release 1.0.8

Former-commit-id: d84fcbf655179b64f75898bb5892c6bb5cf2f84a

.gitignore

@@ -1,4 +1,4 @@
-/target/
+*/target/**
 # Intellij project files
 *.iml
 *.ipr
@@ -6,4 +6,11 @@
 .idea/
 # Eclipse project files
 .classpath
-.project
+.project
+# Netbeans configuration
+nb-configuration.xml
+/target/
+#maven-shade-plugin generated pom
+dependency-reduced-pom.xml
+# vim files
+*.swp

NOTICE.txt

@@ -1,4 +1,5 @@
-DependencyCheck
+dependency-check
+
 Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
 
 The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
@@ -7,7 +8,7 @@ This product includes software developed by The Apache Software Foundation (http
 
 This product includes software developed by Jquery.com (http://jquery.com/).
 
-This product includs software developed by Jonathan Hedley (jsoup.org)
+This product includes software developed by Jonathan Hedley (jsoup.org)
 
 This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
 An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html

README.md

@@ -1,30 +1,98 @@
 Dependency-Check
-=========
+================
 
 Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 
-More information can be found on the [wiki].
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/). Additionally, more information about the architecture and ways to extend dependency-check can be found on the [wiki].
 
-Usage
--
+Current Releases
+-------------
+### Jenkins Plugin
 
-> $ mvn package
+For instructions on the use of the Jenkins plugin please see the [Jenkins dependency-check page](http://wiki.jenkins-ci.org/x/CwDgAQ).
 
-> $ cd target
+### Command Line
 
-> $ java -jar dependency-check-[version].jar -h
+More detailed instructions can be found on the [dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+The latest CLI can be downloaded from bintray's [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check). 
 
-> $ java -jar dependency-check-[version].jar -a Testing -out . -scan ./test-classes -scan ./lib
+On *nix
+```
+$ ./bin/dependency-check.sh -h
+$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+```
+On Windows
+```
+> bin/dependency-check.bat -h
+> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+```
 
-Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
+### Maven Plugin
+
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+The plugin can be configured using the following:
+
+```xml
+<project>
+    <build>
+        <plugins>
+            ...
+            <plugin>
+              <groupId>org.owasp</groupId>
+              <artifactId>dependency-check-maven</artifactId>
+              <version>1.0.2</version>
+              <executions>
+                  <execution>
+                      <goals>
+                          <goal>check</goal>
+                      </goals>
+                  </execution>
+              </executions>
+            </plugin>
+            ...
+        </plugins>
+        ...
+    </build>
+    ...
+</project>
+```
+
+### Ant Task
+
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+
+Development Usage
+-------------
+The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
+that the release versions listed above be used.
+
+Note, currently the install goal may take a long time to execute the integration tests. However, if this takes more then 30 minutes it is likely that the
+download of data from the NVD is having an issue. This issue is still being researched and a solution should be published soon.
+
+On *nix
+```
+$ mvn install
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+```
+On Windows
+```
+> mvn install
+> dependency-check-cli/target/release/bin/dependency-check.bat -h
+> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+```
+
+Then load the resulting 'DependencyCheck-Report.html' into your favourite browser.
 
 Mailing List
--
+------------
 
 Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
 
 Post: [dependency-check@googlegroups.com] [post]
 
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
+
 Copyright & License
 -
 

dependency-check-ant/LICENSE.txt

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE 
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.

dependency-check-ant/NOTICE.txt

@@ -0,0 +1,29 @@
+-----------------------------
+---begin dependency-check----
+-----------------------------
+dependency-check
+
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm
+
+-----------------------------
+---end dependency-check------
+-----------------------------
+
+Notices below are from dependent libraries and have been included via maven-shade-plugin.
+
+-----------------------------

dependency-check-ant/README.md

@@ -0,0 +1,25 @@
+Dependency-Check Ant Task
+=========
+
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+
+Copyright & License
+-------------------
+
+Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/NOTICES.txt) file for more information.

dependency-check-ant/config/checkstyle-checks.xml

@@ -15,7 +15,7 @@
   <property name="severity" value="error"/>
 
   <module name="SuppressionFilter">
-    <property name="file" value="src/main/config/checkstyle-suppressions.xml"/>
+    <property name="file" value="${checkstyle.suppressions.file}"/>
   </module>
 
   <module name="JavadocPackage">
@@ -40,7 +40,7 @@
   </module>
 
   <module name="RegexpHeader">
-    <property name="headerFile" value="src/main/config/checkstyle-header.txt"/>
+    <property name="headerFile" value="${checkstyle.header.file}"/>
     <property name="fileExtensions" value="java"/>
     <property name="id" value="header"/>
   </module>

dependency-check-ant/config/checkstyle-header.txt

@@ -0,0 +1,19 @@
+^/\*\s*$
+^ \* This file is part of dependency-check-ant\.\s*$
+^ \*\s*$
+^ \* Dependency-check-ant is free software\: you can redistribute it and/or modify it\s*$
+^ \* under the terms of the GNU General Public License as published by the Free\s*$
+^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
+^ \* later version\.
+^ \*\s*$
+^ \* Dependency-check-ant is distributed in the hope that it will be useful, but\s*$
+^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
+^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
+^ \* details\.\s*$
+^ \*\s*$
+^ \* You should have received a copy of the GNU General Public License along with\s*$
+^ \* dependency-check-ant\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \*\s*$
+^ \* Copyright \(c\) 2013 (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
+^ \*/\s*$
+^package

dependency-check-ant/config/checkstyle-suppressions.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+
+<!DOCTYPE suppressions PUBLIC
+     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
+     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
+
+<suppressions>
+    <suppress checks=".*" files=".*[\\/]package-info\.java" />
+</suppressions>

dependency-check-ant/pom.xml

@@ -0,0 +1,455 @@
+<!--
+This file is part of dependency-check-ant.
+
+Dependency-check-ant is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+Dependency-check is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with dependency-check-ant.  If not, see <http://www.gnu.org/licenses />.
+
+Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.0.8</version>
+    </parent>
+
+    <artifactId>dependency-check-ant</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Ant Task</name>
+    <description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-ant</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <resources>
+            <resource>
+                <directory>${basedir}/src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+        </resources>
+        <testResources>
+            <testResource>
+                <directory>${basedir}/src/test/resources</directory>
+                <includes>
+                    <include>**/*.xml</include>
+                </includes>
+                <filtering>true</filtering>
+            </testResource>
+        </testResources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <escapeWindowsPaths>false</escapeWindowsPaths>
+                </configuration>
+                <executions>
+                    <!-- the following executions are solely to setup the test environment -->
+                    <execution>
+                        <id>copy-test-data.zip</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>data.zip</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-1</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/lib</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>org.mortbay.*.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-2</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/jars</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>axis-1.4.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-3</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/webroot</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>struts.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-test-resources-4</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes/list</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>org.mortbay.jetty.jar</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>copy-data</id>
+                        <phase>validate</phase>
+                        <goals>
+                            <goal>copy-resources</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <resources>
+                                <resource>
+                                    <directory>${basedir}/../src/test/resources</directory>
+                                    <filtering>false</filtering>
+                                    <includes>
+                                        <include>db.cve.zip</include>
+                                        <include>index.cpe.zip</include>
+                                    </includes>
+                                </resource>
+                            </resources>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-shade-plugin</artifactId>
+                <version>2.1</version>
+                <configuration>
+                    <transformers>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                            <resource>META-INF/NOTICE.txt</resource>
+                        </transformer>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+                            <resource>META-INF/NOTICE</resource>
+                        </transformer>
+                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+                            <resource>META-INF/LICENSE</resource>
+                        </transformer>
+                    </transformers>
+                </configuration>
+                <executions>
+                    <execution>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>shade</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.5.2</version>
+                <configuration>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>net.sourceforge.cobertura.datafile</name>
+                            <value>${project.build.directory}/cobertura/cobertura.ser</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/dependency-check-data</value>
+                        </property>
+                    </systemProperties>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.5.2</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.0.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+            <type>test-jar</type>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant</artifactId>
+            <version>1.9.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.ant</groupId>
+            <artifactId>ant-testutil</artifactId>
+            <version>1.9.1</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

dependency-check-ant/src/main/assembly/release.xml

@@ -0,0 +1,30 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<assembly
+    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd
+  "
+>
+    <id>release</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <fileSets>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${project.build.directory}</directory>
+            <includes>
+                <include>dependency-check*.jar</include>
+            </includes>
+        </fileSet>
+    </fileSets>
+    <dependencySets>
+        <dependencySet>
+            <outputDirectory>/lib</outputDirectory>
+            <scope>runtime</scope>
+        </dependencySet>
+    </dependencySets>
+</assembly>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -0,0 +1,664 @@
+/*
+ * This file is part of dependency-check-ant.
+ *
+ * Dependency-check-ant is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-ant is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.taskdefs;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.tools.ant.BuildException;
+import org.apache.tools.ant.Task;
+import org.apache.tools.ant.types.EnumeratedAttribute;
+import org.apache.tools.ant.types.Reference;
+import org.apache.tools.ant.types.Resource;
+import org.apache.tools.ant.types.ResourceCollection;
+import org.apache.tools.ant.types.resources.FileProvider;
+import org.apache.tools.ant.types.resources.Resources;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.LogUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * An Ant task definition to execute dependency-check during an Ant build.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DependencyCheckTask extends Task {
+
+    /**
+     * The properties file location.
+     */
+    private static final String PROPERTIES_FILE = "task.properties";
+    /**
+     * Name of the logging properties file.
+     */
+    private static final String LOG_PROPERTIES_FILE = "log.properties";
+    /**
+     * System specific new line character.
+     */
+    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+
+    /**
+     * Construct a new DependencyCheckTask.
+     */
+    public DependencyCheckTask() {
+        super();
+    }
+    //The following code was copied Apache Ant PathConvert
+    //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
+    /**
+     * Path to be converted
+     */
+    private Resources path = null;
+    /**
+     * Reference to path/fileset to convert
+     */
+    private Reference refid = null;
+
+    /**
+     * Add an arbitrary ResourceCollection.
+     *
+     * @param rc the ResourceCollection to add.
+     * @since Ant 1.7
+     */
+    public void add(ResourceCollection rc) {
+        if (isReference()) {
+            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+        }
+        getPath().add(rc);
+    }
+
+    /**
+     * Returns the path. If the path has not been initialized yet, this class is
+     * synchronized, and will instantiate the path object.
+     *
+     * @return the path
+     */
+    private synchronized Resources getPath() {
+        if (path == null) {
+            path = new Resources(getProject());
+            path.setCache(true);
+        }
+        return path;
+    }
+
+    /**
+     * Learn whether the refid attribute of this element been set.
+     *
+     * @return true if refid is valid.
+     */
+    public boolean isReference() {
+        return refid != null;
+    }
+
+    /**
+     * Add a reference to a Path, FileSet, DirSet, or FileList defined
+     * elsewhere.
+     *
+     * @param r the reference to a path, fileset, dirset or filelist.
+     */
+    public void setRefid(Reference r) {
+        if (path != null) {
+            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+        }
+        refid = r;
+    }
+
+    /**
+     * If this is a reference, this method will add the referenced resource
+     * collection to the collection of paths.
+     *
+     * @throws BuildException if the reference is not to a resource collection
+     */
+    private void dealWithReferences() throws BuildException {
+        if (isReference()) {
+            final Object o = refid.getReferencedObject(getProject());
+            if (!(o instanceof ResourceCollection)) {
+                throw new BuildException("refid '" + refid.getRefId()
+                        + "' does not refer to a resource collection.");
+            }
+            getPath().add((ResourceCollection) o);
+        }
+    }
+    // END COPY from org.apache.tools.ant.taskdefs
+    /**
+     * The application name for the report.
+     */
+    private String applicationName = "Dependency-Check";
+
+    /**
+     * Get the value of applicationName.
+     *
+     * @return the value of applicationName
+     */
+    public String getApplicationName() {
+        return applicationName;
+    }
+
+    /**
+     * Set the value of applicationName.
+     *
+     * @param applicationName new value of applicationName
+     */
+    public void setApplicationName(String applicationName) {
+        this.applicationName = applicationName;
+    }
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return dataDirectory;
+    }
+
+    /**
+     * Set the value of dataDirectory.
+     *
+     * @param dataDirectory new value of dataDirectory
+     */
+    public void setDataDirectory(String dataDirectory) {
+        this.dataDirectory = dataDirectory;
+    }
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory = ".";
+
+    /**
+     * Get the value of reportOutputDirectory.
+     *
+     * @return the value of reportOutputDirectory
+     */
+    public String getReportOutputDirectory() {
+        return reportOutputDirectory;
+    }
+
+    /**
+     * Set the value of reportOutputDirectory.
+     *
+     * @param reportOutputDirectory new value of reportOutputDirectory
+     */
+    public void setReportOutputDirectory(String reportOutputDirectory) {
+        this.reportOutputDirectory = reportOutputDirectory;
+    }
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+
+    /**
+     * Get the value of failBuildOnCVSS.
+     *
+     * @return the value of failBuildOnCVSS
+     */
+    public float getFailBuildOnCVSS() {
+        return failBuildOnCVSS;
+    }
+
+    /**
+     * Set the value of failBuildOnCVSS.
+     *
+     * @param failBuildOnCVSS new value of failBuildOnCVSS
+     */
+    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
+        this.failBuildOnCVSS = failBuildOnCVSS;
+    }
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private boolean autoUpdate = true;
+
+    /**
+     * Get the value of autoUpdate.
+     *
+     * @return the value of autoUpdate
+     */
+    public boolean isAutoUpdate() {
+        return autoUpdate;
+    }
+
+    /**
+     * Set the value of autoUpdate.
+     *
+     * @param autoUpdate new value of autoUpdate
+     */
+    public void setAutoUpdate(boolean autoUpdate) {
+        this.autoUpdate = autoUpdate;
+    }
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This
+     * configuration option has no affect if using this within the Site plugin
+     * unless the externalReport is set to true. Default is HTML.
+     */
+    private String reportFormat = "HTML";
+
+    /**
+     * Get the value of reportFormat.
+     *
+     * @return the value of reportFormat
+     */
+    public String getReportFormat() {
+        return reportFormat;
+    }
+
+    /**
+     * Set the value of reportFormat.
+     *
+     * @param reportFormat new value of reportFormat
+     */
+    public void setReportFormat(ReportFormats reportFormat) {
+        this.reportFormat = reportFormat.getValue();
+    }
+    /**
+     * The Proxy URL.
+     */
+    private String proxyUrl;
+
+    /**
+     * Get the value of proxyUrl.
+     *
+     * @return the value of proxyUrl
+     */
+    public String getProxyUrl() {
+        return proxyUrl;
+    }
+
+    /**
+     * Set the value of proxyUrl.
+     *
+     * @param proxyUrl new value of proxyUrl
+     */
+    public void setProxyUrl(String proxyUrl) {
+        this.proxyUrl = proxyUrl;
+    }
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+
+    /**
+     * Get the value of proxyPort.
+     *
+     * @return the value of proxyPort
+     */
+    public String getProxyPort() {
+        return proxyPort;
+    }
+
+    /**
+     * Set the value of proxyPort.
+     *
+     * @param proxyPort new value of proxyPort
+     */
+    public void setProxyPort(String proxyPort) {
+        this.proxyPort = proxyPort;
+    }
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+
+    /**
+     * Get the value of proxyUsername.
+     *
+     * @return the value of proxyUsername
+     */
+    public String getProxyUsername() {
+        return proxyUsername;
+    }
+
+    /**
+     * Set the value of proxyUsername.
+     *
+     * @param proxyUsername new value of proxyUsername
+     */
+    public void setProxyUsername(String proxyUsername) {
+        this.proxyUsername = proxyUsername;
+    }
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+
+    /**
+     * Get the value of proxyPassword.
+     *
+     * @return the value of proxyPassword
+     */
+    public String getProxyPassword() {
+        return proxyPassword;
+    }
+
+    /**
+     * Set the value of proxyPassword.
+     *
+     * @param proxyPassword new value of proxyPassword
+     */
+    public void setProxyPassword(String proxyPassword) {
+        this.proxyPassword = proxyPassword;
+    }
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+
+    /**
+     * Get the value of connectionTimeout.
+     *
+     * @return the value of connectionTimeout
+     */
+    public String getConnectionTimeout() {
+        return connectionTimeout;
+    }
+
+    /**
+     * Set the value of connectionTimeout.
+     *
+     * @param connectionTimeout new value of connectionTimeout
+     */
+    public void setConnectionTimeout(String connectionTimeout) {
+        this.connectionTimeout = connectionTimeout;
+    }
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+
+    /**
+     * Get the value of logFile.
+     *
+     * @return the value of logFile
+     */
+    public String getLogFile() {
+        return logFile;
+    }
+
+    /**
+     * Set the value of logFile.
+     *
+     * @param logFile new value of logFile
+     */
+    public void setLogFile(String logFile) {
+        this.logFile = logFile;
+    }
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+
+    /**
+     * Get the value of suppressionFile.
+     *
+     * @return the value of suppressionFile
+     */
+    public String getSuppressionFile() {
+        return suppressionFile;
+    }
+
+    /**
+     * Set the value of suppressionFile.
+     *
+     * @param suppressionFile new value of suppressionFile
+     */
+    public void setSuppressionFile(String suppressionFile) {
+        this.suppressionFile = suppressionFile;
+    }
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+
+    /**
+     * Get the value of showSummary.
+     *
+     * @return the value of showSummary
+     */
+    public boolean isShowSummary() {
+        return showSummary;
+    }
+
+    /**
+     * Set the value of showSummary.
+     *
+     * @param showSummary new value of showSummary
+     */
+    public void setShowSummary(boolean showSummary) {
+        this.showSummary = showSummary;
+    }
+
+    @Override
+    public void execute() throws BuildException {
+        final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, logFile);
+
+        dealWithReferences();
+        validateConfiguration();
+        populateSettings();
+
+        final Engine engine = new Engine();
+        for (Resource resource : path) {
+            final FileProvider provider = resource.as(FileProvider.class);
+            if (provider != null) {
+                final File file = provider.getFile();
+                if (file != null && file.exists()) {
+                    engine.scan(file);
+                }
+            }
+        }
+        try {
+            engine.analyzeDependencies();
+            final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers());
+            reporter.generateReports(reportOutputDirectory, reportFormat);
+
+            if (this.failBuildOnCVSS <= 10) {
+                checkForFailure(engine.getDependencies());
+            }
+            if (this.showSummary) {
+                showSummary(engine.getDependencies());
+            }
+        } catch (IOException ex) {
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
+            throw new BuildException("Unable to generate dependency-check report", ex);
+        } catch (Exception ex) {
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
+            throw new BuildException("An exception occurred; unable to continue task", ex);
+        }
+    }
+
+    /**
+     * Validate the configuration to ensure the parameters have been properly
+     * configured/initialized.
+     *
+     * @throws BuildException if the task was not configured correctly.
+     */
+    private void validateConfiguration() throws BuildException {
+        if (path == null) {
+            throw new BuildException("No project dependencies have been defined to analyze.");
+        }
+        if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
+            throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
+        }
+    }
+
+    /**
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy url, port, and connection timeout.
+     */
+    private void populateSettings() {
+        InputStream taskProperties = null;
+        try {
+            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
+            Settings.mergeProperties(taskProperties);
+        } catch (IOException ex) {
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            if (taskProperties != null) {
+                try {
+                    taskProperties.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else {
+            final File jarPath = new File(DependencyCheckTask.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
+    }
+
+    /**
+     * Checks to see if a vulnerability has been identified with a CVSS score
+     * that is above the threshold set in the configuration.
+     *
+     * @param dependencies the list of dependency objects
+     * @throws BuildException thrown if a CVSS score is found that is higher
+     * then the threshold set
+     */
+    private void checkForFailure(List<Dependency> dependencies) throws BuildException {
+        final StringBuilder ids = new StringBuilder();
+        for (Dependency d : dependencies) {
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (v.getCvssScore() >= failBuildOnCVSS) {
+                    if (ids.length() == 0) {
+                        ids.append(v.getName());
+                    } else {
+                        ids.append(", ").append(v.getName());
+                    }
+                }
+            }
+        }
+        if (ids.length() > 0) {
+            final String msg = String.format("%n%nDependency-Check Failure:%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+            throw new BuildException(msg);
+        }
+    }
+
+    /**
+     * Generates a warning message listing a summary of dependencies and their
+     * associated CPE and CVE entries.
+     *
+     * @param dependencies a list of dependency objects
+     */
+    private void showSummary(List<Dependency> dependencies) {
+        final StringBuilder summary = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean firstEntry = true;
+            final StringBuilder ids = new StringBuilder();
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (firstEntry) {
+                    firstEntry = false;
+                } else {
+                    ids.append(", ");
+                }
+                ids.append(v.getName());
+            }
+            if (ids.length() > 0) {
+                summary.append(d.getFileName()).append(" (");
+                firstEntry = true;
+                for (Identifier id : d.getIdentifiers()) {
+                    if (firstEntry) {
+                        firstEntry = false;
+                    } else {
+                        summary.append(", ");
+                    }
+                    summary.append(id.getValue());
+                }
+                summary.append(") : ").append(ids).append(NEW_LINE);
+            }
+        }
+        if (summary.length() > 0) {
+            final String msg = String.format("%n%n"
+                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
+        }
+    }
+
+    /**
+     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
+     * etc..
+     */
+    public static class ReportFormats extends EnumeratedAttribute {
+
+        /**
+         * Returns the list of values for the report format.
+         *
+         * @return the list of values for the report format
+         */
+        @Override
+        public String[] getValues() {
+            int i = 0;
+            final Format[] formats = Format.values();
+            final String[] values = new String[formats.length];
+            for (Format format : formats) {
+                values[i++] = format.name();
+            }
+            return values;
+        }
+    }
+}

