/DependencyCheck%u.log
+#java.util.logging.FileHandler.pattern=./target/dependency-check.log

dependency-check-ant/src/main/resources/task.properties

@@ -0,0 +1,2 @@
+# the path to the data directory
+data.directory=dependency-check-data

dependency-check-ant/src/main/resources/taskdefs.properties

@@ -0,0 +1,3 @@
+# define custom tasks here
+
+dependencycheck=org.owasp.dependencycheck.taskdefs.DependencyCheckTask

dependency-check-ant/src/site/markdown/configuration.md

@@ -0,0 +1,77 @@
+Configuration
+====================
+To configure the dependency-check task you can add it to a target and include a
+file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
+such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
+or [FileList](http://ant.apache.org/manual/Types/filelist.html) that includes
+the project's dependencies.
+
+```xml
+<target name="dependency-check" description="Dependency-Check Analysis">
+    <dependency-check applicationname="Hello World"
+                      reportoutputdirectory="${basedir}"
+                      reportformat="ALL">
+
+        <fileset dir="lib">
+            <include name="**/*.jar"/>
+        </fileset>
+    </dependency-check>
+</target>
+```
+
+Configuration
+====================
+The following properties can be set on the dependency-check-maven plugin.
+
+Property             | Description                        | Default Value
+---------------------|------------------------------------|------------------
+autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile              | The file path to write verbose logging information. | &nbsp;
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
+proxyUrl             | The Proxy URL.                     | &nbsp;
+proxyPort            | The Proxy Port.                    | &nbsp;
+proxyUsername        | Defines the proxy user name.       | &nbsp;
+proxyPassword        | Defines the proxy password.        | &nbsp;
+connectionTimeout    | The URL Connection Timeout.        | &nbsp;
+
+Analyzer Configuration
+====================
+The following properties are used to configure the various file type analyzers.
+These properties can be used to turn off specific analyzers if it is not needed.
+Note, that specific analyzers will automatically disable themselves if no file
+types that they support are detected - so specifically disabling them may not
+be needed.
+
+Property                | Description                        | Default Value
+------------------------|------------------------------------|------------------
+archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                    | true
+zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+jarAnalyzer             | Sets whether Jar Analyzer will be used.                            | true
+nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used.                          | true
+nexusUrl                | Defines the Nexus URL. | https://repository.sonatype.org/service/local/
+nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
+nuspecAnalyzerEnabled  | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.   | true
+assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.     | true
+pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
+
+Advanced Configuration
+====================
+The following properties can be configured in the plugin. However, they are less frequently changed. One exception
+may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
+
+Property             | Description                                                             | Default Value
+---------------------|-------------------------------------------------------------------------|------------------
+cveUrl12Modified     | URL for the modified CVE 1.2                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+dataDirectory        | Data directory to hold SQL CVEs contents. This should generally not be changed.             | &nbsp;
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
+connectionString     | The connection string used to connect to the database.                                      | &nbsp;
+databaseUser         | The username used when connecting to the database.                                          | &nbsp;
+databasePassword     | The password used when connecting to the database.                                          | &nbsp;

dependency-check-ant/src/site/markdown/installation.md.vm

@@ -0,0 +1,13 @@
+Installation
+====================
+Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
+To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
+the lib directory of your Ant instalation directory. Once installed you can add
+the taskdef to you build.xml and add the task to a new or existing target.
+
+It is important to understand that the first time this task is executed it may
+take 20 minutes or more as it downloads and processes the data from the National
+Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
+
+After the first batch download, as long as the task is executed at least once every
+seven days the update will only take a few seconds.

dependency-check-ant/src/site/markdown/usage.md

@@ -0,0 +1,25 @@
+Usage
+====================
+First, add the dependency-check-ant taskdef to your build.xml:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
+```
+
+Next, add the task to a target of your choosing:
+
+```xml
+<target name="dependency-check" description="Dependency-Check Analysis">
+    <dependency-check applicationname="Hello World"
+                      autoupdate="true"
+                      reportoutputdirectory="${basedir}"
+                      reportformat="HTML">
+
+        <fileset dir="lib">
+            <include name="**/*.jar"/>
+        </fileset>
+    </dependency-check>
+</target>
+```
+
+See the [configuration guide](configuration.html) for more information.

dependency-check-ant/src/site/site.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-ant.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-ant">
+    <bannerLeft>
+        <name>dependency-check-ant</name>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu name="Getting Started">
+            <item name="Installation" href="installation.html"/>
+            <item name="Usage" href="usage.html"/>
+            <item name="Configuration" href="configuration.html"/>
+        </menu>
+        <menu ref="Project Documentation" />
+        <menu ref="reports" />
+    </body>
+</project>

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -0,0 +1,111 @@
+/*
+ * This file is part of dependency-check-ant.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.taskdefs;
+
+import java.io.File;
+import org.apache.tools.ant.BuildFileTest;
+import org.junit.After;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DependencyCheckTaskTest extends BuildFileTest {
+
+    @Before
+    @Override
+    public void setUp() throws Exception {
+        Settings.initialize();
+        BaseDBTestCase.ensureDBExists();
+        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
+        configureProject(buildFile);
+    }
+
+    @After
+    @Override
+    public void tearDown() {
+        //no cleanup...
+        //executeTarget("cleanup");
+        Settings.cleanup(true);
+    }
+
+    /**
+     * Test of addFileSet method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testAddFileSet() throws Exception {
+        File report = new File("target/dependency-check-report.html");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
+            }
+        }
+        executeTarget("test.fileset");
+
+        assertTrue("DependencyCheck report was not generated", report.exists());
+
+    }
+
+    /**
+     * Test of addFileList method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddFileList() throws Exception {
+        File report = new File("target/dependency-check-report.xml");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
+            }
+        }
+        executeTarget("test.filelist");
+
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of addDirSet method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddDirSet() throws Exception {
+        File report = new File("target/dependency-check-vulnerability.html");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
+            }
+        }
+        executeTarget("test.dirset");
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of getFailBuildOnCVSS method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testGetFailBuildOnCVSS() {
+        expectBuildException("failCVSS", "asdfasdfscore");
+        System.out.println(this.getOutput());
+    }
+}

dependency-check-ant/src/test/resources/build.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project name="Dependency-Check Test Build" default="test.fileset" basedir=".">
+
+    <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask" />
+
+    <target name="test.fileset">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="HTML">
+
+            <!-- Scan a single file -->
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
+
+            <!-- Scan for all jar/war/ear in the webroot dir and all sub directories -->
+            <fileset dir="${project.build.directory}/test-classes/webroot">
+                <include name="**/*.jar"/>
+                <include name="**/*.war"/>
+                <include name="**/*.ear"/>
+            </fileset>
+        </dependency-check>
+    </target>
+    <target name="test.filelist">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="XML">
+            <!-- Scan specific files -->
+            <filelist
+                dir="${project.build.directory}/test-classes/list"
+                files="jetty-6.1.0.jar,org.mortbay.jetty.jar"/>
+        </dependency-check>
+    </target>
+    <target name="test.dirset">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="VULN">
+
+            <!-- Scan a specific directory -->
+            <dirset dir="${project.build.directory}/test-classes">
+                <include name="lib"/>
+            </dirset>
+
+        </dependency-check>
+    </target>
+
+    <target name="formatBAD">
+        <dependency-check
+            applicationName="test formatBAD"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="BAD">
+        </dependency-check>
+    </target>
+
+    <target name="failCVSS">
+        <dependency-check
+            applicationName="test formatBAD"
+            reportOutputDirectory="${project.build.directory}"
+            reportFormat="XML"
+            autoupdate="false"
+            failBuildOnCVSS="8">
+        </dependency-check>
+    </target>
+</project>

dependency-check-cli/NOTICE.txt

@@ -0,0 +1,18 @@
+dependency-check-cli
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the licenses.
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm

dependency-check-cli/README.md

@@ -0,0 +1,24 @@
+Dependency-Check Command Line
+================
+Dependency-Check Command Line can be used to check project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+
+Copyright & License
+------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/NOTICES.txt) file for more information.

dependency-check-cli/pom.xml

@@ -0,0 +1,345 @@
+<!--
+This file is part of Dependency-Check.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.2.1</version>
+    </parent>
+
+    <artifactId>dependency-check-cli</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Command Line</name>
+    <description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-cli</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <finalName>dependency-check-${project.version}</finalName>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+        </resources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>org.owasp.dependencycheck.App</mainClass>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
+                    </instrumentation>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.App</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>cpe</name>
+                            <value>data/cpe</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                        <property>
+                            <name>cve</name>
+                            <value>data/cpe</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                    </systemProperties>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.6</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>appassembler-maven-plugin</artifactId>
+                <version>1.7</version>
+                <configuration>
+                    <programs>
+                        <program>
+                            <mainClass>org.owasp.dependencycheck.App</mainClass>
+                            <name>dependency-check</name>
+                        </program>
+                    </programs>
+                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
+                    <licenseHeaderFile>${basedir}/src/main/assembly/license.txt</licenseHeaderFile>
+                    <binFileExtensions>
+                        <unix>.sh</unix>
+                    </binFileExtensions>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>assemble</id>
+                        <goals>
+                            <goal>assemble</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <attach>false</attach> <!-- don't install/deploy this archive -->
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>create-distribution</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>src/main/assembly/release.xml</descriptor>
+                            </descriptors>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
+    </dependencies>
+</project>

dependency-check-cli/src/main/assembly/license.txt

@@ -0,0 +1,15 @@
+
+Copyright (c) 2012-2013 Jeremy Long.  All rights reserved.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+----------------------------------------------------------------------------

dependency-check-cli/src/main/assembly/release.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<assembly
+    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd
+  "
+>
+    <id>release</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <fileSets>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${project.build.directory}/release</directory>
+        </fileSet>
+        <fileSet>
+            <includes>
+                <include>LICENSE*</include>
+                <include>NOTICE*</include>
+            </includes>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>licenses</outputDirectory>
+            <directory>${basedir}/src/main/resources/META-INF/licenses</directory>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>licenses</outputDirectory>
+            <directory>${basedir}/../dependency-check-core/src/main/resources/META-INF/licenses</directory>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${basedir}</directory>
+            <includes>
+                <include>README.md</include>
+                <include>LICENSE.txt</include>
+            </includes>
+        </fileSet>
+    </fileSets>
+    <!--
+            <fileSets>
+            <fileSet>
+                <outputDirectory>/</outputDirectory>
+                <directory>${project.build.directory}</directory>
+                <includes>
+                    <include>dependency-check*.jar</include>
+                </includes>
+            </fileSet>
+        </fileSets>
+        <dependencySets>
+            <dependencySet>
+                <outputDirectory>/lib</outputDirectory>
+                <scope>runtime</scope>
+            </dependencySet>
+        </dependencySets>
+    -->
+</assembly>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -0,0 +1,267 @@
+/*
+ * This file is part of dependency-check-cli.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.cli.ParseException;
+import org.owasp.dependencycheck.cli.CliParser;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.LogUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The command line interface for the DependencyCheck application.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class App {
+
+    /**
+     * The location of the log properties configuration file.
+     */
+    private static final String LOG_PROPERTIES_FILE = "log.properties";
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(App.class.getName());
+
+    /**
+     * The main method for the application.
+     *
+     * @param args the command line arguments
+     */
+    public static void main(String[] args) {
+        try {
+            Settings.initialize();
+            final App app = new App();
+            app.run(args);
+        } finally {
+            Settings.cleanup(true);
+        }
+    }
+
+    /**
+     * Main CLI entry-point into the application.
+     *
+     * @param args the command line arguments
+     */
+    public void run(String[] args) {
+        final CliParser cli = new CliParser();
+
+        try {
+            cli.parse(args);
+        } catch (FileNotFoundException ex) {
+            System.err.println(ex.getMessage());
+            cli.printHelp();
+            return;
+        } catch (ParseException ex) {
+            System.err.println(ex.getMessage());
+            cli.printHelp();
+            return;
+        }
+
+        final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, cli.getVerboseLog());
+
+        if (cli.isGetVersion()) {
+            cli.printVersionInfo();
+        } else if (cli.isRunScan()) {
+            populateSettings(cli);
+            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
+        } else {
+            cli.printHelp();
+        }
+    }
+
+    /**
+     * Scans the specified directories and writes the dependency reports to the reportDirectory.
+     *
+     * @param reportDirectory the path to the directory where the reports will be written
+     * @param outputFormat the output format of the report
+     * @param applicationName the application name for the report
+     * @param files the files/directories to scan
+     */
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
+        Engine scanner = null;
+        try {
+            scanner = new Engine();
+
+            for (String file : files) {
+                scanner.scan(file);
+            }
+
+            scanner.analyzeDependencies();
+            final List<Dependency> dependencies = scanner.getDependencies();
+            DatabaseProperties prop = null;
+            CveDB cve = null;
+            try {
+                cve = new CveDB();
+                cve.open();
+                prop = cve.getDatabaseProperties();
+            } catch (DatabaseException ex) {
+                LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
+            } finally {
+                if (cve != null) {
+                    cve.close();
+                }
+            }
+            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
+            try {
+                report.generateReports(reportDirectory, outputFormat);
+            } catch (IOException ex) {
+                LOGGER.log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
+            } catch (Throwable ex) {
+                LOGGER.log(Level.SEVERE, "There was an error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
+            }
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            if (scanner != null) {
+                scanner.cleanup();
+            }
+        }
+    }
+
+    /**
+     * Updates the global Settings.
+     *
+     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
+     * settings in the core engine.
+     */
+    private void populateSettings(CliParser cli) {
+
+        final boolean autoUpdate = cli.isAutoUpdate();
+        final String connectionTimeout = cli.getConnectionTimeout();
+        final String proxyUrl = cli.getProxyUrl();
+        final String proxyPort = cli.getProxyPort();
+        final String proxyUser = cli.getProxyUsername();
+        final String proxyPass = cli.getProxyPassword();
+        final String dataDirectory = cli.getDataDirectory();
+        final File propertiesFile = cli.getPropertiesFile();
+        final String suppressionFile = cli.getSuppressionFile();
+        final boolean jarDisabled = cli.isJarDisabled();
+        final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean assemblyDisabled = cli.isAssemblyDisabled();
+        final boolean nuspecDisabled = cli.isNuspecDisabled();
+        final boolean nexusDisabled = cli.isNexusDisabled();
+        final String nexusUrl = cli.getNexusUrl();
+        final String databaseDriverName = cli.getDatabaseDriverName();
+        final String databaseDriverPath = cli.getDatabaseDriverPath();
+        final String connectionString = cli.getConnectionString();
+        final String databaseUser = cli.getDatabaseUser();
+        final String databasePassword = cli.getDatabasePassword();
+        final String additionalZipExtensions = cli.getAdditionalZipExtensions();
+        final String pathToMono = cli.getPathToMono();
+
+        if (propertiesFile != null) {
+            try {
+                Settings.mergeProperties(propertiesFile);
+            } catch (FileNotFoundException ex) {
+                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
+            } catch (IOException ex) {
+                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
+            }
+        }
+        // We have to wait until we've merged the properties before attempting to set whether we use
+        // the proxy for Nexus since it could be disabled in the properties, but not explicitly stated
+        // on the command line
+        final boolean nexusUsesProxy = cli.isNexusUsesProxy();
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else if (System.getProperty("basedir") != null) {
+            final File dataDir = new File(System.getProperty("basedir"), "data");
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        } else {
+            final File jarPath = new File(App.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (proxyUser != null && !proxyUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
+        }
+        if (proxyPass != null && !proxyPass.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
+
+        //File Type Analyzer Settings
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
+
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
+        }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+    }
+}

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -0,0 +1,852 @@
+/*
+ * This file is part of dependency-check-cli.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.cli;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import org.apache.commons.cli.CommandLine;
+import org.apache.commons.cli.CommandLineParser;
+import org.apache.commons.cli.HelpFormatter;
+import org.apache.commons.cli.Option;
+import org.apache.commons.cli.OptionBuilder;
+import org.apache.commons.cli.OptionGroup;
+import org.apache.commons.cli.Options;
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.PosixParser;
+import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * A utility to parse command line arguments for the DependencyCheck.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class CliParser {
+
+    /**
+     * The command line.
+     */
+    private CommandLine line;
+    /**
+     * Indicates whether the arguments are valid.
+     */
+    private boolean isValid = true;
+
+    /**
+     * Parses the arguments passed in and captures the results for later use.
+     *
+     * @param args the command line arguments
+     * @throws FileNotFoundException is thrown when a 'file' argument does not point to a file that exists.
+     * @throws ParseException is thrown when a Parse Exception occurs.
+     */
+    public void parse(String[] args) throws FileNotFoundException, ParseException {
+        line = parseArgs(args);
+
+        if (line != null) {
+            validateArgs();
+        }
+    }
+
+    /**
+     * Parses the command line arguments.
+     *
+     * @param args the command line arguments
+     * @return the results of parsing the command line arguments
+     * @throws ParseException if the arguments are invalid
+     */
+    private CommandLine parseArgs(String[] args) throws ParseException {
+        final CommandLineParser parser = new PosixParser();
+        final Options options = createCommandLineOptions();
+        return parser.parse(options, args);
+    }
+
+    /**
+     * Validates that the command line arguments are valid.
+     *
+     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
+     * does not exist.
+     * @throws ParseException is thrown if there is an exception parsing the command line.
+     */
+    private void validateArgs() throws FileNotFoundException, ParseException {
+        if (isRunScan()) {
+            validatePathExists(getScanFiles(), ArgumentName.SCAN);
+            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            if (getPathToMono() != null) {
+                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+            }
+            if (!line.hasOption(ArgumentName.APP_NAME)) {
+                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
+            }
+            if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
+                final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
+                try {
+                    Format.valueOf(format);
+                } catch (IllegalArgumentException ex) {
+                    final String msg = String.format("An invalid 'format' of '%s' was specified. "
+                            + "Supported output formats are XML, HTML, VULN, or ALL", format);
+                    throw new ParseException(msg);
+                }
+            }
+        }
+    }
+
+    /**
+     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
+     * file a FileNotFoundException is thrown.
+     *
+     * @param paths the paths to validate if they exists
+     * @param optType the option being validated (e.g. scan, out, etc.)
+     * @throws FileNotFoundException is thrown if one of the paths being validated does not exist.
+     */
+    private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
+        for (String path : paths) {
+            validatePathExists(path, optType);
+        }
+    }
+
+    /**
+     * Validates whether or not the path points at a file that exists; if the path does not point to an existing file a
+     * FileNotFoundException is thrown.
+     *
+     * @param path the paths to validate if they exists
+     * @param argumentName the argument being validated (e.g. scan, out, etc.)
+     * @throws FileNotFoundException is thrown if the path being validated does not exist.
+     */
+    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
+        if (!path.contains("*.")) {
+            final File f = new File(path);
+            if (!f.exists()) {
+                isValid = false;
+                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                throw new FileNotFoundException(msg);
+            }
+        } // else { // TODO add a validation for *.zip extensions rather then relying on the engine to validate it.
+    }
+
+    /**
+     * Generates an Options collection that is used to parse the command line and to display the help message.
+     *
+     * @return the command line options used for parsing the command line
+     */
+    @SuppressWarnings("static-access")
+    private Options createCommandLineOptions() {
+
+        final Options options = new Options();
+        addStandardOptions(options);
+        addAdvancedOptions(options);
+
+        return options;
+    }
+
+    /**
+     * Adds the standard command line options to the given options collection.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addStandardOptions(final Options options) throws IllegalArgumentException {
+        final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
+                "Print this message.");
+
+        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
+                .withDescription("Print the advanced help message.").create();
+
+        final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
+                false, "Print the version information.");
+
+        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+                false, "Disables the automatic updating of the CPE data.");
+
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
+                .withDescription("The name of the application being scanned. This is a required argument.")
+                .create(ArgumentName.APP_NAME_SHORT);
+
+        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
+                .withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
+                        + " to specific file types *.[ext] can be added to the end of the path.")
+                .create(ArgumentName.SCAN_SHORT);
+
+        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
+                .withDescription("A property file to load.")
+                .create(ArgumentName.PROP_SHORT);
+
+        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
+                .withDescription("The folder to write reports to. This defaults to the current directory.")
+                .create(ArgumentName.OUT_SHORT);
+
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
+                .create(ArgumentName.OUTPUT_FORMAT_SHORT);
+
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+                .withDescription("The file path to write verbose logging information.")
+                .create(ArgumentName.VERBOSE_LOG_SHORT);
+
+        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESSION_FILE)
+                .withDescription("The file path to the suppression XML file.")
+                .create();
+
+        //This is an option group because it can be specified more then once.
+        final OptionGroup og = new OptionGroup();
+        og.addOption(path);
+
+        options.addOptionGroup(og)
+                .addOption(out)
+                .addOption(outputFormat)
+                .addOption(appName)
+                .addOption(version)
+                .addOption(help)
+                .addOption(advancedHelp)
+                .addOption(noUpdate)
+                .addOption(props)
+                .addOption(verboseLog)
+                .addOption(suppressionFile);
+    }
+
+    /**
+     * Adds the advanced command line options to the given options collection. These are split out for purposes of being
+     * able to display two different help messages.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
+
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+                .withDescription("The location of the H2 Database file. This option should generally not be set.")
+                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
+                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+
+        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
+                .withDescription("The proxy url to use when downloading resources.")
+                .create(ArgumentName.PROXY_URL_SHORT);
+
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+                .withDescription("The proxy port to use when downloading resources.")
+                .create(ArgumentName.PROXY_PORT_SHORT);
+
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+                .withDescription("The proxy username to use when downloading resources.")
+                .create();
+
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+                .withDescription("The proxy password to use when downloading resources.")
+                .create();
+
+        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
+                .withDescription("The connection string to the database.")
+                .create();
+
+        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
+                .withDescription("The username used to connect to the database.")
+                .create();
+
+        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
+                .withDescription("The password for connecting to the database.")
+                .create();
+
+        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
+                .withDescription("The database driver name.")
+                .create();
+
+        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
+                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
+                .create();
+
+        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_JAR)
+                .withDescription("Disable the Jar Analyzer.")
+                .create();
+        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ARCHIVE)
+                .withDescription("Disable the Archive Analyzer.")
+                .create();
+        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NUSPEC)
+                .withDescription("Disable the Nuspec Analyzer.")
+                .create();
+        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ASSEMBLY)
+                .withDescription("Disable the .NET Assembly Analyzer.")
+                .create();
+
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+                .withDescription("Disable the Nexus Analyzer.")
+                .create();
+
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+                .withDescription("The url to the Nexus Server.")
+                .create();
+
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
+                .create();
+
+        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
+                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
+                        + "(ZIP, EAR, WAR are already treated as zip files)")
+                .create();
+
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
+                .create();
+
+        options.addOption(proxyPort)
+                .addOption(proxyUrl)
+                .addOption(proxyUsername)
+                .addOption(proxyPassword)
+                .addOption(connectionTimeout)
+                .addOption(connectionString)
+                .addOption(dbUser)
+                .addOption(data)
+                .addOption(dbPassword)
+                .addOption(dbDriver)
+                .addOption(dbDriverPath)
+                .addOption(disableJarAnalyzer)
+                .addOption(disableArchiveAnalyzer)
+                .addOption(disableAssemblyAnalyzer)
+                .addOption(disableNuspecAnalyzer)
+                .addOption(disableNexusAnalyzer)
+                .addOption(nexusUrl)
+                .addOption(nexusUsesProxy)
+                .addOption(additionalZipExtensions)
+                .addOption(pathToMono);
+    }
+
+    /**
+     * Determines if the 'version' command line argument was passed in.
+     *
+     * @return whether or not the 'version' command line argument was passed in
+     */
+    public boolean isGetVersion() {
+        return (line != null) && line.hasOption(ArgumentName.VERSION);
+    }
+
+    /**
+     * Determines if the 'help' command line argument was passed in.
+     *
+     * @return whether or not the 'help' command line argument was passed in
+     */
+    public boolean isGetHelp() {
+        return (line != null) && line.hasOption(ArgumentName.HELP);
+    }
+
+    /**
+     * Determines if the 'scan' command line argument was passed in.
+     *
+     * @return whether or not the 'scan' command line argument was passed in
+     */
+    public boolean isRunScan() {
+        return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
+    }
+
+    /**
+     * Returns true if the disableJar command line argument was specified.
+     *
+     * @return true if the disableJar command line argument was specified; otherwise false
+     */
+    public boolean isJarDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_JAR);
+    }
+
+    /**
+     * Returns true if the disableArchive command line argument was specified.
+     *
+     * @return true if the disableArchive command line argument was specified; otherwise false
+     */
+    public boolean isArchiveDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_ARCHIVE);
+    }
+
+    /**
+     * Returns true if the disableNuspec command line argument was specified.
+     *
+     * @return true if the disableNuspec command line argument was specified; otherwise false
+     */
+    public boolean isNuspecDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_NUSPEC);
+    }
+
+    /**
+     * Returns true if the disableAssembly command line argument was specified.
+     *
+     * @return true if the disableAssembly command line argument was specified; otherwise false
+     */
+    public boolean isAssemblyDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_ASSEMBLY);
+    }
+
+    /**
+     * Returns true if the disableNexus command line argument was specified.
+     *
+     * @return true if the disableNexus command line argument was specified; otherwise false
+     */
+    public boolean isNexusDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
+    }
+
+    /**
+     * Returns the url to the nexus server if one was specified.
+     *
+     * @return the url to the nexus server; if none was specified this will return null;
+     */
+    public String getNexusUrl() {
+        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
+            return null;
+        } else {
+            return line.getOptionValue(ArgumentName.NEXUS_URL);
+        }
+    }
+
+    /**
+     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
+     * returned.
+     *
+     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
+     */
+    public boolean isNexusUsesProxy() {
+        // If they didn't specify whether Nexus needs to use the proxy, we should
+        // still honor the property if it's set.
+        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+            try {
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+            } catch (InvalidSettingException ise) {
+                return true;
+            }
+        } else {
+            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+        }
+    }
+
+    /**
+     * Displays the command line help message to the standard output.
+     */
+    public void printHelp() {
+        final HelpFormatter formatter = new HelpFormatter();
+        final Options options = new Options();
+        addStandardOptions(options);
+        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
+            addAdvancedOptions(options);
+        }
+        final String helpMsg = String.format("%n%s"
+                + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
+                + "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
+                Settings.getString("application.name", "DependencyCheck"),
+                Settings.getString("application.name", "DependencyCheck"));
+
+        formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
+                helpMsg,
+                options,
+                "",
+                true);
+
+    }
+
+    /**
+     * Retrieves the file command line parameter(s) specified for the 'scan' argument.
+     *
+     * @return the file paths specified on the command line for scan
+     */
+    public String[] getScanFiles() {
+        return line.getOptionValues(ArgumentName.SCAN);
+    }
+
+    /**
+     * Returns the directory to write the reports to specified on the command line.
+     *
+     * @return the path to the reports directory.
+     */
+    public String getReportDirectory() {
+        return line.getOptionValue(ArgumentName.OUT, ".");
+    }
+
+    /**
+     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToMono() {
+        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+    }
+
+    /**
+     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
+     *
+     * @return the output format name.
+     */
+    public String getReportFormat() {
+        return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
+    }
+
+    /**
+     * Returns the application name specified on the command line.
+     *
+     * @return the application name.
+     */
+    public String getApplicationName() {
+        return line.getOptionValue(ArgumentName.APP_NAME);
+    }
+
+    /**
+     * Returns the connection timeout.
+     *
+     * @return the connection timeout
+     */
+    public String getConnectionTimeout() {
+        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+    }
+
+    /**
+     * Returns the proxy url.
+     *
+     * @return the proxy url
+     */
+    public String getProxyUrl() {
+        return line.getOptionValue(ArgumentName.PROXY_URL);
+    }
+
+    /**
+     * Returns the proxy port.
+     *
+     * @return the proxy port
+     */
+    public String getProxyPort() {
+        return line.getOptionValue(ArgumentName.PROXY_PORT);
+    }
+
+    /**
+     * Returns the proxy username.
+     *
+     * @return the proxy username
+     */
+    public String getProxyUsername() {
+        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+    }
+
+    /**
+     * Returns the proxy password.
+     *
+     * @return the proxy password
+     */
+    public String getProxyPassword() {
+        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+    }
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
+    }
+
+    /**
+     * Returns the properties file specified on the command line.
+     *
+     * @return the properties file specified on the command line
+     */
+    public File getPropertiesFile() {
+        final String path = line.getOptionValue(ArgumentName.PROP);
+        if (path != null) {
+            return new File(path);
+        }
+        return null;
+    }
+
+    /**
+     * Returns the path to the verbose log file.
+     *
+     * @return the path to the verbose log file
+     */
+    public String getVerboseLog() {
+        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+    }
+
+    /**
+     * Returns the path to the suppression file.
+     *
+     * @return the path to the suppression file
+     */
+    public String getSuppressionFile() {
+        return line.getOptionValue(ArgumentName.SUPPRESSION_FILE);
+    }
+
+    /**
+     * <p>
+     * Prints the manifest information to standard output.</p>
+     * <ul><li>Implementation-Title: ${pom.name}</li>
+     * <li>Implementation-Version: ${pom.version}</li></ul>
+     */
+    public void printVersionInfo() {
+        final String version = String.format("%s version %s",
+                Settings.getString("application.name", "DependencyCheck"),
+                Settings.getString("application.version", "Unknown"));
+        System.out.println(version);
+    }
+
+    /**
+     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
+     * return false.
+     *
+     * @return if auto-update is allowed.
+     */
+    public boolean isAutoUpdate() {
+        return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
+    }
+
+    /**
+     * Returns the database driver name if specified; otherwise null is returned.
+     *
+     * @return the database driver name if specified; otherwise null is returned
+     */
+    public String getDatabaseDriverName() {
+        return line.getOptionValue(ArgumentName.DB_DRIVER);
+    }
+
+    /**
+     * Returns the database driver path if specified; otherwise null is returned.
+     *
+     * @return the database driver name if specified; otherwise null is returned
+     */
+    public String getDatabaseDriverPath() {
+        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
+    }
+
+    /**
+     * Returns the database connection string if specified; otherwise null is returned.
+     *
+     * @return the database connection string if specified; otherwise null is returned
+     */
+    public String getConnectionString() {
+        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
+    }
+
+    /**
+     * Returns the database database user name if specified; otherwise null is returned.
+     *
+     * @return the database database user name if specified; otherwise null is returned
+     */
+    public String getDatabaseUser() {
+        return line.getOptionValue(ArgumentName.DB_NAME);
+    }
+
+    /**
+     * Returns the database database password if specified; otherwise null is returned.
+     *
+     * @return the database database password if specified; otherwise null is returned
+     */
+    public String getDatabasePassword() {
+        return line.getOptionValue(ArgumentName.DB_PASSWORD);
+    }
+
+    /**
+     * Returns the additional Extensions if specified; otherwise null is returned.
+     *
+     * @return the additional Extensions; otherwise null is returned
+     */
+    public String getAdditionalZipExtensions() {
+        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
+    }
+
+    /**
+     * A collection of static final strings that represent the possible command line arguments.
+     */
+    public static class ArgumentName {
+
+        /**
+         * The long CLI argument name specifying the directory/file to scan.
+         */
+        public static final String SCAN = "scan";
+        /**
+         * The short CLI argument name specifying the directory/file to scan.
+         */
+        public static final String SCAN_SHORT = "s";
+        /**
+         * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         */
+        public static final String DISABLE_AUTO_UPDATE = "noupdate";
+        /**
+         * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         */
+        public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
+        /**
+         * The long CLI argument name specifying the directory to write the reports to.
+         */
+        public static final String OUT = "out";
+        /**
+         * The short CLI argument name specifying the directory to write the reports to.
+         */
+        public static final String OUT_SHORT = "o";
+        /**
+         * The long CLI argument name specifying the output format to write the reports to.
+         */
+        public static final String OUTPUT_FORMAT = "format";
+        /**
+         * The short CLI argument name specifying the output format to write the reports to.
+         */
+        public static final String OUTPUT_FORMAT_SHORT = "f";
+        /**
+         * The long CLI argument name specifying the name of the application to be scanned.
+         */
+        public static final String APP_NAME = "app";
+        /**
+         * The short CLI argument name specifying the name of the application to be scanned.
+         */
+        public static final String APP_NAME_SHORT = "a";
+        /**
+         * The long CLI argument name asking for help.
+         */
+        public static final String HELP = "help";
+        /**
+         * The long CLI argument name asking for advanced help.
+         */
+        public static final String ADVANCED_HELP = "advancedHelp";
+        /**
+         * The short CLI argument name asking for help.
+         */
+        public static final String HELP_SHORT = "h";
+        /**
+         * The long CLI argument name asking for the version.
+         */
+        public static final String VERSION_SHORT = "v";
+        /**
+         * The short CLI argument name asking for the version.
+         */
+        public static final String VERSION = "version";
+        /**
+         * The short CLI argument name indicating the proxy port.
+         */
+        public static final String PROXY_PORT_SHORT = "p";
+        /**
+         * The CLI argument name indicating the proxy port.
+         */
+        public static final String PROXY_PORT = "proxyport";
+        /**
+         * The short CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL_SHORT = "u";
+        /**
+         * The CLI argument name indicating the proxy url.
+         */
+        public static final String PROXY_URL = "proxyurl";
+        /**
+         * The CLI argument name indicating the proxy username.
+         */
+        public static final String PROXY_USERNAME = "proxyuser";
+        /**
+         * The CLI argument name indicating the proxy password.
+         */
+        public static final String PROXY_PASSWORD = "proxypass";
+        /**
+         * The short CLI argument name indicating the connection timeout.
+         */
+        public static final String CONNECTION_TIMEOUT_SHORT = "c";
+        /**
+         * The CLI argument name indicating the connection timeout.
+         */
+        public static final String CONNECTION_TIMEOUT = "connectiontimeout";
+        /**
+         * The short CLI argument name for setting the location of an additional properties file.
+         */
+        public static final String PROP_SHORT = "P";
+        /**
+         * The CLI argument name for setting the location of an additional properties file.
+         */
+        public static final String PROP = "propertyfile";
+        /**
+         * The CLI argument name for setting the location of the data directory.
+         */
+        public static final String DATA_DIRECTORY = "data";
+        /**
+         * The short CLI argument name for setting the location of the data directory.
+         */
+        public static final String DATA_DIRECTORY_SHORT = "d";
+        /**
+         * The CLI argument name for setting the location of the data directory.
+         */
+        public static final String VERBOSE_LOG = "log";
+        /**
+         * The short CLI argument name for setting the location of the data directory.
+         */
+        public static final String VERBOSE_LOG_SHORT = "l";
+        /**
+         * The CLI argument name for setting the location of the suppression file.
+         */
+        public static final String SUPPRESSION_FILE = "suppression";
+        /**
+         * Disables the Jar Analyzer.
+         */
+        public static final String DISABLE_JAR = "disableJar";
+        /**
+         * Disables the Archive Analyzer.
+         */
+        public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Assembly Analyzer.
+         */
+        public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Nuspec Analyzer.
+         */
+        public static final String DISABLE_NUSPEC = "disableNuspec";
+        /**
+         * Disables the Nexus Analyzer.
+         */
+        public static final String DISABLE_NEXUS = "disableNexus";
+        /**
+         * The URL of the nexus server.
+         */
+        public static final String NEXUS_URL = "nexus";
+        /**
+         * Whether or not the defined proxy should be used when connecting to Nexus.
+         */
+        public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
+        /**
+         * The CLI argument name for setting the connection string.
+         */
+        public static final String CONNECTION_STRING = "connectionString";
+        /**
+         * The CLI argument name for setting the database user name.
+         */
+        public static final String DB_NAME = "dbUser";
+        /**
+         * The CLI argument name for setting the database password.
+         */
+        public static final String DB_PASSWORD = "dbPassword";
+        /**
+         * The CLI argument name for setting the database driver name.
+         */
+        public static final String DB_DRIVER = "dbDriverName";
+        /**
+         * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
+         */
+        public static final String DB_DRIVER_PATH = "dbDriverPath";
+        /**
+         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+         */
+        public static final String PATH_TO_MONO = "mono";
+        /**
+         * The CLI argument name for setting extra extensions.
+         */
+        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
+    }
+}

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.cli</title>
+ * </head>
+ * <body>
+ * Includes utility classes such as the CLI Parser,
+ * </body>
+ * </html>
+*/
+
+package org.owasp.dependencycheck.cli;

dependency-check-cli/src/main/resources/log.properties

@@ -0,0 +1,22 @@
+handlers=java.util.logging.ConsoleHandler
+#, java.util.logging.FileHandler
+
+# logging levels
+# FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
+
+# Configure the ConsoleHandler.
+java.util.logging.ConsoleHandler.level=INFO
+
+# Configure the FileHandler.
+java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
+java.util.logging.FileHandler.level=FINE
+
+# The following special tokens can be used in the pattern property
+# which specifies the location and name of the log file.
+#   / - standard path separator
+#   %t - system temporary directory
+#   %h - value of the user.home system property
+#   %g - generation number for rotating logs
+#   %u - unique number to avoid conflicts
+# FileHandler writes to %h/demo0.log by default.
+java.util.logging.FileHandler.pattern=./dependency-check.log

dependency-check-cli/src/site/markdown/arguments.md

@@ -0,0 +1,43 @@
+Command Line Arguments
+======================
+
+The following table lists the command line arguments:
+
+Short  | Argument Name         | Parameter       | Description | Requirement
+-------|-----------------------|-----------------|-------------|------------
+ \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
+ \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
+ \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
+ \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
+ \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
+       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
+ \-h   | \-\-help              |                 | Print the help message. | Optional
+       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
+ \-v   | \-\-version           |                 | Print the version information. | Optional
+
+Advanced Options
+================
+Short  | Argument Name         | Parameter       | Description | Default Value
+-------|-----------------------|-----------------|-------------|---------------
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                      | false
+       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+       | \-\-disableJar        |                 | Sets whether Jar Analyzer will be used.                              | false
+       | \-\-disableNexus      |                 | Sets whether Nexus Analyzer will be used.                            | false
+       | \-\-disableNexus      |                 | Disable the Nexus Analyzer.                                          | &nbsp;
+       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | https://repository.sonatype.org/service/local/
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.     | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.       | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.  | &nbsp;
+       | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | &nbsp;
+       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name. | &nbsp;
+       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | &nbsp;
+ \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;

dependency-check-cli/src/site/markdown/installation.md.vm

@@ -0,0 +1,25 @@
+Installation & Usage
+====================
+Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
+Extract the zip file to a location on your computer and put the 'bin' directory into the
+path environment variable. On \*nix systems you will likely need to make the shell
+script executable:
+
+    $ chmod +777 dependency-check.sh
+
+To scan a folder on the system you can run:
+#set( $H = '#' )
+
+$H$H$H Windows
+    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
+
+$H$H$H *nix
+    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
+
+To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
+
+$H$H$H Windows
+    dependency-check.bat --help
+
+$H$H$H *nix
+    dependency-check.sh --help

dependency-check-cli/src/site/site.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-cli.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-cli">
+    <bannerLeft>
+        <name>dependency-check-cli</name>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu name="Getting Started">
+            <item name="Installation" href="installation.html"/>
+            <item name="Configuration" href="arguments.html"/>
+        </menu>
+        <menu ref="Project Documentation" />
+        <menu ref="reports" />
+    </body>
+</project>

dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java

@@ -1,24 +1,22 @@
 /*
  * This file is part of Dependency-Check.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.utils;
+package org.owasp.dependencycheck.cli;
 
-import org.owasp.dependencycheck.utils.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -31,19 +29,22 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class CliParserTest {
 
     @BeforeClass
     public static void setUpClass() throws Exception {
+        Settings.initialize();
     }
 
     @AfterClass
     public static void tearDownClass() throws Exception {
+        Settings.cleanup(true);
     }
 
     @Before
@@ -56,6 +57,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -77,6 +79,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with help arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -95,6 +98,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with version arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -112,6 +116,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar and cpe args, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -140,6 +145,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with scan arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -162,6 +168,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -173,7 +180,7 @@ public class CliParserTest {
         try {
             instance.parse(args);
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid file argument"));
+            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
 
         Assert.assertFalse(instance.isGetVersion());
@@ -183,6 +190,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -202,6 +210,7 @@ public class CliParserTest {
 
     /**
      * Test of printVersionInfo, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -230,6 +239,7 @@ public class CliParserTest {
 
     /**
      * Test of printHelp, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test

dependency-check-core/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

dependency-check-core/NOTICE.txt

@@ -0,0 +1,18 @@
+dependency-check
+
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm

dependency-check-core/README.md

@@ -0,0 +1,28 @@
+Dependency-Check-Core
+================
+
+Dependency-Check-Core is the main engine used by all of the other modules to do the analysis and reporting.
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
+
+Post: [dependency-check@googlegroups.com] [post]
+
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
+
+Copyright & License
+------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
+
+
+  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
+  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
+  [post]: mailto:dependency-check@googlegroups.com
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt