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/package-info.java

@@ -0,0 +1,11 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.taskdefs</title>
+ * </head>
+ * <body>
+ * This package includes the Ant task definitions.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.taskdefs;

dependency-check-ant/src/main/resources/log.properties

@@ -1,13 +1,12 @@
-handlers=java.util.logging.ConsoleHandler
-#, java.util.logging.FileHandler
+handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
 
 # logging levels
 # FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
 
 # Configure the ConsoleHandler.
-java.util.logging.ConsoleHandler.level=WARNING
+java.util.logging.ConsoleHandler.level=INFO
 
-org.owasp.dependencycheck.data.nvdcve.xml
+#org.owasp.dependencycheck.data.nvdcve.xml
 
 # Configure the FileHandler.
 #java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
@@ -21,4 +20,4 @@ org.owasp.dependencycheck.data.nvdcve.xml
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
-#java.util.logging.FileHandler.pattern=./logs/DependencyCheck%u.log
+#java.util.logging.FileHandler.pattern=./target/dependency-check.log

dependency-check-ant/src/main/resources/task.properties

@@ -0,0 +1,2 @@
+# the path to the data directory
+data.directory=dependency-check-data

dependency-check-ant/src/main/resources/taskdefs.properties

@@ -0,0 +1,3 @@
+# define custom tasks here
+
+dependencycheck=org.owasp.dependencycheck.taskdefs.DependencyCheckTask

dependency-check-ant/src/site/markdown/configuration.md

@@ -0,0 +1,39 @@
+Configuration
+====================
+To configure the dependency-check task you can add it to a target and include a
+file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
+such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
+or [FileList](http://ant.apache.org/manual/Types/filelist.html) that includes
+the project's dependencies.
+
+```xml
+<target name="dependency-check" description="Dependency-Check Analysis">
+    <dependency-check applicationname="Hello World"
+                      reportoutputdirectory="${basedir}"
+                      reportformat="ALL">
+
+        <fileset dir="lib">
+            <include name="**/*.jar"/>
+        </fileset>
+    </dependency-check>
+</target>
+```
+The following table lists the configurable properties:
+
+Property              | Description | Requirement
+----------------------|-------------|---------
+ApplicationName       | The name of the application to use in the generated report. | Required
+ReportFormat          | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional
+ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional
+FailBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional
+AutoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
+DataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
+LogFile               | The file path to write verbose logging information. | Optional
+SuppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional
+ProxyUrl              | Defines the proxy used to connect to the Internet. | Optional
+ProxyPort             | Defines the port for the proxy. | Optional
+ProxyUsername         | Defines the proxy user name. | Optional
+ProxyPassword         | Defines the proxy password. | Optional
+ConnectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional
+
+

dependency-check-ant/src/site/markdown/installation.md.vm

@@ -0,0 +1,13 @@
+Installation
+====================
+Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
+To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
+the lib directory of your Ant instalation directory. Once installed you can add
+the taskdef to you build.xml and add the task to a new or existing target.
+
+It is important to understand that the first time this task is executed it may
+take 20 minutes or more as it downloads and processes the data from the National
+Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
+
+After the first batch download, as long as the task is executed at least once every
+seven days the update will only take a few seconds.

dependency-check-ant/src/site/markdown/usage.md

@@ -0,0 +1,25 @@
+Usage
+====================
+First, add the dependency-check-ant taskdef to your build.xml:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
+```
+
+Next, add the task to a target of your choosing:
+
+```xml
+<target name="dependency-check" description="Dependency-Check Analysis">
+    <dependency-check applicationname="Hello World"
+                      autoupdate="true"
+                      reportoutputdirectory="${basedir}"
+                      reportformat="HTML">
+
+        <fileset dir="lib">
+            <include name="**/*.jar"/>
+        </fileset>
+    </dependency-check>
+</target>
+```
+
+See the [configuration guide](configuration.html) for more information.

dependency-check-ant/src/site/site.xml

@@ -0,0 +1,36 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-ant.
+
+Dependency-check-ant is free software: you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the Free
+Software Foundation, either version 3 of the License, or (at your option) any
+later version.
+
+Dependency-check-ant is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along with
+dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-ant">
+    <bannerLeft>
+        <name>dependency-check-ant</name>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu name="Getting Started">
+            <item name="Installation" href="installation.html"/>
+            <item name="Usage" href="usage.html"/>
+            <item name="Configuration" href="configuration.html"/>
+        </menu>
+        <menu ref="Project Documentation" />
+        <menu ref="reports" />
+    </body>
+</project>

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -0,0 +1,123 @@
+/*
+ * This file is part of dependency-check-ant.
+ *
+ * Dependency-check-ant is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-ant is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.taskdefs;
+
+import java.io.File;
+import static junit.framework.TestCase.assertTrue;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.apache.tools.ant.BuildFileTest;
+import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DependencyCheckTaskTest extends BuildFileTest {
+
+    public DependencyCheckTaskTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    @Override
+    public void setUp() throws Exception {
+        BaseDBTestCase.ensureDBExists();
+        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
+        configureProject(buildFile);
+    }
+
+    @After
+    @Override
+    public void tearDown() {
+        //no cleanup...
+        //executeTarget("cleanup");
+    }
+
+    /**
+     * Test of addFileSet method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testAddFileSet() throws Exception {
+        File report = new File("target/DependencyCheck-Report.html");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
+            }
+        }
+        executeTarget("test.fileset");
+
+        assertTrue("DependencyCheck report was not generated", report.exists());
+
+    }
+
+    /**
+     * Test of addFileList method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddFileList() throws Exception {
+        File report = new File("target/DependencyCheck-Report.xml");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
+            }
+        }
+        executeTarget("test.filelist");
+
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of addDirSet method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddDirSet() throws Exception {
+        File report = new File("target/DependencyCheck-Vulnerability.html");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
+            }
+        }
+        executeTarget("test.dirset");
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of getFailBuildOnCVSS method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testGetFailBuildOnCVSS() {
+        expectBuildException("failCVSS", "asdfasdfscore");
+        System.out.println(this.getOutput());
+    }
+}

dependency-check-ant/src/test/resources/build.xml

@@ -0,0 +1,71 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project name="Dependency-Check Test Build" default="test.fileset" basedir=".">
+
+    <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask" />
+
+    <target name="test.fileset">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="HTML">
+
+            <!-- Scan a single file -->
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
+
+            <!-- Scan for all jar/war/ear in the webroot dir and all sub directories -->
+            <fileset dir="${project.build.directory}/test-classes/webroot">
+                <include name="**/*.jar"/>
+                <include name="**/*.war"/>
+                <include name="**/*.ear"/>
+            </fileset>
+        </dependency-check>
+    </target>
+    <target name="test.filelist">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="XML">
+            <!-- Scan specific files -->
+            <filelist
+                dir="${project.build.directory}/test-classes/list"
+                files="jetty-6.1.0.jar,org.mortbay.jetty.jar"/>
+        </dependency-check>
+    </target>
+    <target name="test.dirset">
+        <dependency-check
+            applicationName="My Project"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="VULN">
+
+            <!-- Scan a specific directory -->
+            <dirset dir="${project.build.directory}/test-classes">
+                <include name="lib"/>
+            </dirset>
+
+        </dependency-check>
+    </target>
+
+    <target name="formatBAD">
+        <dependency-check
+            applicationName="test formatBAD"
+            reportOutputDirectory="${project.build.directory}"
+            autoupdate="false"
+            reportFormat="BAD">
+        </dependency-check>
+    </target>
+
+    <target name="failCVSS">
+        <dependency-check
+            applicationName="test formatBAD"
+            reportOutputDirectory="${project.build.directory}"
+            reportFormat="XML"
+            autoupdate="false"
+            failBuildOnCVSS="8">
+        </dependency-check>
+    </target>
+</project>