dependency-check-core/pom.xml

@@ -0,0 +1,723 @@
+<!--
+This file is part of dependency-check-core.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.2.1</version>
+    </parent>
+
+    <artifactId>dependency-check-core</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Core</name>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-core</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                    <include>**/schema/*.xsd</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}/..</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+            <resource>
+                <directory>src/main/resources</directory>
+                <excludes>
+                    <exclude>**/*.properties</exclude>
+                    <exclude>**/*.gif</exclude>
+                    <exclude>**/*.js</exclude>
+                    <exclude>**/schema/**/*.xsd</exclude>
+                    <exclude>**/schema/**/*.xml</exclude>
+                    <exclude>**/schema/**/*.bat</exclude>
+                    <exclude>**/schema/**/*.sh</exclude>
+                </excludes>
+                <filtering>false</filtering>
+            </resource>
+        </resources>
+        <testResources>
+            <testResource>
+                <directory>src/test/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </testResource>
+            <testResource>
+                <directory>${basedir}/../src/test/resources</directory>
+                <filtering>false</filtering>
+            </testResource>
+            <testResource>
+                <directory>${basedir}/src/test/resources</directory>
+                <excludes>
+                    <exclude>**/mysql-connector-java-5.1.27-bin.jar</exclude>
+                </excludes>
+                <filtering>false</filtering>
+            </testResource>
+        </testResources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>2.8</version>
+                <executions>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>copy-dependencies</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <includeScope>provided</includeScope>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <executions>
+                    <execution>
+                        <id>jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>jar</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>test-jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
+                        <ignores>
+                            <ignore>.*\$KEYS\.class</ignore>
+                            <ignore>.*\$Element\.class</ignore>
+                        </ignores>
+                        <excludes>
+                            <exclude>.*\$KEYS\.class</exclude>
+                            <exclude>.*\$Element\.class</exclude>
+                        </excludes>
+                    </instrumentation>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.data.cpe.Fields</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.App</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/data</value>
+                        </property>
+                        <property>
+                            <name>temp.directory</name>
+                            <value>${project.build.directory}/temp</value>
+                        </property>
+                    </systemProperties>
+                    <excludes>
+                        <exclude>**/*IntegrationTest.java</exclude>
+                        <exclude>**/*MySQLTest.java</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/data</value>
+                        </property>
+                    </systemProperties>
+                    <includes>
+                        <include>**/*IntegrationTest.java</include>
+                    </includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.6</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                                <reportSet>
+                                    <id>integration-tests</id>
+                                    <reports>
+                                        <report>report-only</report>
+                                        <report>failsafe-report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                        <dependency>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>javancss-maven-plugin</artifactId>
+                            <version>2.0</version>
+                        </dependency>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-test-framework</artifactId>
+            <version>4.3.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>annotations</artifactId>
+            <version>2.0.1</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.8</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.5</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-core</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-analyzers-common</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-queryparser</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.velocity</groupId>
+            <artifactId>velocity</artifactId>
+            <version>1.7</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.velocity</groupId>
+            <artifactId>velocity-tools</artifactId>
+            <version>2.0</version>
+            <!-- very limited use of the velocity-tools, not all of the dependencies are needed-->
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-chain</groupId>
+                    <artifactId>commons-chain</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.servlet</groupId>
+                    <artifactId>servlet-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-validator</groupId>
+                    <artifactId>commons-validator</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>dom4j</groupId>
+                    <artifactId>dom4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>sslext</groupId>
+                    <artifactId>sslext</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>antlr</groupId>
+                    <artifactId>antlr</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-taglib</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-tiles</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.3.172</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.7.2</version>
+            <type>jar</type>
+        </dependency>
+        <!-- The following dependencies are only used during testing -->
+        <dependency>
+            <groupId>org.apache.maven.scm</groupId>
+            <artifactId>maven-scm-provider-cvsexe</artifactId>
+            <version>1.8.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>2.5.5</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.hazelcast</groupId>
+            <artifactId>hazelcast</artifactId>
+            <version>2.5</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache-core</artifactId>
+            <version>2.2.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.struts</groupId>
+            <artifactId>struts2-core</artifactId>
+            <version>2.1.2</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.mortbay.jetty</groupId>
+            <artifactId>jetty</artifactId>
+            <version>6.1.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-spring</artifactId>
+            <version>1.4.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-adb</artifactId>
+            <version>1.4.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.geronimo.daytrader</groupId>
+            <artifactId>daytrader-ear</artifactId>
+            <version>2.1.7</version>
+            <type>ear</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.main.admingui</groupId>
+            <artifactId>war</artifactId>
+            <version>4.0</version>
+            <type>war</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.dojotoolkit</groupId>
+            <artifactId>dojo-war</artifactId>
+            <version>1.3.0</version>
+            <type>war</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+            <version>3.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+    <profiles>
+        <profile>
+            <id>MySQL-IntegrationTest</id>
+            <activation>
+                <property>
+                    <name>mysql</name>
+                    <!--value>test</value-->
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <version>2.16</version>
+                        <configuration>
+                            <skip>true</skip>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <version>2.16</version>
+                        <configuration>
+                            <systemProperties>
+                                <property>
+                                    <name>data.driver_path</name>
+                                    <value>${basedir}/${driver_path}</value>
+                                </property>
+                                <property>
+                                    <name>data.driver_name</name>
+                                    <value>${driver_name}</value>
+                                </property>
+                                <property>
+                                    <name>data.connection_string</name>
+                                    <value>${connection_string}</value>
+                                </property>
+                            </systemProperties>
+                            <includes>
+                                <include>**/*MySQLTest.java</include>
+                            </includes>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <!-- The following profile adds additional
+            dependencies that are only used during testing.
+            Additionally, these are only added when using "allTests" to
+            make the build slightly faster in most cases. -->
+            <id>False Positive Tests</id>
+            <activation>
+                <property>
+                    <name>allTests</name>
+                </property>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.apache.xmlgraphics</groupId>
+                    <artifactId>batik-util</artifactId>
+                    <version>1.7</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.thoughtworks.xstream</groupId>
+                    <artifactId>xstream</artifactId>
+                    <version>1.4.2</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.apache.ws.security</groupId>
+                    <artifactId>wss4j</artifactId>
+                    <version>1.5.7</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.ganyo</groupId>
+                    <artifactId>gcm-server</artifactId>
+                    <version>1.0.2</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.python</groupId>
+                    <artifactId>jython-standalone</artifactId>
+                    <version>2.7-b1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby-complete</artifactId>
+                    <version>1.7.4</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby</artifactId>
+                    <version>1.6.3</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+            </dependencies>
+        </profile>
+    </profiles>
+</project>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -0,0 +1,505 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.EnumMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.analyzer.AnalysisPhase;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.AnalyzerService;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
+import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.update.CachedWebDataSource;
+import org.owasp.dependencycheck.data.update.UpdateService;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.NoDataException;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the
+ * scan, if a file is encountered and an Analyzer is associated with the file type then the file is turned into a
+ * dependency.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class Engine {
+
+    /**
+     * The list of dependencies.
+     */
+    private List<Dependency> dependencies;
+    /**
+     * A Map of analyzers grouped by Analysis phase.
+     */
+    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
+    /**
+     * A Map of analyzers grouped by Analysis phase.
+     */
+    private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
+    /**
+     * The ClassLoader to use when dynamically loading Analyzer and Update services.
+     */
+    private ClassLoader serviceClassLoader;
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());
+
+    /**
+     * Creates a new Engine.
+     *
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    public Engine() throws DatabaseException {
+        this(Thread.currentThread().getContextClassLoader());
+    }
+
+    /**
+     * Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
+     *
+     * @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
+        this.dependencies = new ArrayList<Dependency>();
+        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+        this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+        this.serviceClassLoader = serviceClassLoader;
+
+        ConnectionFactory.initialize();
+
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
+        }
+        if (autoUpdate) {
+            doUpdates();
+        }
+        loadAnalyzers();
+    }
+
+    /**
+     * Properly cleans up resources allocated during analysis.
+     */
+    public void cleanup() {
+        ConnectionFactory.cleanup();
+    }
+
+    /**
+     * Loads the analyzers specified in the configuration file (or system properties).
+     */
+    private void loadAnalyzers() {
+
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            analyzers.put(phase, new ArrayList<Analyzer>());
+        }
+
+        final AnalyzerService service = new AnalyzerService(serviceClassLoader);
+        final Iterator<Analyzer> iterator = service.getAnalyzers();
+        while (iterator.hasNext()) {
+            final Analyzer a = iterator.next();
+            analyzers.get(a.getAnalysisPhase()).add(a);
+            if (a instanceof FileTypeAnalyzer) {
+                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
+            }
+        }
+    }
+
+    /**
+     * Get the List of the analyzers for a specific phase of analysis.
+     *
+     * @param phase the phase to get the configured analyzers.
+     * @return the analyzers loaded
+     */
+    public List<Analyzer> getAnalyzers(AnalysisPhase phase) {
+        return analyzers.get(phase);
+    }
+
+    /**
+     * Get the dependencies identified.
+     *
+     * @return the dependencies identified
+     */
+    public List<Dependency> getDependencies() {
+        return dependencies;
+    }
+
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+        //for (Dependency dependency: dependencies) {
+        //    dependencies.add(dependency);
+        //}
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param paths an array of paths to files or directories to be analyzed.
+     */
+    public void scan(String[] paths) {
+        for (String path : paths) {
+            final File file = new File(path);
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
+     *
+     * @param path the path to a file or directory to be analyzed.
+     */
+    public void scan(String path) {
+        if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
+            final String[] parts = path.split("\\*\\.");
+            final String[] ext = new String[]{parts[parts.length - 1]};
+            final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
+            if (dir.isDirectory()) {
+                final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
+                scan(files);
+            } else {
+                final String msg = String.format("Invalid file path provided to scan '%s'", path);
+                LOGGER.log(Level.SEVERE, msg);
+            }
+        } else {
+            final File file = new File(path);
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files an array of paths to files or directories to be analyzed.
+     */
+    public void scan(File[] files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files a set of paths to files or directories to be analyzed.
+     */
+    public void scan(Set<File> files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files a set of paths to files or directories to be analyzed.
+     */
+    public void scan(List<File> files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
+     *
+     * @since v0.3.2.4
+     *
+     * @param file the path to a file or directory to be analyzed.
+     */
+    public void scan(File file) {
+        if (file.exists()) {
+            if (file.isDirectory()) {
+                scanDirectory(file);
+            } else {
+                scanFile(file);
+            }
+        }
+    }
+
+    /**
+     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
+     *
+     * @param dir the directory to scan.
+     */
+    protected void scanDirectory(File dir) {
+        final File[] files = dir.listFiles();
+        if (files != null) {
+            for (File f : files) {
+                if (f.isDirectory()) {
+                    scanDirectory(f);
+                } else {
+                    scanFile(f);
+                }
+            }
+        }
+    }
+
+    /**
+     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     *
+     * @param file The file to scan.
+     */
+    protected void scanFile(File file) {
+        if (!file.isFile()) {
+            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
+            LOGGER.log(Level.FINE, msg);
+            return;
+        }
+        final String fileName = file.getName();
+        final String extension = FileUtils.getFileExtension(fileName);
+        if (extension != null) {
+            if (supportsExtension(extension)) {
+                final Dependency dependency = new Dependency(file);
+                dependencies.add(dependency);
+            }
+        } else {
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
+                    file.toString());
+            LOGGER.log(Level.FINEST, msg);
+        }
+    }
+
+    /**
+     * Runs the analyzers against all of the dependencies.
+     */
+    public void analyzeDependencies() {
+        //need to ensure that data exists
+        try {
+            ensureDataExists();
+        } catch (NoDataException ex) {
+            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            return;
+        } catch (DatabaseException ex) {
+            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            return;
+
+        }
+
+        final String logHeader = String.format("%n"
+                + "----------------------------------------------------%n"
+                + "BEGIN ANALYSIS%n"
+                + "----------------------------------------------------");
+        LOGGER.log(Level.FINE, logHeader);
+        LOGGER.log(Level.INFO, "Analysis Starting");
+
+        // analysis phases
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+
+            for (Analyzer a : analyzerList) {
+                initializeAnalyzer(a);
+
+                /* need to create a copy of the collection because some of the
+                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
+                 * This is okay for adds/deletes because it happens per analyzer.
+                 */
+                final String msg = String.format("Begin Analyzer '%s'", a.getName());
+                LOGGER.log(Level.FINE, msg);
+                final Set<Dependency> dependencySet = new HashSet<Dependency>();
+                dependencySet.addAll(dependencies);
+                for (Dependency d : dependencySet) {
+                    boolean shouldAnalyze = true;
+                    if (a instanceof FileTypeAnalyzer) {
+                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
+                        shouldAnalyze = fAnalyzer.supportsExtension(d.getFileExtension());
+                    }
+                    if (shouldAnalyze) {
+                        final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
+                        LOGGER.log(Level.FINE, msgFile);
+                        try {
+                            a.analyze(d, this);
+                        } catch (AnalysisException ex) {
+                            final String exMsg = String.format("An error occurred while analyzing '%s'.", d.getActualFilePath());
+                            LOGGER.log(Level.WARNING, exMsg);
+                            LOGGER.log(Level.FINE, "", ex);
+                        } catch (Throwable ex) {
+                            final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
+                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
+                            LOGGER.log(Level.WARNING, axMsg);
+                            LOGGER.log(Level.FINE, "", ex);
+                        }
+                    }
+                }
+            }
+        }
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+
+            for (Analyzer a : analyzerList) {
+                closeAnalyzer(a);
+            }
+        }
+
+        final String logFooter = String.format("%n"
+                + "----------------------------------------------------%n"
+                + "END ANALYSIS%n"
+                + "----------------------------------------------------");
+        LOGGER.log(Level.FINE, logFooter);
+        LOGGER.log(Level.INFO, "Analysis Complete");
+    }
+
+    /**
+     * Initializes the given analyzer.
+     *
+     * @param analyzer the analyzer to initialize
+     */
+    private void initializeAnalyzer(Analyzer analyzer) {
+        try {
+            final String msg = String.format("Initializing %s", analyzer.getName());
+            LOGGER.log(Level.FINE, msg);
+            analyzer.initialize();
+        } catch (Throwable ex) {
+            final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            try {
+                analyzer.close();
+            } catch (Throwable ex1) {
+                LOGGER.log(Level.FINEST, null, ex1);
+            }
+        }
+    }
+
+    /**
+     * Closes the given analyzer.
+     *
+     * @param analyzer the analyzer to close
+     */
+    private void closeAnalyzer(Analyzer analyzer) {
+        final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
+        LOGGER.log(Level.FINE, msg);
+        try {
+            analyzer.close();
+        } catch (Throwable ex) {
+            LOGGER.log(Level.FINEST, null, ex);
+        }
+    }
+
+    /**
+     * Cycles through the cached web data sources and calls update on all of them.
+     */
+    private void doUpdates() {
+        final UpdateService service = new UpdateService(serviceClassLoader);
+        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
+        while (iterator.hasNext()) {
+            final CachedWebDataSource source = iterator.next();
+            try {
+                source.update();
+            } catch (UpdateException ex) {
+                LOGGER.log(Level.WARNING,
+                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                LOGGER.log(Level.FINE,
+                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
+            }
+        }
+    }
+
+    /**
+     * Returns a full list of all of the analyzers. This is useful for reporting which analyzers where used.
+     *
+     * @return a list of Analyzers
+     */
+    public List<Analyzer> getAnalyzers() {
+        final List<Analyzer> ret = new ArrayList<Analyzer>();
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+            ret.addAll(analyzerList);
+        }
+        return ret;
+    }
+
+    /**
+     * Checks all analyzers to see if an extension is supported.
+     *
+     * @param ext a file extension
+     * @return true or false depending on whether or not the file extension is supported
+     */
+    public boolean supportsExtension(String ext) {
+        if (ext == null) {
+            return false;
+        }
+        boolean scan = false;
+        for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
+            /* note, we can't break early on this loop as the analyzers need to know if
+             they have files to work on prior to initialization */
+            scan |= a.supportsExtension(ext);
+        }
+        return scan;
+    }
+
+    /**
+     * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
+     *
+     * @throws NoDataException thrown if no data exists in the CPE Index
+     * @throws DatabaseException thrown if there is an exception opening the database
+     */
+    private void ensureDataExists() throws NoDataException, DatabaseException {
+        final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
+        final CveDB cve = new CveDB();
+
+        try {
+            cve.open();
+            cpe.open(cve);
+        } catch (IndexException ex) {
+            throw new NoDataException(ex.getMessage(), ex);
+        } catch (DatabaseException ex) {
+            throw new NoDataException(ex.getMessage(), ex);
+        } finally {
+            cve.close();
+        }
+        if (cpe.numDocs() <= 0) {
+            cpe.close();
+            throw new NoDataException("No documents exist");
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -0,0 +1,971 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.agent;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ScanAgentException;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
+ * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
+ * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
+ * datasource and conduct a scan based on this pre-defined evidence.
+ *
+ * <h2>Example:</h2>
+ * <pre>
+ * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
+ * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
+ * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
+ * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
+ * dependencies.add(dependency);
+ *
+ * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
+ * scan.setDependencies(dependencies);
+ * scan.setReportFormat(ReportGenerator.Format.ALL);
+ * scan.setReportOutputDirectory(System.getProperty("user.home"));
+ * scan.execute();
+ * </pre>
+ *
+ * @author Steve Springett <steve.springett@owasp.org>
+ */
+@SuppressWarnings("unused")
+public class DependencyCheckScanAgent {
+
+    /**
+     * System specific new line character.
+     */
+    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyCheckScanAgent.class.getName());
+    /**
+     * The application name for the report.
+     */
+    private String applicationName = "Dependency-Check";
+
+    /**
+     * Get the value of applicationName.
+     *
+     * @return the value of applicationName
+     */
+    public String getApplicationName() {
+        return applicationName;
+    }
+
+    /**
+     * Set the value of applicationName.
+     *
+     * @param applicationName new value of applicationName
+     */
+    public void setApplicationName(String applicationName) {
+        this.applicationName = applicationName;
+    }
+
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+
+    /**
+     * Returns a list of pre-determined dependencies.
+     *
+     * @return returns a list of dependencies
+     */
+    public List<Dependency> getDependencies() {
+        return dependencies;
+    }
+
+    /**
+     * Sets the list of dependencies to scan.
+     *
+     * @param dependencies new value of dependencies
+     */
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+    }
+
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return dataDirectory;
+    }
+
+    /**
+     * Set the value of dataDirectory.
+     *
+     * @param dataDirectory new value of dataDirectory
+     */
+    public void setDataDirectory(String dataDirectory) {
+        this.dataDirectory = dataDirectory;
+    }
+
+    /**
+     * Specifies the destination directory for the generated Dependency-Check report.
+     */
+    private String reportOutputDirectory;
+
+    /**
+     * Get the value of reportOutputDirectory.
+     *
+     * @return the value of reportOutputDirectory
+     */
+    public String getReportOutputDirectory() {
+        return reportOutputDirectory;
+    }
+
+    /**
+     * Set the value of reportOutputDirectory.
+     *
+     * @param reportOutputDirectory new value of reportOutputDirectory
+     */
+    public void setReportOutputDirectory(String reportOutputDirectory) {
+        this.reportOutputDirectory = reportOutputDirectory;
+    }
+
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
+     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
+     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+
+    /**
+     * Get the value of failBuildOnCVSS.
+     *
+     * @return the value of failBuildOnCVSS
+     */
+    public float getFailBuildOnCVSS() {
+        return failBuildOnCVSS;
+    }
+
+    /**
+     * Set the value of failBuildOnCVSS.
+     *
+     * @param failBuildOnCVSS new value of failBuildOnCVSS
+     */
+    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
+        this.failBuildOnCVSS = failBuildOnCVSS;
+    }
+
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
+     * false. Default is true.
+     */
+    private boolean autoUpdate = true;
+
+    /**
+     * Get the value of autoUpdate.
+     *
+     * @return the value of autoUpdate
+     */
+    public boolean isAutoUpdate() {
+        return autoUpdate;
+    }
+
+    /**
+     * Set the value of autoUpdate.
+     *
+     * @param autoUpdate new value of autoUpdate
+     */
+    public void setAutoUpdate(boolean autoUpdate) {
+        this.autoUpdate = autoUpdate;
+    }
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
+     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+
+    /**
+     * Get the value of reportFormat.
+     *
+     * @return the value of reportFormat
+     */
+    public ReportGenerator.Format getReportFormat() {
+        return reportFormat;
+    }
+
+    /**
+     * Set the value of reportFormat.
+     *
+     * @param reportFormat new value of reportFormat
+     */
+    public void setReportFormat(ReportGenerator.Format reportFormat) {
+        this.reportFormat = reportFormat;
+    }
+
+    /**
+     * The Proxy URL.
+     */
+    private String proxyUrl;
+
+    /**
+     * Get the value of proxyUrl.
+     *
+     * @return the value of proxyUrl
+     */
+    public String getProxyUrl() {
+        return proxyUrl;
+    }
+
+    /**
+     * Set the value of proxyUrl.
+     *
+     * @param proxyUrl new value of proxyUrl
+     */
+    public void setProxyUrl(String proxyUrl) {
+        this.proxyUrl = proxyUrl;
+    }
+
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+
+    /**
+     * Get the value of proxyPort.
+     *
+     * @return the value of proxyPort
+     */
+    public String getProxyPort() {
+        return proxyPort;
+    }
+
+    /**
+     * Set the value of proxyPort.
+     *
+     * @param proxyPort new value of proxyPort
+     */
+    public void setProxyPort(String proxyPort) {
+        this.proxyPort = proxyPort;
+    }
+
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+
+    /**
+     * Get the value of proxyUsername.
+     *
+     * @return the value of proxyUsername
+     */
+    public String getProxyUsername() {
+        return proxyUsername;
+    }
+
+    /**
+     * Set the value of proxyUsername.
+     *
+     * @param proxyUsername new value of proxyUsername
+     */
+    public void setProxyUsername(String proxyUsername) {
+        this.proxyUsername = proxyUsername;
+    }
+
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+
+    /**
+     * Get the value of proxyPassword.
+     *
+     * @return the value of proxyPassword
+     */
+    public String getProxyPassword() {
+        return proxyPassword;
+    }
+
+    /**
+     * Set the value of proxyPassword.
+     *
+     * @param proxyPassword new value of proxyPassword
+     */
+    public void setProxyPassword(String proxyPassword) {
+        this.proxyPassword = proxyPassword;
+    }
+
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+
+    /**
+     * Get the value of connectionTimeout.
+     *
+     * @return the value of connectionTimeout
+     */
+    public String getConnectionTimeout() {
+        return connectionTimeout;
+    }
+
+    /**
+     * Set the value of connectionTimeout.
+     *
+     * @param connectionTimeout new value of connectionTimeout
+     */
+    public void setConnectionTimeout(String connectionTimeout) {
+        this.connectionTimeout = connectionTimeout;
+    }
+
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+
+    /**
+     * Get the value of logFile.
+     *
+     * @return the value of logFile
+     */
+    public String getLogFile() {
+        return logFile;
+    }
+
+    /**
+     * Set the value of logFile.
+     *
+     * @param logFile new value of logFile
+     */
+    public void setLogFile(String logFile) {
+        this.logFile = logFile;
+    }
+
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+
+    /**
+     * Get the value of suppressionFile.
+     *
+     * @return the value of suppressionFile
+     */
+    public String getSuppressionFile() {
+        return suppressionFile;
+    }
+
+    /**
+     * Set the value of suppressionFile.
+     *
+     * @param suppressionFile new value of suppressionFile
+     */
+    public void setSuppressionFile(String suppressionFile) {
+        this.suppressionFile = suppressionFile;
+    }
+
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+
+    /**
+     * Get the value of showSummary.
+     *
+     * @return the value of showSummary
+     */
+    public boolean isShowSummary() {
+        return showSummary;
+    }
+
+    /**
+     * Set the value of showSummary.
+     *
+     * @param showSummary new value of showSummary
+     */
+    public void setShowSummary(boolean showSummary) {
+        this.showSummary = showSummary;
+    }
+
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+
+    /**
+     * Get the value of nexusAnalyzerEnabled.
+     *
+     * @return the value of nexusAnalyzerEnabled
+     */
+    public boolean isNexusAnalyzerEnabled() {
+        return nexusAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of nexusAnalyzerEnabled.
+     *
+     * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
+     */
+    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
+    }
+
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+
+    /**
+     * Get the value of nexusUrl.
+     *
+     * @return the value of nexusUrl
+     */
+    public String getNexusUrl() {
+        return nexusUrl;
+    }
+
+    /**
+     * Set the value of nexusUrl.
+     *
+     * @param nexusUrl new value of nexusUrl
+     */
+    public void setNexusUrl(String nexusUrl) {
+        this.nexusUrl = nexusUrl;
+    }
+
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+
+    /**
+     * Get the value of nexusUsesProxy.
+     *
+     * @return the value of nexusUsesProxy
+     */
+    public boolean isNexusUsesProxy() {
+        return nexusUsesProxy;
+    }
+
+    /**
+     * Set the value of nexusUsesProxy.
+     *
+     * @param nexusUsesProxy new value of nexusUsesProxy
+     */
+    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+        this.nexusUsesProxy = nexusUsesProxy;
+    }
+
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+
+    /**
+     * Get the value of databaseDriverName.
+     *
+     * @return the value of databaseDriverName
+     */
+    public String getDatabaseDriverName() {
+        return databaseDriverName;
+    }
+
+    /**
+     * Set the value of databaseDriverName.
+     *
+     * @param databaseDriverName new value of databaseDriverName
+     */
+    public void setDatabaseDriverName(String databaseDriverName) {
+        this.databaseDriverName = databaseDriverName;
+    }
+
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+
+    /**
+     * Get the value of databaseDriverPath.
+     *
+     * @return the value of databaseDriverPath
+     */
+    public String getDatabaseDriverPath() {
+        return databaseDriverPath;
+    }
+
+    /**
+     * Set the value of databaseDriverPath.
+     *
+     * @param databaseDriverPath new value of databaseDriverPath
+     */
+    public void setDatabaseDriverPath(String databaseDriverPath) {
+        this.databaseDriverPath = databaseDriverPath;
+    }
+
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+
+    /**
+     * Get the value of connectionString.
+     *
+     * @return the value of connectionString
+     */
+    public String getConnectionString() {
+        return connectionString;
+    }
+
+    /**
+     * Set the value of connectionString.
+     *
+     * @param connectionString new value of connectionString
+     */
+    public void setConnectionString(String connectionString) {
+        this.connectionString = connectionString;
+    }
+
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+
+    /**
+     * Get the value of databaseUser.
+     *
+     * @return the value of databaseUser
+     */
+    public String getDatabaseUser() {
+        return databaseUser;
+    }
+
+    /**
+     * Set the value of databaseUser.
+     *
+     * @param databaseUser new value of databaseUser
+     */
+    public void setDatabaseUser(String databaseUser) {
+        this.databaseUser = databaseUser;
+    }
+
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+
+    /**
+     * Get the value of databasePassword.
+     *
+     * @return the value of databasePassword
+     */
+    public String getDatabasePassword() {
+        return databasePassword;
+    }
+
+    /**
+     * Set the value of databasePassword.
+     *
+     * @param databasePassword new value of databasePassword
+     */
+    public void setDatabasePassword(String databasePassword) {
+        this.databasePassword = databasePassword;
+    }
+
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * like ZIP files.
+     */
+    private String zipExtensions;
+
+    /**
+     * Get the value of zipExtensions.
+     *
+     * @return the value of zipExtensions
+     */
+    public String getZipExtensions() {
+        return zipExtensions;
+    }
+
+    /**
+     * Set the value of zipExtensions.
+     *
+     * @param zipExtensions new value of zipExtensions
+     */
+    public void setZipExtensions(String zipExtensions) {
+        this.zipExtensions = zipExtensions;
+    }
+
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+
+    /**
+     * Get the value of cveUrl12Modified.
+     *
+     * @return the value of cveUrl12Modified
+     */
+    public String getCveUrl12Modified() {
+        return cveUrl12Modified;
+    }
+
+    /**
+     * Set the value of cveUrl12Modified.
+     *
+     * @param cveUrl12Modified new value of cveUrl12Modified
+     */
+    public void setCveUrl12Modified(String cveUrl12Modified) {
+        this.cveUrl12Modified = cveUrl12Modified;
+    }
+
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
+    /**
+     * Get the value of cveUrl20Modified.
+     *
+     * @return the value of cveUrl20Modified
+     */
+    public String getCveUrl20Modified() {
+        return cveUrl20Modified;
+    }
+
+    /**
+     * Set the value of cveUrl20Modified.
+     *
+     * @param cveUrl20Modified new value of cveUrl20Modified
+     */
+    public void setCveUrl20Modified(String cveUrl20Modified) {
+        this.cveUrl20Modified = cveUrl20Modified;
+    }
+
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+
+    /**
+     * Get the value of cveUrl12Base.
+     *
+     * @return the value of cveUrl12Base
+     */
+    public String getCveUrl12Base() {
+        return cveUrl12Base;
+    }
+
+    /**
+     * Set the value of cveUrl12Base.
+     *
+     * @param cveUrl12Base new value of cveUrl12Base
+     */
+    public void setCveUrl12Base(String cveUrl12Base) {
+        this.cveUrl12Base = cveUrl12Base;
+    }
+
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+
+    /**
+     * Get the value of cveUrl20Base.
+     *
+     * @return the value of cveUrl20Base
+     */
+    public String getCveUrl20Base() {
+        return cveUrl20Base;
+    }
+
+    /**
+     * Set the value of cveUrl20Base.
+     *
+     * @param cveUrl20Base new value of cveUrl20Base
+     */
+    public void setCveUrl20Base(String cveUrl20Base) {
+        this.cveUrl20Base = cveUrl20Base;
+    }
+
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * Get the value of pathToMono.
+     *
+     * @return the value of pathToMono
+     */
+    public String getPathToMono() {
+        return pathToMono;
+    }
+
+    /**
+     * Set the value of pathToMono.
+     *
+     * @param pathToMono new value of pathToMono
+     */
+    public void setPathToMono(String pathToMono) {
+        this.pathToMono = pathToMono;
+    }
+
+    /**
+     * Executes the Dependency-Check on the dependent libraries.
+     *
+     * @return the Engine used to scan the dependencies.
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
+     * database
+     */
+    private Engine executeDependencyCheck() throws DatabaseException {
+        populateSettings();
+        Engine engine = null;
+        engine = new Engine();
+        engine.setDependencies(this.dependencies);
+        engine.analyzeDependencies();
+        return engine;
+    }
+
+    /**
+     * Generates the reports for a given dependency-check engine.
+     *
+     * @param engine a dependency-check engine
+     * @param outDirectory the directory to write the reports to
+     */
+    private void generateExternalReports(Engine engine, File outDirectory) {
+        DatabaseProperties prop = null;
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            prop = cve.getDatabaseProperties();
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+        final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+        try {
+            r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
+        } catch (IOException ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
+        } catch (Throwable ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
+        }
+    }
+
+    /**
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
+     * properties required to change the proxy url, port, and connection timeout.
+     */
+    private void populateSettings() {
+        Settings.initialize();
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else {
+            final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        }
+        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        }
+        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        }
+        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+    }
+
+    /**
+     * Executes the dependency-check and generates the report.
+     *
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    public void execute() throws ScanAgentException {
+        Engine engine = null;
+        try {
+            engine = executeDependencyCheck();
+            generateExternalReports(engine, new File(this.reportOutputDirectory));
+            if (this.showSummary) {
+                showSummary(engine.getDependencies());
+            }
+            if (this.failBuildOnCVSS <= 10) {
+                checkForFailure(engine.getDependencies());
+            }
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            Settings.cleanup(true);
+            if (engine != null) {
+                engine.cleanup();
+            }
+        }
+    }
+
+    /**
+     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * configuration.
+     *
+     * @param dependencies the list of dependency objects
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
+        final StringBuilder ids = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean addName = true;
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (v.getCvssScore() >= failBuildOnCVSS) {
+                    if (addName) {
+                        addName = false;
+                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                        ids.append(v.getName());
+                    } else {
+                        ids.append(", ").append(v.getName());
+                    }
+                }
+            }
+        }
+        if (ids.length() > 0) {
+            final String msg = String.format("%n%nDependency-Check Failure:%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+
+            throw new ScanAgentException(msg);
+        }
+    }
+
+    /**
+     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     *
+     * @param dependencies a list of dependency objects
+     */
+    private void showSummary(List<Dependency> dependencies) {
+        final StringBuilder summary = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean firstEntry = true;
+            final StringBuilder ids = new StringBuilder();
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (firstEntry) {
+                    firstEntry = false;
+                } else {
+                    ids.append(", ");
+                }
+                ids.append(v.getName());
+            }
+            if (ids.length() > 0) {
+                summary.append(d.getFileName()).append(" (");
+                firstEntry = true;
+                for (Identifier id : d.getIdentifiers()) {
+                    if (firstEntry) {
+                        firstEntry = false;
+                    } else {
+                        summary.append(", ");
+                    }
+                    summary.append(id.getValue());
+                }
+                summary.append(") : ").append(ids).append(NEW_LINE);
+            }
+        }
+        if (summary.length() > 0) {
+            final String msg = String.format("%n%n"
+                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java