dependency-check-cli/LICENSE.txt

@@ -0,0 +1,674 @@
+                    GNU GENERAL PUBLIC LICENSE 
+                       Version 3, 29 June 2007
+
+ Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
+ Everyone is permitted to copy and distribute verbatim copies
+ of this license document, but changing it is not allowed.
+
+                            Preamble
+
+  The GNU General Public License is a free, copyleft license for
+software and other kinds of works.
+
+  The licenses for most software and other practical works are designed
+to take away your freedom to share and change the works.  By contrast,
+the GNU General Public License is intended to guarantee your freedom to
+share and change all versions of a program--to make sure it remains free
+software for all its users.  We, the Free Software Foundation, use the
+GNU General Public License for most of our software; it applies also to
+any other work released this way by its authors.  You can apply it to
+your programs, too.
+
+  When we speak of free software, we are referring to freedom, not
+price.  Our General Public Licenses are designed to make sure that you
+have the freedom to distribute copies of free software (and charge for
+them if you wish), that you receive source code or can get it if you
+want it, that you can change the software or use pieces of it in new
+free programs, and that you know you can do these things.
+
+  To protect your rights, we need to prevent others from denying you
+these rights or asking you to surrender the rights.  Therefore, you have
+certain responsibilities if you distribute copies of the software, or if
+you modify it: responsibilities to respect the freedom of others.
+
+  For example, if you distribute copies of such a program, whether
+gratis or for a fee, you must pass on to the recipients the same
+freedoms that you received.  You must make sure that they, too, receive
+or can get the source code.  And you must show them these terms so they
+know their rights.
+
+  Developers that use the GNU GPL protect your rights with two steps:
+(1) assert copyright on the software, and (2) offer you this License
+giving you legal permission to copy, distribute and/or modify it.
+
+  For the developers' and authors' protection, the GPL clearly explains
+that there is no warranty for this free software.  For both users' and
+authors' sake, the GPL requires that modified versions be marked as
+changed, so that their problems will not be attributed erroneously to
+authors of previous versions.
+
+  Some devices are designed to deny users access to install or run
+modified versions of the software inside them, although the manufacturer
+can do so.  This is fundamentally incompatible with the aim of
+protecting users' freedom to change the software.  The systematic
+pattern of such abuse occurs in the area of products for individuals to
+use, which is precisely where it is most unacceptable.  Therefore, we
+have designed this version of the GPL to prohibit the practice for those
+products.  If such problems arise substantially in other domains, we
+stand ready to extend this provision to those domains in future versions
+of the GPL, as needed to protect the freedom of users.
+
+  Finally, every program is threatened constantly by software patents.
+States should not allow patents to restrict development and use of
+software on general-purpose computers, but in those that do, we wish to
+avoid the special danger that patents applied to a free program could
+make it effectively proprietary.  To prevent this, the GPL assures that
+patents cannot be used to render the program non-free.
+
+  The precise terms and conditions for copying, distribution and
+modification follow.
+
+                       TERMS AND CONDITIONS
+
+  0. Definitions.
+
+  "This License" refers to version 3 of the GNU General Public License.
+
+  "Copyright" also means copyright-like laws that apply to other kinds of
+works, such as semiconductor masks.
+
+  "The Program" refers to any copyrightable work licensed under this
+License.  Each licensee is addressed as "you".  "Licensees" and
+"recipients" may be individuals or organizations.
+
+  To "modify" a work means to copy from or adapt all or part of the work
+in a fashion requiring copyright permission, other than the making of an
+exact copy.  The resulting work is called a "modified version" of the
+earlier work or a work "based on" the earlier work.
+
+  A "covered work" means either the unmodified Program or a work based
+on the Program.
+
+  To "propagate" a work means to do anything with it that, without
+permission, would make you directly or secondarily liable for
+infringement under applicable copyright law, except executing it on a
+computer or modifying a private copy.  Propagation includes copying,
+distribution (with or without modification), making available to the
+public, and in some countries other activities as well.
+
+  To "convey" a work means any kind of propagation that enables other
+parties to make or receive copies.  Mere interaction with a user through
+a computer network, with no transfer of a copy, is not conveying.
+
+  An interactive user interface displays "Appropriate Legal Notices"
+to the extent that it includes a convenient and prominently visible
+feature that (1) displays an appropriate copyright notice, and (2)
+tells the user that there is no warranty for the work (except to the
+extent that warranties are provided), that licensees may convey the
+work under this License, and how to view a copy of this License.  If
+the interface presents a list of user commands or options, such as a
+menu, a prominent item in the list meets this criterion.
+
+  1. Source Code.
+
+  The "source code" for a work means the preferred form of the work
+for making modifications to it.  "Object code" means any non-source
+form of a work.
+
+  A "Standard Interface" means an interface that either is an official
+standard defined by a recognized standards body, or, in the case of
+interfaces specified for a particular programming language, one that
+is widely used among developers working in that language.
+
+  The "System Libraries" of an executable work include anything, other
+than the work as a whole, that (a) is included in the normal form of
+packaging a Major Component, but which is not part of that Major
+Component, and (b) serves only to enable use of the work with that
+Major Component, or to implement a Standard Interface for which an
+implementation is available to the public in source code form.  A
+"Major Component", in this context, means a major essential component
+(kernel, window system, and so on) of the specific operating system
+(if any) on which the executable work runs, or a compiler used to
+produce the work, or an object code interpreter used to run it.
+
+  The "Corresponding Source" for a work in object code form means all
+the source code needed to generate, install, and (for an executable
+work) run the object code and to modify the work, including scripts to
+control those activities.  However, it does not include the work's
+System Libraries, or general-purpose tools or generally available free
+programs which are used unmodified in performing those activities but
+which are not part of the work.  For example, Corresponding Source
+includes interface definition files associated with source files for
+the work, and the source code for shared libraries and dynamically
+linked subprograms that the work is specifically designed to require,
+such as by intimate data communication or control flow between those
+subprograms and other parts of the work.
+
+  The Corresponding Source need not include anything that users
+can regenerate automatically from other parts of the Corresponding
+Source.
+
+  The Corresponding Source for a work in source code form is that
+same work.
+
+  2. Basic Permissions.
+
+  All rights granted under this License are granted for the term of
+copyright on the Program, and are irrevocable provided the stated
+conditions are met.  This License explicitly affirms your unlimited
+permission to run the unmodified Program.  The output from running a
+covered work is covered by this License only if the output, given its
+content, constitutes a covered work.  This License acknowledges your
+rights of fair use or other equivalent, as provided by copyright law.
+
+  You may make, run and propagate covered works that you do not
+convey, without conditions so long as your license otherwise remains
+in force.  You may convey covered works to others for the sole purpose
+of having them make modifications exclusively for you, or provide you
+with facilities for running those works, provided that you comply with
+the terms of this License in conveying all material for which you do
+not control copyright.  Those thus making or running the covered works
+for you must do so exclusively on your behalf, under your direction
+and control, on terms that prohibit them from making any copies of
+your copyrighted material outside their relationship with you.
+
+  Conveying under any other circumstances is permitted solely under
+the conditions stated below.  Sublicensing is not allowed; section 10
+makes it unnecessary.
+
+  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
+
+  No covered work shall be deemed part of an effective technological
+measure under any applicable law fulfilling obligations under article
+11 of the WIPO copyright treaty adopted on 20 December 1996, or
+similar laws prohibiting or restricting circumvention of such
+measures.
+
+  When you convey a covered work, you waive any legal power to forbid
+circumvention of technological measures to the extent such circumvention
+is effected by exercising rights under this License with respect to
+the covered work, and you disclaim any intention to limit operation or
+modification of the work as a means of enforcing, against the work's
+users, your or third parties' legal rights to forbid circumvention of
+technological measures.
+
+  4. Conveying Verbatim Copies.
+
+  You may convey verbatim copies of the Program's source code as you
+receive it, in any medium, provided that you conspicuously and
+appropriately publish on each copy an appropriate copyright notice;
+keep intact all notices stating that this License and any
+non-permissive terms added in accord with section 7 apply to the code;
+keep intact all notices of the absence of any warranty; and give all
+recipients a copy of this License along with the Program.
+
+  You may charge any price or no price for each copy that you convey,
+and you may offer support or warranty protection for a fee.
+
+  5. Conveying Modified Source Versions.
+
+  You may convey a work based on the Program, or the modifications to
+produce it from the Program, in the form of source code under the
+terms of section 4, provided that you also meet all of these conditions:
+
+    a) The work must carry prominent notices stating that you modified
+    it, and giving a relevant date.
+
+    b) The work must carry prominent notices stating that it is
+    released under this License and any conditions added under section
+    7.  This requirement modifies the requirement in section 4 to
+    "keep intact all notices".
+
+    c) You must license the entire work, as a whole, under this
+    License to anyone who comes into possession of a copy.  This
+    License will therefore apply, along with any applicable section 7
+    additional terms, to the whole of the work, and all its parts,
+    regardless of how they are packaged.  This License gives no
+    permission to license the work in any other way, but it does not
+    invalidate such permission if you have separately received it.
+
+    d) If the work has interactive user interfaces, each must display
+    Appropriate Legal Notices; however, if the Program has interactive
+    interfaces that do not display Appropriate Legal Notices, your
+    work need not make them do so.
+
+  A compilation of a covered work with other separate and independent
+works, which are not by their nature extensions of the covered work,
+and which are not combined with it such as to form a larger program,
+in or on a volume of a storage or distribution medium, is called an
+"aggregate" if the compilation and its resulting copyright are not
+used to limit the access or legal rights of the compilation's users
+beyond what the individual works permit.  Inclusion of a covered work
+in an aggregate does not cause this License to apply to the other
+parts of the aggregate.
+
+  6. Conveying Non-Source Forms.
+
+  You may convey a covered work in object code form under the terms
+of sections 4 and 5, provided that you also convey the
+machine-readable Corresponding Source under the terms of this License,
+in one of these ways:
+
+    a) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by the
+    Corresponding Source fixed on a durable physical medium
+    customarily used for software interchange.
+
+    b) Convey the object code in, or embodied in, a physical product
+    (including a physical distribution medium), accompanied by a
+    written offer, valid for at least three years and valid for as
+    long as you offer spare parts or customer support for that product
+    model, to give anyone who possesses the object code either (1) a
+    copy of the Corresponding Source for all the software in the
+    product that is covered by this License, on a durable physical
+    medium customarily used for software interchange, for a price no
+    more than your reasonable cost of physically performing this
+    conveying of source, or (2) access to copy the
+    Corresponding Source from a network server at no charge.
+
+    c) Convey individual copies of the object code with a copy of the
+    written offer to provide the Corresponding Source.  This
+    alternative is allowed only occasionally and noncommercially, and
+    only if you received the object code with such an offer, in accord
+    with subsection 6b.
+
+    d) Convey the object code by offering access from a designated
+    place (gratis or for a charge), and offer equivalent access to the
+    Corresponding Source in the same way through the same place at no
+    further charge.  You need not require recipients to copy the
+    Corresponding Source along with the object code.  If the place to
+    copy the object code is a network server, the Corresponding Source
+    may be on a different server (operated by you or a third party)
+    that supports equivalent copying facilities, provided you maintain
+    clear directions next to the object code saying where to find the
+    Corresponding Source.  Regardless of what server hosts the
+    Corresponding Source, you remain obligated to ensure that it is
+    available for as long as needed to satisfy these requirements.
+
+    e) Convey the object code using peer-to-peer transmission, provided
+    you inform other peers where the object code and Corresponding
+    Source of the work are being offered to the general public at no
+    charge under subsection 6d.
+
+  A separable portion of the object code, whose source code is excluded
+from the Corresponding Source as a System Library, need not be
+included in conveying the object code work.
+
+  A "User Product" is either (1) a "consumer product", which means any
+tangible personal property which is normally used for personal, family,
+or household purposes, or (2) anything designed or sold for incorporation
+into a dwelling.  In determining whether a product is a consumer product,
+doubtful cases shall be resolved in favor of coverage.  For a particular
+product received by a particular user, "normally used" refers to a
+typical or common use of that class of product, regardless of the status
+of the particular user or of the way in which the particular user
+actually uses, or expects or is expected to use, the product.  A product
+is a consumer product regardless of whether the product has substantial
+commercial, industrial or non-consumer uses, unless such uses represent
+the only significant mode of use of the product.
+
+  "Installation Information" for a User Product means any methods,
+procedures, authorization keys, or other information required to install
+and execute modified versions of a covered work in that User Product from
+a modified version of its Corresponding Source.  The information must
+suffice to ensure that the continued functioning of the modified object
+code is in no case prevented or interfered with solely because
+modification has been made.
+
+  If you convey an object code work under this section in, or with, or
+specifically for use in, a User Product, and the conveying occurs as
+part of a transaction in which the right of possession and use of the
+User Product is transferred to the recipient in perpetuity or for a
+fixed term (regardless of how the transaction is characterized), the
+Corresponding Source conveyed under this section must be accompanied
+by the Installation Information.  But this requirement does not apply
+if neither you nor any third party retains the ability to install
+modified object code on the User Product (for example, the work has
+been installed in ROM).
+
+  The requirement to provide Installation Information does not include a
+requirement to continue to provide support service, warranty, or updates
+for a work that has been modified or installed by the recipient, or for
+the User Product in which it has been modified or installed.  Access to a
+network may be denied when the modification itself materially and
+adversely affects the operation of the network or violates the rules and
+protocols for communication across the network.
+
+  Corresponding Source conveyed, and Installation Information provided,
+in accord with this section must be in a format that is publicly
+documented (and with an implementation available to the public in
+source code form), and must require no special password or key for
+unpacking, reading or copying.
+
+  7. Additional Terms.
+
+  "Additional permissions" are terms that supplement the terms of this
+License by making exceptions from one or more of its conditions.
+Additional permissions that are applicable to the entire Program shall
+be treated as though they were included in this License, to the extent
+that they are valid under applicable law.  If additional permissions
+apply only to part of the Program, that part may be used separately
+under those permissions, but the entire Program remains governed by
+this License without regard to the additional permissions.
+
+  When you convey a copy of a covered work, you may at your option
+remove any additional permissions from that copy, or from any part of
+it.  (Additional permissions may be written to require their own
+removal in certain cases when you modify the work.)  You may place
+additional permissions on material, added by you to a covered work,
+for which you have or can give appropriate copyright permission.
+
+  Notwithstanding any other provision of this License, for material you
+add to a covered work, you may (if authorized by the copyright holders of
+that material) supplement the terms of this License with terms:
+
+    a) Disclaiming warranty or limiting liability differently from the
+    terms of sections 15 and 16 of this License; or
+
+    b) Requiring preservation of specified reasonable legal notices or
+    author attributions in that material or in the Appropriate Legal
+    Notices displayed by works containing it; or
+
+    c) Prohibiting misrepresentation of the origin of that material, or
+    requiring that modified versions of such material be marked in
+    reasonable ways as different from the original version; or
+
+    d) Limiting the use for publicity purposes of names of licensors or
+    authors of the material; or
+
+    e) Declining to grant rights under trademark law for use of some
+    trade names, trademarks, or service marks; or
+
+    f) Requiring indemnification of licensors and authors of that
+    material by anyone who conveys the material (or modified versions of
+    it) with contractual assumptions of liability to the recipient, for
+    any liability that these contractual assumptions directly impose on
+    those licensors and authors.
+
+  All other non-permissive additional terms are considered "further
+restrictions" within the meaning of section 10.  If the Program as you
+received it, or any part of it, contains a notice stating that it is
+governed by this License along with a term that is a further
+restriction, you may remove that term.  If a license document contains
+a further restriction but permits relicensing or conveying under this
+License, you may add to a covered work material governed by the terms
+of that license document, provided that the further restriction does
+not survive such relicensing or conveying.
+
+  If you add terms to a covered work in accord with this section, you
+must place, in the relevant source files, a statement of the
+additional terms that apply to those files, or a notice indicating
+where to find the applicable terms.
+
+  Additional terms, permissive or non-permissive, may be stated in the
+form of a separately written license, or stated as exceptions;
+the above requirements apply either way.
+
+  8. Termination.
+
+  You may not propagate or modify a covered work except as expressly
+provided under this License.  Any attempt otherwise to propagate or
+modify it is void, and will automatically terminate your rights under
+this License (including any patent licenses granted under the third
+paragraph of section 11).
+
+  However, if you cease all violation of this License, then your
+license from a particular copyright holder is reinstated (a)
+provisionally, unless and until the copyright holder explicitly and
+finally terminates your license, and (b) permanently, if the copyright
+holder fails to notify you of the violation by some reasonable means
+prior to 60 days after the cessation.
+
+  Moreover, your license from a particular copyright holder is
+reinstated permanently if the copyright holder notifies you of the
+violation by some reasonable means, this is the first time you have
+received notice of violation of this License (for any work) from that
+copyright holder, and you cure the violation prior to 30 days after
+your receipt of the notice.
+
+  Termination of your rights under this section does not terminate the
+licenses of parties who have received copies or rights from you under
+this License.  If your rights have been terminated and not permanently
+reinstated, you do not qualify to receive new licenses for the same
+material under section 10.
+
+  9. Acceptance Not Required for Having Copies.
+
+  You are not required to accept this License in order to receive or
+run a copy of the Program.  Ancillary propagation of a covered work
+occurring solely as a consequence of using peer-to-peer transmission
+to receive a copy likewise does not require acceptance.  However,
+nothing other than this License grants you permission to propagate or
+modify any covered work.  These actions infringe copyright if you do
+not accept this License.  Therefore, by modifying or propagating a
+covered work, you indicate your acceptance of this License to do so.
+
+  10. Automatic Licensing of Downstream Recipients.
+
+  Each time you convey a covered work, the recipient automatically
+receives a license from the original licensors, to run, modify and
+propagate that work, subject to this License.  You are not responsible
+for enforcing compliance by third parties with this License.
+
+  An "entity transaction" is a transaction transferring control of an
+organization, or substantially all assets of one, or subdividing an
+organization, or merging organizations.  If propagation of a covered
+work results from an entity transaction, each party to that
+transaction who receives a copy of the work also receives whatever
+licenses to the work the party's predecessor in interest had or could
+give under the previous paragraph, plus a right to possession of the
+Corresponding Source of the work from the predecessor in interest, if
+the predecessor has it or can get it with reasonable efforts.
+
+  You may not impose any further restrictions on the exercise of the
+rights granted or affirmed under this License.  For example, you may
+not impose a license fee, royalty, or other charge for exercise of
+rights granted under this License, and you may not initiate litigation
+(including a cross-claim or counterclaim in a lawsuit) alleging that
+any patent claim is infringed by making, using, selling, offering for
+sale, or importing the Program or any portion of it.
+
+  11. Patents.
+
+  A "contributor" is a copyright holder who authorizes use under this
+License of the Program or a work on which the Program is based.  The
+work thus licensed is called the contributor's "contributor version".
+
+  A contributor's "essential patent claims" are all patent claims
+owned or controlled by the contributor, whether already acquired or
+hereafter acquired, that would be infringed by some manner, permitted
+by this License, of making, using, or selling its contributor version,
+but do not include claims that would be infringed only as a
+consequence of further modification of the contributor version.  For
+purposes of this definition, "control" includes the right to grant
+patent sublicenses in a manner consistent with the requirements of
+this License.
+
+  Each contributor grants you a non-exclusive, worldwide, royalty-free
+patent license under the contributor's essential patent claims, to
+make, use, sell, offer for sale, import and otherwise run, modify and
+propagate the contents of its contributor version.
+
+  In the following three paragraphs, a "patent license" is any express
+agreement or commitment, however denominated, not to enforce a patent
+(such as an express permission to practice a patent or covenant not to
+sue for patent infringement).  To "grant" such a patent license to a
+party means to make such an agreement or commitment not to enforce a
+patent against the party.
+
+  If you convey a covered work, knowingly relying on a patent license,
+and the Corresponding Source of the work is not available for anyone
+to copy, free of charge and under the terms of this License, through a
+publicly available network server or other readily accessible means,
+then you must either (1) cause the Corresponding Source to be so
+available, or (2) arrange to deprive yourself of the benefit of the
+patent license for this particular work, or (3) arrange, in a manner
+consistent with the requirements of this License, to extend the patent
+license to downstream recipients.  "Knowingly relying" means you have
+actual knowledge that, but for the patent license, your conveying the
+covered work in a country, or your recipient's use of the covered work
+in a country, would infringe one or more identifiable patents in that
+country that you have reason to believe are valid.
+
+  If, pursuant to or in connection with a single transaction or
+arrangement, you convey, or propagate by procuring conveyance of, a
+covered work, and grant a patent license to some of the parties
+receiving the covered work authorizing them to use, propagate, modify
+or convey a specific copy of the covered work, then the patent license
+you grant is automatically extended to all recipients of the covered
+work and works based on it.
+
+  A patent license is "discriminatory" if it does not include within
+the scope of its coverage, prohibits the exercise of, or is
+conditioned on the non-exercise of one or more of the rights that are
+specifically granted under this License.  You may not convey a covered
+work if you are a party to an arrangement with a third party that is
+in the business of distributing software, under which you make payment
+to the third party based on the extent of your activity of conveying
+the work, and under which the third party grants, to any of the
+parties who would receive the covered work from you, a discriminatory
+patent license (a) in connection with copies of the covered work
+conveyed by you (or copies made from those copies), or (b) primarily
+for and in connection with specific products or compilations that
+contain the covered work, unless you entered into that arrangement,
+or that patent license was granted, prior to 28 March 2007.
+
+  Nothing in this License shall be construed as excluding or limiting
+any implied license or other defenses to infringement that may
+otherwise be available to you under applicable patent law.
+
+  12. No Surrender of Others' Freedom.
+
+  If conditions are imposed on you (whether by court order, agreement or
+otherwise) that contradict the conditions of this License, they do not
+excuse you from the conditions of this License.  If you cannot convey a
+covered work so as to satisfy simultaneously your obligations under this
+License and any other pertinent obligations, then as a consequence you may
+not convey it at all.  For example, if you agree to terms that obligate you
+to collect a royalty for further conveying from those to whom you convey
+the Program, the only way you could satisfy both those terms and this
+License would be to refrain entirely from conveying the Program.
+
+  13. Use with the GNU Affero General Public License.
+
+  Notwithstanding any other provision of this License, you have
+permission to link or combine any covered work with a work licensed
+under version 3 of the GNU Affero General Public License into a single
+combined work, and to convey the resulting work.  The terms of this
+License will continue to apply to the part which is the covered work,
+but the special requirements of the GNU Affero General Public License,
+section 13, concerning interaction through a network will apply to the
+combination as such.
+
+  14. Revised Versions of this License.
+
+  The Free Software Foundation may publish revised and/or new versions of
+the GNU General Public License from time to time.  Such new versions will
+be similar in spirit to the present version, but may differ in detail to
+address new problems or concerns.
+
+  Each version is given a distinguishing version number.  If the
+Program specifies that a certain numbered version of the GNU General
+Public License "or any later version" applies to it, you have the
+option of following the terms and conditions either of that numbered
+version or of any later version published by the Free Software
+Foundation.  If the Program does not specify a version number of the
+GNU General Public License, you may choose any version ever published
+by the Free Software Foundation.
+
+  If the Program specifies that a proxy can decide which future
+versions of the GNU General Public License can be used, that proxy's
+public statement of acceptance of a version permanently authorizes you
+to choose that version for the Program.
+
+  Later license versions may give you additional or different
+permissions.  However, no additional obligations are imposed on any
+author or copyright holder as a result of your choosing to follow a
+later version.
+
+  15. Disclaimer of Warranty.
+
+  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
+APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
+HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
+OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
+IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
+ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
+
+  16. Limitation of Liability.
+
+  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
+WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
+THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
+GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
+USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
+DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
+PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
+EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
+SUCH DAMAGES.
+
+  17. Interpretation of Sections 15 and 16.
+
+  If the disclaimer of warranty and limitation of liability provided
+above cannot be given local legal effect according to their terms,
+reviewing courts shall apply local law that most closely approximates
+an absolute waiver of all civil liability in connection with the
+Program, unless a warranty or assumption of liability accompanies a
+copy of the Program in return for a fee.
+
+                     END OF TERMS AND CONDITIONS
+
+            How to Apply These Terms to Your New Programs
+
+  If you develop a new program, and you want it to be of the greatest
+possible use to the public, the best way to achieve this is to make it
+free software which everyone can redistribute and change under these terms.
+
+  To do so, attach the following notices to the program.  It is safest
+to attach them to the start of each source file to most effectively
+state the exclusion of warranty; and each file should have at least
+the "copyright" line and a pointer to where the full notice is found.
+
+    <one line to give the program's name and a brief idea of what it does.>
+    Copyright (C) <year>  <name of author>
+
+    This program is free software: you can redistribute it and/or modify
+    it under the terms of the GNU General Public License as published by
+    the Free Software Foundation, either version 3 of the License, or
+    (at your option) any later version.
+
+    This program is distributed in the hope that it will be useful,
+    but WITHOUT ANY WARRANTY; without even the implied warranty of
+    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+    GNU General Public License for more details.
+
+    You should have received a copy of the GNU General Public License
+    along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+Also add information on how to contact you by electronic and paper mail.
+
+  If the program does terminal interaction, make it output a short
+notice like this when it starts in an interactive mode:
+
+    <program>  Copyright (C) <year>  <name of author>
+    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
+    This is free software, and you are welcome to redistribute it
+    under certain conditions; type `show c' for details.
+
+The hypothetical commands `show w' and `show c' should show the appropriate
+parts of the General Public License.  Of course, your program's commands
+might be different; for a GUI interface, you would use an "about box".
+
+  You should also get your employer (if you work as a programmer) or school,
+if any, to sign a "copyright disclaimer" for the program, if necessary.
+For more information on this, and how to apply and follow the GNU GPL, see
+<http://www.gnu.org/licenses/>.
+
+  The GNU General Public License does not permit incorporating your program
+into proprietary programs.  If your program is a subroutine library, you
+may consider it more useful to permit linking proprietary applications with
+the library.  If this is what you want to do, use the GNU Lesser General
+Public License instead of this License.  But first, please read
+<http://www.gnu.org/philosophy/why-not-lgpl.html>.

dependency-check-cli/NOTICE.txt

@@ -0,0 +1,18 @@
+dependency-check-cli
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the licenses.
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm

dependency-check-cli/README.md

@@ -0,0 +1,24 @@
+Dependency-Check Command Line
+================
+Dependency-Check Command Line can be used to check project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+
+Copyright & License
+------------
+
+Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/NOTICES.txt) file for more information.

dependency-check-cli/config/checkstyle-checks.xml

@@ -0,0 +1,223 @@
+<?xml version="1.0"?>
+<!DOCTYPE module PUBLIC
+          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+
+<module name="Checker">
+  <!--
+      If you set the basedir property below, then all reported file
+      names will be relative to the specified directory. See
+      http://checkstyle.sourceforge.net/5.x/config.html#Checker
+
+      <property name="basedir" value="${basedir}"/>
+  -->
+
+  <property name="severity" value="error"/>
+
+  <module name="SuppressionFilter">
+    <property name="file" value="${checkstyle.suppressions.file}"/>
+  </module>
+
+  <module name="JavadocPackage">
+    <property name="allowLegacy" value="false"/>
+  </module>
+
+  <module name="Translation">
+    <property name="severity" value="warning"/>
+  </module>
+
+  <module name="FileTabCharacter">
+    <property name="eachLine" value="false"/>
+  </module>
+
+  <module name="FileLength">
+    <property name="fileExtensions" value="java"/>
+  </module>
+
+  <module name="NewlineAtEndOfFile">
+  <property name="fileExtensions" value="java"/>
+  <property name="lineSeparator" value="lf"/>
+  </module>
+
+  <module name="RegexpHeader">
+    <property name="headerFile" value="${checkstyle.header.file}"/>
+    <property name="fileExtensions" value="java"/>
+    <property name="id" value="header"/>
+  </module>
+
+  <module name="RegexpSingleline">
+    <property name="format" value="\s+$"/>
+    <property name="minimum" value="0"/>
+    <property name="maximum" value="0"/>
+  </module>
+
+  <module name="TreeWalker">
+    <property name="tabWidth" value="4"/>
+
+    <module name="AvoidStarImport"/>
+    <module name="ConstantName"/>
+    <module name="EmptyBlock"/>
+    <module name="EmptyForIteratorPad"/>
+    <module name="EqualsHashCode"/>
+    <module name="OneStatementPerLine"/>
+
+    <!-- module name="IllegalCatch"/ -->
+    <!--module name="ImportControl">
+      <property name="file" value="${checkstyle.importcontrol.file}"/>
+    </module-->
+    <module name="IllegalImport"/>
+    <module name="IllegalInstantiation"/>
+    <module name="IllegalThrows"/>
+    <module name="InnerAssignment"/>
+    <module name="JavadocType">
+      <property name="authorFormat" value="\S"/>
+    </module>
+    <module name="JavadocMethod">
+      <property name="allowUndeclaredRTE" value="true"/>
+      <property name="allowThrowsTagsForSubclasses" value="true"/>
+      <property name="allowMissingPropertyJavadoc" value="true"/>
+    </module>
+    <module name="JavadocVariable"/>
+    <module name="JavadocStyle">
+      <property name="scope" value="public"/>
+    </module>
+
+    <module name="LeftCurly">
+      <property name="option" value="eol"/>
+      <property name="tokens" value="CLASS_DEF"/>
+      <property name="tokens" value="CTOR_DEF"/>
+      <property name="tokens" value="INTERFACE_DEF"/>
+      <property name="tokens" value="METHOD_DEF"/>
+      <property name="tokens" value="LITERAL_CATCH"/>
+      <property name="tokens" value="LITERAL_DO"/>
+      <property name="tokens" value="LITERAL_ELSE"/>
+      <property name="tokens" value="LITERAL_FINALLY"/>
+      <property name="tokens" value="LITERAL_FOR"/>
+      <property name="tokens" value="LITERAL_IF"/>
+      <property name="tokens" value="LITERAL_SWITCH"/>
+      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
+      <property name="tokens" value="LITERAL_TRY"/>
+      <property name="tokens" value="LITERAL_WHILE"/>
+    </module>
+
+    <module name="OuterTypeNumber"/>
+    <module name="LineLength">
+      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
+    <property name="max" value="150"/>
+    </module>
+
+    <module name="MethodCount">
+      <property name="maxTotal" value="40"/>
+    </module>
+
+    <module name="LocalFinalVariableName"/>
+    <module name="LocalVariableName"/>
+    <module name="MemberName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="MethodLength">
+        <property name="max" value="160"/>
+        <property name="countEmpty" value="false"/>
+    </module>
+    <module name="MethodName"/>
+    <module name="MethodParamPad"/>
+    <module name="ModifierOrder"/>
+    <module name="NeedBraces"/>
+    <module name="NoWhitespaceAfter">
+      <property name="tokens" value="ARRAY_INIT"/>
+      <property name="tokens" value="BNOT"/>
+      <property name="tokens" value="DEC"/>
+      <property name="tokens" value="DOT"/>
+      <property name="tokens" value="INC"/>
+      <property name="tokens" value="LNOT"/>
+      <property name="tokens" value="UNARY_MINUS"/>
+      <property name="tokens" value="UNARY_PLUS"/>
+    </module>
+
+    <module name="NoWhitespaceBefore"/>
+    <module name="NoWhitespaceBefore">
+      <property name="tokens" value="DOT"/>
+      <property name="allowLineBreaks" value="true"/>
+    </module>
+
+    <module name="OperatorWrap"/>
+    <module name="OperatorWrap">
+      <property name="tokens" value="ASSIGN"/>
+      <property name="tokens" value="DIV_ASSIGN"/>
+      <property name="tokens" value="PLUS_ASSIGN"/>
+      <property name="tokens" value="MINUS_ASSIGN"/>
+      <property name="tokens" value="STAR_ASSIGN"/>
+      <property name="tokens" value="MOD_ASSIGN"/>
+      <property name="tokens" value="SR_ASSIGN"/>
+      <property name="tokens" value="BSR_ASSIGN"/>
+      <property name="tokens" value="SL_ASSIGN"/>
+      <property name="tokens" value="BXOR_ASSIGN"/>
+      <property name="tokens" value="BOR_ASSIGN"/>
+      <property name="tokens" value="BAND_ASSIGN"/>
+      <property name="option" value="eol"/>
+    </module>
+    <module name="PackageName"/>
+    <module name="ParameterName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="ParameterNumber">
+      <property name="id" value="paramNum"/>
+    </module>
+    <module name="ParenPad"/>
+    <module name="TypecastParenPad"/>
+    <module name="RedundantImport"/>
+    <module name="RedundantModifier"/>
+    <module name="RightCurly">
+      <property name="option" value="same"/>
+    </module>
+    <module name="SimplifyBooleanExpression"/>
+    <module name="SimplifyBooleanReturn"/>
+    <module name="StaticVariableName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="TypeName"/>
+    <module name="UnusedImports"/>
+    <module name="UpperEll"/>
+    <module name="VisibilityModifier"/>
+    <module name="WhitespaceAfter"/>
+    <module name="WhitespaceAround"/>
+    <module name="GenericWhitespace"/>
+    <module name="FinalClass"/>
+    <module name="MissingSwitchDefault"/>
+    <!--module name="MagicNumber"/-->
+    <!--module name="Indentation">
+      <property name="basicOffset" value="4"/>
+      <property name="braceAdjustment" value="0"/>
+      <property name="caseIndent" value="0"/>
+    </module-->
+    <module name="ArrayTrailingComma"/>
+    <module name="FinalLocalVariable"/>
+    <module name="EqualsAvoidNull"/>
+    <module name="ParameterAssignment"/>
+
+    <!-- Generates quite a few errors -->
+    <module name="CyclomaticComplexity">
+      <property name="severity" value="ignore"/>
+    </module>
+
+    <module name="NestedForDepth">
+      <property name="max" value="2"/>
+    </module>
+    <module name="NestedIfDepth">
+      <property name="max" value="4"/>
+    </module>
+    <module name="NestedTryDepth">
+        <property name="max" value="2"/>
+    </module>
+    <!--module name="ExplicitInitialization"/-->
+    <module name="AnnotationUseStyle"/>
+    <module name="MissingDeprecated"/>
+    <module name="MissingOverride">
+      <property name="javaFiveCompatibility" value="true"/>
+    </module>
+    <module name="PackageAnnotation"/>
+    <module name="SuppressWarnings"/>
+    <module name="OuterTypeFilename"/>
+    <module name="HideUtilityClassConstructor"/>
+  </module>
+</module>

dependency-check-cli/config/checkstyle-header.txt

@@ -1,18 +1,18 @@
 ^/\*\s*$
-^ \* This file is part of Dependency-Check\.\s*$
+^ \* This file is part of dependency-check-cli\.\s*$
 ^ \*\s*$
-^ \* Dependency-Check is free software\: you can redistribute it and/or modify it\s*$
+^ \* Dependency-check-cli is free software\: you can redistribute it and/or modify it\s*$
 ^ \* under the terms of the GNU General Public License as published by the Free\s*$
 ^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
 ^ \* later version\.
 ^ \*\s*$
-^ \* Dependency-Check is distributed in the hope that it will be useful, but\s*$
+^ \* Dependency-check-cli is distributed in the hope that it will be useful, but\s*$
 ^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
 ^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
 ^ \* details\.\s*$
 ^ \*\s*$
 ^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* Dependency-Check\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* dependency-check-cli\. If not, see http://www.gnu.org/licenses/\.\s*$
 ^ \*\s*$
 ^ \* Copyright \(c\) 201[23] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$

dependency-check-cli/config/checkstyle-suppressions.xml

@@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+
+<!DOCTYPE suppressions PUBLIC
+     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
+     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
+
+<suppressions>
+    <suppress checks=".*" files=".*[\\/]package-info\.java" />
+</suppressions>

dependency-check-cli/pom.xml

@@ -0,0 +1,342 @@
+<!--
+This file is part of Dependency-Check.
+
+Dependency-Check is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+Dependency-Check is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
+
+Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.0.8</version>
+    </parent>
+
+    <artifactId>dependency-check-cli</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Command Line</name>
+    <description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-cli</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <finalName>dependency-check-${project.version}</finalName>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+        </resources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <mainClass>org.owasp.dependencycheck.App</mainClass>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.5.2</version>
+                <configuration>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.App</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>net.sourceforge.cobertura.datafile</name>
+                            <value>${project.build.directory}/cobertura/cobertura.ser</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                        <property>
+                            <name>cpe</name>
+                            <value>data/cpe</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                        <property>
+                            <name>cve</name>
+                            <value>data/cpe</value>
+                            <workingDirectory>target</workingDirectory>
+                        </property>
+                    </systemProperties>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.5.2</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.0.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>appassembler-maven-plugin</artifactId>
+                <version>1.7</version>
+                <configuration>
+                    <programs>
+                        <program>
+                            <mainClass>org.owasp.dependencycheck.App</mainClass>
+                            <name>dependency-check</name>
+                        </program>
+                    </programs>
+                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
+                    <licenseHeaderFile>${basedir}/src/main/assembly/license.txt</licenseHeaderFile>
+                    <binFileExtensions>
+                        <unix>.sh</unix>
+                    </binFileExtensions>
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>assemble</id>
+                        <goals>
+                            <goal>assemble</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-assembly-plugin</artifactId>
+                <configuration>
+                    <attach>false</attach> <!-- don't install/deploy this archive -->
+                </configuration>
+                <executions>
+                    <execution>
+                        <id>create-distribution</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>single</goal>
+                        </goals>
+                        <configuration>
+                            <descriptors>
+                                <descriptor>src/main/assembly/release.xml</descriptor>
+                            </descriptors>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
+    </dependencies>
+</project>

dependency-check-cli/src/main/assembly/license.txt

@@ -0,0 +1,15 @@
+
+Copyright (c) 2012-2013 Jeremy Long.  All rights reserved.
+
+Licensed under the GPL License, Version 3; you may not use this work
+except in compliance with the License. You may obtain a copy of the
+License in the LICENSE.txt file, or at:
+
+http://www.gnu.org/licenses/gpl-3.0.txt
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+----------------------------------------------------------------------------

dependency-check-cli/src/main/assembly/release.xml

@@ -0,0 +1,60 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<assembly
+    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="
+    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd
+  "
+>
+    <id>release</id>
+    <formats>
+        <format>zip</format>
+    </formats>
+    <includeBaseDirectory>false</includeBaseDirectory>
+    <fileSets>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${project.build.directory}/release</directory>
+        </fileSet>
+        <fileSet>
+            <includes>
+                <include>LICENSE*</include>
+                <include>NOTICE*</include>
+            </includes>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>licenses</outputDirectory>
+            <directory>${basedir}/src/main/resources/META-INF/licenses</directory>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>licenses</outputDirectory>
+            <directory>${basedir}/../dependency-check-core/src/main/resources/META-INF/licenses</directory>
+        </fileSet>
+        <fileSet>
+            <outputDirectory>/</outputDirectory>
+            <directory>${basedir}</directory>
+            <includes>
+                <include>README.md</include>
+                <include>LICENSE.txt</include>
+            </includes>
+        </fileSet>
+    </fileSets>
+    <!--
+            <fileSets>
+            <fileSet>
+                <outputDirectory>/</outputDirectory>
+                <directory>${project.build.directory}</directory>
+                <includes>
+                    <include>dependency-check*.jar</include>
+                </includes>
+            </fileSet>
+        </fileSets>
+        <dependencySets>
+            <dependencySet>
+                <outputDirectory>/lib</outputDirectory>
+                <scope>runtime</scope>
+            </dependencySet>
+        </dependencySets>
+    -->
+</assembly>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -1,34 +1,35 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-cli.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-cli is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-cli is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-cli. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck;
 
+import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.List;
 import java.util.logging.Level;
-import java.util.logging.LogManager;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.utils.CliParser;
+import org.owasp.dependencycheck.cli.CliParser;
+import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /*
@@ -51,14 +52,14 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The command line interface for the DependencyCheck application.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class App {
 
     /**
      * The location of the log properties configuration file.
      */
-    private static final String LOG_PROPERTIES_FILE = "configuration/log.properties";
+    private static final String LOG_PROPERTIES_FILE = "log.properties";
 
     /**
      * The main method for the application.
@@ -66,35 +67,10 @@ public class App {
      * @param args the command line arguments
      */
     public static void main(String[] args) {
-        prepareLogger();
         final App app = new App();
         app.run(args);
     }
 
-    /**
-     * Configures the logger for use by the application.
-     */
-    private static void prepareLogger() {
-        InputStream in = null;
-        try {
-            in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
-            LogManager.getLogManager().reset();
-            LogManager.getLogManager().readConfiguration(in);
-        } catch (IOException ex) {
-            System.err.println(ex.toString());
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
-        } catch (SecurityException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
-        } finally {
-            try {
-                in.close();
-            } catch (Exception ex) {
-                //ignore
-                in = null;
-            }
-        }
-    }
-
     /**
      * Main CLI entry-point into the application.
      *
@@ -108,19 +84,22 @@ public class App {
         } catch (FileNotFoundException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            Logger.getLogger(App.class.getName()).log(Level.WARNING, null, ex);
             return;
         } catch (ParseException ex) {
             System.err.println(ex.getMessage());
             cli.printHelp();
-            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
             return;
         }
 
+        final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, cli.getVerboseLog());
+
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            updateSettings(cli.isAutoUpdate(), cli.isDeepScan(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort());
+            updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(),
+                    cli.getProxyPort(), cli.getProxyUsername(), cli.getProxyPassword(),
+                    cli.getDataDirectory(), cli.getPropertiesFile(), cli.getSuppressionFile());
             runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
@@ -151,31 +130,76 @@ public class App {
         try {
             report.generateReports(reportDirectory, outputFormat);
         } catch (IOException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
         } catch (Exception ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
+            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
         }
     }
 
     /**
      * Updates the global Settings.
+     *
      * @param autoUpdate whether or not to update cached web data sources
-     * @param deepScan whether or not to perform a deep scan (increases false positives, but may reduce false negatives)
-     * @param connectionTimeout the timeout to use when downloading resources (null or blank will use default)
+     * @param connectionTimeout the timeout to use when downloading resources
+     * (null or blank will use default)
      * @param proxyUrl the proxy url (null or blank means no proxy will be used)
-     * @param proxyPort the proxy port (null or blank means no port will be used)
+     * @param proxyPort the proxy port (null or blank means no port will be
+     * used)
+     * @param proxyUser the proxy user name
+     * @param proxyPass the password for the proxy
+     * @param dataDirectory the directory to store/retrieve persistent data from
+     * @param propertiesFile the properties file to utilize
+     * @param suppressionFile the path to the suppression file
      */
-    private void updateSettings(boolean autoUpdate, boolean deepScan, String connectionTimeout, String proxyUrl, String proxyPort) {
+    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl, String proxyPort,
+            String proxyUser, String proxyPass, String dataDirectory, File propertiesFile,
+            String suppressionFile) {
+
+        if (propertiesFile != null) {
+            try {
+                Settings.mergeProperties(propertiesFile);
+            } catch (FileNotFoundException ex) {
+                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            } catch (IOException ex) {
+                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            }
+        }
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else if (System.getProperty("basedir") != null) {
+            final File dataDir = new File(System.getProperty("basedir"), "data");
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        } else {
+            final File jarPath = new File(App.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        Settings.setBoolean(Settings.KEYS.PERFORM_DEEP_SCAN, deepScan);
         if (proxyUrl != null && !proxyUrl.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
         }
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
+        if (proxyUser != null && !proxyUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
+        }
+        if (proxyPass != null && !proxyPass.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
+        }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -1,22 +1,22 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-cli.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-cli is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-cli is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-cli. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.utils;
+package org.owasp.dependencycheck.cli;
 
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -29,11 +29,13 @@ import org.apache.commons.cli.OptionGroup;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.cli.PosixParser;
+import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * A utility to parse command line arguments for the DependencyCheck.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class CliParser {
 
@@ -83,35 +85,23 @@ public final class CliParser {
      *
      * @throws FileNotFoundException if there is a file specified by either the
      * SCAN or CPE command line arguments that does not exist.
-     * @throws ParseException is thrown if there is an exception parsing the command line.
+     * @throws ParseException is thrown if there is an exception parsing the
+     * command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
         if (isRunScan()) {
-            validatePathExists(getScanFiles());
-            if (!line.hasOption(ArgumentName.OUT)) {
-                //TODO - need a new exception type here, this isn't really a ParseException.
-                throw new ParseException("Scan cannot be run without specifying a directory "
-                        + "to write the reports to via the 'out' argument.");
-            } else {
-                final String p = line.getOptionValue(ArgumentName.OUT, "");
-                final File f = new File(p);
-                if ("".equals(p) || !(f.exists() && f.isDirectory())) {
-                    //TODO - need a new exception type here, this isn't really a ParseException.
-                    throw new ParseException("A valid directory name must be specified for "
-                            + "the 'out' argument.");
-                }
-            }
+            validatePathExists(getScanFiles(), "scan");
+            validatePathExists(getReportDirectory(), "out");
             if (!line.hasOption(ArgumentName.APP_NAME)) {
-                throw new ParseException("Scan cannot be run without specifying an application "
-                        + "name via the 'app' argument.");
+                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
             }
             if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
                 final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
-                if (!("ALL".equalsIgnoreCase(format)
-                        || "XML".equalsIgnoreCase(format)
-                        || "HTML".equalsIgnoreCase(format)
-                        || "VULN".equalsIgnoreCase(format))) {
-                    throw new ParseException("Supported output formats are XML, HTML, VULN, or ALL");
+                try {
+                    Format.valueOf(format);
+                } catch (IllegalArgumentException ex) {
+                    final String msg = String.format("An invalid 'format' of '%s' was specified. Supported output formats are XML, HTML, VULN, or ALL", format);
+                    throw new ParseException(msg);
                 }
             }
         }
@@ -123,12 +113,13 @@ public final class CliParser {
      * thrown.
      *
      * @param paths the paths to validate if they exists
+     * @param optType the option being validated (e.g. scan, out, etc.)
      * @throws FileNotFoundException is thrown if one of the paths being
      * validated does not exist.
      */
-    private void validatePathExists(String[] paths) throws FileNotFoundException {
+    private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
         for (String path : paths) {
-            validatePathExists(path);
+            validatePathExists(path, optType);
         }
     }
 
@@ -138,14 +129,16 @@ public final class CliParser {
      * thrown.
      *
      * @param path the paths to validate if they exists
+     * @param optType the option being validated (e.g. scan, out, etc.)
      * @throws FileNotFoundException is thrown if the path being validated does
      * not exist.
      */
-    private void validatePathExists(String path) throws FileNotFoundException {
+    private void validatePathExists(String path, String optType) throws FileNotFoundException {
         final File f = new File(path);
         if (!f.exists()) {
             isValid = false;
-            throw new FileNotFoundException("Invalid file argument: " + path);
+            final String msg = String.format("Invalid '%s' argument: '%s'", optType, path);
+            throw new FileNotFoundException(msg);
         }
     }
 
@@ -160,9 +153,6 @@ public final class CliParser {
         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
                 "Print this message.");
 
-        final Option deepScan = new Option(ArgumentName.PERFORM_DEEP_SCAN_SHORT, ArgumentName.PERFORM_DEEP_SCAN, false,
-                "Extracts extra information from dependencies that may increase false positives, but also decrease false negatives.");
-
         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
                 false, "Print the version information.");
 
@@ -170,7 +160,7 @@ public final class CliParser {
                 false, "Disables the automatic updating of the CPE data.");
 
         final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
-                .withDescription("The name of the application being scanned.")
+                .withDescription("The name of the application being scanned. This is a required argument.")
                 .create(ArgumentName.APP_NAME_SHORT);
 
         final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
@@ -185,6 +175,14 @@ public final class CliParser {
                 .withDescription("The proxy port to use when downloading resources.")
                 .create(ArgumentName.PROXY_PORT_SHORT);
 
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+                .withDescription("The proxy username to use when downloading resources.")
+                .create(ArgumentName.PROXY_USERNAME_SHORT);
+
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+                .withDescription("The proxy password to use when downloading resources.")
+                .create(ArgumentName.PROXY_PASSWORD_SHORT);
+
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
                 .withDescription("The path to scan - this option can be specified multiple times.")
                 .create(ArgumentName.SCAN_SHORT);
@@ -193,14 +191,27 @@ public final class CliParser {
                 .withDescription("A property file to load.")
                 .create(ArgumentName.PROP_SHORT);
 
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+                .withDescription("The location of the data directory used to store persistent data. This option should generally not be set.")
+                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+
         final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
-                .withDescription("The folder to write reports to.")
+                .withDescription("The folder to write reports to. This defaults to the current directory.")
                 .create(ArgumentName.OUT_SHORT);
 
         final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
-                .withDescription("The output format to write to (XML, HTML, VULN, ALL).")
+                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+                .withDescription("The file path to write verbose logging information.")
+                .create(ArgumentName.VERBOSE_LOG_SHORT);
+
+        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
+                .withDescription("The file path to the suppression XML file.")
+                .create(ArgumentName.SUPPRESION_FILE_SHORT);
+
+
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
 
@@ -212,10 +223,14 @@ public final class CliParser {
         opts.addOption(version);
         opts.addOption(help);
         opts.addOption(noUpdate);
-        opts.addOption(deepScan);
         opts.addOption(props);
+        opts.addOption(data);
+        opts.addOption(verboseLog);
+        opts.addOption(suppressionFile);
         opts.addOption(proxyPort);
         opts.addOption(proxyUrl);
+        opts.addOption(proxyUsername);
+        opts.addOption(proxyPassword);
         opts.addOption(connectionTimeout);
 
         return opts;
@@ -282,12 +297,12 @@ public final class CliParser {
      * @return the path to the reports directory.
      */
     public String getReportDirectory() {
-        return line.getOptionValue(ArgumentName.OUT);
+        return line.getOptionValue(ArgumentName.OUT, ".");
     }
 
     /**
-     * Returns the output format specified on the command line. Defaults to
-     * HTML if no format was specified.
+     * Returns the output format specified on the command line. Defaults to HTML
+     * if no format was specified.
      *
      * @return the output format name.
      */
@@ -306,6 +321,7 @@ public final class CliParser {
 
     /**
      * Returns the connection timeout.
+     *
      * @return the connection timeout
      */
     public String getConnectionTimeout() {
@@ -314,6 +330,7 @@ public final class CliParser {
 
     /**
      * Returns the proxy url.
+     *
      * @return the proxy url
      */
     public String getProxyUrl() {
@@ -322,12 +339,71 @@ public final class CliParser {
 
     /**
      * Returns the proxy port.
+     *
      * @return the proxy port
      */
     public String getProxyPort() {
         return line.getOptionValue(ArgumentName.PROXY_PORT);
     }
 