@@ -0,0 +1,13 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.agent</title>
+ * </head>
+ * <body>
+ * The agent package holds an agent API that can be used by other applications that have information about dependencies;
+ * but would rather implement something in their code directly rather then spawn a process to run the entire
+ * dependency-check engine. This basically provides programmatic access to running a scan.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.agent;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -0,0 +1,45 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractAnalyzer implements Analyzer {
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    @Override
+    public void initialize() throws Exception {
+        //do nothing
+    }
+
+    /**
+     * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    @Override
+    public void close() throws Exception {
+        //do nothing
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -0,0 +1,229 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constructor">
+    /**
+     * Base constructor that all children must call. This checks the configuration to determine if the analyzer is
+     * enabled.
+     */
+    public AbstractFileTypeAnalyzer() {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            enabled = Settings.getBoolean(key, true);
+        } catch (InvalidSettingException ex) {
+            String msg = String.format("Invalid setting for property '%s'", key);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            msg = String.format("%s has been disabled", getName());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Field definitions">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractFileTypeAnalyzer.class.getName());
+    /**
+     * Whether the file type analyzer detected any files it needs to analyze.
+     */
+    private boolean filesMatched = false;
+
+    /**
+     * Get the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @return the value of filesMatched
+     */
+    protected boolean isFilesMatched() {
+        return filesMatched;
+    }
+
+    /**
+     * Set the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @param filesMatched new value of filesMatched
+     */
+    protected void setFilesMatched(boolean filesMatched) {
+        this.filesMatched = filesMatched;
+    }
+
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private boolean enabled = true;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
+    /**
+     * <p>
+     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
+     * getSupportedExtensions function would return a set with a single element "jar".</p>
+     *
+     * <p>
+     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
+     *
+     * @return The file extensions supported by this analyzer.
+     *
+     * <p>
+     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
+     * file loaded</p>
+     */
+    protected abstract Set<String> getSupportedExtensions();
+
+    /**
+     * Initializes the file type analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    protected abstract void initializeFileTypeAnalyzer() throws Exception;
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+//</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
+    /**
+     * Initializes the analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    @Override
+    public final void initialize() throws Exception {
+        if (filesMatched) {
+            initializeFileTypeAnalyzer();
+        } else {
+            enabled = false;
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (enabled) {
+            analyzeFileType(dependency, engine);
+        }
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    @Override
+    public final boolean supportsExtension(String extension) {
+        if (!enabled) {
+            return false;
+        }
+        final Set<String> ext = getSupportedExtensions();
+        if (ext == null) {
+            final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+                    + " it will be disabled", getName());
+            LOGGER.log(Level.SEVERE, msg);
+            return false;
+        } else {
+            final boolean match = ext.contains(extension);
+            if (match) {
+                filesMatched = match;
+            }
+            return match;
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
+    /**
+     * <p>
+     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
+     * final static declaration.</p>
+     *
+     * <p>
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
+     *
+     * @param strings a list of strings to add to the set.
+     * @return a Set of strings.
+     */
+    protected static Set<String> newHashSet(String... strings) {
+        final Set<String> set = new HashSet<String>();
+
+        Collections.addAll(set, strings);
+        return set;
+    }
+//</editor-fold>
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -0,0 +1,172 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+import org.owasp.dependencycheck.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.suppression.SuppressionParser;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractSuppressionAnalyzer.class.getName());
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return null;
+    }
+
+    //</editor-fold>
+    /**
+     * The initialize method loads the suppression XML file.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    @Override
+    public void initialize() throws Exception {
+        super.initialize();
+        loadSuppressionData();
+    }
+
+    /**
+     * The list of suppression rules
+     */
+    private List<SuppressionRule> rules;
+
+    /**
+     * Get the value of rules.
+     *
+     * @return the value of rules
+     */
+    public List<SuppressionRule> getRules() {
+        return rules;
+    }
+
+    /**
+     * Set the value of rules.
+     *
+     * @param rules new value of rules
+     */
+    public void setRules(List<SuppressionRule> rules) {
+        this.rules = rules;
+    }
+
+    /**
+     * Loads the suppression rules file.
+     *
+     * @throws SuppressionParseException thrown if the XML cannot be parsed.
+     */
+    private void loadSuppressionData() throws SuppressionParseException {
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
+        if (suppressionFilePath == null) {
+            return;
+        }
+        File file = null;
+        boolean deleteTempFile = false;
+        try {
+            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
+            if (uriRx.matcher(suppressionFilePath).matches()) {
+                deleteTempFile = true;
+                file = FileUtils.getTempFile("suppression", "xml");
+                final URL url = new URL(suppressionFilePath);
+                try {
+                    Downloader.fetchFile(url, file, false);
+                } catch (DownloadFailedException ex) {
+                    Downloader.fetchFile(url, file, true);
+                }
+            } else {
+                file = new File(suppressionFilePath);
+                if (!file.exists()) {
+                    final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
+                    if (suppressionsFromClasspath != null) {
+                        deleteTempFile = true;
+                        file = FileUtils.getTempFile("suppression", "xml");
+                        try {
+                            org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
+                        } catch (IOException ex) {
+                            throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
+                        }
+                    }
+                }
+            }
+
+            if (file != null) {
+                final SuppressionParser parser = new SuppressionParser();
+                try {
+                    rules = parser.parseSuppressionRules(file);
+                    LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
+                } catch (SuppressionParseException ex) {
+                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+                    LOGGER.log(Level.WARNING, msg);
+                    LOGGER.log(Level.WARNING, ex.getMessage());
+                    LOGGER.log(Level.FINE, "", ex);
+                    throw ex;
+                }
+            }
+        } catch (DownloadFailedException ex) {
+            throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
+        } catch (MalformedURLException ex) {
+            throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
+        } catch (IOException ex) {
+            throwSuppressionParseException("Unable to create temp file for suppressions", ex);
+        } finally {
+            if (deleteTempFile && file != null) {
+                FileUtils.delete(file);
+            }
+        }
+    }
+
+    /**
+     * Utility method to throw parse exceptions.
+     *
+     * @param message the exception message
+     * @param exception the cause of the exception
+     * @throws SuppressionParseException throws the generated SuppressionParseException
+     */
+    private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
+        LOGGER.log(Level.WARNING, message);
+        LOGGER.log(Level.FINE, "", exception);
+        throw new SuppressionParseException(message, exception);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +20,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An enumeration defining the phases of analysis.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public enum AnalysisPhase {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -0,0 +1,71 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+
+/**
+ * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
+ * about the dependency in the form of Evidence.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public interface Analyzer {
+
+    /**
+     * Analyzes the given dependency. The analysis could be anything from identifying an Identifier for the dependency,
+     * to finding vulnerabilities, etc. Additionally, if the analyzer collects enough information to add a description
+     * or license information for the dependency it should be added.
+     *
+     * @param dependency a dependency to analyze.
+     * @param engine the engine that is scanning the dependencies - this is useful if we need to check other
+     * dependencies
+     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
+     */
+    void analyze(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    String getName();
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    AnalysisPhase getAnalysisPhase();
+
+    /**
+     * The initialize method is called (once) prior to the analyze method being called on all of the dependencies.
+     *
+     * @throws Exception is thrown if an exception occurs initializing the analyzer.
+     */
+    void initialize() throws Exception;
+
+    /**
+     * The close method is called after all of the dependencies have been analyzed.
+     *
+     * @throws Exception is thrown if an exception occurs closing the analyzer.
+     */
+    void close() throws Exception;
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -0,0 +1,53 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Iterator;
+import java.util.ServiceLoader;
+
+/**
+ * The Analyzer Service Loader. This class loads all services that implement
+ * org.owasp.dependencycheck.analyzer.Analyzer.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class AnalyzerService {
+
+    /**
+     * The service loader for analyzers.
+     */
+    private final ServiceLoader<Analyzer> loader;
+
+    /**
+     * Creates a new instance of AnalyzerService.
+     *
+     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
+     */
+    public AnalyzerService(ClassLoader classLoader) {
+        loader = ServiceLoader.load(Analyzer.class, classLoader);
+    }
+
+    /**
+     * Returns an Iterator for all instances of the Analyzer interface.
+     *
+     * @return an iterator of Analyzers.
+     */
+    public Iterator<Analyzer> getAnalyzers() {
+        return loader.iterator();
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -0,0 +1,490 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.Enumeration;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipFile;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * <p>
+ * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
+ * to the dependency list.</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ArchiveAnalyzer.class.getName());
+    /**
+     * The buffer size to use when extracting files from the archive.
+     */
+    private static final int BUFFER_SIZE = 4096;
+    /**
+     * The count of directories created during analysis. This is used for creating temporary directories.
+     */
+    private static int dirCount = 0;
+    /**
+     * The parent directory for the individual directories per archive.
+     */
+    private File tempFileLocation = null;
+    /**
+     * The max scan depth that the analyzer will recursively extract nested archives.
+     */
+    private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
+    /**
+     * Tracks the current scan/extraction depth for nested archives.
+     */
+    private int scanDepth = 0;
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Archive Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
+    /**
+     * The set of things we can handle with Zip methods
+     */
+    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
+    /**
+     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
+     * to be explicitly handled in extractFiles().
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
+
+    /**
+     * The set of file extensions to remove from the engine's collection of dependencies.
+     */
+    private static final Set<String> REMOVE_FROM_ANALYSIS = newHashSet("zip", "tar", "gz", "tgz"); //TODO add nupkg, apk, sar?
+
+    static {
+        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
+        if (additionalZipExt != null) {
+            final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            ZIPPABLES.addAll(ext);
+        }
+        EXTENSIONS.addAll(ZIPPABLES);
+    }
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ARCHIVE_ENABLED;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception is thrown if there is an exception deleting or creating temporary files
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        final File baseDir = Settings.getTempDirectory();
+        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
+        if (!tempFileLocation.delete()) {
+            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        if (!tempFileLocation.mkdirs()) {
+            final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+    }
+
+    /**
+     * The close method deletes any temporary files and directories created during analysis.
+     *
+     * @throws Exception thrown if there is an exception deleting temporary files
+     */
+    @Override
+    public void close() throws Exception {
+        if (tempFileLocation != null && tempFileLocation.exists()) {
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
+            final boolean success = FileUtils.delete(tempFileLocation);
+            if (!success && tempFileLocation != null & tempFileLocation.exists()) {
+                LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
+            }
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        final File f = new File(dependency.getActualFilePath());
+        final File tmpDir = getNextTempDirectory();
+        extractFiles(f, tmpDir, engine);
+
+        //make a copy
+        List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
+        engine.scan(tmpDir);
+        List<Dependency> newDependencies = engine.getDependencies();
+        if (dependencies.size() != newDependencies.size()) {
+            //get the new dependencies
+            final Set<Dependency> dependencySet = new HashSet<Dependency>();
+            dependencySet.addAll(newDependencies);
+            dependencySet.removeAll(dependencies);
+
+            for (Dependency d : dependencySet) {
+                //fix the dependency's display name and path
+                final String displayPath = String.format("%s%s",
+                        dependency.getFilePath(),
+                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                final String displayName = String.format("%s%s%s",
+                        dependency.getFileName(),
+                        File.separator,
+                        d.getFileName());
+                d.setFilePath(displayPath);
+                d.setFileName(displayName);
+
+                //TODO - can we get more evidence from the parent? EAR contains module name, etc.
+                //analyze the dependency (i.e. extract files) if it is a supported type.
+                if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
+                    scanDepth += 1;
+                    analyze(d, engine);
+                    scanDepth -= 1;
+                }
+            }
+        }
+        if (this.REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
+            if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
+                final File tdir = getNextTempDirectory();
+                final String fileName = dependency.getFileName();
+
+                LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a deep copy and analyzing it as a JAR.", fileName));
+
+                final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+                try {
+                    org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
+                    dependencies = new ArrayList<Dependency>(engine.getDependencies());
+                    engine.scan(tmpLoc);
+                    newDependencies = engine.getDependencies();
+                    if (dependencies.size() != newDependencies.size()) {
+                        //get the new dependencies
+                        final Set<Dependency> dependencySet = new HashSet<Dependency>();
+                        dependencySet.addAll(newDependencies);
+                        dependencySet.removeAll(dependencies);
+                        if (dependencySet.size() != 1) {
+                            LOGGER.info("Deep copy of ZIP to JAR file resulted in more then one dependency?");
+                        }
+                        for (Dependency d : dependencySet) {
+                            //fix the dependency's display name and path
+                            d.setFilePath(dependency.getFilePath());
+                            d.setDisplayFileName(dependency.getFileName());
+                        }
+                    }
+                } catch (IOException ex) {
+                    final String msg = String.format("Unable to perform deep copy on '%s'", dependency.getActualFile().getPath());
+                    LOGGER.log(Level.FINE, msg, ex);
+                }
+            }
+            engine.getDependencies().remove(dependency);
+        }
+        Collections.sort(engine.getDependencies());
+    }
+
+    /**
+     * Retrieves the next temporary directory to extract an archive too.
+     *
+     * @return a directory
+     * @throws AnalysisException thrown if unable to create temporary directory
+     */
+    private File getNextTempDirectory() throws AnalysisException {
+        dirCount += 1;
+        final File directory = new File(tempFileLocation, String.valueOf(dirCount));
+        //getting an exception for some directories not being able to be created; might be because the directory already exists?
+        if (directory.exists()) {
+            return getNextTempDirectory();
+        }
+        if (!directory.mkdirs()) {
+            final String msg = String.format("Unable to create temp directory '%s'.", directory.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        return directory;
+    }
+
+    /**
+     * Extracts the contents of an archive into the specified directory.
+     *
+     * @param archive an archive file such as a WAR or EAR
+     * @param destination a directory to extract the contents to
+     * @param engine the scanning engine
+     * @throws AnalysisException thrown if the archive is not found
+     */
+    private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
+        if (archive == null || destination == null) {
+            return;
+        }
+
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(archive);
+        } catch (FileNotFoundException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new AnalysisException("Archive file was not found.", ex);
+        }
+        final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
+        try {
+            if (ZIPPABLES.contains(archiveExt)) {
+                extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("tar".equals(archiveExt)) {
+                extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
+                final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
+                final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
+                if (engine.supportsExtension(uncompressedExt)) {
+                    decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
+                }
+            }
+        } catch (ArchiveExtractionException ex) {
+            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
+        } catch (IOException ex) {
+            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
+        } finally {
+            try {
+                fis.close();
+            } catch (IOException ex) {
+                LOGGER.log(Level.FINEST, null, ex);
+            }
+        }
+    }
+
+    /**
+     * Extracts files from an archive.
+     *
+     * @param input the archive to extract files from
+     * @param destination the location to write the files too
+     * @param engine the dependency-check engine
+     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
+     */
+    private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
+        ArchiveEntry entry;
+        try {
+            while ((entry = input.getNextEntry()) != null) {
+                if (entry.isDirectory()) {
+                    final File d = new File(destination, entry.getName());
+                    if (!d.exists()) {
+                        if (!d.mkdirs()) {
+                            final String msg = String.format("Unable to create directory '%s'.", d.getAbsolutePath());
+                            throw new AnalysisException(msg);
+                        }
+                    }
+                } else {
+                    final File file = new File(destination, entry.getName());
+                    final String ext = FileUtils.getFileExtension(file.getName());
+                    if (engine.supportsExtension(ext)) {
+                        BufferedOutputStream bos = null;
+                        FileOutputStream fos;
+                        try {
+                            final File parent = file.getParentFile();
+                            if (!parent.isDirectory()) {
+                                if (!parent.mkdirs()) {
+                                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+                                    throw new AnalysisException(msg);
+                                }
+                            }
+                            fos = new FileOutputStream(file);
+                            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
+                            int count;
+                            final byte data[] = new byte[BUFFER_SIZE];
+                            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
+                                bos.write(data, 0, count);
+                            }
+                            bos.flush();
+                        } catch (FileNotFoundException ex) {
+                            LOGGER.log(Level.FINE, null, ex);
+                            final String msg = String.format("Unable to find file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
+                        } catch (IOException ex) {
+                            LOGGER.log(Level.FINE, null, ex);
+                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
+                        } finally {
+                            if (bos != null) {
+                                try {
+                                    bos.close();
+                                } catch (IOException ex) {
+                                    LOGGER.log(Level.FINEST, null, ex);
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            throw new ArchiveExtractionException(ex);
+        } catch (Throwable ex) {
+            throw new ArchiveExtractionException(ex);
+        } finally {
+            if (input != null) {
+                try {
+                    input.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Decompresses a file.
+     *
+     * @param inputStream the compressed file
+     * @param outputFile the location to write the decompressed file
+     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
+     */
+    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
+        FileOutputStream out = null;
+        try {
+            out = new FileOutputStream(outputFile);
+            final byte[] buffer = new byte[BUFFER_SIZE];
+            int n = 0;
+            while (-1 != (n = inputStream.read(buffer))) {
+                out.write(buffer, 0, n);
+            }
+        } catch (FileNotFoundException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } finally {
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Attempts to determine if a zip file is actually a JAR file.
+     *
+     * @param dependency the dependency to check
+     * @return true if the dependency appears to be a JAR file; otherwise false
+     */
+    private boolean isZipFileActuallyJarFile(Dependency dependency) {
+        boolean isJar = false;
+        ZipFile zip = null;
+        try {
+            zip = new ZipFile(dependency.getActualFilePath());
+            if (zip.getEntry("META-INF/MANIFEST.MF") != null
+                    || zip.getEntry("META-INF/maven") != null) {
+                final Enumeration<ZipArchiveEntry> entries = zip.getEntries();
+                while (entries.hasMoreElements()) {
+                    final ZipArchiveEntry entry = entries.nextElement();
+                    if (!entry.isDirectory()) {
+                        final String name = entry.getName().toLowerCase();
+                        if (name.endsWith(".class")) {
+                            isJar = true;
+                            break;
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, String.format("Unable to unzip zip file '%s'", dependency.getFilePath()), ex);
+        } finally {
+            ZipFile.closeQuietly(zip);
+        }
+
+        return isJar;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -0,0 +1,319 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+/**
+ * Analyzer for getting company, product, and version information from a .NET assembly.
+ *
+ * @author colezlaw
+ *
+ */
+public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The analyzer name
+     */
+    private static final String ANALYZER_NAME = "Assembly Analyzer";
+    /**
+     * The analysis phase
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+    /**
+     * The list of supported extensions
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
+    /**
+     * The temp value for GrokAssembly.exe
+     */
+    private File grokAssemblyExe = null;
+    /**
+     * The DocumentBuilder for parsing the XML
+     */
+    private DocumentBuilder builder;
+    /**
+     * Logger
+     */
+    private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzer.class.getName(), "dependencycheck-resources");
+
+    /**
+     * Builds the beginnings of a List for ProcessBuilder
+     *
+     * @return the list of arguments to begin populating the ProcessBuilder
+     */
+    private List<String> buildArgumentList() {
+        // Use file.separator as a wild guess as to whether this is Windows
+        final List<String> args = new ArrayList<String>();
+        if (!"\\".equals(System.getProperty("file.separator"))) {
+            if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
+                args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
+            } else {
+                args.add("mono");
+            }
+        }
+        args.add(grokAssemblyExe.getPath());
+
+        return args;
+    }
+
+    /**
+     * Performs the analysis on a single Dependency.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine to perform the analysis under
+     * @throws AnalysisException if anything goes sideways
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        if (grokAssemblyExe == null) {
+            LOGGER.warning("analyzer.AssemblyAnalyzer.notdeployed");
+            return;
+        }
+
+        final List<String> args = buildArgumentList();
+        args.add(dependency.getActualFilePath());
+        final ProcessBuilder pb = new ProcessBuilder(args);
+        BufferedReader rdr = null;
+        Document doc = null;
+        try {
+            final Process proc = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
+            String line = null;
+            while (rdr.ready() && (line = rdr.readLine()) != null) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
+            }
+            int rc = 0;
+            doc = builder.parse(proc.getInputStream());
+
+            try {
+                rc = proc.waitFor();
+            } catch (InterruptedException ie) {
+                return;
+            }
+            if (rc == 3) {
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.notassembly", dependency.getActualFilePath());
+                return;
+            } else if (rc != 0) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.rc", rc);
+            }
+
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+
+            // First, see if there was an error
+            final String error = xpath.evaluate("/assembly/error", doc);
+            if (error != null && !"".equals(error)) {
+                throw new AnalysisException(error);
+            }
+
+            final String version = xpath.evaluate("/assembly/version", doc);
+            if (version != null) {
+                dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version",
+                        version, Confidence.HIGHEST));
+            }
+
+            final String vendor = xpath.evaluate("/assembly/company", doc);
+            if (vendor != null) {
+                dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor",
+                        vendor, Confidence.HIGH));
+            }
+
+            final String product = xpath.evaluate("/assembly/product", doc);
+            if (product != null) {
+                dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product",
+                        product, Confidence.HIGH));
+            }
+
+        } catch (IOException ioe) {
+            throw new AnalysisException(ioe);
+        } catch (SAXException saxe) {
+            throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
+        } catch (XPathExpressionException xpe) {
+            // This shouldn't happen
+            throw new AnalysisException(xpe);
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     *
+     * @throws Exception if anything goes wrong
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
+        FileOutputStream fos = null;
+        InputStream is = null;
+        try {
+            fos = new FileOutputStream(tempFile);
+            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+            final byte[] buff = new byte[4096];
+            int bread = -1;
+            while ((bread = is.read(buff)) >= 0) {
+                fos.write(buff, 0, bread);
+            }
+            grokAssemblyExe = tempFile;
+            // Set the temp file to get deleted when we're done
+            grokAssemblyExe.deleteOnExit();
+            LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
+        } catch (IOException ioe) {
+            LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
+            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
+        } finally {
+            if (fos != null) {
+                try {
+                    fos.close();
+                } catch (Throwable e) {
+                    LOGGER.fine("Error closing output stream");
+                }
+            }
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (Throwable e) {
+                    LOGGER.fine("Error closing input stream");
+                }
+            }
+        }
+
+        // Now, need to see if GrokAssembly actually runs from this location.
+        final List<String> args = buildArgumentList();
+        BufferedReader rdr = null;
+        try {
+            final ProcessBuilder pb = new ProcessBuilder(args);
+            final Process p = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            while (rdr.ready() && rdr.readLine() != null) {
+                // We expect this to complain
+            }
+            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+            final String error = xpath.evaluate("/assembly/error", doc);
+            if (p.waitFor() != 1 || error == null || "".equals(error)) {
+                LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
+                LOGGER.fine("GrokAssembly.exe is not working properly");
+                grokAssemblyExe = null;
+                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
+            }
+        } catch (Throwable e) {
+            if (e instanceof AnalysisException) {
+                throw (AnalysisException) e;
+            } else {
+                LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
+                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            }
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+        }
+
+        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+    }
+
+    @Override
+    public void close() throws Exception {
+        super.close();
+        try {
+            if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                grokAssemblyExe.deleteOnExit();
+            }
+        } catch (SecurityException se) {
+            LOGGER.fine("analyzer.AssemblyAnalyzer.grokassembly.notdeleted");
+        }
+    }
+
+    /**
+     * Gets the set of extensions supported by this analyzer.
+     *
+     * @return the list of supported extensions
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Gets this analyzer's name.
+     *
+     * @return the analyzer name
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase this analyzer runs under.
+     *
+     * @return the phase this runs under
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -0,0 +1,760 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.document.Document;
+import org.apache.lucene.index.CorruptIndexException;
+import org.apache.lucene.queryparser.classic.ParseException;
+import org.apache.lucene.search.ScoreDoc;
+import org.apache.lucene.search.TopDocs;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
+import org.owasp.dependencycheck.data.cpe.Fields;
+import org.owasp.dependencycheck.data.cpe.IndexEntry;
+import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+
+/**
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
+ * It uses the evidence contained within the dependency to search the Lucene index.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class CPEAnalyzer implements Analyzer {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CPEAnalyzer.class.getName());
+    /**
+     * The maximum number of query results to return.
+     */
+    static final int MAX_QUERY_RESULTS = 25;
+    /**
+     * The weighting boost to give terms when constructing the Lucene query.
+     */
+    static final String WEIGHTING_BOOST = "^5";
+    /**
+     * A string representation of a regular expression defining characters utilized within the CPE Names.
+     */
+    static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
+    /**
+     * A string representation of a regular expression used to remove all but alpha characters.
+     */
+    static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
+    /**
+     * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
+     */
+    static final int STRING_BUILDER_BUFFER = 20;
+    /**
+     * The CPE in memory index.
+     */
+    private CpeMemoryIndex cpe;
+    /**
+     * The CVE Database.
+     */
+    private CveDB cve;
+
+    /**
+     * The URL to perform a search of the NVD CVE data at NIST.
+     */
+    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
+
+    /**
+     * Returns the name of this analyzer.
+     *
+     * @return the name of this analyzer.
+     */
+    @Override
+    public String getName() {
+        return "CPE Analyzer";
+    }
+
+    /**
+     * Returns the analysis phase that this analyzer should run in.
+     *
+     * @return the analysis phase that this analyzer should run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.IDENTIFIER_ANALYSIS;
+    }
+
+    /**
+     * Creates the CPE Lucene Index.
+     *
+     * @throws Exception is thrown if there is an issue opening the index.
+     */
+    @Override
+    public void initialize() throws Exception {
+        this.open();
+    }
+
+    /**
+     * Opens the data source.
+     *
+     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
+     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
+     * by another process.
+     */
+    public void open() throws IOException, DatabaseException {
+        LOGGER.log(Level.FINE, "Opening the CVE Database");
+        cve = new CveDB();
+        cve.open();
+        LOGGER.log(Level.FINE, "Creating the Lucene CPE Index");
+        cpe = CpeMemoryIndex.getInstance();
+        try {
+            cpe.open(cve);
+        } catch (IndexException ex) {
+            LOGGER.log(Level.FINE, "IndexException", ex);
+            throw new DatabaseException(ex);
+        }
+    }
+
+    /**
+     * Closes the data sources.
+     */
+    @Override
+    public void close() {
+        if (cpe != null) {
+            cpe.close();
+        }
+        if (cve != null) {
+            cve.close();
+        }
+    }
+
+    /**
+     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
+     * contained within. The dependency passed in is updated with any identified CPE values.
+     *
+     * @param dependency the dependency to search for CPE entries on.
+     * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
+     * @throws IOException is thrown when an IOException occurs.
+     * @throws ParseException is thrown when the Lucene query cannot be parsed.
+     */
+    protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
+        Confidence confidence = Confidence.HIGHEST;
+
+        String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
+        String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
+        /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+         * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+        addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+
+        int ctr = 0;
+        do {
+            if (!vendors.isEmpty() && !products.isEmpty()) {
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
+                        dependency.getVendorEvidence().getWeighting());
+
+                for (IndexEntry e : entries) {
+                    if (verifyEntry(e, dependency)) {
+                        final String vendor = e.getVendor();
+                        final String product = e.getProduct();
+                        determineIdentifiers(dependency, vendor, product);
+                    }
+                }
+            }
+            confidence = reduceConfidence(confidence);
+            if (dependency.getVendorEvidence().contains(confidence)) {
+                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+            }
+            if (dependency.getProductEvidence().contains(confidence)) {
+                products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+            }
+            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+            if (dependency.getVersionEvidence().contains(confidence)) {
+                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+            }
+        } while ((++ctr) < 4);
+    }
+
+    /**
+     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
+     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
+     * is longer then 200 characters it will be truncated.
+     *
+     * @param text the base text.
+     * @param ec an EvidenceCollection
+     * @param confidenceFilter a Confidence level to filter the evidence by.
+     * @return the new evidence text
+     */
+    private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
+        final String txt = (text == null) ? "" : text;
+        final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
+        sb.append(' ').append(txt).append(' ');
+        for (Evidence e : ec.iterator(confidenceFilter)) {
+            String value = e.getValue();
+
+            //hack to get around the fact that lucene does a really good job of recognizing domains and not
+            // splitting them. TODO - put together a better lucene analyzer specific to the domain.
+            if (value.startsWith("http://")) {
+                value = value.substring(7).replaceAll("\\.", " ");
+            }
+            if (value.startsWith("https://")) {
+                value = value.substring(8).replaceAll("\\.", " ");
+            }
+            if (sb.indexOf(" " + value + " ") < 0) {
+                sb.append(value).append(' ');
+            }
+        }
+        return sb.toString().trim();
+    }
+
+    /**
+     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
+     *
+     * @param c the confidence to reduce.
+     * @return One less then the confidence passed in.
+     */
+    private Confidence reduceConfidence(final Confidence c) {
+        if (c == Confidence.HIGHEST) {
+            return Confidence.HIGH;
+        } else if (c == Confidence.HIGH) {
+            return Confidence.MEDIUM;
+        } else {
+            return Confidence.LOW;
+        }
+    }
+
+    /**
+     * <p>
+     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
+     * version.</p>
+     *
+     * <p>
+     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
+     * factors to the search.</p>
+     *
+     * @param vendor the text used to search the vendor field
+     * @param product the text used to search the product field
+     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
+     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
+     * @return a list of possible CPE values
+     * @throws CorruptIndexException when the Lucene index is corrupt
+     * @throws IOException when the Lucene index is not found
+     * @throws ParseException when the generated query is not valid
+     */
+    protected List<IndexEntry> searchCPE(String vendor, String product,
+            Set<String> vendorWeightings, Set<String> productWeightings)
+            throws CorruptIndexException, IOException, ParseException {
+        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+
+        final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
+        if (searchString == null) {
+            return ret;
+        }
+
+        final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
+        for (ScoreDoc d : docs.scoreDocs) {
+            if (d.score >= 0.08) {
+                final Document doc = cpe.getDocument(d.doc);
+                final IndexEntry entry = new IndexEntry();
+                entry.setVendor(doc.get(Fields.VENDOR));
+                entry.setProduct(doc.get(Fields.PRODUCT));
+//                if (d.score < 0.08) {
+//                    System.out.print(entry.getVendor());
+//                    System.out.print(":");
+//                    System.out.print(entry.getProduct());
+//                    System.out.print(":");
+//                    System.out.println(d.score);
+//                }
+                entry.setSearchScore(d.score);
+                if (!ret.contains(entry)) {
+                    ret.add(entry);
+                }
+            }
+        }
+        return ret;
+    }
+
+    /**
+     * <p>
+     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
+     *
+     * <p>
+     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
+     * factors to the search string generated.</p>
+     *
+     * @param vendor text to search the vendor field
+     * @param product text to search the product field
+     * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
+     * @param productWeightings a list of strings to apply to the product to boost the terms weight
+     * @return the Lucene query
+     */
+    protected String buildSearch(String vendor, String product,
+            Set<String> vendorWeighting, Set<String> productWeightings) {
+        final String v = vendor; //.replaceAll("[^\\w\\d]", " ");
+        final String p = product; //.replaceAll("[^\\w\\d]", " ");
+        final StringBuilder sb = new StringBuilder(v.length() + p.length()
+                + Fields.PRODUCT.length() + Fields.VENDOR.length() + STRING_BUILDER_BUFFER);
+
+        if (!appendWeightedSearch(sb, Fields.PRODUCT, p, productWeightings)) {
+            return null;
+        }
+        sb.append(" AND ");
+        if (!appendWeightedSearch(sb, Fields.VENDOR, v, vendorWeighting)) {
+            return null;
+        }
+        return sb.toString();
+    }
+
+    /**
+     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
+     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
+     * into the query.
+     *
+     * @param sb a StringBuilder that the query text will be appended to.
+     * @param field the field within the Lucene index that the query is searching.
+     * @param searchText text used to construct the query.
+     * @param weightedText a list of terms that will be considered higher importance when searching.
+     * @return if the append was successful.
+     */
+    private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
+        sb.append(" ").append(field).append(":( ");
+
+        final String cleanText = cleanseText(searchText);
+
+        if ("".equals(cleanText)) {
+            return false;
+        }
+
+        if (weightedText == null || weightedText.isEmpty()) {
+            LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
+        } else {
+            final StringTokenizer tokens = new StringTokenizer(cleanText);
+            while (tokens.hasMoreElements()) {
+                final String word = tokens.nextToken();
+                String temp = null;
+                for (String weighted : weightedText) {
+                    final String weightedStr = cleanseText(weighted);
+                    if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
+                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        if (!word.equalsIgnoreCase(weightedStr)) {
+                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                        }
+                    }
+                }
+                if (temp == null) {
+                    temp = LuceneUtils.escapeLuceneQuery(word);
+                }
+                sb.append(" ").append(temp);
+            }
+        }
+        sb.append(" ) ");
+        return true;
+    }
+
+    /**
+     * Removes characters from the input text that are not used within the CPE index.
+     *
+     * @param text is the text to remove the characters from.
+     * @return the text having removed some characters.
+     */
+    private String cleanseText(String text) {
+        return text.replaceAll(CLEANSE_CHARACTER_RX, " ");
+    }
+
+    /**
+     * Compares two strings after lower casing them and removing the non-alpha characters.
+     *
+     * @param l string one to compare.
+     * @param r string two to compare.
+     * @return whether or not the two strings are similar.
+     */
+    private boolean equalsIgnoreCaseAndNonAlpha(String l, String r) {
+        if (l == null || r == null) {
+            return false;
+        }
+
+        final String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
+        final String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
+        return left.equalsIgnoreCase(right);
+    }
+
+    /**
+     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
+     * information for the CPE are contained within the dependencies evidence.
+     *
+     * @param entry a CPE entry.
+     * @param dependency the dependency that the CPE entries could be for.
+     * @return whether or not the entry is valid.
+     */
+    private boolean verifyEntry(final IndexEntry entry, final Dependency dependency) {
+        boolean isValid = false;
+
+        if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
+                && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) {
+            //&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion())
+            isValid = true;
+        }
+        return isValid;
+    }
+
+    /**
+     * Used to determine if the EvidenceCollection contains a specific string.
+     *
+     * @param ec an EvidenceCollection
+     * @param text the text to search for
+     * @return whether or not the EvidenceCollection contains the string
+     */
+    private boolean collectionContainsString(EvidenceCollection ec, String text) {
+
+        //<editor-fold defaultstate="collapsed" desc="This code fold contains an old version of the code, delete once more testing is done">
+        //        String[] splitText = text.split("[\\s_-]");
+        //
+        //        for (String search : splitText) {
+        //            //final String search = text.replaceAll("[\\s_-]", "").toLowerCase();
+        //            if (ec.containsUsedString(search)) {
+        //                return true;
+        //            }
+        //        }
+        //</editor-fold>
+        //TODO - likely need to change the split... not sure if this will work for CPE with special chars
+        if (text == null) {
+            return false;
+        }
+        final String[] words = text.split("[\\s_-]");
+        final List<String> list = new ArrayList<String>();
+        String tempWord = null;
+        for (String word : words) {
+            /*
+             single letter words should be concatenated with the next word.
+             so { "m", "core", "sample" } -> { "mcore", "sample" }
+             */
+            if (tempWord != null) {
+                list.add(tempWord + word);
+                tempWord = null;
+            } else if (word.length() <= 2) {
+                tempWord = word;
+            } else {
+                list.add(word);
+            }
+        }
+        if (tempWord != null && !list.isEmpty()) {
+            final String tmp = list.get(list.size() - 1) + tempWord;
+            list.add(tmp);
+        }
+        boolean contains = true;
+        for (String word : list) {
+            contains &= ec.containsUsedString(word);
+        }
+        return contains;
+    }
+
+    /**
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
+     *
+     * @param dependency The Dependency to analyze.
+     * @param engine The analysis engine
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        try {
+            determineCPE(dependency);
+        } catch (CorruptIndexException ex) {
+            throw new AnalysisException("CPE Index is corrupt.", ex);
+        } catch (IOException ex) {
+            throw new AnalysisException("Failure opening the CPE Index.", ex);
+        } catch (ParseException ex) {
+            throw new AnalysisException("Unable to parse the generated Lucene query for this dependency.", ex);
+        }
+    }
+
+    /**
+     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
+     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
+     * best effort "guess" based on the vendor, product, and version information.
+     *
+     * @param dependency the Dependency being analyzed
+     * @param vendor the vendor for the CPE being analyzed
+     * @param product the product for the CPE being analyzed
+     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
+     */
+    private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
+        DependencyVersion bestGuess = new DependencyVersion("-");
+        Confidence bestGuessConf = null;
+        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
+        for (Confidence conf : Confidence.values()) {
+            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
+                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
+                if (evVer == null) {
+                    continue;
+                }
+                for (VulnerableSoftware vs : cpes) {
+                    DependencyVersion dbVer;
+                    if (vs.getRevision() != null && !vs.getRevision().isEmpty()) {
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getRevision());
+                    } else {
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
+                    }
+                    if (dbVer == null //special case, no version specified - everything is vulnerable
+                            || evVer.equals(dbVer)) { //yeah! exact match
+
+                        //final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
+                        collected.add(match);
+                    } else {
+                        //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
+                        if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
+                                && evVer.matchesAtLeastThreeLevels(dbVer)) {
+                            if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                                if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
+                                    bestGuess = dbVer;
+                                    bestGuessConf = conf;
+                                }
+                            }
+                        }
+                    }
+                }
+                if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                    if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
+                        bestGuess = evVer;
+                        bestGuessConf = conf;
+                    }
+                }
+            }
+        }
+        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
+        final String url = null;
+        if (bestGuessConf == null) {
+            bestGuessConf = Confidence.LOW;
+        }
+        final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
+        collected.add(match);
+
+        Collections.sort(collected);
+        final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
+        final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
+        for (IdentifierMatch m : collected) {
+            if (bestIdentifierQuality.equals(m.getConfidence())
+                    && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
+                final Identifier i = m.getIdentifier();
+                if (bestIdentifierQuality == IdentifierConfidence.BEST_GUESS) {
+                    i.setConfidence(Confidence.LOW);
+                } else {
+                    i.setConfidence(bestEvidenceQuality);
+                }
+                dependency.addIdentifier(i);
+            }
+        }
+    }
+
+    /**
+     * The confidence whether the identifier is an exact match, or a best guess.
+     */
+    private enum IdentifierConfidence {
+
+        /**
+         * An exact match for the CPE.
+         */
+        EXACT_MATCH,
+        /**
+         * A best guess for the CPE.
+         */
+        BEST_GUESS
+    }
+
+    /**
+     * A simple object to hold an identifier and carry information about the confidence in the identifier.
+     */
+    private static class IdentifierMatch implements Comparable<IdentifierMatch> {
+
+        /**
+         * Constructs an IdentifierMatch.
+         *
+         * @param type the type of identifier (such as CPE)
+         * @param value the value of the identifier
+         * @param url the URL of the identifier
+         * @param identifierConfidence the confidence in the identifier: best guess or exact match
+         * @param evidenceConfidence the confidence of the evidence used to find the identifier
+         */
+        IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
+            this.identifier = new Identifier(type, value, url);
+            this.confidence = identifierConfidence;
+            this.evidenceConfidence = evidenceConfidence;
+        }
+        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
+        /**
+         * The confidence in the evidence used to identify this match.
+         */
+        private Confidence evidenceConfidence;
+
+        /**
+         * Get the value of evidenceConfidence
+         *
+         * @return the value of evidenceConfidence
+         */
+        public Confidence getEvidenceConfidence() {
+            return evidenceConfidence;
+        }
+
+        /**
+         * Set the value of evidenceConfidence
+         *
+         * @param evidenceConfidence new value of evidenceConfidence
+         */
+        public void setEvidenceConfidence(Confidence evidenceConfidence) {
+            this.evidenceConfidence = evidenceConfidence;
+        }
+        /**
+         * The confidence whether this is an exact match, or a best guess.
+         */
+        private IdentifierConfidence confidence;
+
+        /**
+         * Get the value of confidence.
+         *
+         * @return the value of confidence
+         */
+        public IdentifierConfidence getConfidence() {
+            return confidence;
+        }
+
+        /**
+         * Set the value of confidence.
+         *
+         * @param confidence new value of confidence
+         */
+        public void setConfidence(IdentifierConfidence confidence) {
+            this.confidence = confidence;
+        }
+        /**
+         * The CPE identifier.
+         */
+        private Identifier identifier;
+
+        /**
+         * Get the value of identifier.
+         *
+         * @return the value of identifier
+         */
+        public Identifier getIdentifier() {
+            return identifier;
+        }
+
+        /**
+         * Set the value of identifier.
+         *
+         * @param identifier new value of identifier
+         */
+        public void setIdentifier(Identifier identifier) {
+            this.identifier = identifier;
+        }
+        //</editor-fold>
+        //<editor-fold defaultstate="collapsed" desc="Standard implementations of toString, hashCode, and equals">
+
+        /**
+         * Standard toString() implementation.
+         *
+         * @return the string representation of the object
+         */
+        @Override
+        public String toString() {
+            return "IdentifierMatch{" + "evidenceConfidence=" + evidenceConfidence
+                    + ", confidence=" + confidence + ", identifier=" + identifier + '}';
+        }
+
+        /**
+         * Standard hashCode() implementation.
+         *
+         * @return the hashCode
+         */
+        @Override
+        public int hashCode() {
+            int hash = 5;
+            hash = 97 * hash + (this.evidenceConfidence != null ? this.evidenceConfidence.hashCode() : 0);
+            hash = 97 * hash + (this.confidence != null ? this.confidence.hashCode() : 0);
+            hash = 97 * hash + (this.identifier != null ? this.identifier.hashCode() : 0);
+            return hash;
+        }
+
+        /**
+         * Standard equals implementation.
+         *
+         * @param obj the object to compare
+         * @return true if the objects are equal, otherwise false
+         */
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == null) {
+                return false;
+            }
+            if (getClass() != obj.getClass()) {
+                return false;
+            }
+            final IdentifierMatch other = (IdentifierMatch) obj;
+            if (this.evidenceConfidence != other.evidenceConfidence) {
+                return false;
+            }
+            if (this.confidence != other.confidence) {
+                return false;
+            }
+            if (this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier))) {
+                return false;
+            }
+            return true;
+        }
+        //</editor-fold>
+
+        /**
+         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
+         * identifier.
+         *
+         * @param o the IdentifierMatch to compare to
+         * @return the natural ordering of IdentifierMatch
+         */
+        @Override
+        public int compareTo(IdentifierMatch o) {
+            int conf = this.confidence.compareTo(o.confidence);
+            if (conf == 0) {
+                conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
+                if (conf == 0) {
+                    conf = identifier.compareTo(o.identifier);
+                }
+            }
+            return conf;
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -0,0 +1,75 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+
+/**
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
+ * Any identified CPE entries within the dependencies that match will be removed.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Cpe Suppression Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    @Override
+    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+
+        if (getRules() == null || getRules().size() <= 0) {
+            return;
+        }
+
+        for (final SuppressionRule rule : getRules()) {
+            rule.process(dependency);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -0,0 +1,393 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.ListIterator;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.LogUtils;
+
+/**
+ * <p>
+ * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
+ * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
+ * same relative path then these should be grouped into a single dependency under the core/main library.</p>
+ * <p>
+ * Note, this grouping only works on dependencies with identified CVE entries</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyBundlingAnalyzer.class.getName());
+
+    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * A pattern for obtaining the first part of a filename.
+     */
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    /**
+     * a flag indicating if this analyzer has run. This analyzer only runs once.
+     */
+    private boolean analyzed = false;
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Dependency Bundling Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
+     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
+     *
+     * @param ignore this analyzer ignores the dependency being analyzed
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     */
+    @Override
+    public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
+        if (!analyzed) {
+            analyzed = true;
+            final Set<Dependency> dependenciesToRemove = new HashSet<Dependency>();
+            final ListIterator<Dependency> mainIterator = engine.getDependencies().listIterator();
+            //for (Dependency nextDependency : engine.getDependencies()) {
+            while (mainIterator.hasNext()) {
+                final Dependency dependency = mainIterator.next();
+                if (mainIterator.hasNext()) {
+                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
+                    while (subIterator.hasNext()) {
+                        final Dependency nextDependency = subIterator.next();
+                        if (hashesMatch(dependency, nextDependency)) {
+                            if (isCore(dependency, nextDependency)) {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                            } else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                            }
+                        } else if (isShadedJar(dependency, nextDependency)) {
+                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
+                                dependenciesToRemove.add(dependency);
+                            } else {
+                                dependenciesToRemove.add(nextDependency);
+                            }
+                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
+                                && hasSameBasePath(dependency, nextDependency)
+                                && fileNameMatch(dependency, nextDependency)) {
+
+                            if (isCore(dependency, nextDependency)) {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                            } else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                            }
+                        }
+                    }
+                }
+            }
+            //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
+            // was difficult because of the inner iterator.
+            for (Dependency d : dependenciesToRemove) {
+                engine.getDependencies().remove(d);
+            }
+        }
+    }
+
+    /**
+     * Adds the relatedDependency to the dependency's related dependencies.
+     *
+     * @param dependency the main dependency
+     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
+     * source of dependencies to remove
+     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
+     * function adds to this collection
+     */
+    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
+        dependency.addRelatedDependency(relatedDependency);
+        final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
+        while (i.hasNext()) {
+            dependency.addRelatedDependency(i.next());
+            i.remove();
+        }
+        dependenciesToRemove.add(relatedDependency);
+    }
+
+    /**
+     * Attempts to trim a maven repo to a common base path. This is typically
+     * [drive]\[repo_location]\repository\[path1]\[path2].
+     *
+     * @param path the path to trim
+     * @return a string representing the base path.
+     */
+    private String getBaseRepoPath(final String path) {
+        int pos = path.indexOf("repository" + File.separator) + 11;
+        if (pos < 0) {
+            return path;
+        }
+        int tmp = path.indexOf(File.separator, pos);
+        if (tmp <= 0) {
+            return path;
+        }
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        tmp = path.indexOf(File.separator, pos);
+        if (tmp > 0) {
+            pos = tmp + 1;
+        }
+        return path.substring(0, pos);
+    }
+
+    /**
+     * Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
+     *
+     * @param dependency1 a dependency2 to compare
+     * @param dependency2 a dependency2 to compare
+     * @return true if the identifiers in the two supplied dependencies are equal
+     */
+    private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency1.getFileName() == null
+                || dependency2 == null || dependency2.getFileName() == null) {
+            return false;
+        }
+        String fileName1 = dependency1.getFileName();
+        String fileName2 = dependency2.getFileName();
+
+        //update to deal with archive analyzer, the starting name maybe the same
+        // as this is incorrectly looking at the starting path
+        final File one = new File(fileName1);
+        final File two = new File(fileName2);
+        final String oneParent = one.getParent();
+        final String twoParent = two.getParent();
+        if (oneParent != null) {
+            if (oneParent.equals(twoParent)) {
+                fileName1 = one.getName();
+                fileName2 = two.getName();
+            } else {
+                return false;
+            }
+        } else if (twoParent != null) {
+            return false;
+        }
+
+        //version check
+        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
+        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
+        if (version1 != null && version2 != null) {
+            if (!version1.equals(version2)) {
+                return false;
+            }
+        }
+
+        //filename check
+        final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
+        final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
+        if (match1.find() && match2.find()) {
+            return match1.group().equals(match2.group());
+        }
+
+        return false;
+    }
+
+    /**
+     * Returns true if the CPE identifiers in the two supplied dependencies are equal.
+     *
+     * @param dependency1 a dependency2 to compare
+     * @param dependency2 a dependency2 to compare
+     * @return true if the identifiers in the two supplied dependencies are equal
+     */
+    private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency1.getIdentifiers() == null
+                || dependency2 == null || dependency2.getIdentifiers() == null) {
+            return false;
+        }
+        boolean matches = false;
+        int cpeCount1 = 0;
+        int cpeCount2 = 0;
+        for (Identifier i : dependency1.getIdentifiers()) {
+            if ("cpe".equals(i.getType())) {
+                cpeCount1 += 1;
+            }
+        }
+        for (Identifier i : dependency2.getIdentifiers()) {
+            if ("cpe".equals(i.getType())) {
+                cpeCount2 += 1;
+            }
+        }
+        if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
+            for (Identifier i : dependency1.getIdentifiers()) {
+                matches |= dependency2.getIdentifiers().contains(i);
+                if (!matches) {
+                    break;
+                }
+            }
+        }
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
+            LOGGER.log(Level.FINE, msg);
+        }
+        return matches;
+    }
+
+    /**
+     * Determines if the two dependencies have the same base path.
+     *
+     * @param dependency1 a Dependency object
+     * @param dependency2 a Dependency object
+     * @return true if the base paths of the dependencies are identical
+     */
+    private boolean hasSameBasePath(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null) {
+            return false;
+        }
+        final File lFile = new File(dependency1.getFilePath());
+        String left = lFile.getParent();
+        final File rFile = new File(dependency2.getFilePath());
+        String right = rFile.getParent();
+        if (left == null) {
+            return right == null;
+        }
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
+            left = getBaseRepoPath(left);
+            right = getBaseRepoPath(right);
+        }
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        //new code
+        for (Dependency child : dependency2.getRelatedDependencies()) {
+            if (hasSameBasePath(dependency1, child)) {
+                return true;
+            }
+        }
+        return false;
+    }
+
+    /**
+     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
+     * to the 'right' library.
+     *
+     * @param left the dependency to test
+     * @param right the dependency to test against
+     * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
+     */
+    boolean isCore(Dependency left, Dependency right) {
+        final String leftName = left.getFileName().toLowerCase();
+        final String rightName = right.getFileName().toLowerCase();
+
+        final boolean returnVal;
+        if (!rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || rightName.contains("core") && !leftName.contains("core")
+                || rightName.contains("kernel") && !leftName.contains("kernel")) {
+            returnVal = false;
+        } else if (rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && !leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || !rightName.contains("core") && leftName.contains("core")
+                || !rightName.contains("kernel") && leftName.contains("kernel")) {
+            returnVal = true;
+        } else {
+            /*
+             * considered splitting the names up and comparing the components,
+             * but decided that the file name length should be sufficient as the
+             * "core" component, if this follows a normal naming protocol should
+             * be shorter:
+             * axis2-saaj-1.4.1.jar
+             * axis2-1.4.1.jar       <-----
+             * axis2-kernel-1.4.1.jar
+             */
+            returnVal = leftName.length() <= rightName.length();
+        }
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
+            LOGGER.log(Level.FINE, msg);
+        }
+        return returnVal;
+    }
+
+    /**
+     * Compares the SHA1 hashes of two dependencies to determine if they are equal.
+     *
+     * @param dependency1 a dependency object to compare
+     * @param dependency2 a dependency object to compare
+     * @return true if the sha1 hashes of the two dependencies match; otherwise false
+     */
+    private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
+            return false;
+        }
+        return dependency1.getSha1sum().equals(dependency2.getSha1sum());
+    }
+
+    /**
+     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
+     * dependency should be removed.
+     *
+     * @param dependency a dependency to check
+     * @param nextDependency another dependency to check
+     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
+     * otherwise false
+     */
+    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
+        final String mainName = dependency.getFileName().toLowerCase();
+        final String nextName = nextDependency.getFileName().toLowerCase();
+        if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
+            return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
+        } else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
+            return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
+        }
+        return false;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -0,0 +1,412 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+
+/**
+ * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class FalsePositiveAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "False Positive Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        removeJreEntries(dependency);
+        removeBadMatches(dependency);
+        removeWrongVersionMatches(dependency);
+        removeSpuriousCPE(dependency);
+        removeDuplicativeEntriesFromJar(dependency, engine);
+        addFalseNegativeCPEs(dependency);
+    }
+
+    /**
+     * <p>
+     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
+     * <p>
+     * Example:</p>
+     * <code>
+     * cpe:/a:some-vendor:some-product
+     * cpe:/a:some-vendor:some-product:1.5
+     * cpe:/a:some-vendor:some-product:1.5.2
+     * </code>
+     * <p>
+     * Should be trimmed to:</p>
+     * <code>
+     * cpe:/a:some-vendor:some-product:1.5.2
+     * </code>
+     *
+     * @param dependency the dependency being analyzed
+     */
+    @SuppressWarnings("null")
+    private void removeSpuriousCPE(Dependency dependency) {
+        final List<Identifier> ids = new ArrayList<Identifier>();
+        ids.addAll(dependency.getIdentifiers());
+        Collections.sort(ids);
+        final ListIterator<Identifier> mainItr = ids.listIterator();
+        while (mainItr.hasNext()) {
+            final Identifier currentId = mainItr.next();
+            final VulnerableSoftware currentCpe = parseCpe(currentId.getType(), currentId.getValue());
+            if (currentCpe == null) {
+                continue;
+            }
+            final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
+            while (subItr.hasNext()) {
+                final Identifier nextId = subItr.next();
+                final VulnerableSoftware nextCpe = parseCpe(nextId.getType(), nextId.getValue());
+                if (nextCpe == null) {
+                    continue;
+                }
+                //TODO fix the version problem below
+                if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
+                    if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
+                        // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
+                        final String currentVersion = currentCpe.getVersion();
+                        final String nextVersion = nextCpe.getVersion();
+                        if (currentVersion == null && nextVersion == null) {
+                            //how did we get here?
+                            LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
+                        } else if (currentVersion == null && nextVersion != null) {
+                            dependency.getIdentifiers().remove(currentId);
+                        } else if (nextVersion == null && currentVersion != null) {
+                            dependency.getIdentifiers().remove(nextId);
+                        } else if (currentVersion.length() < nextVersion.length()) {
+                            if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+                        } else {
+                            if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    /**
+     * Regex to identify core java libraries and a few other commonly misidentified ones.
+     */
+    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+            + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+            + "jdk|jre|jsf|jsse)($|:.*)");
+    /**
+     * Regex to identify core java library files. This is currently incomplete.
+     */
+    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+
+    /**
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
+     *
+     * @param dependency the dependency to remove JRE CPEs from
+     */
+    private void removeJreEntries(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            final Matcher coreCPE = CORE_JAVA.matcher(i.getValue());
+            final Matcher coreFiles = CORE_FILES.matcher(dependency.getFileName());
+            if (coreCPE.matches() && !coreFiles.matches()) {
+                itr.remove();
+            }
+        }
+    }
+
+    /**
+     * Parses a CPE string into an IndexEntry.
+     *
+     * @param type the type of identifier
+     * @param value the cpe identifier to parse
+     * @return an VulnerableSoftware object constructed from the identifier
+     */
+    private VulnerableSoftware parseCpe(String type, String value) {
+        if (!"cpe".equals(type)) {
+            return null;
+        }
+        final VulnerableSoftware cpe = new VulnerableSoftware();
+        try {
+            cpe.parseName(value);
+        } catch (UnsupportedEncodingException ex) {
+            LOGGER.log(Level.FINEST, null, ex);
+            return null;
+        }
+        return cpe;
+    }
+
+    /**
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
+     * problems identified when testing this on a LARGE volume of jar files.
+     *
+     * @param dependency the dependency to analyze
+     */
+    private void removeBadMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+
+        /* TODO - can we utilize the pom's groupid and artifactId to filter??? most of
+         * these are due to low quality data.  Other idea would be to say any CPE
+         * found based on LOW confidence evidence should have a different CPE type? (this
+         * might be a better solution then just removing the URL for "best-guess" matches).
+         */
+        //Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
+        //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            //TODO move this startsWith expression to a configuration file?
+            if ("cpe".equals(i.getType())) {
+                if ((i.getValue().matches(".*c\\+\\+.*")
+                        || i.getValue().startsWith("cpe:/a:file:file")
+                        || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
+                        || i.getValue().startsWith("cpe:/a:cvs:cvs")
+                        || i.getValue().startsWith("cpe:/a:ftp:ftp")
+                        || i.getValue().startsWith("cpe:/a:tcp:tcp")
+                        || i.getValue().startsWith("cpe:/a:ssh:ssh")
+                        || i.getValue().startsWith("cpe:/a:lookup:lookup"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe")
+                        || dependency.getFileName().toLowerCase().endsWith(".nuspec")
+                        || dependency.getFileName().toLowerCase().endsWith(".nupkg"))) {
+                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:jquery:jquery")
+                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
+                        || i.getValue().startsWith("cpe:/a:yahoo:yui"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
+                    itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:apache:maven")
+                        && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
+                    itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:m-core:m-core")
+                        && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
+                    itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
+                        && !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
+                    itr.remove();
+                }
+            }
+        }
+    }
+
+    /**
+     * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
+     *
+     * @param dependency the dependency to analyze
+     */
+    private void removeWrongVersionMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+
+        final String fileName = dependency.getFileName();
+        if (fileName != null && fileName.contains("axis2")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        } else if (fileName != null && fileName.contains("axis")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
+     * changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
+     * list of CVE entries.
+     *
+     * @param dependency the dependency being analyzed
+     */
+    private void addFalseNegativeCPEs(Dependency dependency) {
+        //TODO move this to the hint analyzer
+        final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            if ("cpe".equals(i.getType()) && i.getValue() != null
+                    && (i.getValue().startsWith("cpe:/a:oracle:opensso:")
+                    || i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
+                    || i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
+                    || i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
+                final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
+                final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
+                try {
+                    dependency.addIdentifier("cpe",
+                            newCpe,
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe2,
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe2, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe3,
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe3, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe4,
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe4, "UTF-8")));
+                } catch (UnsupportedEncodingException ex) {
+                    LOGGER.log(Level.FINE, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM
+     * entries or other types of files (such as DLLs and EXEs) being contained within the JAR.
+     *
+     * @param dependency the dependency that might be a duplicate
+     * @param engine the engine used to scan all dependencies
+     */
+    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
+        if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                || "dll".equals(dependency.getFileExtension())
+                || "exe".equals(dependency.getFileExtension())) {
+            String parentPath = dependency.getFilePath().toLowerCase();
+            if (parentPath.contains(".jar")) {
+                parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
+                final Dependency parent = findDependency(parentPath, engine.getDependencies());
+                if (parent != null) {
+                    boolean remove = false;
+                    for (Identifier i : dependency.getIdentifiers()) {
+                        if ("cpe".equals(i.getType())) {
+                            final String trimmedCPE = trimCpeToVendor(i.getValue());
+                            for (Identifier parentId : parent.getIdentifiers()) {
+                                if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
+                                    remove |= true;
+                                }
+                            }
+                        }
+                        if (!remove) { //we can escape early
+                            return;
+                        }
+                    }
+                    if (remove) {
+                        engine.getDependencies().remove(dependency);
+                    }
+                }
+            }
+
+        }
+    }
+
+    /**
+     * Retrieves a given dependency, based on a given path, from a list of dependencies.
+     *
+     * @param dependencyPath the path of the dependency to return
+     * @param dependencies the collection of dependencies to search
+     * @return the dependency object for the given path, otherwise null
+     */
+    private Dependency findDependency(String dependencyPath, List<Dependency> dependencies) {
+        for (Dependency d : dependencies) {
+            if (d.getFilePath().equalsIgnoreCase(dependencyPath)) {
+                return d;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
+     *
+     * @param value the CPE value to trim
+     * @return a CPE value that only includes the vendor and product
+     */
+    private String trimCpeToVendor(String value) {
+        //cpe:/a:jruby:jruby:1.0.8
+        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        if (pos2 < 0) {
+            return value;
+        } else {
+            return value.substring(0, pos2);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -0,0 +1,115 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+
+/**
+ *
+ * Takes a dependency and analyzes the filename and determines the hashes.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "File Name Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * Collects information about the file name.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+
+        //strip any path information that may get added by ArchiveAnalyzer, etc.
+        final File f = new File(dependency.getFileName());
+        String fileName = f.getName();
+
+        //remove file extension
+        final int pos = fileName.lastIndexOf(".");
+        if (pos > 0) {
+            fileName = fileName.substring(0, pos);
+        }
+
+        //add version evidence
+        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
+        if (version != null) {
+            // If the version number is just a number like 2 or 23, reduce the confidence
+            // a shade. This should hopefully correct for cases like log4j.jar or
+            // struts2-core.jar
+            if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
+                dependency.getVersionEvidence().addEvidence("file", "name",
+                        version.toString(), Confidence.MEDIUM);
+            } else {
+                dependency.getVersionEvidence().addEvidence("file", "name",
+                        version.toString(), Confidence.HIGHEST);
+            }
+            dependency.getVersionEvidence().addEvidence("file", "name",
+                    fileName, Confidence.MEDIUM);
+        }
+
+        //add as vendor and product evidence
+        if (fileName.contains("-")) {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+            dependency.getVendorEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGHEST);
+        } else {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("file", "name",
+                    fileName, Confidence.HIGH);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java