+    /**
+     * Returns the proxy username.
+     *
+     * @return the proxy username
+     */
+    public String getProxyUsername() {
+        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+    }
+
+    /**
+     * Returns the proxy password.
+     *
+     * @return the proxy password
+     */
+    public String getProxyPassword() {
+        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+    }
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
+    }
+
+    /**
+     * Returns the properties file specified on the command line.
+     *
+     * @return the properties file specified on the command line
+     */
+    public File getPropertiesFile() {
+        final String path = line.getOptionValue(ArgumentName.PROP);
+        if (path != null) {
+            return new File(path);
+        }
+        return null;
+    }
+
+    /**
+     * Returns the path to the verbose log file.
+     *
+     * @return the path to the verbose log file
+     */
+    public String getVerboseLog() {
+        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+    }
+
+    /**
+     * Returns the path to the suppression file.
+     *
+     * @return the path to the suppression file
+     */
+    public String getSuppressionFile() {
+        return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
+    }
+
     /**
      * <p>Prints the manifest information to standard output.</p>
      * <ul><li>Implementation-Title: ${pom.name}</li>
@@ -350,13 +426,6 @@ public final class CliParser {
         return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
     }
 
-    /**
-     * Checks if a deep scan of the dependencies was requested.
-     * @return whether a deep scan of the evidence within the dependencies was requested.
-     */
-    public boolean isDeepScan() {
-        return (line != null) && line.hasOption(ArgumentName.PERFORM_DEEP_SCAN);
-    }
     /**
      * A collection of static final strings that represent the possible command
      * line arguments.
@@ -444,23 +513,29 @@ public final class CliParser {
          */
         public static final String PROXY_URL = "proxyurl";
         /**
-         * The short CLI argument name indicating the proxy url.
+         * The short CLI argument name indicating the proxy username.
+         */
+        public static final String PROXY_USERNAME_SHORT = "pu";
+        /**
+         * The CLI argument name indicating the proxy username.
+         */
+        public static final String PROXY_USERNAME = "proxyuser";
+        /**
+         * The short CLI argument name indicating the proxy password.
+         */
+        public static final String PROXY_PASSWORD_SHORT = "pp";
+        /**
+         * The CLI argument name indicating the proxy password.
+         */
+        public static final String PROXY_PASSWORD = "proxypass";
+        /**
+         * The short CLI argument name indicating the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT_SHORT = "c";
         /**
-         * The CLI argument name indicating the proxy url.
+         * The CLI argument name indicating the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
-        /**
-         * The short CLI argument name indicating a deep scan of the dependencies
-         * should be performed.
-         */
-        public static final String PERFORM_DEEP_SCAN_SHORT = "d";
-        /**
-         * The CLI argument name indicating a deep scan of the dependencies
-         * should be performed.
-         */
-        public static final String PERFORM_DEEP_SCAN = "deepscan";
         /**
          * The short CLI argument name for setting the location of an additional
          * properties file.
@@ -471,5 +546,33 @@ public final class CliParser {
          * properties file.
          */
         public static final String PROP = "propertyfile";
+        /**
+         * The CLI argument name for setting the location of the data directory.
+         */
+        public static final String DATA_DIRECTORY = "data";
+        /**
+         * The short CLI argument name for setting the location of the data
+         * directory.
+         */
+        public static final String DATA_DIRECTORY_SHORT = "d";
+        /**
+         * The CLI argument name for setting the location of the data directory.
+         */
+        public static final String VERBOSE_LOG = "log";
+        /**
+         * The short CLI argument name for setting the location of the data
+         * directory.
+         */
+        public static final String VERBOSE_LOG_SHORT = "l";
+        /**
+         * The CLI argument name for setting the location of the suppression
+         * file.
+         */
+        public static final String SUPPRESION_FILE = "suppression";
+        /**
+         * The short CLI argument name for setting the location of the
+         * suppression file.
+         */
+        public static final String SUPPRESION_FILE_SHORT = "sf";
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.cli</title>
+ * </head>
+ * <body>
+ * Includes utility classes such as the CLI Parser,
+ * </body>
+ * </html>
+*/
+
+package org.owasp.dependencycheck.cli;

dependency-check-cli/src/main/resources/log.properties

@@ -0,0 +1,22 @@
+handlers=java.util.logging.ConsoleHandler
+#, java.util.logging.FileHandler
+
+# logging levels
+# FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
+
+# Configure the ConsoleHandler.
+java.util.logging.ConsoleHandler.level=INFO
+
+# Configure the FileHandler.
+java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
+java.util.logging.FileHandler.level=FINE
+
+# The following special tokens can be used in the pattern property
+# which specifies the location and name of the log file.
+#   / - standard path separator
+#   %t - system temporary directory
+#   %h - value of the user.home system property
+#   %g - generation number for rotating logs
+#   %u - unique number to avoid conflicts
+# FileHandler writes to %h/demo0.log by default.
+java.util.logging.FileHandler.pattern=./dependency-check.log

dependency-check-cli/src/site/markdown/arguments.md

@@ -0,0 +1,22 @@
+Command Line Arguments
+====================
+
+The following table lists the command line arguments:
+
+Short  | Argument Name         | Parameter   | Description | Requirement
+-------|-----------------------|-------------|-------------|------------
+ \-a   | \-\-app               | \<name\>    | The name of the application being scanned. This is a required argument. |
+ \-c   | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
+ \-d   | \-\-data              | \<path\>    | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
+ \-f   | \-\-format            | \<format\>  | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. |
+ \-h   | \-\-help              |             | Print the help message. | Optional
+ \-l   | \-\-log               | \<file\>    | The file path to write verbose logging information. | Optional
+ \-n   | \-\-noupdate          |             | Disables the automatic updating of the CPE data. | Optional
+ \-o   | \-\-out               | \<folder\>  | The folder to write reports to. This defaults to the current directory. | Optional
+ \-p   | \-\-proxyport         | \<port\>    | The proxy port to use when downloading resources. | Optional
+ \-pp  | \-\-proxypass         | \<pass\>    | The proxy password to use when downloading resources. | Optional
+ \-pu  | \-\-proxyuser         | \<user\>    | The proxy username to use when downloading resources. | Optional
+ \-s   | \-\-scan              | \<path\>    | The path to scan \- this option can be specified multiple times. |
+ \-sf  | \-\-suppression       | \<file\>    | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
+ \-u   | \-\-proxyurl          | \<url\>     | The proxy url to use when downloading resources. | Optional
+ \-v   | \-\-version           |             | Print the version information. | Optional

dependency-check-cli/src/site/markdown/installation.md.vm

@@ -0,0 +1,23 @@
+Installation & Usage
+--------------------
+Downlod the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
+Extract the zip file to a location on your computer and put the 'bin' directory into the
+path environment variable. On \*nix systems you will likely need to make the shell
+script executable:
+
+    $ chmod +777 dependency-check.sh
+
+To scan a folder on the system you can run:
+
+### Windows
+    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
+
+### \*nix
+    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
+
+To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
+### Windows
+    dependency-check.bat --help
+
+### \*nix
+    dependency-check.sh --help

dependency-check-cli/src/site/site.xml

@@ -0,0 +1,35 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-cli.
+
+Dependency-check-cli is free software: you can redistribute it and/or modify it
+under the terms of the GNU General Public License as published by the Free
+Software Foundation, either version 3 of the License, or (at your option) any
+later version.
+
+Dependency-check-cli is distributed in the hope that it will be useful, but
+WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+details.
+
+You should have received a copy of the GNU General Public License along with
+dependency-check-cli. If not, see http://www.gnu.org/licenses/.
+
+Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-cli">
+    <bannerLeft>
+        <name>dependency-check-cli</name>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu name="Getting Started">
+            <item name="Installation" href="installation.html"/>
+            <item name="Configuration" href="arguments.html"/>
+        </menu>
+        <menu ref="Project Documentation" />
+        <menu ref="reports" />
+    </body>
+</project>

dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java

@@ -16,9 +16,9 @@
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.utils;
+package org.owasp.dependencycheck.cli;
 
-import org.owasp.dependencycheck.utils.CliParser;
+import org.owasp.dependencycheck.cli.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -34,7 +34,7 @@ import org.junit.Test;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class CliParserTest {
 
@@ -56,6 +56,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -77,6 +78,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with help arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -95,6 +97,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with version arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -112,6 +115,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar and cpe args, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -140,6 +144,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with scan arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -162,6 +167,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -173,7 +179,7 @@ public class CliParserTest {
         try {
             instance.parse(args);
         } catch (FileNotFoundException ex) {
-            Assert.assertTrue(ex.getMessage().contains("Invalid file argument"));
+            Assert.assertTrue(ex.getMessage().contains("Invalid 'scan' argument"));
         }
 
         Assert.assertFalse(instance.isGetVersion());
@@ -183,6 +189,7 @@ public class CliParserTest {
 
     /**
      * Test of parse method with jar arg, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -202,6 +209,7 @@ public class CliParserTest {
 
     /**
      * Test of printVersionInfo, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test
@@ -230,6 +238,7 @@ public class CliParserTest {
 
     /**
      * Test of printHelp, of class CliParser.
+     *
      * @throws Exception thrown when an exception occurs.
      */
     @Test

dependency-check-core/config/checkstyle-checks.xml

@@ -0,0 +1,223 @@
+<?xml version="1.0"?>
+<!DOCTYPE module PUBLIC
+          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
+          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
+
+<module name="Checker">
+  <!--
+      If you set the basedir property below, then all reported file
+      names will be relative to the specified directory. See
+      http://checkstyle.sourceforge.net/5.x/config.html#Checker
+
+      <property name="basedir" value="${basedir}"/>
+  -->
+
+  <property name="severity" value="error"/>
+
+  <module name="SuppressionFilter">
+    <property name="file" value="${checkstyle.suppressions.file}"/>
+  </module>
+
+  <module name="JavadocPackage">
+    <property name="allowLegacy" value="false"/>
+  </module>
+
+  <module name="Translation">
+    <property name="severity" value="warning"/>
+  </module>
+
+  <module name="FileTabCharacter">
+    <property name="eachLine" value="false"/>
+  </module>
+
+  <module name="FileLength">
+    <property name="fileExtensions" value="java"/>
+  </module>
+
+  <module name="NewlineAtEndOfFile">
+  <property name="fileExtensions" value="java"/>
+  <property name="lineSeparator" value="lf"/>
+  </module>
+
+  <module name="RegexpHeader">
+    <property name="headerFile" value="${checkstyle.header.file}"/>
+    <property name="fileExtensions" value="java"/>
+    <property name="id" value="header"/>
+  </module>
+
+  <module name="RegexpSingleline">
+    <property name="format" value="\s+$"/>
+    <property name="minimum" value="0"/>
+    <property name="maximum" value="0"/>
+  </module>
+
+  <module name="TreeWalker">
+    <property name="tabWidth" value="4"/>
+
+    <module name="AvoidStarImport"/>
+    <module name="ConstantName"/>
+    <module name="EmptyBlock"/>
+    <module name="EmptyForIteratorPad"/>
+    <module name="EqualsHashCode"/>
+    <module name="OneStatementPerLine"/>
+
+    <!-- module name="IllegalCatch"/ -->
+    <!--module name="ImportControl">
+      <property name="file" value="${checkstyle.importcontrol.file}"/>
+    </module-->
+    <module name="IllegalImport"/>
+    <module name="IllegalInstantiation"/>
+    <module name="IllegalThrows"/>
+    <module name="InnerAssignment"/>
+    <module name="JavadocType">
+      <property name="authorFormat" value="\S"/>
+    </module>
+    <module name="JavadocMethod">
+      <property name="allowUndeclaredRTE" value="true"/>
+      <property name="allowThrowsTagsForSubclasses" value="true"/>
+      <property name="allowMissingPropertyJavadoc" value="true"/>
+    </module>
+    <module name="JavadocVariable"/>
+    <module name="JavadocStyle">
+      <property name="scope" value="public"/>
+    </module>
+
+    <module name="LeftCurly">
+      <property name="option" value="eol"/>
+      <property name="tokens" value="CLASS_DEF"/>
+      <property name="tokens" value="CTOR_DEF"/>
+      <property name="tokens" value="INTERFACE_DEF"/>
+      <property name="tokens" value="METHOD_DEF"/>
+      <property name="tokens" value="LITERAL_CATCH"/>
+      <property name="tokens" value="LITERAL_DO"/>
+      <property name="tokens" value="LITERAL_ELSE"/>
+      <property name="tokens" value="LITERAL_FINALLY"/>
+      <property name="tokens" value="LITERAL_FOR"/>
+      <property name="tokens" value="LITERAL_IF"/>
+      <property name="tokens" value="LITERAL_SWITCH"/>
+      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
+      <property name="tokens" value="LITERAL_TRY"/>
+      <property name="tokens" value="LITERAL_WHILE"/>
+    </module>
+
+    <module name="OuterTypeNumber"/>
+    <module name="LineLength">
+      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
+    <property name="max" value="150"/>
+    </module>
+
+    <module name="MethodCount">
+      <property name="maxTotal" value="40"/>
+    </module>
+
+    <module name="LocalFinalVariableName"/>
+    <module name="LocalVariableName"/>
+    <module name="MemberName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="MethodLength">
+        <property name="max" value="160"/>
+        <property name="countEmpty" value="false"/>
+    </module>
+    <module name="MethodName"/>
+    <module name="MethodParamPad"/>
+    <module name="ModifierOrder"/>
+    <module name="NeedBraces"/>
+    <module name="NoWhitespaceAfter">
+      <property name="tokens" value="ARRAY_INIT"/>
+      <property name="tokens" value="BNOT"/>
+      <property name="tokens" value="DEC"/>
+      <property name="tokens" value="DOT"/>
+      <property name="tokens" value="INC"/>
+      <property name="tokens" value="LNOT"/>
+      <property name="tokens" value="UNARY_MINUS"/>
+      <property name="tokens" value="UNARY_PLUS"/>
+    </module>
+
+    <module name="NoWhitespaceBefore"/>
+    <module name="NoWhitespaceBefore">
+      <property name="tokens" value="DOT"/>
+      <property name="allowLineBreaks" value="true"/>
+    </module>
+
+    <module name="OperatorWrap"/>
+    <module name="OperatorWrap">
+      <property name="tokens" value="ASSIGN"/>
+      <property name="tokens" value="DIV_ASSIGN"/>
+      <property name="tokens" value="PLUS_ASSIGN"/>
+      <property name="tokens" value="MINUS_ASSIGN"/>
+      <property name="tokens" value="STAR_ASSIGN"/>
+      <property name="tokens" value="MOD_ASSIGN"/>
+      <property name="tokens" value="SR_ASSIGN"/>
+      <property name="tokens" value="BSR_ASSIGN"/>
+      <property name="tokens" value="SL_ASSIGN"/>
+      <property name="tokens" value="BXOR_ASSIGN"/>
+      <property name="tokens" value="BOR_ASSIGN"/>
+      <property name="tokens" value="BAND_ASSIGN"/>
+      <property name="option" value="eol"/>
+    </module>
+    <module name="PackageName"/>
+    <module name="ParameterName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="ParameterNumber">
+      <property name="id" value="paramNum"/>
+    </module>
+    <module name="ParenPad"/>
+    <module name="TypecastParenPad"/>
+    <module name="RedundantImport"/>
+    <module name="RedundantModifier"/>
+    <module name="RightCurly">
+      <property name="option" value="same"/>
+    </module>
+    <module name="SimplifyBooleanExpression"/>
+    <module name="SimplifyBooleanReturn"/>
+    <module name="StaticVariableName">
+      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
+    </module>
+    <module name="TypeName"/>
+    <module name="UnusedImports"/>
+    <module name="UpperEll"/>
+    <module name="VisibilityModifier"/>
+    <module name="WhitespaceAfter"/>
+    <module name="WhitespaceAround"/>
+    <module name="GenericWhitespace"/>
+    <module name="FinalClass"/>
+    <module name="MissingSwitchDefault"/>
+    <!--module name="MagicNumber"/-->
+    <!--module name="Indentation">
+      <property name="basicOffset" value="4"/>
+      <property name="braceAdjustment" value="0"/>
+      <property name="caseIndent" value="0"/>
+    </module-->
+    <module name="ArrayTrailingComma"/>
+    <module name="FinalLocalVariable"/>
+    <module name="EqualsAvoidNull"/>
+    <module name="ParameterAssignment"/>
+
+    <!-- Generates quite a few errors -->
+    <module name="CyclomaticComplexity">
+      <property name="severity" value="ignore"/>
+    </module>
+
+    <module name="NestedForDepth">
+      <property name="max" value="2"/>
+    </module>
+    <module name="NestedIfDepth">
+      <property name="max" value="4"/>
+    </module>
+    <module name="NestedTryDepth">
+        <property name="max" value="2"/>
+    </module>
+    <!--module name="ExplicitInitialization"/-->
+    <module name="AnnotationUseStyle"/>
+    <module name="MissingDeprecated"/>
+    <module name="MissingOverride">
+      <property name="javaFiveCompatibility" value="true"/>
+    </module>
+    <module name="PackageAnnotation"/>
+    <module name="SuppressWarnings"/>
+    <module name="OuterTypeFilename"/>
+    <module name="HideUtilityClassConstructor"/>
+  </module>
+</module>

dependency-check-core/config/checkstyle-header.txt

@@ -0,0 +1,19 @@
+^/\*\s*$
+^ \* This file is part of dependency-check-core\.\s*$
+^ \*\s*$
+^ \* Dependency-check-core is free software\: you can redistribute it and/or modify it\s*$
+^ \* under the terms of the GNU General Public License as published by the Free\s*$
+^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
+^ \* later version\.
+^ \*\s*$
+^ \* Dependency-check-core is distributed in the hope that it will be useful, but\s*$
+^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
+^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
+^ \* details\.\s*$
+^ \*\s*$
+^ \* You should have received a copy of the GNU General Public License along with\s*$
+^ \* dependency-check-core\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \*\s*$
+^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
+^ \*/\s*$
+^package

dependency-check-core/config/checkstyle-suppressions.xml

@@ -9,7 +9,4 @@
     <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
     <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" />
     <suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
-    <suppress checks="MagicNumberCheck"
-              files="org[\\/]owasp[\\/]dependencycheck[\\/]data[\\/]cpe/Entry.java"
-              lines="376"/>
 </suppressions>

dependency-check-core/pom.xml

@@ -0,0 +1,628 @@
+<!--
+Copyright (c) 2012 - Jeremy Long
+
+This file is part of Dependency-Check.
+
+Dependency-Check is free software: you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation, either version 3 of the License, or
+(at your option) any later version.
+
+Dependency-Check is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
+-->
+
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>1.0.8</version>
+    </parent>
+
+    <artifactId>dependency-check-core</artifactId>
+    <packaging>jar</packaging>
+
+    <name>Dependency-Check Core</name>
+    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
+    <distributionManagement>
+        <site>
+            <id>github-pages-site</id>
+            <name>Deployment through GitHub's site deployment plugin</name>
+            <url>${basedir}/../target/site/${project.version}/dependency-check-core</url>
+        </site>
+    </distributionManagement>
+    <!-- end copy -->
+    <build>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                    <include>**/schema/*.xsd</include>
+                </includes>
+                <filtering>true</filtering>
+            </resource>
+            <resource>
+                <directory>${basedir}/..</directory>
+                <targetPath>META-INF</targetPath>
+                <includes>
+                    <include>LICENSE.txt</include>
+                    <include>NOTICE.txt</include>
+                </includes>
+            </resource>
+            <resource>
+                <directory>src/main/resources</directory>
+                <excludes>
+                    <exclude>**/*.properties</exclude>
+                    <exclude>**/*.gif</exclude>
+                    <exclude>**/*.js</exclude>
+                    <exclude>**/schema/**/*.xsd</exclude>
+                    <exclude>**/schema/**/*.xml</exclude>
+                    <exclude>**/schema/**/*.bat</exclude>
+                    <exclude>**/schema/**/*.sh</exclude>
+                </excludes>
+                <filtering>false</filtering>
+            </resource>
+        </resources>
+        <testResources>
+            <testResource>
+                <directory>${basedir}/../src/test/resources</directory>
+                <filtering>false</filtering>
+            </testResource>
+            <testResource>
+                <directory>${basedir}/src/test/resources</directory>
+                <excludes>
+                    <exclude>**/mysql-connector-java-5.1.27-bin.jar</exclude>
+                </excludes>
+                <filtering>false</filtering>
+            </testResource>
+        </testResources>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-dependency-plugin</artifactId>
+                <version>2.8</version>
+                <executions>
+                    <execution>
+                        <phase>generate-resources</phase>
+                        <goals>
+                            <goal>copy-dependencies</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
+                            <includeScope>provided</includeScope>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+                <version>2.4</version>
+                <executions>
+                    <execution>
+                        <id>jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>jar</goal>
+                        </goals>
+                    </execution>
+                    <execution>
+                        <id>test-jar</id>
+                        <phase>package</phase>
+                        <goals>
+                            <goal>test-jar</goal>
+                        </goals>
+                    </execution>
+                </executions>
+                <configuration>
+                    <archive>
+                        <manifest>
+                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
+                        </manifest>
+                    </archive>
+                    <excludes>
+                        <exclude>**/checkstyle*</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+                <configuration>
+                    <instrumentation>
+                        <ignores>
+                            <ignore>.*\$KEYS\.class</ignore>
+                            <ignore>.*\$Element\.class</ignore>
+                        </ignores>
+                        <excludes>
+                            <exclude>.*\$KEYS\.class</exclude>
+                            <exclude>.*\$Element\.class</exclude>
+                        </excludes>
+                    </instrumentation>
+                    <check>
+                        <branchRate>85</branchRate>
+                        <lineRate>85</lineRate>
+                        <haltOnFailure>false</haltOnFailure>
+                        <totalBranchRate>85</totalBranchRate>
+                        <totalLineRate>85</totalLineRate>
+                        <packageLineRate>85</packageLineRate>
+                        <packageBranchRate>85</packageBranchRate>
+                        <regexes>
+                            <regex>
+                                <pattern>.*\$.*</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.data.cpe.Fields</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                            <regex>
+                                <pattern>org.owasp.dependencycheck.App</pattern>
+                                <branchRate>0</branchRate>
+                                <lineRate>0</lineRate>
+                            </regex>
+                        </regexes>
+                    </check>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>clean</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/data</value>
+                        </property>
+                        <property>
+                            <name>temp.directory</name>
+                            <value>${project.build.directory}/temp</value>
+                        </property>
+                    </systemProperties>
+                    <excludes>
+                        <exclude>**/*IntegrationTest.java</exclude>
+                        <exclude>**/*MySQLTest.java</exclude>
+                    </excludes>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-failsafe-plugin</artifactId>
+                <version>2.16</version>
+                <configuration>
+                    <systemProperties>
+                        <property>
+                            <name>data.directory</name>
+                            <value>${project.build.directory}/data</value>
+                        </property>
+                    </systemProperties>
+                    <includes>
+                        <include>**/*IntegrationTest.java</include>
+                    </includes>
+                </configuration>
+                <executions>
+                    <execution>
+                        <goals>
+                            <goal>integration-test</goal>
+                            <goal>verify</goal>
+                        </goals>
+                    </execution>
+                </executions>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-site-plugin</artifactId>
+                <version>3.3</version>
+                <dependencies>
+                    <dependency>
+                        <groupId>org.apache.maven.doxia</groupId>
+                        <artifactId>doxia-module-markdown</artifactId>
+                        <version>1.5</version>
+                    </dependency>
+                </dependencies>
+                <configuration>
+                    <skipDeploy>true</skipDeploy>
+                    <reportPlugins>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                            <version>2.7</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>index</report>
+                                        <report>summary</report>
+                                        <report>license</report>
+                                        <report>help</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-javadoc-plugin</artifactId>
+                            <version>2.9.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <id>default</id>
+                                    <reports>
+                                        <report>javadoc</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>versions-maven-plugin</artifactId>
+                            <version>2.1</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>dependency-updates-report</report>
+                                        <report>plugin-updates-report</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-jxr-plugin</artifactId>
+                            <version>2.4</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>cobertura-maven-plugin</artifactId>
+                            <version>2.6</version>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-surefire-report-plugin</artifactId>
+                            <version>2.16</version>
+                            <reportSets>
+                                <reportSet>
+                                    <reports>
+                                        <report>report-only</report>
+                                    </reports>
+                                </reportSet>
+                                <reportSet>
+                                    <id>integration-tests</id>
+                                    <reports>
+                                        <report>report-only</report>
+                                        <report>failsafe-report-only</report>
+                                    </reports>
+                                </reportSet>
+                            </reportSets>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>taglist-maven-plugin</artifactId>
+                            <version>2.4</version>
+                            <configuration>
+                                <tagListOptions>
+                                    <tagClasses>
+                                        <tagClass>
+                                            <displayName>Todo Work</displayName>
+                                            <tags>
+                                                <tag>
+                                                    <matchString>todo</matchString>
+                                                    <matchType>ignoreCase</matchType>
+                                                </tag>
+                                                <tag>
+                                                    <matchString>FIXME</matchString>
+                                                    <matchType>exact</matchType>
+                                                </tag>
+                                            </tags>
+                                        </tagClass>
+                                    </tagClasses>
+                                </tagListOptions>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-checkstyle-plugin</artifactId>
+                            <version>2.11</version>
+                            <configuration>
+                                <enableRulesSummary>false</enableRulesSummary>
+                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.apache.maven.plugins</groupId>
+                            <artifactId>maven-pmd-plugin</artifactId>
+                            <version>3.0.1</version>
+                            <configuration>
+                                <targetJdk>1.6</targetJdk>
+                                <linkXref>true</linkXref>
+                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                            </configuration>
+                        </plugin>
+                        <plugin>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>findbugs-maven-plugin</artifactId>
+                            <version>2.5.3</version>
+                        </plugin>
+                    </reportPlugins>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <showDeprecation>false</showDeprecation>
+                    <source>1.6</source>
+                    <target>1.6</target>
+                </configuration>
+            </plugin>
+        </plugins>
+    </build>
+    <dependencies>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-test-framework</artifactId>
+            <version>4.3.1</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>com.google.code.findbugs</groupId>
+            <artifactId>annotations</artifactId>
+            <version>2.0.1</version>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>commons-cli</groupId>
+            <artifactId>commons-cli</artifactId>
+            <version>1.2</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-io</groupId>
+            <artifactId>commons-io</artifactId>
+            <version>2.4</version>
+        </dependency>
+        <dependency>
+            <groupId>commons-lang</groupId>
+            <artifactId>commons-lang</artifactId>
+            <version>2.5</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-core</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-analyzers-common</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.lucene</groupId>
+            <artifactId>lucene-queryparser</artifactId>
+            <version>4.5.1</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.velocity</groupId>
+            <artifactId>velocity</artifactId>
+            <version>1.7</version>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.velocity</groupId>
+            <artifactId>velocity-tools</artifactId>
+            <version>2.0</version>
+            <!-- very limited use of the velocity-tools, not all of the dependencies are needed-->
+            <exclusions>
+                <exclusion>
+                    <groupId>commons-chain</groupId>
+                    <artifactId>commons-chain</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>javax.servlet</groupId>
+                    <artifactId>servlet-api</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>commons-validator</groupId>
+                    <artifactId>commons-validator</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>dom4j</groupId>
+                    <artifactId>dom4j</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>sslext</groupId>
+                    <artifactId>sslext</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-core</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>antlr</groupId>
+                    <artifactId>antlr</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-taglib</artifactId>
+                </exclusion>
+                <exclusion>
+                    <groupId>org.apache.struts</groupId>
+                    <artifactId>struts-tiles</artifactId>
+                </exclusion>
+            </exclusions>
+        </dependency>
+        <dependency>
+            <groupId>com.h2database</groupId>
+            <artifactId>h2</artifactId>
+            <version>1.3.172</version>
+        </dependency>
+        <dependency>
+            <groupId>org.jsoup</groupId>
+            <artifactId>jsoup</artifactId>
+            <version>1.7.2</version>
+            <type>jar</type>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.5</version>
+        </dependency>
+        <!-- The following dependencies are only used during testing -->
+        <dependency>
+            <groupId>org.apache.maven.scm</groupId>
+            <artifactId>maven-scm-provider-cvsexe</artifactId>
+            <version>1.8.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework</groupId>
+            <artifactId>spring-webmvc</artifactId>
+            <version>2.5.5</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.hazelcast</groupId>
+            <artifactId>hazelcast</artifactId>
+            <version>2.5</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>net.sf.ehcache</groupId>
+            <artifactId>ehcache-core</artifactId>
+            <version>2.2.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.struts</groupId>
+            <artifactId>struts2-core</artifactId>
+            <version>2.1.2</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.mortbay.jetty</groupId>
+            <artifactId>jetty</artifactId>
+            <version>6.1.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-spring</artifactId>
+            <version>1.4.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.axis2</groupId>
+            <artifactId>axis2-adb</artifactId>
+            <version>1.4.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.apache.geronimo.daytrader</groupId>
+            <artifactId>daytrader-ear</artifactId>
+            <version>2.1.7</version>
+            <type>ear</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.glassfish.main.admingui</groupId>
+            <artifactId>war</artifactId>
+            <version>4.0</version>
+            <type>war</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.dojotoolkit</groupId>
+            <artifactId>dojo-war</artifactId>
+            <version>1.3.0</version>
+            <type>war</type>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+    </dependencies>
+    <profiles>
+        <profile>
+            <id>MySQL-IntegrationTest</id>
+            <activation>
+                <property>
+                    <name>mysql</name>
+                    <!--value>test</value-->
+                </property>
+            </activation>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <version>2.16</version>
+                        <configuration>
+                            <skip>true</skip>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <version>2.16</version>
+                        <configuration>
+                            <systemProperties>
+                                <property>
+                                    <name>data.driver_path</name>
+                                    <value>${basedir}/${driver_path}</value>
+                                </property>
+                                <property>
+                                    <name>data.driver_name</name>
+                                    <value>${driver_name}</value>
+                                </property>
+                                <property>
+                                    <name>data.connection_string</name>
+                                    <value>${connection_string}</value>
+                                </property>
+                            </systemProperties>
+                            <includes>
+                                <include>**/*MySQLTest.java</include>
+                            </includes>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+    </profiles>
+</project>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -0,0 +1,450 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import java.io.File;
+import java.util.ArrayList;
+import java.util.EnumMap;
+import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.analyzer.AnalysisException;
+import org.owasp.dependencycheck.analyzer.AnalysisPhase;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.AnalyzerService;
+import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
+import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.update.CachedWebDataSource;
+import org.owasp.dependencycheck.data.update.UpdateService;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.NoDataException;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the
+ * scan, if a file is encountered and an Analyzer is associated with the file type then the file is turned into a
+ * dependency.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class Engine {
+
+    /**
+     * The list of dependencies.
+     */
+    private final List<Dependency> dependencies = new ArrayList<Dependency>();
+    /**
+     * A Map of analyzers grouped by Analysis phase.
+     */
+    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers
+            = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+    /**
+     * A set of extensions supported by the analyzers.
+     */
+    private final Set<String> extensions = new HashSet<String>();
+
+    /**
+     * Creates a new Engine.
+     */
+    public Engine() {
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
+        }
+        if (autoUpdate) {
+            doUpdates();
+        }
+        loadAnalyzers();
+    }
+
+    /**
+     * Creates a new Engine.
+     *
+     * @param autoUpdate indicates whether or not data should be updated from the Internet
+     * @deprecated This function should no longer be used; the autoupdate flag should be set using:
+     * <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
+     */
+    @Deprecated
+    public Engine(boolean autoUpdate) {
+        if (autoUpdate) {
+            doUpdates();
+        }
+        loadAnalyzers();
+    }
+
+    /**
+     * Loads the analyzers specified in the configuration file (or system properties).
+     */
+    private void loadAnalyzers() {
+
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            analyzers.put(phase, new ArrayList<Analyzer>());
+        }
+
+        final AnalyzerService service = AnalyzerService.getInstance();
+        final Iterator<Analyzer> iterator = service.getAnalyzers();
+        while (iterator.hasNext()) {
+            final Analyzer a = iterator.next();
+            analyzers.get(a.getAnalysisPhase()).add(a);
+            if (a.getSupportedExtensions() != null) {
+                extensions.addAll(a.getSupportedExtensions());
+            }
+        }
+    }
+
+    /**
+     * Get the List of the analyzers for a specific phase of analysis.
+     *
+     * @param phase the phase to get the configured analyzers.
+     * @return the analyzers loaded
+     */
+    public List<Analyzer> getAnalyzers(AnalysisPhase phase) {
+        return analyzers.get(phase);
+    }
+
+    /**
+     * Get the dependencies identified.
+     *
+     * @return the dependencies identified
+     */
+    public List<Dependency> getDependencies() {
+        return dependencies;
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param paths an array of paths to files or directories to be analyzed.
+     */
+    public void scan(String[] paths) {
+        for (String path : paths) {
+            final File file = new File(path);
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
+     *
+     * @param path the path to a file or directory to be analyzed.
+     */
+    public void scan(String path) {
+        final File file = new File(path);
+        scan(file);
+    }
+
+    /**
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files an array of paths to files or directories to be analyzed.
+     */
+    public void scan(File[] files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files a set of paths to files or directories to be analyzed.
+     */
+    public void scan(Set<File> files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * dependencies identified are added to the dependency collection.
+     *
+     * @since v0.3.2.5
+     *
+     * @param files a set of paths to files or directories to be analyzed.
+     */
+    public void scan(List<File> files) {
+        for (File file : files) {
+            scan(file);
+        }
+    }
+
+    /**
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
+     *
+     * @since v0.3.2.4
+     *
+     * @param file the path to a file or directory to be analyzed.
+     */
+    public void scan(File file) {
+        if (file.exists()) {
+            if (file.isDirectory()) {
+                scanDirectory(file);
+            } else {
+                scanFile(file);
+            }
+        }
+    }
+
+    /**
+     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
+     *
+     * @param dir the directory to scan.
+     */
+    protected void scanDirectory(File dir) {
+        final File[] files = dir.listFiles();
+        if (files != null) {
+            for (File f : files) {
+                if (f.isDirectory()) {
+                    scanDirectory(f);
+                } else {
+                    scanFile(f);
+                }
+            }
+        }
+    }
+
+    /**
+     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     *
+     * @param file The file to scan.
+     */
+    protected void scanFile(File file) {
+        if (!file.isFile()) {
+            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+            return;
+        }
+        final String fileName = file.getName();
+        final String extension = FileUtils.getFileExtension(fileName);
+        if (extension != null) {
+            if (extensions.contains(extension)) {
+                final Dependency dependency = new Dependency(file);
+                dependencies.add(dependency);
+            }
+        } else {
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
+                    file.toString());
+            Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
+        }
+    }
+
+    /**
+     * Runs the analyzers against all of the dependencies.
+     */
+    public void analyzeDependencies() {
+        //need to ensure that data exists
+        try {
+            ensureDataExists();
+        } catch (NoDataException ex) {
+            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            return;
+        } catch (DatabaseException ex) {
+            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            return;
+
+        }
+
+        final String logHeader = String.format("%n"
+                + "----------------------------------------------------%n"
+                + "BEGIN ANALYSIS%n"
+                + "----------------------------------------------------");
+        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
+        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
+
+        //phase one initialize
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+            for (Analyzer a : analyzerList) {
+                try {
+                    final String msg = String.format("Initializing %s", a.getName());
+                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                    a.initialize();
+                } catch (Exception ex) {
+                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
+                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+                    Logger.getLogger(Engine.class.getName()).log(Level.INFO, null, ex);
+                    try {
+                        a.close();
+                    } catch (Exception ex1) {
+                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
+                    }
+                }
+            }
+        }
+
+        // analysis phases
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+
+            for (Analyzer a : analyzerList) {
+                /* need to create a copy of the collection because some of the
+                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
+                 * This is okay for adds/deletes because it happens per analyzer.
+                 */
+                final String msg = String.format("Begin Analyzer '%s'", a.getName());
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                final Set<Dependency> dependencySet = new HashSet<Dependency>();
+                dependencySet.addAll(dependencies);
+                for (Dependency d : dependencySet) {
+                    if (a.supportsExtension(d.getFileExtension())) {
+                        final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
+                        Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
+                        try {
+                            a.analyze(d, this);
+                        } catch (AnalysisException ex) {
+                            d.addAnalysisException(ex);
+                        } catch (Throwable ex) {
+                            final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
+                            final AnalysisException ax = new AnalysisException(axMsg, ex);
+                            d.addAnalysisException(ax);
+                            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, axMsg);
+                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, axMsg, ex);
+                        }
+                    }
+                }
+            }
+        }
+
+        //close/cleanup
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+            for (Analyzer a : analyzerList) {
+                final String msg = String.format("Closing Analyzer '%s'", a.getName());
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                try {
+                    a.close();
+                } catch (Exception ex) {
+                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+
+        final String logFooter = String.format("%n"
+                + "----------------------------------------------------%n"
+                + "END ANALYSIS%n"
+                + "----------------------------------------------------");
+        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
+    }
+
+    /**
+     * Cycles through the cached web data sources and calls update on all of them.
+     */
+    private void doUpdates() {
+        final UpdateService service = UpdateService.getInstance();
+        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
+        while (iterator.hasNext()) {
+            final CachedWebDataSource source = iterator.next();
+            try {
+                source.update();
+            } catch (UpdateException ex) {
+                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
+                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE,
+                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
+            }
+        }
+    }
+
+    /**
+     * Returns a full list of all of the analyzers. This is useful for reporting which analyzers where used.
+     *
+     * @return a list of Analyzers
+     */
+    public List<Analyzer> getAnalyzers() {
+        final List<Analyzer> ret = new ArrayList<Analyzer>();
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+            ret.addAll(analyzerList);
+        }
+        return ret;
+    }
+
+    /**
+     * Checks all analyzers to see if an extension is supported.
+     *
+     * @param ext a file extension
+     * @return true or false depending on whether or not the file extension is supported
+     */
+    public boolean supportsExtension(String ext) {
+        if (ext == null) {
+            return false;
+        }
+        for (AnalysisPhase phase : AnalysisPhase.values()) {
+            final List<Analyzer> analyzerList = analyzers.get(phase);
+            for (Analyzer a : analyzerList) {
+                if (a.getSupportedExtensions() != null && a.supportsExtension(ext)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
+    /**
+     * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
+     *
+     * @throws NoDataException thrown if no data exists in the CPE Index
+     * @throws DatabaseException thrown if there is an exception opening the database
+     */
+    private void ensureDataExists() throws NoDataException, DatabaseException {
+        final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
+        final CveDB cve = new CveDB();
+
+        try {
+            cve.open();
+            cpe.open(cve);
+        } catch (IndexException ex) {
+            throw new NoDataException(ex.getMessage(), ex);
+        } catch (DatabaseException ex) {
+            throw new NoDataException(ex.getMessage(), ex);
+        } finally {
+            cve.close();
+        }
+        if (cpe.numDocs() <= 0) {
+            cpe.close();
+            throw new NoDataException("No documents exist");
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,15 +24,17 @@ import java.util.Set;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 
     /**
-     * Utility method to help in the creation of the extensions set. This constructs
-     * a new Set that can be used in a final static declaration.<br/><br/>
+     * Utility method to help in the creation of the extensions set. This
+     * constructs a new Set that can be used in a final static
+     * declaration.<br/><br/>
      *
-     * This implementation was copied from http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
      *
      * @param strings a list of strings to add to the set.
      * @return a Set of strings.
@@ -44,18 +46,23 @@ public abstract class AbstractAnalyzer implements Analyzer {
         return set;
     }
 
-
     /**
      * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void initialize() {
+    @Override
+    public void initialize() throws Exception {
         //do nothing
     }
 
     /**
      * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void close() {
+    @Override
+    public void close() throws Exception {
         //do nothing
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -0,0 +1,115 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.suppression.SuppressionParser;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Abstract base suppression analyzer that contains methods for parsing the
+ * suppression xml file.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return null;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this
+     * analyzer.
+     */
+    @Override
+    public boolean supportsExtension(String extension) {
+        return true;
+    }
+
+    //</editor-fold>
+    /**
+     * The initialize method loads the suppression XML file.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    @Override
+    public void initialize() throws Exception {
+        super.initialize();
+        loadSuppressionData();
+    }
+    /**
+     * The list of suppression rules
+     */
+    private List<SuppressionRule> rules;
+
+    /**
+     * Get the value of rules.
+     *
+     * @return the value of rules
+     */
+    public List<SuppressionRule> getRules() {
+        return rules;
+    }
+
+    /**
+     * Set the value of rules.
+     *
+     * @param rules new value of rules
+     */
+    public void setRules(List<SuppressionRule> rules) {
+        this.rules = rules;
+    }
+
+    /**
+     * Loads the suppression rules file.
+     *
+     * @throws SuppressionParseException thrown if the XML cannot be parsed.
+     */
+    private void loadSuppressionData() throws SuppressionParseException {
+        final File file = Settings.getFile(Settings.KEYS.SUPPRESSION_FILE);
+        if (file != null) {
+            final SuppressionParser parser = new SuppressionParser();
+            try {
+                rules = parser.parseSuppressionRules(file);
+            } catch (SuppressionParseException ex) {
+                final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
+                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
+                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                throw ex;
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An exception thrown when the analysis of a dependency fails.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class AnalysisException extends Exception {
 