@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An Analyzer that scans specific file types.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public interface FileTypeAnalyzer extends Analyzer {
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    boolean supportsExtension(String extension);
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -0,0 +1,120 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import java.util.Iterator;
+import java.util.Set;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Hint Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
+     * identifiers or vulnerabilities.
+     *
+     * @param dependency The dependency being analyzed
+     * @param engine The scanning engine
+     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        final Evidence springTest1 = new Evidence("Manifest",
+                "Implementation-Title",
+                "Spring Framework",
+                Confidence.HIGH);
+
+        final Evidence springTest2 = new Evidence("Manifest",
+                "Implementation-Title",
+                "org.springframework.core",
+                Confidence.HIGH);
+
+        final Evidence springTest3 = new Evidence("Manifest",
+                "Bundle-Vendor",
+                "SpringSource",
+                Confidence.HIGH);
+
+        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+        }
+
+        evidence = dependency.getVendorEvidence().getEvidence();
+        if (evidence.contains(springTest3)) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+        }
+        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
+        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        while (itr.hasNext()) {
+            final Evidence e = itr.next();
+            if ("sun".equalsIgnoreCase(e.getValue(false))) {
+                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence());
+                newEntries.add(newEvidence);
+            } else if ("oracle".equalsIgnoreCase(e.getValue(false))) {
+                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence());
+                newEntries.add(newEvidence);
+            }
+        }
+        for (Evidence e : newEntries) {
+            dependency.getVendorEvidence().addEvidence(e);
+        }
+
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -0,0 +1,141 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "JavaScript Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("js");
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAVASCRIPT_ENABLED;
+    }
+
+    /**
+     * Loads a specified JavaScript file and collects information from the copyright information contained within.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JavaScript file.
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        BufferedReader fin = null;
+        try {
+            //  /\*([^\*][^/]|[\r\n\f])+?\*/
+            final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
+            File file = dependency.getActualFile();
+            fin = new BufferedReader(new FileReader(file));
+            StringBuilder sb = new StringBuilder(2000);
+            String text;
+            while ((text = fin.readLine()) != null) {
+                sb.append(text);
+            }
+        } catch (FileNotFoundException ex) {
+            final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
+            throw new AnalysisException(msg, ex);
+        } catch (IOException ex) {
+            LOGGER.log(Level.SEVERE, null, ex);
+        } finally {
+            if (fin != null) {
+                try {
+                    fin.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -0,0 +1,178 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.data.nexus.NexusSearch;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
+ *
+ * There are two settings which govern this behavior:
+ *
+ * <ul>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
+ * even enabled. This can be overridden by setting the system property.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
+ * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
+ * </ul>
+ *
+ * @author colezlaw
+ */
+public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Nexus Analyzer";
+
+    /**
+     * The phase in which the analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
+
+    /**
+     * The Nexus Search to be set up for this analyzer.
+     */
+    private NexusSearch searcher;
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        LOGGER.fine("Initializing Nexus Analyzer");
+        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
+            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+            LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
+            try {
+                searcher = new NexusSearch(new URL(searchUrl));
+                if (!searcher.preflightRequest()) {
+                    LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
+                    setEnabled(false);
+                }
+            } catch (MalformedURLException mue) {
+                // I know that initialize can throw an exception, but we'll
+                // just disable the analyzer if the URL isn't valid
+                LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
+                setEnabled(false);
+            }
+        }
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which this analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        try {
+            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
+            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
+                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
+            }
+            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
+                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
+            }
+            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
+                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
+            }
+            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
+                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
+            }
+        } catch (IllegalArgumentException iae) {
+            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
+            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
+        } catch (FileNotFoundException fnfe) {
+            //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
+            LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
+            LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
+        } catch (IOException ioe) {
+            //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
+            LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -0,0 +1,156 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nuget.NugetPackage;
+import org.owasp.dependencycheck.data.nuget.NuspecParseException;
+import org.owasp.dependencycheck.data.nuget.NuspecParser;
+import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will parse a Nuspec file to gather module information.
+ *
+ * @author colezlaw
+ */
+public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Nuspec Analyzer";
+
+    /**
+     * The phase in which the analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("nuspec");
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which this analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.log(Level.FINE, "Checking Nuspec file {0}", dependency.toString());
+        try {
+            final NuspecParser parser = new XPathNuspecParser();
+            NugetPackage np = null;
+            FileInputStream fis = null;
+            try {
+                fis = new FileInputStream(dependency.getActualFilePath());
+                np = parser.parse(fis);
+            } catch (NuspecParseException ex) {
+                throw new AnalysisException(ex);
+            } catch (FileNotFoundException ex) {
+                throw new AnalysisException(ex);
+            } finally {
+                if (fis != null) {
+                    try {
+                        fis.close();
+                    } catch (IOException e) {
+                        LOGGER.fine("Error closing input stream");
+                    }
+                }
+            }
+
+            if (np.getOwners() != null) {
+                dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
+            }
+            dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH);
+            dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST);
+            dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST);
+            if (np.getTitle() != null) {
+                dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
+            }
+        } catch (Throwable e) {
+            throw new AnalysisException(e);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -1,40 +1,38 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.data.nvdcve;
+package org.owasp.dependencycheck.analyzer;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.AnalysisException;
-import org.owasp.dependencycheck.analyzer.AnalysisPhase;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
-import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+
 /**
- * NvdCveAnalyzer is a utility class that takes a project dependency and
- * attempts to discern if there is an associated CVEs. It uses the the
- * identifiers found by other analyzers to lookup the CVE data.
+ * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
+ * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class NvdCveAnalyzer implements Analyzer {
 