@@ -56,7 +56,7 @@ public class AnalysisException extends Exception {
     }
 
     /**
-     * Creates a new DownloadFailedException.
+     * Creates a new AnalysisException.
      *
      * @param msg a message for the exception.
      * @param ex the cause of the failure.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An enumeration defining the phases of analysis.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public enum AnalysisPhase {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * An analyzer will collect information about the dependency in the form of
  * Evidence.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public interface Analyzer {
 
@@ -38,8 +38,8 @@ public interface Analyzer {
      * description or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies - this is useful
-     * if we need to check other dependencies
+     * @param engine the engine that is scanning the dependencies - this is
+     * useful if we need to check other dependencies
      * @throws AnalysisException is thrown if there is an error analyzing the
      * dependency file
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,7 @@ import java.util.ServiceLoader;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class AnalyzerService {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -0,0 +1,396 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.compress.archivers.ArchiveEntry;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
+import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipUtils;
+import org.h2.store.fs.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * <p>An analyzer that extracts files from archives and ensures any supported
+ * files contained within the archive are added to the dependency list.</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
+
+    /**
+     * The buffer size to use when extracting files from the archive.
+     */
+    private static final int BUFFER_SIZE = 4096;
+    /**
+     * The count of directories created during analysis. This is used for
+     * creating temporary directories.
+     */
+    private static int dirCount = 0;
+    /**
+     * The parent directory for the individual directories per archive.
+     */
+    private File tempFileLocation = null;
+    /**
+     * The max scan depth that the analyzer will recursively extract nested
+     * archives.
+     */
+    private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
+    /**
+     * Tracks the current scan/extraction depth for nested archives.
+     */
+    private int scanDepth = 0;
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Archive Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("zip", "ear", "war", "tar", "gz", "tgz");
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this
+     * analyzer.
+     */
+    public boolean supportsExtension(String extension) {
+        return EXTENSIONS.contains(extension);
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception is thrown if there is an exception deleting or creating
+     * temporary files
+     */
+    @Override
+    public void initialize() throws Exception {
+        final File baseDir = Settings.getTempDirectory();
+        if (!baseDir.exists()) {
+            if (!baseDir.mkdirs()) {
+                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
+                throw new AnalysisException(msg);
+            }
+        }
+        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
+        if (!tempFileLocation.delete()) {
+            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        if (!tempFileLocation.mkdirs()) {
+            final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+    }
+
+    /**
+     * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception deleting temporary
+     * files
+     */
+    @Override
+    public void close() throws Exception {
+        if (tempFileLocation != null && tempFileLocation.exists()) {
+            FileUtils.deleteRecursive(tempFileLocation.getAbsolutePath(), true);
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        final File f = new File(dependency.getActualFilePath());
+        final File tmpDir = getNextTempDirectory();
+        extractFiles(f, tmpDir, engine);
+
+        //make a copy
+        final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
+        engine.scan(tmpDir);
+        final List<Dependency> newDependencies = engine.getDependencies();
+        if (dependencies.size() != newDependencies.size()) {
+            //get the new dependencies
+            final Set<Dependency> dependencySet = new HashSet<Dependency>();
+            dependencySet.addAll(newDependencies);
+            dependencySet.removeAll(dependencies);
+
+            for (Dependency d : dependencySet) {
+                //fix the dependency's display name and path
+                final String displayPath = String.format("%s%s",
+                        dependency.getFilePath(),
+                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                final String displayName = String.format("%s%s%s",
+                        dependency.getFileName(),
+                        File.separator,
+                        d.getFileName());
+                d.setFilePath(displayPath);
+                d.setFileName(displayName);
+
+                //TODO - can we get more evidence from the parent? EAR contains module name, etc.
+
+                //analyze the dependency (i.e. extract files) if it is a supported type.
+                if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
+                    scanDepth += 1;
+                    analyze(d, engine);
+                    scanDepth -= 1;
+                }
+            }
+        }
+        Collections.sort(engine.getDependencies());
+    }
+
+    /**
+     * Retrieves the next temporary directory to extract an archive too.
+     *
+     * @return a directory
+     * @throws AnalysisException thrown if unable to create temporary directory
+     */
+    private File getNextTempDirectory() throws AnalysisException {
+        dirCount += 1;
+        final File directory = new File(tempFileLocation, String.valueOf(dirCount));
+        //getting an exception for some directories not being able to be created; might be because the directory already exists?
+        if (directory.exists()) {
+            return getNextTempDirectory();
+        }
+        if (!directory.mkdirs()) {
+            final String msg = String.format("Unable to create temp directory '%s'.", directory.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        return directory;
+    }
+
+    /**
+     * Extracts the contents of an archive into the specified directory.
+     *
+     * @param archive an archive file such as a WAR or EAR
+     * @param destination a directory to extract the contents to
+     * @param engine the scanning engine
+     * @throws AnalysisException thrown if the archive is not found
+     */
+    private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
+        if (archive == null || destination == null) {
+            return;
+        }
+
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(archive);
+        } catch (FileNotFoundException ex) {
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
+            throw new AnalysisException("Archive file was not found.", ex);
+        }
+        final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
+        try {
+            if ("zip".equals(archiveExt) || "war".equals(archiveExt) || "ear".equals(archiveExt)) {
+                extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("tar".equals(archiveExt)) {
+                extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
+                final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
+                final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
+                if (engine.supportsExtension(uncompressedExt)) {
+                    decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
+                }
+            }
+        } catch (ArchiveExtractionException ex) {
+            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+        } catch (IOException ex) {
+            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            try {
+                fis.close();
+            } catch (IOException ex) {
+                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            }
+        }
+    }
+
+    /**
+     * Extracts files from an archive.
+     *
+     * @param input the archive to extract files from
+     * @param destination the location to write the files too
+     * @param engine the dependency-check engine
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * extracting files from the archive
+     */
+    private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
+        ArchiveEntry entry;
+        try {
+            while ((entry = input.getNextEntry()) != null) {
+                if (entry.isDirectory()) {
+                    final File d = new File(destination, entry.getName());
+                    if (!d.exists()) {
+                        if (!d.mkdirs()) {
+                            final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
+                            throw new AnalysisException(msg);
+                        }
+                    }
+                } else {
+                    final File file = new File(destination, entry.getName());
+                    final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
+                    if (engine.supportsExtension(ext)) {
+                        BufferedOutputStream bos = null;
+                        FileOutputStream fos;
+                        try {
+                            fos = new FileOutputStream(file);
+                            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
+                            int count;
+                            final byte data[] = new byte[BUFFER_SIZE];
+                            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
+                                bos.write(data, 0, count);
+                            }
+                            bos.flush();
+                        } catch (FileNotFoundException ex) {
+                            Logger.getLogger(ArchiveAnalyzer.class
+                                    .getName()).log(Level.FINE, null, ex);
+                            final String msg = String.format("Unable to find file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
+                        } catch (IOException ex) {
+                            Logger.getLogger(ArchiveAnalyzer.class
+                                    .getName()).log(Level.FINE, null, ex);
+                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
+                        } finally {
+                            if (bos != null) {
+                                try {
+                                    bos.close();
+                                } catch (IOException ex) {
+                                    Logger.getLogger(ArchiveAnalyzer.class
+                                            .getName()).log(Level.FINEST, null, ex);
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            throw new ArchiveExtractionException(ex);
+        } catch (Throwable ex) {
+            throw new ArchiveExtractionException(ex);
+        } finally {
+            if (input != null) {
+                try {
+                    input.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Decompresses a file.
+     *
+     * @param inputStream the compressed file
+     * @param outputFile the location to write the decompressed file
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * decompressing the file
+     */
+    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
+        FileOutputStream out = null;
+        try {
+            out = new FileOutputStream(outputFile);
+            final byte[] buffer = new byte[BUFFER_SIZE];
+            int n = 0;
+            while (-1 != (n = inputStream.read(buffer))) {
+                out.write(buffer, 0, n);
+            }
+        } catch (FileNotFoundException ex) {
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } catch (IOException ex) {
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } finally {
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveExtractionException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An exception thrown when files in an archive cannot be extracted.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class ArchiveExtractionException extends Exception {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     */
+    public ArchiveExtractionException() {
+        super();
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param msg a message for the exception.
+     */
+    public ArchiveExtractionException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new ArchiveExtractionException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -0,0 +1,788 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.IOException;
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.StringTokenizer;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.document.Document;
+import org.apache.lucene.index.CorruptIndexException;
+import org.apache.lucene.queryparser.classic.ParseException;
+import org.apache.lucene.search.ScoreDoc;
+import org.apache.lucene.search.TopDocs;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.Evidence.Confidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
+import org.owasp.dependencycheck.data.cpe.Fields;
+import org.owasp.dependencycheck.data.cpe.IndexEntry;
+import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+
+/**
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts
+ * to discern if there is an associated CPE. It uses the evidence contained
+ * within the dependency to search the Lucene index.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class CPEAnalyzer implements Analyzer {
+
+    /**
+     * The maximum number of query results to return.
+     */
+    static final int MAX_QUERY_RESULTS = 25;
+    /**
+     * The weighting boost to give terms when constructing the Lucene query.
+     */
+    static final String WEIGHTING_BOOST = "^5";
+    /**
+     * A string representation of a regular expression defining characters
+     * utilized within the CPE Names.
+     */
+    static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
+    /**
+     * A string representation of a regular expression used to remove all but
+     * alpha characters.
+     */
+    static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
+    /**
+     * The additional size to add to a new StringBuilder to account for extra
+     * data that will be written into the string.
+     */
+    static final int STRING_BUILDER_BUFFER = 20;
+    /**
+     * The CPE in memory index.
+     */
+    private CpeMemoryIndex cpe;
+    /**
+     * The CVE Database.
+     */
+    private CveDB cve;
+
+    /**
+     * Opens the data source.
+     *
+     * @throws IOException when the Lucene directory to be queried does not
+     * exist or is corrupt.
+     * @throws DatabaseException when the database throws an exception. This
+     * usually occurs when the database is in use by another process.
+     */
+    public void open() throws IOException, DatabaseException {
+        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
+        cve = new CveDB();
+        cve.open();
+        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
+        cpe = CpeMemoryIndex.getInstance();
+        try {
+            cpe.open(cve);
+        } catch (IndexException ex) {
+            Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
+            throw new DatabaseException(ex);
+        }
+    }
+
+    /**
+     * Closes the data sources.
+     */
+    @Override
+    public void close() {
+        if (cpe != null) {
+            cpe.close();
+        }
+        if (cve != null) {
+            cve.close();
+        }
+    }
+
+    /**
+     * Searches the data store of CPE entries, trying to identify the CPE for
+     * the given dependency based on the evidence contained within. The
+     * dependency passed in is updated with any identified CPE values.
+     *
+     * @param dependency the dependency to search for CPE entries on.
+     * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
+     * @throws IOException is thrown when an IOException occurs.
+     * @throws ParseException is thrown when the Lucene query cannot be parsed.
+     */
+    protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
+        Confidence confidence = Confidence.HIGHEST;
+
+        String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
+        String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
+        /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+         * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+        addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+
+        int ctr = 0;
+        do {
+            if (!vendors.isEmpty() && !products.isEmpty()) {
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
+                        dependency.getVendorEvidence().getWeighting());
+
+                for (IndexEntry e : entries) {
+                    if (verifyEntry(e, dependency)) {
+                        final String vendor = e.getVendor();
+                        final String product = e.getProduct();
+                        determineIdentifiers(dependency, vendor, product);
+                    }
+                }
+            }
+            confidence = reduceConfidence(confidence);
+            if (dependency.getVendorEvidence().contains(confidence)) {
+                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+            }
+            if (dependency.getProductEvidence().contains(confidence)) {
+                products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+            }
+            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+            if (dependency.getVersionEvidence().contains(confidence)) {
+                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+            }
+        } while ((++ctr) < 4);
+    }
+
+    /**
+     * Returns the text created by concatenating the text and the values from
+     * the EvidenceCollection (filtered for a specific confidence). This
+     * attempts to prevent duplicate terms from being added.<br/<br/> Note, if
+     * the evidence is longer then 200 characters it will be truncated.
+     *
+     * @param text the base text.
+     * @param ec an EvidenceCollection
+     * @param confidenceFilter a Confidence level to filter the evidence by.
+     * @return the new evidence text
+     */
+    private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
+        final String txt = (text == null) ? "" : text;
+        final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
+        sb.append(' ').append(txt).append(' ');
+        for (Evidence e : ec.iterator(confidenceFilter)) {
+            String value = e.getValue();
+
+            //hack to get around the fact that lucene does a really good job of recognizing domains and not
+            // splitting them. TODO - put together a better lucene analyzer specific to the domain.
+            if (value.startsWith("http://")) {
+                value = value.substring(7).replaceAll("\\.", " ");
+            }
+            if (value.startsWith("https://")) {
+                value = value.substring(8).replaceAll("\\.", " ");
+            }
+            if (sb.indexOf(" " + value + " ") < 0) {
+                sb.append(value).append(' ');
+            }
+        }
+        return sb.toString().trim();
+    }
+
+    /**
+     * Reduces the given confidence by one level. This returns LOW if the
+     * confidence passed in is not HIGH.
+     *
+     * @param c the confidence to reduce.
+     * @return One less then the confidence passed in.
+     */
+    private Confidence reduceConfidence(final Confidence c) {
+        if (c == Confidence.HIGHEST) {
+            return Confidence.HIGH;
+        } else if (c == Confidence.HIGH) {
+            return Confidence.MEDIUM;
+        } else {
+            return Confidence.LOW;
+        }
+    }
+
+    /**
+     * <p>Searches the Lucene CPE index to identify possible CPE entries
+     * associated with the supplied vendor, product, and version.</p>
+     *
+     * <p>If either the vendorWeightings or productWeightings lists have been
+     * populated this data is used to add weighting factors to the search.</p>
+     *
+     * @param vendor the text used to search the vendor field
+     * @param product the text used to search the product field
+     * @param vendorWeightings a list of strings to use to add weighting factors
+     * to the vendor field
+     * @param productWeightings Adds a list of strings that will be used to add
+     * weighting factors to the product search
+     * @return a list of possible CPE values
+     * @throws CorruptIndexException when the Lucene index is corrupt
+     * @throws IOException when the Lucene index is not found
+     * @throws ParseException when the generated query is not valid
+     */
+    protected List<IndexEntry> searchCPE(String vendor, String product,
+            Set<String> vendorWeightings, Set<String> productWeightings)
+            throws CorruptIndexException, IOException, ParseException {
+        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+
+        final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
+        if (searchString == null) {
+            return ret;
+        }
+
+        final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
+        for (ScoreDoc d : docs.scoreDocs) {
+            if (d.score >= 0.08) {
+                final Document doc = cpe.getDocument(d.doc);
+                final IndexEntry entry = new IndexEntry();
+                entry.setVendor(doc.get(Fields.VENDOR));
+                entry.setProduct(doc.get(Fields.PRODUCT));
+//                if (d.score < 0.08) {
+//                    System.out.print(entry.getVendor());
+//                    System.out.print(":");
+//                    System.out.print(entry.getProduct());
+//                    System.out.print(":");
+//                    System.out.println(d.score);
+//                }
+                entry.setSearchScore(d.score);
+                if (!ret.contains(entry)) {
+                    ret.add(entry);
+                }
+            }
+        }
+        return ret;
+    }
+
+    /**
+     * <p>Builds a Lucene search string by properly escaping data and
+     * constructing a valid search query.</p>
+     *
+     * <p>If either the possibleVendor or possibleProducts lists have been
+     * populated this data is used to add weighting factors to the search string
+     * generated.</p>
+     *
+     * @param vendor text to search the vendor field
+     * @param product text to search the product field
+     * @param vendorWeighting a list of strings to apply to the vendor to boost
+     * the terms weight
+     * @param productWeightings a list of strings to apply to the product to
+     * boost the terms weight
+     * @return the Lucene query
+     */
+    protected String buildSearch(String vendor, String product,
+            Set<String> vendorWeighting, Set<String> productWeightings) {
+        final String v = vendor; //.replaceAll("[^\\w\\d]", " ");
+        final String p = product; //.replaceAll("[^\\w\\d]", " ");
+        final StringBuilder sb = new StringBuilder(v.length() + p.length()
+                + Fields.PRODUCT.length() + Fields.VENDOR.length() + STRING_BUILDER_BUFFER);
+
+        if (!appendWeightedSearch(sb, Fields.PRODUCT, p, productWeightings)) {
+            return null;
+        }
+        sb.append(" AND ");
+        if (!appendWeightedSearch(sb, Fields.VENDOR, v, vendorWeighting)) {
+            return null;
+        }
+        return sb.toString();
+    }
+
+    /**
+     * This method constructs a Lucene query for a given field. The searchText
+     * is split into separate words and if the word is within the list of
+     * weighted words then an additional weighting is applied to the term as it
+     * is appended into the query.
+     *
+     * @param sb a StringBuilder that the query text will be appended to.
+     * @param field the field within the Lucene index that the query is
+     * searching.
+     * @param searchText text used to construct the query.
+     * @param weightedText a list of terms that will be considered higher
+     * importance when searching.
+     * @return if the append was successful.
+     */
+    private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
+        sb.append(" ").append(field).append(":( ");
+
+        final String cleanText = cleanseText(searchText);
+
+        if ("".equals(cleanText)) {
+            return false;
+        }
+
+        if (weightedText == null || weightedText.isEmpty()) {
+            LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
+        } else {
+            final StringTokenizer tokens = new StringTokenizer(cleanText);
+            while (tokens.hasMoreElements()) {
+                final String word = tokens.nextToken();
+                String temp = null;
+                for (String weighted : weightedText) {
+                    final String weightedStr = cleanseText(weighted);
+                    if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
+                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        if (!word.equalsIgnoreCase(weightedStr)) {
+                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                        }
+                    }
+                }
+                if (temp == null) {
+                    temp = LuceneUtils.escapeLuceneQuery(word);
+                }
+                sb.append(" ").append(temp);
+            }
+        }
+        sb.append(" ) ");
+        return true;
+    }
+
+    /**
+     * Removes characters from the input text that are not used within the CPE
+     * index.
+     *
+     * @param text is the text to remove the characters from.
+     * @return the text having removed some characters.
+     */
+    private String cleanseText(String text) {
+        return text.replaceAll(CLEANSE_CHARACTER_RX, " ");
+    }
+
+    /**
+     * Compares two strings after lower casing them and removing the non-alpha
+     * characters.
+     *
+     * @param l string one to compare.
+     * @param r string two to compare.
+     * @return whether or not the two strings are similar.
+     */
+    private boolean equalsIgnoreCaseAndNonAlpha(String l, String r) {
+        if (l == null || r == null) {
+            return false;
+        }
+
+        final String left = l.replaceAll(CLEANSE_NONALPHA_RX, "");
+        final String right = r.replaceAll(CLEANSE_NONALPHA_RX, "");
+        return left.equalsIgnoreCase(right);
+    }
+
+    /**
+     * Ensures that the CPE Identified matches the dependency. This validates
+     * that the product, vendor, and version information for the CPE are
+     * contained within the dependencies evidence.
+     *
+     * @param entry a CPE entry.
+     * @param dependency the dependency that the CPE entries could be for.
+     * @return whether or not the entry is valid.
+     */
+    private boolean verifyEntry(final IndexEntry entry, final Dependency dependency) {
+        boolean isValid = false;
+
+        if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
+                && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) {
+            //&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion())
+            isValid = true;
+        }
+        return isValid;
+    }
+
+    /**
+     * Used to determine if the EvidenceCollection contains a specific string.
+     *
+     * @param ec an EvidenceCollection
+     * @param text the text to search for
+     * @return whether or not the EvidenceCollection contains the string
+     */
+    private boolean collectionContainsString(EvidenceCollection ec, String text) {
+
+        //<editor-fold defaultstate="collapsed" desc="This code fold contains an old version of the code, delete once more testing is done">
+        //        String[] splitText = text.split("[\\s_-]");
+        //
+        //        for (String search : splitText) {
+        //            //final String search = text.replaceAll("[\\s_-]", "").toLowerCase();
+        //            if (ec.containsUsedString(search)) {
+        //                return true;
+        //            }
+        //        }
+        //</editor-fold>
+
+        //TODO - likely need to change the split... not sure if this will work for CPE with special chars
+        if (text == null) {
+            return false;
+        }
+        final String[] words = text.split("[\\s_-]");
+        final List<String> list = new ArrayList<String>();
+        String tempWord = null;
+        for (String word : words) {
+            /*
+            single letter words should be concatenated with the next word.
+            so { "m", "core", "sample" } -> { "mcore", "sample" }
+            */
+            if (tempWord != null) {
+                list.add(tempWord + word);
+                tempWord = null;
+            } else if (word.length() <= 2) {
+                tempWord = word;
+            } else {
+                list.add(word);
+            }
+        }
+        if (tempWord != null && !list.isEmpty()) {
+            final String tmp = list.get(list.size() - 1) + tempWord;
+            list.add(tmp);
+        }
+        boolean contains = true;
+        for (String word : list) {
+            contains &= ec.containsUsedString(word);
+        }
+        return contains;
+    }
+
+    /**
+     * Analyzes a dependency and attempts to determine if there are any CPE
+     * identifiers for this dependency.
+     *
+     * @param dependency The Dependency to analyze.
+     * @param engine The analysis engine
+     * @throws AnalysisException is thrown if there is an issue analyzing the
+     * dependency.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        try {
+            determineCPE(dependency);
+        } catch (CorruptIndexException ex) {
+            throw new AnalysisException("CPE Index is corrupt.", ex);
+        } catch (IOException ex) {
+            throw new AnalysisException("Failure opening the CPE Index.", ex);
+        } catch (ParseException ex) {
+            throw new AnalysisException("Unable to parse the generated Lucene query for this dependency.", ex);
+        }
+    }
+
+    /**
+     * Returns true because this analyzer supports all dependency types.
+     *
+     * @return true.
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return null;
+    }
+
+    /**
+     * Returns the name of this analyzer.
+     *
+     * @return the name of this analyzer.
+     */
+    @Override
+    public String getName() {
+        return "CPE Analyzer";
+    }
+
+    /**
+     * Returns true because this analyzer supports all dependency types.
+     *
+     * @param extension the file extension of the dependency being analyzed.
+     * @return true.
+     */
+    @Override
+    public boolean supportsExtension(String extension) {
+        return true;
+    }
+
+    /**
+     * Returns the analysis phase that this analyzer should run in.
+     *
+     * @return the analysis phase that this analyzer should run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.IDENTIFIER_ANALYSIS;
+    }
+
+    /**
+     * Opens the CPE Lucene Index.
+     *
+     * @throws Exception is thrown if there is an issue opening the index.
+     */
+    @Override
+    public void initialize() throws Exception {
+        this.open();
+    }
+
+    /**
+     * Retrieves a list of CPE values from the CveDB based on the vendor and
+     * product passed in. The list is then validated to find only CPEs that are
+     * valid for the given dependency. It is possible that the CPE identified is
+     * a best effort "guess" based on the vendor, product, and version
+     * information.
+     *
+     * @param dependency the Dependency being analyzed
+     * @param vendor the vendor for the CPE being analyzed
+     * @param product the product for the CPE being analyzed
+     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
+     */
+    private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
+        DependencyVersion bestGuess = new DependencyVersion("-");
+        Confidence bestGuessConf = null;
+        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
+        for (Confidence conf : Confidence.values()) {
+            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
+                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
+                if (evVer == null) {
+                    continue;
+                }
+                for (VulnerableSoftware vs : cpes) {
+                    DependencyVersion dbVer;
+                    if (vs.getRevision() != null && !vs.getRevision().isEmpty()) {
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getRevision());
+                    } else {
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
+                    }
+                    if (dbVer == null //special case, no version specified - everything is vulnerable
+                            || evVer.equals(dbVer)) { //yeah! exact match
+                        final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
+                        collected.add(match);
+                    } else {
+                        //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
+                        if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
+                                && evVer.matchesAtLeastThreeLevels(dbVer)) {
+                            if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                                if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
+                                    bestGuess = dbVer;
+                                    bestGuessConf = conf;
+                                }
+                            }
+                        }
+                    }
+                }
+                if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                    if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
+                        bestGuess = evVer;
+                        bestGuessConf = conf;
+                    }
+                }
+            }
+        }
+        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
+        final String url = null; //String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(cpeName, "UTF-8"));
+        if (bestGuessConf == null) {
+            bestGuessConf = Confidence.LOW;
+        }
+        final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
+        collected.add(match);
+
+        Collections.sort(collected);
+        final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
+        final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
+        for (IdentifierMatch m : collected) {
+            if (bestIdentifierQuality.equals(m.getConfidence())
+                    && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
+                dependency.addIdentifier(m.getIdentifier());
+            }
+        }
+    }
+
+    /**
+     * The confidence whether the identifier is an exact match, or a best guess.
+     */
+    private enum IdentifierConfidence {
+
+        /**
+         * An exact match for the CPE.
+         */
+        EXACT_MATCH,
+        /**
+         * A best guess for the CPE.
+         */
+        BEST_GUESS
+    }
+
+    /**
+     * A simple object to hold an identifier and carry information about the
+     * confidence in the identifier.
+     */
+    private static class IdentifierMatch implements Comparable<IdentifierMatch> {
+
+        /**
+         * Constructs an IdentifierMatch.
+         *
+         * @param type the type of identifier (such as CPE)
+         * @param value the value of the identifier
+         * @param url the URL of the identifier
+         * @param identifierConfidence the confidence in the identifier: best
+         * guess or exact match
+         * @param evidenceConfidence the confidence of the evidence used to find
+         * the identifier
+         */
+        IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
+            this.identifier = new Identifier(type, value, url);
+            this.confidence = identifierConfidence;
+            this.evidenceConfidence = evidenceConfidence;
+        }
+        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
+        /**
+         * The confidence in the evidence used to identify this match.
+         */
+        private Confidence evidenceConfidence;
+
+        /**
+         * Get the value of evidenceConfidence
+         *
+         * @return the value of evidenceConfidence
+         */
+        public Confidence getEvidenceConfidence() {
+            return evidenceConfidence;
+        }
+
+        /**
+         * Set the value of evidenceConfidence
+         *
+         * @param evidenceConfidence new value of evidenceConfidence
+         */
+        public void setEvidenceConfidence(Confidence evidenceConfidence) {
+            this.evidenceConfidence = evidenceConfidence;
+        }
+        /**
+         * The confidence whether this is an exact match, or a best guess.
+         */
+        private IdentifierConfidence confidence;
+
+        /**
+         * Get the value of confidence.
+         *
+         * @return the value of confidence
+         */
+        public IdentifierConfidence getConfidence() {
+            return confidence;
+        }
+
+        /**
+         * Set the value of confidence.
+         *
+         * @param confidence new value of confidence
+         */
+        public void setConfidence(IdentifierConfidence confidence) {
+            this.confidence = confidence;
+        }
+        /**
+         * The CPE identifier.
+         */
+        private Identifier identifier;
+
+        /**
+         * Get the value of identifier.
+         *
+         * @return the value of identifier
+         */
+        public Identifier getIdentifier() {
+            return identifier;
+        }
+
+        /**
+         * Set the value of identifier.
+         *
+         * @param identifier new value of identifier
+         */
+        public void setIdentifier(Identifier identifier) {
+            this.identifier = identifier;
+        }
+        //</editor-fold>
+        //<editor-fold defaultstate="collapsed" desc="Standard implementations of toString, hashCode, and equals">
+
+        /**
+         * Standard toString() implementation.
+         *
+         * @return the string representation of the object
+         */
+        @Override
+        public String toString() {
+            return "IdentifierMatch{" + "evidenceConfidence=" + evidenceConfidence
+                    + ", confidence=" + confidence + ", identifier=" + identifier + '}';
+        }
+
+        /**
+         * Standard hashCode() implementation.
+         *
+         * @return the hashCode
+         */
+        @Override
+        public int hashCode() {
+            int hash = 5;
+            hash = 97 * hash + (this.evidenceConfidence != null ? this.evidenceConfidence.hashCode() : 0);
+            hash = 97 * hash + (this.confidence != null ? this.confidence.hashCode() : 0);
+            hash = 97 * hash + (this.identifier != null ? this.identifier.hashCode() : 0);
+            return hash;
+        }
+
+        /**
+         * Standard equals implementation.
+         *
+         * @param obj the object to compare
+         * @return true if the objects are equal, otherwise false
+         */
+        @Override
+        public boolean equals(Object obj) {
+            if (obj == null) {
+                return false;
+            }
+            if (getClass() != obj.getClass()) {
+                return false;
+            }
+            final IdentifierMatch other = (IdentifierMatch) obj;
+            if (this.evidenceConfidence != other.evidenceConfidence) {
+                return false;
+            }
+            if (this.confidence != other.confidence) {
+                return false;
+            }
+            if (this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier))) {
+                return false;
+            }
+            return true;
+        }
+        //</editor-fold>
+
+        /**
+         * Standard implementation of compareTo that compares identifier
+         * confidence, evidence confidence, and then the identifier.
+         *
+         * @param o the IdentifierMatch to compare to
+         * @return the natural ordering of IdentifierMatch
+         */
+        @Override
+        public int compareTo(IdentifierMatch o) {
+            int conf = this.confidence.compareTo(o.confidence);
+            if (conf == 0) {
+                conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
+                if (conf == 0) {
+                    conf = identifier.compareTo(o.identifier);
+                }
+            }
+            return conf;
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -0,0 +1,76 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+
+/**
+ * The suppression analyzer processes an externally defined XML document that
+ * complies with the suppressions.xsd schema. Any identified CPE entries within
+ * the dependencies that match will be removed.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Cpe Suppression Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    @Override
+    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+
+        if (getRules() == null || getRules().size() <= 0) {
+            return;
+        }
+
+        for (final SuppressionRule rule : getRules()) {
+            rule.process(dependency);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,12 +23,15 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
  * <p>This analyzer ensures dependencies that should be grouped together, to
@@ -39,10 +42,21 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
  * <p>Note, this grouping only works on dependencies with identified CVE
  * entries</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * A pattern for obtaining the first part of a filename.
+     */
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    /**
+     * a flag indicating if this analyzer has run. This analyzer only runs once.
+     */
+    private boolean analyzed = false;
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
      * The set of file extensions supported by this analyzer.
      */
@@ -55,10 +69,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
-    /**
-     * A pattern for obtaining the first part of a filename.
-     */
-    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -97,10 +107,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
-    /**
-     * a flag indicating if this analyzer has run. This analyzer only runs once.
-     */
-    private boolean analyzed = false;
+    //</editor-fold>
 