@@ -63,6 +61,7 @@ public class NvdCveAnalyzer implements Analyzer {
     /**
      * Closes the data source.
      */
+    @Override
     public void close() {
         cveDB.close();
         cveDB = null;
@@ -91,23 +90,31 @@ public class NvdCveAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE
-     * identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the
-     * dependency
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
      */
+    @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
                 try {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
-                    for (Vulnerability v : vulns) {
-                        dependency.addVulnerability(v);
-                    }
+                    dependency.getVulnerabilities().addAll(vulns);
+                } catch (DatabaseException ex) {
+                    throw new AnalysisException(ex);
+                }
+            }
+        }
+        for (Identifier id : dependency.getSuppressedIdentifiers()) {
+            if ("cpe".equals(id.getType())) {
+                try {
+                    final String value = id.getValue();
+                    final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
+                    dependency.getSuppressedVulnerabilities().addAll(vulns);
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
                 }
@@ -115,48 +122,32 @@ public class NvdCveAnalyzer implements Analyzer {
         }
     }
 
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    public Set<String> getSupportedExtensions() {
-        return null;
-    }
-
     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
+    @Override
     public String getName() {
         return "NVD CVE Analyzer";
     }
 
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the analysis phase that this analyzer should run in.
      *
      * @return the analysis phase that this analyzer should run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }
 
     /**
-     * Opens the NVD CVE Lucene Index.
+     * Opens the database used to gather NVD CVE data.
      *
      * @throws Exception is thrown if there is an issue opening the index.
      */
+    @Override
     public void initialize() throws Exception {
         this.open();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -0,0 +1,75 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+
+/**
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
+ * Any identified Vulnerability entries within the dependencies that match will be removed.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Vulnerability Suppression Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    @Override
+    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+
+        if (getRules() == null || getRules().size() <= 0) {
+            return;
+        }
+
+        for (final SuppressionRule rule : getRules()) {
+            rule.process(dependency);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java

@@ -1,27 +1,26 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.analyzer;
+package org.owasp.dependencycheck.analyzer.exception;
 
 /**
  * An exception thrown when the analysis of a dependency fails.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class AnalysisException extends Exception {
 
@@ -56,7 +55,7 @@ public class AnalysisException extends Exception {
     }
 
     /**
-     * Creates a new DownloadFailedException.
+     * Creates a new AnalysisException.
      *
      * @param msg a message for the exception.
      * @param ex the cause of the failure.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java

@@ -0,0 +1,66 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer.exception;
+
+/**
+ * An exception thrown when files in an archive cannot be extracted.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class ArchiveExtractionException extends Exception {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     */
+    public ArchiveExtractionException() {
+        super();
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param msg a message for the exception.
+     */
+    public ArchiveExtractionException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.analyzer.exception</title>
+ * </head>
+ * <body>
+ * <p>
+ * A collection of exception classes used within the analyzers.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.analyzer.exception;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/package-info.java

@@ -0,0 +1,13 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.analyzer</title>
+ * </head>
+ * <body>
+ * Analyzers are used to inspect the identified dependencies, collect Evidence,
+ * and process the dependencies.
+ * </body>
+ * </html>
+*/
+
+package org.owasp.dependencycheck.analyzer;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -0,0 +1,327 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+import java.io.IOException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.analysis.Analyzer;
+import org.apache.lucene.analysis.core.KeywordAnalyzer;
+import org.apache.lucene.analysis.miscellaneous.PerFieldAnalyzerWrapper;
+import org.apache.lucene.document.Document;
+import org.apache.lucene.document.Field;
+import org.apache.lucene.document.TextField;
+import org.apache.lucene.index.CorruptIndexException;
+import org.apache.lucene.index.DirectoryReader;
+import org.apache.lucene.index.IndexReader;
+import org.apache.lucene.index.IndexWriter;
+import org.apache.lucene.index.IndexWriterConfig;
+import org.apache.lucene.queryparser.classic.ParseException;
+import org.apache.lucene.queryparser.classic.QueryParser;
+import org.apache.lucene.search.IndexSearcher;
+import org.apache.lucene.search.Query;
+import org.apache.lucene.search.TopDocs;
+import org.apache.lucene.store.RAMDirectory;
+import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
+import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.utils.Pair;
+
+/**
+ * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
+ * the NVD CVE data.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class CpeMemoryIndex {
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CpeMemoryIndex.class.getName());
+    /**
+     * singleton instance.
+     */
+    private static CpeMemoryIndex instance = new CpeMemoryIndex();
+
+    /**
+     * private constructor for singleton.
+     */
+    private CpeMemoryIndex() {
+    }
+
+    /**
+     * Gets the singleton instance of the CpeMemoryIndex.
+     *
+     * @return the instance of the CpeMemoryIndex
+     */
+    public static CpeMemoryIndex getInstance() {
+        return instance;
+    }
+    /**
+     * The in memory Lucene index.
+     */
+    private RAMDirectory index;
+    /**
+     * The Lucene IndexReader.
+     */
+    private IndexReader indexReader;
+    /**
+     * The Lucene IndexSearcher.
+     */
+    private IndexSearcher indexSearcher;
+    /**
+     * The Lucene Analyzer used for Searching.
+     */
+    private Analyzer searchingAnalyzer;
+    /**
+     * The Lucene QueryParser used for Searching.
+     */
+    private QueryParser queryParser;
+    /**
+     * The search field analyzer for the product field.
+     */
+    private SearchFieldAnalyzer productSearchFieldAnalyzer;
+    /**
+     * The search field analyzer for the vendor field.
+     */
+    private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
+
+    /**
+     * Creates and loads data into an in memory index.
+     *
+     * @param cve the data source to retrieve the cpe data
+     * @throws IndexException thrown if there is an error creating the index
+     */
+    public void open(CveDB cve) throws IndexException {
+        if (!openState) {
+            index = new RAMDirectory();
+            buildIndex(cve);
+            try {
+                indexReader = DirectoryReader.open(index);
+            } catch (IOException ex) {
+                throw new IndexException(ex);
+            }
+            indexSearcher = new IndexSearcher(indexReader);
+            searchingAnalyzer = createSearchingAnalyzer();
+            queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
+            openState = true;
+        }
+    }
+    /**
+     * A flag indicating whether or not the index is open.
+     */
+    private boolean openState = false;
+
+    /**
+     * returns whether or not the index is open.
+     *
+     * @return whether or not the index is open
+     */
+    public boolean isOpen() {
+        return openState;
+    }
+
+    /**
+     * Creates the indexing analyzer for the CPE Index.
+     *
+     * @return the CPE Analyzer.
+     */
+    @SuppressWarnings("unchecked")
+    private Analyzer createIndexingAnalyzer() {
+        final Map fieldAnalyzers = new HashMap();
+        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+    }
+
+    /**
+     * Creates an Analyzer for searching the CPE Index.
+     *
+     * @return the CPE Analyzer.
+     */
+    @SuppressWarnings("unchecked")
+    private Analyzer createSearchingAnalyzer() {
+        final Map fieldAnalyzers = new HashMap();
+        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
+        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
+        fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
+
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+    }
+
+    /**
+     * Saves a CPE IndexEntry into the Lucene index.
+     *
+     * @param vendor the vendor to index
+     * @param product the product to index
+     * @param indexWriter the index writer to write the entry into
+     * @throws CorruptIndexException is thrown if the index is corrupt
+     * @throws IOException is thrown if an IOException occurs
+     */
+    public void saveEntry(String vendor, String product, IndexWriter indexWriter) throws CorruptIndexException, IOException {
+        final Document doc = new Document();
+        final Field v = new TextField(Fields.VENDOR, vendor, Field.Store.YES);
+        final Field p = new TextField(Fields.PRODUCT, product, Field.Store.YES);
+        doc.add(v);
+        doc.add(p);
+        indexWriter.addDocument(doc);
+    }
+
+    /**
+     * Closes the CPE Index.
+     */
+    public void close() {
+        if (searchingAnalyzer != null) {
+            searchingAnalyzer.close();
+            searchingAnalyzer = null;
+        }
+        if (indexReader != null) {
+            try {
+                indexReader.close();
+            } catch (IOException ex) {
+                LOGGER.log(Level.FINEST, null, ex);
+            }
+            indexReader = null;
+        }
+        queryParser = null;
+        indexSearcher = null;
+        if (index != null) {
+            index.close();
+            index = null;
+        }
+        openState = false;
+    }
+
+    /**
+     * Builds the CPE Lucene Index based off of the data within the CveDB.
+     *
+     * @param cve the data base containing the CPE data
+     * @throws IndexException thrown if there is an issue creating the index
+     */
+    private void buildIndex(CveDB cve) throws IndexException {
+        Analyzer analyzer = null;
+        IndexWriter indexWriter = null;
+        try {
+            analyzer = createIndexingAnalyzer();
+            final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
+            indexWriter = new IndexWriter(index, conf);
+            try {
+                final Set<Pair<String, String>> data = cve.getVendorProductList();
+                for (Pair<String, String> pair : data) {
+                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
+                }
+            } catch (DatabaseException ex) {
+                LOGGER.log(Level.FINE, null, ex);
+                throw new IndexException("Error reading CPE data", ex);
+            }
+        } catch (CorruptIndexException ex) {
+            throw new IndexException("Unable to close an in-memory index", ex);
+        } catch (IOException ex) {
+            throw new IndexException("Unable to close an in-memory index", ex);
+        } finally {
+            if (indexWriter != null) {
+                try {
+                    try {
+                        indexWriter.commit();
+                    } finally {
+                        indexWriter.close(true);
+                    }
+                } catch (CorruptIndexException ex) {
+                    throw new IndexException("Unable to close an in-memory index", ex);
+                } catch (IOException ex) {
+                    throw new IndexException("Unable to close an in-memory index", ex);
+                }
+                if (analyzer != null) {
+                    analyzer.close();
+                }
+            }
+        }
+    }
+
+    /**
+     * Resets the searching analyzers
+     */
+    private void resetSearchingAnalyzer() {
+        if (productSearchFieldAnalyzer != null) {
+            productSearchFieldAnalyzer.clear();
+        }
+        if (vendorSearchFieldAnalyzer != null) {
+            vendorSearchFieldAnalyzer.clear();
+        }
+    }
+
+    /**
+     * Searches the index using the given search string.
+     *
+     * @param searchString the query text
+     * @param maxQueryResults the maximum number of documents to return
+     * @return the TopDocs found by the search
+     * @throws ParseException thrown when the searchString is invalid
+     * @throws IOException is thrown if there is an issue with the underlying Index
+     */
+    public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
+        if (searchString == null || searchString.trim().isEmpty()) {
+            throw new ParseException("Query is null or empty");
+        }
+        final Query query = queryParser.parse(searchString);
+        return indexSearcher.search(query, maxQueryResults);
+    }
+
+    /**
+     * Searches the index using the given query.
+     *
+     * @param query the query used to search the index
+     * @param maxQueryResults the max number of results to return
+     * @return the TopDocs found be the query
+     * @throws CorruptIndexException thrown if the Index is corrupt
+     * @throws IOException thrown if there is an IOException
+     */
+    public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
+        resetSearchingAnalyzer();
+        return indexSearcher.search(query, maxQueryResults);
+    }
+
+    /**
+     * Retrieves a document from the Index.
+     *
+     * @param documentId the id of the document to retrieve
+     * @return the Document
+     * @throws IOException thrown if there is an IOException
+     */
+    public Document getDocument(int documentId) throws IOException {
+        return indexSearcher.doc(documentId);
+    }
+
+    /**
+     * Returns the number of CPE entries stored in the index.
+     *
+     * @return the number of CPE entries stored in the index
+     */
+    public int numDocs() {
+        if (indexReader == null) {
+            return -1;
+        }
+        return indexReader.numDocs();
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -0,0 +1,42 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+/**
+ * Fields is a collection of field names used within the Lucene index for CPE entries.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class Fields {
+
+    /**
+     * The key for the name document id.
+     */
+    public static final String DOCUMENT_KEY = "id";
+    /**
+     * The key for the vendor field.
+     */
+    public static final String VENDOR = "vendor";
+    /**
+     * The key for the product field.
+     */
+    public static final String PRODUCT = "product";
+    /**
+     * The key for the version field.
+     */
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -0,0 +1,190 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+
+/**
+ * A CPE entry containing the name, vendor, product, and version.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class IndexEntry implements Serializable {
+
+    /**
+     * the serial version uid.
+     */
+    static final long serialVersionUID = 8011924485946326934L;
+    /**
+     * The vendor name.
+     */
+    private String vendor;
+    /**
+     * The documentId.
+     */
+    private String documentId;
+
+    /**
+     * Get the value of documentId.
+     *
+     * @return the value of documentId
+     */
+    public String getDocumentId() {
+        if (documentId == null && vendor != null && product != null) {
+            documentId = vendor + ":" + product;
+        }
+        return documentId;
+    }
+
+    /**
+     * Set the value of documentId.
+     *
+     * @param documentId new value of documentId
+     */
+    public void setDocumentId(String documentId) {
+        this.documentId = documentId;
+    }
+
+    /**
+     * Get the value of vendor.
+     *
+     * @return the value of vendor
+     */
+    public String getVendor() {
+        return vendor;
+    }
+
+    /**
+     * Set the value of vendor.
+     *
+     * @param vendor new value of vendor
+     */
+    public void setVendor(String vendor) {
+        this.vendor = vendor;
+    }
+    /**
+     * The product name.
+     */
+    private String product;
+
+    /**
+     * Get the value of product.
+     *
+     * @return the value of product
+     */
+    public String getProduct() {
+        return product;
+    }
+
+    /**
+     * Set the value of product.
+     *
+     * @param product new value of product
+     */
+    public void setProduct(String product) {
+        this.product = product;
+    }
+    /**
+     * The search score.
+     */
+    private float searchScore;
+
+    /**
+     * Get the value of searchScore.
+     *
+     * @return the value of searchScore
+     */
+    public float getSearchScore() {
+        return searchScore;
+    }
+
+    /**
+     * Set the value of searchScore.
+     *
+     * @param searchScore new value of searchScore
+     */
+    public void setSearchScore(float searchScore) {
+        this.searchScore = searchScore;
+    }
+
+    /**
+     * <p>
+     * Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product.</p>
+     * <p>
+     * Example:</p>
+     * <code>nbsp;nbsp;nbsp;cpe:/a:apache:struts:1.1:rc2</code>
+     *
+     * <p>
+     * Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
+     * </ul>
+     * <p>
+     * If it is necessary to parse the CPE into more parts (i.e. to include version and revision) then you should use
+     * the {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
+     *
+     * @param cpeName the cpe name
+     * @throws UnsupportedEncodingException should never be thrown...
+     */
+    public void parseName(String cpeName) throws UnsupportedEncodingException {
+        if (cpeName != null && cpeName.length() > 7) {
+            final String[] data = cpeName.substring(7).split(":");
+            if (data.length >= 1) {
+                vendor = URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8");
+                if (data.length >= 2) {
+                    product = URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8");
+                }
+            }
+        }
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 97 * hash + (this.getDocumentId() != null ? this.getDocumentId().hashCode() : 0);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final IndexEntry other = (IndexEntry) obj;
+        if ((this.vendor == null) ? (other.vendor != null) : !this.vendor.equals(other.vendor)) {
+            return false;
+        }
+        if ((this.product == null) ? (other.product != null) : !this.product.equals(other.product)) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Standard implementation of toString showing vendor and product.
+     *
+     * @return the string representation of the object
+     */
+    @Override
+    public String toString() {
+        return "IndexEntry{" + "vendor=" + vendor + ", product=" + product + '}';
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexException.java

@@ -0,0 +1,66 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+/**
+ * An exception thrown when the there is an issue using the in-memory CPE Index.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class IndexException extends Exception {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new IndexException.
+     */
+    public IndexException() {
+        super();
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param msg a message for the exception.
+     */
+    public IndexException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param ex the cause of the failure.
+     */
+    public IndexException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the failure.
+     */
+    public IndexException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,10 +26,13 @@ import java.util.logging.Logger;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class CweDB {
-
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
     /**
      * Empty private constructor as this is a utility class.
      */
@@ -55,15 +57,17 @@ public final class CweDB {
             oin = new ObjectInputStream(input);
             return (HashMap<String, String>) oin.readObject();
         } catch (ClassNotFoundException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
         } catch (IOException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
         } finally {
             if (oin != null) {
                 try {
                     oin.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                 }
             }
         }
@@ -71,7 +75,9 @@ public final class CweDB {
     }
 
     /**
-     * <p>Returns the full CWE name from the CWE ID.</p>
+     * <p>
+     * Returns the full CWE name from the CWE ID.</p>
+     *
      * @param cweId the CWE ID
      * @return the full name of the CWE
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +25,7 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the CWE XML.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class CweHandler extends DefaultHandler {
 
@@ -37,6 +36,7 @@ public class CweHandler extends DefaultHandler {
 
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
+     *
      * @return a HashMap of CWE entries <String, String>
      */
     public HashMap<String, String> getCwe() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -0,0 +1,83 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.util.LinkedList;
+import org.apache.lucene.analysis.TokenFilter;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+
+/**
+ * An abstract tokenizing filter that can be used as the base for a tokenizing filter.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractTokenizingFilter extends TokenFilter {
+
+    /**
+     * The char term attribute.
+     */
+    private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
+
+    /**
+     * Gets the CharTermAttribute.
+     *
+     * @return the CharTermAttribute
+     */
+    protected CharTermAttribute getTermAtt() {
+        return termAtt;
+    }
+    /**
+     * A collection of tokens to add to the stream.
+     */
+    private final LinkedList<String> tokens;
+
+    /**
+     * Gets the list of tokens.
+     *
+     * @return the list of tokens
+     */
+    protected LinkedList<String> getTokens() {
+        return tokens;
+    }
+
+    /**
+     * Constructs a new AbstractTokenizingFilter.
+     *
+     * @param stream the TokenStream that this filter will process
+     */
+    public AbstractTokenizingFilter(TokenStream stream) {
+        super(stream);
+        tokens = new LinkedList<String>();
+    }
+
+    /**
+     * Adds a term, if one exists, from the tokens collection.
+     *
+     * @return whether or not a new term was added
+     */
+    protected boolean addTerm() {
+        final boolean termAdded = tokens.size() > 0;
+        if (termAdded) {
+            final String term = tokens.pop();
+            clearAttributes();
+            termAtt.append(term);
+        }
+        return termAdded;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AlphaNumericTokenizer.java

@@ -0,0 +1,62 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.io.Reader;
+import org.apache.lucene.analysis.util.CharTokenizer;
+import org.apache.lucene.util.Version;
+
+/**
+ * Tokenizes the input breaking it into tokens when non-alpha/numeric characters are found.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class AlphaNumericTokenizer extends CharTokenizer {
+
+    /**
+     * Constructs a new AlphaNumericTokenizer.
+     *
+     * @param matchVersion the lucene version
+     * @param in the Reader
+     */
+    public AlphaNumericTokenizer(Version matchVersion, Reader in) {
+        super(matchVersion, in);
+    }
+
+    /**
+     * Constructs a new AlphaNumericTokenizer.
+     *
+     * @param matchVersion the lucene version
+     * @param factory the AttributeFactory
+     * @param in the Reader
+     */
+    public AlphaNumericTokenizer(Version matchVersion, AttributeFactory factory, Reader in) {
+        super(matchVersion, factory, in);
+    }
+
+    /**
+     * Determines if the char passed in is part of a token.
+     *
+     * @param c the char being analyzed
+     * @return true if the char is a letter or digit, otherwise false
+     */
+    @Override
+    protected boolean isTokenChar(int c) {
+        return Character.isLetter(c) || Character.isDigit(c);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -0,0 +1,47 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import org.apache.lucene.search.similarities.DefaultSimilarity;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DependencySimilarity extends DefaultSimilarity {
+
+    /**
+     * the serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * <p>
+     * Override the default idf implementation so that frequency within all document is ignored.</p>
+     *
+     * See <a href="http://www.lucenetutorial.com/advanced-topics/scoring.html">this article</a> for more details.
+     *
+     * @param docFreq - the number of documents which contain the term
+     * @param numDocs - the total number of documents in the collection
+     * @return 1
+     */
+    @Override
+    public float idf(long docFreq, long numDocs) {
+        return 1;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +21,6 @@ import java.io.Reader;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.analysis.core.LowerCaseFilter;
 import org.apache.lucene.analysis.core.StopAnalyzer;
 import org.apache.lucene.analysis.core.StopFilter;
@@ -30,11 +28,11 @@ import org.apache.lucene.analysis.miscellaneous.WordDelimiterFilter;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter,
- * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is
- * to index the CPE fields vendor and product.</p>
+ * <p>
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
+ * intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class FieldAnalyzer extends Analyzer {
 
@@ -61,7 +59,7 @@ public class FieldAnalyzer extends Analyzer {
      */
     @Override
     protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
+        final Tokenizer source = new AlphaNumericTokenizer(version, reader);
 
         TokenStream stream = source;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,31 +1,38 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import org.apache.lucene.util.Version;
+
 /**
- * <p>Lucene utils is a set of utilize written to make constructing Lucene
- * queries simpler.</p>
+ * <p>
+ * Lucene utils is a set of utilize written to make constructing Lucene queries simpler.</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class LuceneUtils {
 
+    /**
+     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
+     * the code base.
+     */
+    public static final Version CURRENT_VERSION = Version.LUCENE_45;
+
     /**
      * Private constructor as this is a utility class.
      */
@@ -33,16 +40,15 @@ public final class LuceneUtils {
     }
 
     /**
-     * Appends the text to the supplied StringBuilder escaping Lucene control
-     * characters in the process.
+     * Appends the text to the supplied StringBuilder escaping Lucene control characters in the process.
      *
      * @param buf a StringBuilder to append the escaped text to
      * @param text the data to be escaped
      */
     @SuppressWarnings("fallthrough")
     @edu.umd.cs.findbugs.annotations.SuppressWarnings(
-    value = "SF_SWITCH_NO_DEFAULT",
-    justification = "The switch below does have a default.")
+            value = "SF_SWITCH_NO_DEFAULT",
+            justification = "The switch below does have a default.")
     public static void appendEscapedLuceneQuery(StringBuilder buf,
             final CharSequence text) {
 
@@ -80,8 +86,7 @@ public final class LuceneUtils {
     }
 
     /**
-     * Escapes the text passed in so that it is treated as data instead of
-     * control characters.
+     * Escapes the text passed in so that it is treated as data instead of control characters.
      *
      * @param text data to be escaped
      * @return the escaped text.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +21,6 @@ import java.io.Reader;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.analysis.core.LowerCaseFilter;
 import org.apache.lucene.analysis.core.StopAnalyzer;
 import org.apache.lucene.analysis.core.StopFilter;
@@ -32,7 +30,7 @@ import org.apache.lucene.util.Version;
 /**
  * A Lucene field analyzer used to analyzer queries against the CPE data.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class SearchFieldAnalyzer extends Analyzer {
 
@@ -41,8 +39,8 @@ public class SearchFieldAnalyzer extends Analyzer {
      */
     private final Version version;
     /**
-     * A local reference to the TokenPairConcatenatingFilter so that we
-     * can clear any left over state if this analyzer is re-used.
+     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
+     * is re-used.
      */
     private TokenPairConcatenatingFilter concatenatingFilter;
 
@@ -57,13 +55,14 @@ public class SearchFieldAnalyzer extends Analyzer {
 
     /**
      * Creates a the TokenStreamComponents used to analyze the stream.
+     *
      * @param fieldName the field that this lucene analyzer will process
      * @param reader a reader containing the tokens
      * @return the token stream filter chain
      */
     @Override
     protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
+        final Tokenizer source = new AlphaNumericTokenizer(version, reader);
 
         TokenStream stream = source;
 
@@ -76,6 +75,7 @@ public class SearchFieldAnalyzer extends Analyzer {
                 | WordDelimiterFilter.STEM_ENGLISH_POSSESSIVE, null);
 
         stream = new LowerCaseFilter(version, stream);
+        stream = new UrlTokenizingFilter(stream);
         concatenatingFilter = new TokenPairConcatenatingFilter(stream);
         stream = concatenatingFilter;
         stream = new StopFilter(version, stream, StopAnalyzer.ENGLISH_STOP_WORDS_SET);
@@ -84,11 +84,15 @@ public class SearchFieldAnalyzer extends Analyzer {
     }
 
     /**
-     * <p>Resets the analyzer and clears any internal state data that may
-     * have been left-over from previous uses of the analyzer.</p>
-     * <p><b>If this analyzer is re-used this method must be called between uses.</b></p>
+     * <p>
+     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
+     * analyzer.</p>
+     * <p>
+     * <b>If this analyzer is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
-        concatenatingFilter.clear();
+        if (concatenatingFilter != null) {
+            concatenatingFilter.clear();
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,8 +28,10 @@ import org.apache.lucene.util.Version;
 /**
  * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
  */
+@Deprecated
 public class SearchVersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
     // use custom attributes for major, minor, x, x, x, rcx

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,15 +22,14 @@ import java.util.LinkedList;
 import org.apache.lucene.analysis.TokenFilter;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
-import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
 
 /**
- * <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
- * words.</p>
- * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
- * Framework FrameworkCore Core".</p>
+ * <p>
+ * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
+ * <p>
+ * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class TokenPairConcatenatingFilter extends TokenFilter {
 
@@ -39,10 +37,6 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
      * The char term attribute.
      */
     private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
-    /**
-     * The position increment attribute.
-     */
-    private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class);
     /**
      * The previous word parsed.
      */
@@ -52,6 +46,24 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
      */
     private final LinkedList<String> words;
 
+    /**
+     * Returns the previous word. This is needed in the test cases.
+     *
+     * @return te previous word
+     */
+    protected String getPreviousWord() {
+        return previousWord;
+    }
+
+    /**
+     * Returns the words list. This is needed in the test cases.
+     *
+     * @return the words list
+     */
+    protected LinkedList<String> getWords() {
+        return words;
+    }
+
     /**
      * Constructs a new TokenPairConcatenatingFilter.
      *
@@ -63,9 +75,8 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
-     * construct an expanded set of tokens by concatenating tokens with the
-     * previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -85,7 +96,6 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
             final String word = words.getFirst();
             clearAttributes();
             termAtt.append(previousWord).append(word);
-            posIncAtt.setPositionIncrement(0);
             previousWord = null;
             return true;
         }
@@ -101,10 +111,11 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * <p>Resets the Filter and clears any internal state data that may have
-     * been left-over from previous uses of the Filter.</p>
-     * <p><b>If this Filter is re-used this method must be called between
-     * uses.</b></p>
+     * <p>
+     * Resets the Filter and clears any internal state data that may have been left-over from previous uses of the
+     * Filter.</p>
+     * <p>
+     * <b>If this Filter is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
         previousWord = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -0,0 +1,86 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
+
+/**
+ * <p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
+ * <p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(UrlTokenizingFilter.class.getName());
+    /**
+     * Constructs a new VersionTokenizingFilter.
+     *
+     * @param stream the TokenStream that this filter will process
+     */
+    public UrlTokenizingFilter(TokenStream stream) {
+        super(stream);
+    }
+
+    /**
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
+     *
+     * @return whether or not we have hit the end of the TokenStream
+     * @throws IOException is thrown when an IOException occurs
+     */
+    @Override
+    public boolean incrementToken() throws IOException {
+        final LinkedList<String> tokens = getTokens();
+        final CharTermAttribute termAtt = getTermAtt();
+        if (tokens.size() == 0 && input.incrementToken()) {
+            final String text = new String(termAtt.buffer(), 0, termAtt.length());
+            if (UrlStringUtils.containsUrl(text)) {
+                final String[] parts = text.split("\\s");
+                for (String part : parts) {
+                    if (UrlStringUtils.isUrl(part)) {
+                        try {
+                            final List<String> data = UrlStringUtils.extractImportantUrlData(part);
+                            tokens.addAll(data);
+                        } catch (MalformedURLException ex) {
+                            LOGGER.log(Level.FINE, "error parsing " + part, ex);
+                            tokens.add(part);
+                        }
+                    } else {
+                        tokens.add(part);
+                    }
+                }
+            } else {
+                tokens.add(text);
+            }
+        }
+        return addTerm();
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,8 +28,10 @@ import org.apache.lucene.util.Version;
 /**
  * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
  */
+@Deprecated
 public class VersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
     // use custom attributes for major, minor, x, x, x, rcx

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -0,0 +1,98 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.io.IOException;
+import java.util.LinkedList;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+
+/**
+ * <p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
+ * <p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
+ */
+@Deprecated
+public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
+
+    /**
+     * Constructs a new VersionTokenizingFilter.
+     *
+     * @param stream the TokenStream that this filter will process
+     */
+    public VersionTokenizingFilter(TokenStream stream) {
+        super(stream);
+    }
+
+    /**
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
+     *
+     * @return whether or not we have hit the end of the TokenStream
+     * @throws IOException is thrown when an IOException occurs
+     */
+    @Override
+    public boolean incrementToken() throws IOException {
+        final LinkedList<String> tokens = getTokens();
+        final CharTermAttribute termAtt = getTermAtt();
+        if (tokens.size() == 0 && input.incrementToken()) {
+            final String version = new String(termAtt.buffer(), 0, termAtt.length());
+            final String[] toAnalyze = version.split("[_-]");
+            //ensure we analyze the whole string as one too
+            analyzeVersion(version);
+            for (String str : toAnalyze) {
+                analyzeVersion(str);
+            }
+        }
+        return addTerm();
+    }
+
+    /**
+     * <p>
+     * Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
+     * would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
+     * or build number will throw off the version identification.</p>
+     *
+     * <p>
+     * expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
+     *
+     * @param version the version to analyze
+     */
+    private void analyzeVersion(String version) {
+        //todo should we also be splitting on dash or underscore? we would need
+        //  to incorporate the dash or underscore back in...
+        final LinkedList<String> tokens = getTokens();
+        final String[] versionParts = version.split("\\.");
+        String dottedVersion = null;
+        for (String current : versionParts) {
+            if (!current.matches("^/d+$")) {
+                tokens.add(current);
+            }
+            if (dottedVersion == null) {
+                dottedVersion = current;
+            } else {
+                dottedVersion = dottedVersion + "." + current;
+            }
+            tokens.add(dottedVersion);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -0,0 +1,164 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+/**
+ * Simple bean representing a Maven Artifact.
+ *
+ * @author colezlaw
+ */
+public class MavenArtifact {
+
+    /**
+     * The groupId
+     */
+    private String groupId;
+
+    /**
+     * The artifactId
+     */
+    private String artifactId;
+
+    /**
+     * The version
+     */
+    private String version;
+
+    /**
+     * The artifact url. This may change depending on which Nexus server the search took place.
+     */
+    private String artifactUrl;
+
+    /**
+     * Creates an empty MavenArtifact.
+     */
+    public MavenArtifact() {
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     */
+    public MavenArtifact(String groupId, String artifactId, String version) {
+        setGroupId(groupId);
+        setArtifactId(artifactId);
+        setVersion(version);
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     * @param url the artifactLink url
+     */
+    public MavenArtifact(String groupId, String artifactId, String version, String url) {
+        setGroupId(groupId);
+        setArtifactId(artifactId);
+        setVersion(version);
+        setArtifactUrl(url);
+    }
+
+    /**
+     * Returns the Artifact coordinates as a String.
+     *
+     * @return the String representation of the artifact coordinates
+     */
+    @Override
+    public String toString() {
+        return String.format("%s:%s:%s", groupId, artifactId, version);
+    }
+
+    /**
+     * Sets the groupId.
+     *
+     * @param groupId the groupId
+     */
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
+
+    /**
+     * Gets the groupId.
+     *
+     * @return the groupId
+     */
+    public String getGroupId() {
+        return groupId;
+    }
+
+    /**
+     * Sets the artifactId.
+     *
+     * @param artifactId the artifactId
+     */
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
+
+    /**
+     * Gets the artifactId.
+     *
+     * @return the artifactId
+     */
+    public String getArtifactId() {
+        return artifactId;
+    }
+
+    /**
+     * Sets the version.
+     *
+     * @param version the version
+     */
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    /**
+     * Gets the version.
+     *
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Sets the artifactUrl.
+     *
+     * @param artifactUrl the artifactUrl
+     */
+    public void setArtifactUrl(String artifactUrl) {
+        this.artifactUrl = artifactUrl;
+    }
+
+    /**
+     * Gets the artifactUrl.
+     *
+     * @return the artifactUrl
+     */
+    public String getArtifactUrl() {
+        return artifactUrl;
+    }
+}
+
+// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -0,0 +1,178 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.w3c.dom.Document;
+
+/**
+ * Class of methods to search Nexus repositories.
+ *
+ * @author colezlaw
+ */
+public class NexusSearch {
+
+    /**
+     * The root URL for the Nexus repository service
+     */
+    private final URL rootURL;
+
+    /**
+     * Whether to use the Proxy when making requests
+     */
+    private boolean useProxy;
+
+    /**
+     * Used for logging.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class
+            .getName());
+
+    /**
+     * Creates a NexusSearch for the given repository URL.
+     *
+     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
+     * relative to this URL, so it should end with a /
+     */
+    public NexusSearch(URL rootURL) {
+        this.rootURL = rootURL;
+        try {
+            if (null != Settings.getString(Settings.KEYS.PROXY_URL)
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
+                useProxy = true;
+                LOGGER.fine("Using proxy");
+            } else {
+                useProxy = false;
+                LOGGER.fine("Not using proxy");
+            }
+        } catch (InvalidSettingException ise) {
+            useProxy = false;
+        }
+    }
+
+    /**
+     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
+     * <code>MavenArtifact</code> is populated with the coordinate information.
+     *
+     * @param sha1 The SHA-1 hash string for which to search
+     * @return the populated Maven coordinates
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
+     * found.
+     */
+    public MavenArtifact searchSha1(String sha1) throws IOException {
+        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
+            throw new IllegalArgumentException("Invalid SHA1 format");
+        }
+
+        final URL url = new URL(rootURL, String.format("identify/sha1/%s",
+                sha1.toLowerCase()));
+
+        LOGGER.fine(String.format("Searching Nexus url %s", url.toString()));
+
+        // Determine if we need to use a proxy. The rules:
+        // 1) If the proxy is set, AND the setting is set to true, use the proxy
+        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
+        // or proxy is specifically
+        // set to false
+        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+
+        conn.setDoOutput(true);
+
+        // JSON would be more elegant, but there's not currently a dependency
+        // on JSON, so don't want to add one just for this
+        conn.addRequestProperty("Accept", "application/xml");
+        conn.connect();
+
+        if (conn.getResponseCode() == 200) {
+            try {
+                final DocumentBuilder builder = DocumentBuilderFactory
+                        .newInstance().newDocumentBuilder();
+                final Document doc = builder.parse(conn.getInputStream());
+                final XPath xpath = XPathFactory.newInstance().newXPath();
+                final String groupId = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
+                                doc);
+                final String artifactId = xpath.evaluate(
+                        "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
+                        doc);
+                final String version = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/version",
+                                doc);
+                final String link = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
+                                doc);
+                return new MavenArtifact(groupId, artifactId, version, link);
+            } catch (Throwable e) {
+                // Anything else is jacked-up XML stuff that we really can't recover
+                // from well
+                throw new IOException(e.getMessage(), e);
+            }
+        } else if (conn.getResponseCode() == 404) {
+            throw new FileNotFoundException("Artifact not found in Nexus");
+        } else {
+            final String msg = String.format("Could not connect to Nexus received response code: %d %s",
+                    conn.getResponseCode(), conn.getResponseMessage());
+            LOGGER.fine(msg);
+            throw new IOException(msg);
+        }
+    }
+
+    /**
+     * Do a preflight request to see if the repository is actually working.
+     *
+     * @return whether the repository is listening and returns the /status URL correctly
+     */
+    public boolean preflightRequest() {
+        try {
+            final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
+            conn.addRequestProperty("Accept", "application/xml");
+            conn.connect();
+            if (conn.getResponseCode() != 200) {
+                LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode());
+                return false;
+            }
+            final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            final Document doc = builder.parse(conn.getInputStream());
+            if (!"status".equals(doc.getDocumentElement().getNodeName())) {
+                LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName());
+                return false;
+            }
+        } catch (Throwable e) {
+            return false;
+        }
+
+        return true;
+    }
+}
+
+// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -0,0 +1,14 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.nexus</title>
+ * </head>
+ * <body>
+ * <p>
+ * Contains classes related to searching a Nexus repository.</p>
+ * <p>
+ * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.data.nexus;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java

@@ -0,0 +1,186 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+/**
+ * Represents the contents of a Nuspec manifest.
+ *
+ * @author colezlaw
+ */
+public class NugetPackage {
+    /**
+     * The id.
+     */
+    private String id;
+
+    /**
+     * The version.
+     */
+    private String version;
+
+    /**
+     * The title.
+     */
+    private String title;
+
+    /**
+     * The authors.
+     */
+    private String authors;
+
+    /**
+     * The owners.
+     */
+    private String owners;
+
+    /**
+     * The licenseUrl.
+     */
+    private String licenseUrl;
+
+    /**
+     * Creates an empty NugetPackage.
+     */
+    public NugetPackage() {
+    }
+
+    /**
+     * Sets the id.
+     * @param id the id
+     */
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    /**
+     * Gets the id.
+     * @return the id
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the version.
+     * @param version the version
+     */
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    /**
+     * Gets the version.
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Sets the title.
+     * @param title the title
+     */
+    public void setTitle(String title) {
+        this.title = title;
+    }
+
+    /**
+     * Gets the title.
+     * @return the title
+     */
+    public String getTitle() {
+        return title;
+    }
+
+    /**
+     * Sets the authors.
+     * @param authors the authors
+     */
+    public void setAuthors(String authors) {
+        this.authors = authors;
+    }
+
+    /**
+     * Gets the authors.
+     * @return the authors
+     */
+    public String getAuthors() {
+        return authors;
+    }
+
+    /**
+     * Sets the owners.
+     * @param owners the owners
+     */
+    public void setOwners(String owners) {
+        this.owners = owners;
+    }
+
+    /**
+     * Gets the owners.
+     * @return the owners
+     */
+    public String getOwners() {
+        return owners;
+    }
+
+    /**
+     * Sets the licenseUrl.
+     * @param licenseUrl the licenseUrl
+     */
+    public void setLicenseUrl(String licenseUrl) {
+        this.licenseUrl = licenseUrl;
+    }
+
+    /**
+     * Gets the licenseUrl.
+     * @return the licenseUrl
+     */
+    public String getLicenseUrl() {
+        return licenseUrl;
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (this == other) {
+            return true;
+        }
+        if (other == null || other.getClass() != this.getClass()) {
+            return false;
+        }
+        final NugetPackage o = (NugetPackage) other;
+        return o.getId().equals(id)
+                && o.getVersion().equals(version)
+                && o.getTitle().equals(title)
+                && o.getAuthors().equals(authors)
+                && o.getOwners().equals(owners)
+                && o.getLicenseUrl().equals(licenseUrl);
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 31 * hash + (null == id ? 0 : id.hashCode());
+        hash = 31 * hash + (null == version ? 0 : version.hashCode());
+        hash = 31 * hash + (null == title ? 0 : title.hashCode());
+        hash = 31 * hash + (null == authors ? 0 : authors.hashCode());
+        hash = 31 * hash + (null == owners ? 0 : owners.hashCode());
+        hash = 31 * hash + (null == licenseUrl ? 0 : licenseUrl.hashCode());
+        return hash;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+/**
+ * Exception during the parsing of a Nuspec file.
+ *
+ * @author colezlaw
+ */
+public class NuspecParseException extends Exception {
+
+    /**
+     * The serialVersionUID
+     */
+    private static final long serialVersionUID = 1;
+
+    /**
+     * Constructs a new exception with <code>null</code> as its detail message.
+     *
+     * The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
+     */
+    public NuspecParseException() {
+        super();
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently
+     * be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
+     *
+     * @param message the detail message. The detail message is saved for later retrieval by the
+     * {@link java.lang.Throwable#getMessage()} method.
+     */
+    public NuspecParseException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * Note that the detail message associated with <code>cause</code> is <em>not</em>
+     * automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message (which is saved for later retrieval by the
+     * {@link java.lang.Throwable#getMessage()} method.
+     * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
+     * (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
+     */
+    public NuspecParseException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java

@@ -0,0 +1,37 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+import java.io.InputStream;
+
+/**
+ * Interface defining methods for parsing a Nuspec file.
+ *
+ * @author colezlaw
+ *
+ */
+public interface NuspecParser {
+    /**
+     * Parse an input stream and return the resulting {@link NugetPackage}.
+     *
+     * @param stream the input stream to parse
+     * @return the populated bean
+     * @throws NuspecParseException when an exception occurs
+     */
+    NugetPackage parse(InputStream stream) throws NuspecParseException;
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java

@@ -0,0 +1,81 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+import java.io.InputStream;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+/**
+ * Parse a Nuspec file using XPath.
+ *
+ * @author colezlaw
+ */
+public class XPathNuspecParser implements NuspecParser {
+
+    /**
+     * Gets the string value of a node or null if it's not present
+     *
+     * @param n the node to test
+     * @return the string content of the node, or null if the node itself is null
+     */
+    private String getOrNull(Node n) {
+        if (n != null) {
+            return n.getTextContent();
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * Parse an input stream and return the resulting {@link NugetPackage}.
+     *
+     * @param stream the input stream to parse
+     * @return the populated bean
+     * @throws NuspecParseException when an exception occurs
+     */
+    @Override
+    public NugetPackage parse(InputStream stream) throws NuspecParseException {
+        try {
+            final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+            final NugetPackage nuspec = new NugetPackage();
+
+            if (xpath.evaluate("/package/metadata/id", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/version", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/authors", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/description", d, XPathConstants.NODE) == null) {
+                throw new NuspecParseException("Invalid Nuspec format");
+            }
+
+            nuspec.setId(xpath.evaluate("/package/metadata/id", d));
+            nuspec.setVersion(xpath.evaluate("/package/metadata/version", d));
+            nuspec.setAuthors(xpath.evaluate("/package/metadata/authors", d));
+            nuspec.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE)));
+            nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
+            nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
+            return nuspec;
+        } catch (Throwable e) {
+            throw new NuspecParseException("Unable to parse nuspec", e);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -0,0 +1,15 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.nuget</title>
+ * </head>
+ * <body>
+ * <p>
+ * Contains classes related to parsing Nuget related files</p>
+ * <p>
+ * These are used to abstract away Nuget-related handling from Dependency Check
+ * so they can be used elsewhere.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -0,0 +1,339 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.sql.CallableStatement;
+import java.sql.Connection;
+import java.sql.Driver;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.utils.DBUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Loads the configured database driver and returns the database connection. If the embedded H2 database is used
+ * obtaining a connection will ensure the database file exists and that the appropriate table structure has been
+ * created.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class ConnectionFactory {
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ConnectionFactory.class.getName());
+    /**
+     * The version of the current DB Schema.
+     */
+    public static final String DB_SCHEMA_VERSION = "2.9";
+    /**
+     * Resource location for SQL file used to create the database schema.
+     */
+    public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
+    /**
+     * The database driver used to connect to the database.
+     */
+    private static Driver driver = null;
+    /**
+     * The database connection string.
+     */
+    private static String connectionString = null;
+    /**
+     * The username to connect to the database.
+     */
+    private static String userName = null;
+    /**
+     * The password for the database.
+     */
+    private static String password = null;
+
+    /**
+     * Private constructor for this factory class; no instance is ever needed.
+     */
+    private ConnectionFactory() {
+    }
+
+    /**
+     * Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be
+     * made successfully.
+     *
+     * @throws DatabaseException thrown if we are unable to connect to the database
+     */
+    public static synchronized void initialize() throws DatabaseException {
+        //this only needs to be called once.
+        if (connectionString != null) {
+            return;
+        }
+        Connection conn = null;
+        try {
+            //load the driver if necessary
+            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
+            if (!driverName.isEmpty()) { //likely need to load the correct driver
+                LOGGER.log(Level.FINE, "Loading driver: {0}", driverName);
+                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
+                try {
+                    if (!driverPath.isEmpty()) {
+                        LOGGER.log(Level.FINE, "Loading driver from: {0}", driverPath);
+                        driver = DriverLoader.load(driverName, driverPath);
+                    } else {
+                        driver = DriverLoader.load(driverName);
+                    }
+                } catch (DriverLoadException ex) {
+                    LOGGER.log(Level.FINE, "Unable to load database driver", ex);
+                    throw new DatabaseException("Unable to load database driver");
+                }
+            }
+            userName = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
+            //yes, yes - hard-coded password - only if there isn't one in the properties file.
+            password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
+            try {
+                connectionString = getConnectionString();
+            } catch (IOException ex) {
+                LOGGER.log(Level.FINE,
+                        "Unable to retrieve the database connection string", ex);
+                throw new DatabaseException("Unable to retrieve the database connection string");
+            }
+            boolean shouldCreateSchema = false;
+            try {
+                if (connectionString.startsWith("jdbc:h2:file:")) { //H2
+                    shouldCreateSchema = !dbSchemaExists();
+                    LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
+                }
+            } catch (IOException ioex) {
+                LOGGER.log(Level.FINE, "Unable to verify database exists", ioex);
+                throw new DatabaseException("Unable to verify database exists");
+            }
+            LOGGER.log(Level.FINE, "Loading database connection");
+            LOGGER.log(Level.FINE, "Connection String: {0}", connectionString);
+            LOGGER.log(Level.FINE, "Database User: {0}", userName);
+
+            try {
+                conn = DriverManager.getConnection(connectionString, userName, password);
+            } catch (SQLException ex) {
+                if (ex.getMessage().contains("java.net.UnknownHostException") && connectionString.contains("AUTO_SERVER=TRUE;")) {
+                    connectionString = connectionString.replace("AUTO_SERVER=TRUE;", "");
+                    try {
+                        conn = DriverManager.getConnection(connectionString, userName, password);
+                        Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+                        LOGGER.log(Level.FINE,
+                                "Unable to start the database in server mode; reverting to single user mode");
+                    } catch (SQLException sqlex) {
+                        LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
+                        throw new DatabaseException("Unable to connect to the database");
+                    }
+                } else {
+                    LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
+                    throw new DatabaseException("Unable to connect to the database");
+                }
+            }
+
+            if (shouldCreateSchema) {
+                try {
+                    createTables(conn);
+                } catch (DatabaseException dex) {
+                    LOGGER.log(Level.FINE, null, dex);
+                    throw new DatabaseException("Unable to create the database structure");
+                }
+            } else {
+                try {
+                    ensureSchemaVersion(conn);
+                } catch (DatabaseException dex) {
+                    LOGGER.log(Level.FINE, null, dex);
+                    throw new DatabaseException("Database schema does not match this version of dependency-check");
+                }
+            }
+        } finally {
+            if (conn != null) {
+                try {
+                    conn.close();
+                } catch (SQLException ex) {
+                    LOGGER.log(Level.FINE, "An error occurred closing the connection", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Cleans up resources and unloads any registered database drivers. This needs to be called to ensure the driver is
+     * unregistered prior to the finalize method being called as during shutdown the class loader used to load the
+     * driver may be unloaded prior to the driver being de-registered.
+     */
+    public static synchronized void cleanup() {
+        if (driver != null) {
+            try {
+                DriverManager.deregisterDriver(driver);
+            } catch (SQLException ex) {
+                LOGGER.log(Level.FINE, "An error occurred unloading the database driver", ex);
+            } catch (Throwable unexpected) {
+                LOGGER.log(Level.FINE,
+                        "An unexpected throwable occurred unloading the database driver", unexpected);
+            }
+            driver = null;
+        }
+        connectionString = null;
+        userName = null;
+        password = null;
+    }
+
+    /**
+     * Constructs a new database connection object per the database configuration.
+     *
+     * @return a database connection object
+     * @throws DatabaseException thrown if there is an exception loading the database connection
+     */
+    public static Connection getConnection() throws DatabaseException {
+        initialize();
+        Connection conn = null;
+        try {
+            conn = DriverManager.getConnection(connectionString, userName, password);
+        } catch (SQLException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to connect to the database");
+        }
+        return conn;
+    }
+
+    /**
+     * Returns the configured connection string. If using the embedded H2 database this function will also ensure the
+     * data directory exists and if not create it.
+     *
+     * @return the connection string
+     * @throws IOException thrown the data directory cannot be created
+     */
+    private static String getConnectionString() throws IOException {
+        final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
+        if (connStr.contains("%s")) {
+            final String directory = getDataDirectory().getCanonicalPath();
+            final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
+            LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
+            return String.format(connStr, dataFile.getAbsolutePath());
+        }
+        return connStr;
+    }
+
+    /**
+     * Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
+     * for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
+     *
+     * @return the data directory to store data files
+     * @throws IOException is thrown if an IOException occurs of course...
+     */
+    public static File getDataDirectory() throws IOException {
+        final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
+        if (!path.exists()) {
+            if (!path.mkdirs()) {
+                throw new IOException("Unable to create NVD CVE Data directory");
+            }
+        }
+        return path;
+    }
+
+    /**
+     * Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
+     *
+     * @return true if the H2 database file does not exist; otherwise false
+     * @throws IOException thrown if the data directory does not exist and cannot be created
+     */
+    private static boolean dbSchemaExists() throws IOException {
+        final File dir = getDataDirectory();
+        final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
+        final File file = new File(dir, name);
+        return file.exists();
+    }
+
+    /**
+     * Creates the database structure (tables and indexes) to store the CVE data.
+     *
+     * @param conn the database connection
+     * @throws DatabaseException thrown if there is a Database Exception
+     */
+    private static void createTables(Connection conn) throws DatabaseException {
+        LOGGER.log(Level.FINE, "Creating database structure");
+        InputStream is;
+        InputStreamReader reader;
+        BufferedReader in = null;
+        try {
+            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
+            reader = new InputStreamReader(is, "UTF-8");
+            in = new BufferedReader(reader);
+            final StringBuilder sb = new StringBuilder(2110);
+            String tmp;
+            while ((tmp = in.readLine()) != null) {
+                sb.append(tmp);
+            }
+            Statement statement = null;
+            try {
+                statement = conn.createStatement();
+                statement.execute(sb.toString());
+            } catch (SQLException ex) {
+                LOGGER.log(Level.FINE, null, ex);
+                throw new DatabaseException("Unable to create database statement", ex);
+            } finally {
+                DBUtils.closeStatement(statement);
+            }
+        } catch (IOException ex) {
+            throw new DatabaseException("Unable to create database schema", ex);
+        } finally {
+            if (in != null) {
+                try {
+                    in.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Uses the provided connection to check the specified schema version within the database.
+     *
+     * @param conn the database connection object
+     * @throws DatabaseException thrown if the schema version is not compatible with this version of dependency-check
+     */
+    private static void ensureSchemaVersion(Connection conn) throws DatabaseException {
+        ResultSet rs = null;
+        CallableStatement cs = null;
+        try {
+            cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
+            rs = cs.executeQuery();
+            if (rs.next()) {
+                final boolean isWrongSchema = !DB_SCHEMA_VERSION.equals(rs.getString(1));
+                if (isWrongSchema) {
+                    throw new DatabaseException("Incorrect database schema; unable to continue");
+                }
+            } else {
+                throw new DatabaseException("Database schema is missing");
+            }
+        } catch (SQLException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to check the database schema version");
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(cs);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -0,0 +1,51 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+/**
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
+ * of the db.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+class CorruptDatabaseException extends DatabaseException {
+
+    /**
+     * the serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates an CorruptDatabaseException
+     *
+     * @param msg the exception message
+     */
+    public CorruptDatabaseException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates an CorruptDatabaseException
+     *
+     * @param msg the exception message
+     * @param ex the cause of the exception
+     */
+    public CorruptDatabaseException(String msg, Exception ex) {
+        super(msg, ex);
+    }
+}