     /**
      * Analyzes a set of dependencies. If they have been found to have the same
@@ -112,6 +119,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
+    @Override
     public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
         if (!analyzed) {
             analyzed = true;
@@ -139,16 +147,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                 }
                                 dependenciesToRemove.add(nextDependency);
                             } else {
-                                if (isCore(nextDependency, dependency)) {
-                                    nextDependency.addRelatedDependency(dependency);
-                                    //move any "related dependencies" to the new "parent" dependency
-                                    final Iterator<Dependency> i = dependency.getRelatedDependencies().iterator();
-                                    while (i.hasNext()) {
-                                        nextDependency.addRelatedDependency(i.next());
-                                        i.remove();
-                                    }
-                                    dependenciesToRemove.add(dependency);
+                                nextDependency.addRelatedDependency(dependency);
+                                //move any "related dependencies" to the new "parent" dependency
+                                final Iterator<Dependency> i = dependency.getRelatedDependencies().iterator();
+                                while (i.hasNext()) {
+                                    nextDependency.addRelatedDependency(i.next());
+                                    i.remove();
                                 }
+                                dependenciesToRemove.add(dependency);
                             }
                         }
                     }
@@ -190,26 +196,47 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
 
     /**
      * Returns true if the file names (and version if it exists) of the two
-     * dependencies are sufficiently similiar.
+     * dependencies are sufficiently similar.
+     *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are equal
+     * @return true if the identifiers in the two supplied dependencies are
+     * equal
      */
     private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getFileName() == null
                 || dependency2 == null || dependency2.getFileName() == null) {
             return false;
         }
-        final String fileName1 = dependency1.getFileName();
-        final String fileName2 = dependency2.getFileName();
+        String fileName1 = dependency1.getFileName();
+        String fileName2 = dependency2.getFileName();
+
+        //update to deal with archive analyzer, the starting name maybe the same
+        // as this is incorrectly looking at the starting path
+        final File one = new File(fileName1);
+        final File two = new File(fileName2);
+        final String oneParent = one.getParent();
+        final String twoParent = two.getParent();
+        if (oneParent != null) {
+            if (oneParent.equals(twoParent)) {
+                fileName1 = one.getName();
+                fileName2 = two.getName();
+            } else {
+                return false;
+            }
+        } else if (twoParent != null) {
+            return false;
+        }
+
         //version check
-        final DependencyVersion version1 = DependencyVersionUtil.parseVersionFromFileName(fileName1);
-        final DependencyVersion version2 = DependencyVersionUtil.parseVersionFromFileName(fileName2);
+        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
+        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
         if (version1 != null && version2 != null) {
             if (!version1.equals(version2)) {
                 return false;
             }
         }
+
         //filename check
         final Matcher match1 = STARTING_TEXT_PATTERN.matcher(fileName1);
         final Matcher match2 = STARTING_TEXT_PATTERN.matcher(fileName2);
@@ -221,22 +248,31 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Returns true if the identifiers in the two supplied dependencies are equal.
+     * Returns true if the identifiers in the two supplied dependencies are
+     * equal.
+     *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are equal
+     * @return true if the identifiers in the two supplied dependencies are
+     * equal
      */
     private boolean identifiersMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getIdentifiers() == null
                 || dependency2 == null || dependency2.getIdentifiers() == null) {
             return false;
         }
-        return dependency1.getIdentifiers().size() > 0
+        final boolean matches = dependency1.getIdentifiers().size() > 0
                 && dependency2.getIdentifiers().equals(dependency1.getIdentifiers());
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
+            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+        }
+        return matches;
     }
 
     /**
      * Determines if the two dependencies have the same base path.
+     *
      * @param dependency1 a Dependency object
      * @param dependency2 a Dependency object
      * @return true if the base paths of the dependencies are identical
@@ -250,10 +286,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         final File rFile = new File(dependency2.getFilePath());
         String right = rFile.getParent();
         if (left == null) {
-            if (right == null) {
-                return true;
-            }
-            return false;
+            return right == null;
         }
         if (left.equalsIgnoreCase(right)) {
             return true;
@@ -269,9 +302,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
      *
-     * TODO - consider splitting on /\._-\s/ and checking if all of one side is fully contained in the other
-     *  With the exception of the word "core". This might work even on groups when we don't have a CVE.
-     *
      * @param left the dependency to test
      * @param right the dependency to test against
      * @return a boolean indicating whether or not the left dependency should be
@@ -280,18 +310,27 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     private boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
-
+        final boolean returnVal;
         if (rightName.contains("core") && !leftName.contains("core")) {
-            return false;
+            returnVal = false;
         } else if (!rightName.contains("core") && leftName.contains("core")) {
-            return true;
+            returnVal = true;
         } else {
-            //TODO should we be splitting the name on [-_(.\d)+] and seeing if the
-            //  parts are contained in the other side?
-            if (leftName.length() > rightName.length()) {
-                return false;
-            }
-            return true;
+            /*
+             * considered splitting the names up and comparing the components,
+             * but decided that the file name length should be sufficient as the
+             * "core" component, if this follows a normal naming protocol should
+             * be shorter:
+             * axis2-saaj-1.4.1.jar
+             * axis2-1.4.1.jar       <-----
+             * axis2-kernal-1.4.1.jar
+             */
+            returnVal = leftName.length() <= rightName.length();
         }
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
+            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+        }
+        return returnVal;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -0,0 +1,371 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ListIterator;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+
+/**
+ * This analyzer attempts to remove some well known false positives -
+ * specifically regarding the java runtime.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class FalsePositiveAnalyzer extends AbstractAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = null;
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "False Positive Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support
+     * @return whether or not the specified file extension is supported by this
+     * analyzer.
+     */
+    public boolean supportsExtension(String extension) {
+        return true;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    /**
+     * Analyzes the dependencies and removes bad/incorrect CPE associations
+     * based on various heuristics.
+     *
+     * @param dependency the dependency to analyze.
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        removeJreEntries(dependency);
+        removeBadMatches(dependency);
+        removeWrongVersionMatches(dependency);
+        removeSpuriousCPE(dependency);
+        addFalseNegativeCPEs(dependency);
+    }
+
+    /**
+     * <p>Intended to remove spurious CPE entries. By spurious we mean
+     * duplicate, less specific CPE entries.</p>
+     * <p>Example:</p>
+     * <code>
+     * cpe:/a:some-vendor:some-product
+     * cpe:/a:some-vendor:some-product:1.5
+     * cpe:/a:some-vendor:some-product:1.5.2
+     * </code>
+     * <p>Should be trimmed to:</p>
+     * <code>
+     * cpe:/a:some-vendor:some-product:1.5.2
+     * </code>
+     *
+     * @param dependency the dependency being analyzed
+     */
+    @SuppressWarnings("null")
+    private void removeSpuriousCPE(Dependency dependency) {
+        final List<Identifier> ids = new ArrayList<Identifier>();
+        ids.addAll(dependency.getIdentifiers());
+        Collections.sort(ids);
+        final ListIterator<Identifier> mainItr = ids.listIterator();
+        while (mainItr.hasNext()) {
+            final Identifier currentId = mainItr.next();
+            final VulnerableSoftware currentCpe = parseCpe(currentId.getType(), currentId.getValue());
+            if (currentCpe == null) {
+                continue;
+            }
+            final ListIterator<Identifier> subItr = ids.listIterator(mainItr.nextIndex());
+            while (subItr.hasNext()) {
+                final Identifier nextId = subItr.next();
+                final VulnerableSoftware nextCpe = parseCpe(nextId.getType(), nextId.getValue());
+                if (nextCpe == null) {
+                    continue;
+                }
+                //TODO fix the version problem below
+                if (currentCpe.getVendor().equals(nextCpe.getVendor())) {
+                    if (currentCpe.getProduct().equals(nextCpe.getProduct())) {
+                        // see if one is contained in the other.. remove the contained one from dependency.getIdentifier
+                        final String currentVersion = currentCpe.getVersion();
+                        final String nextVersion = nextCpe.getVersion();
+                        if (currentVersion == null && nextVersion == null) {
+                            //how did we get here?
+                            Logger.getLogger(FalsePositiveAnalyzer.class
+                                    .getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
+                        } else if (currentVersion == null && nextVersion != null) {
+                            dependency.getIdentifiers().remove(currentId);
+                        } else if (nextVersion == null && currentVersion != null) {
+                            dependency.getIdentifiers().remove(nextId);
+                        } else if (currentVersion.length() < nextVersion.length()) {
+                            if (nextVersion.startsWith(currentVersion) || "-".equals(currentVersion)) {
+                                dependency.getIdentifiers().remove(currentId);
+                            }
+                        } else {
+                            if (currentVersion.startsWith(nextVersion) || "-".equals(nextVersion)) {
+                                dependency.getIdentifiers().remove(nextId);
+                            }
+                        }
+                    }
+                }
+            }
+        }
+    }
+    /**
+     * Regex to identify core java libraries and a few other commonly
+     * misidentified ones.
+     */
+    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
+            + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+            + "jdk|jre|jsf|jsse)($|:.*)");
+    /**
+     * Regex to identify core java library files. This is currently incomplete.
+     */
+    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+
+    /**
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with
+     * rt.jar
+     *
+     * @param dependency the dependency to remove JRE CPEs from
+     */
+    private void removeJreEntries(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            final Matcher coreCPE = CORE_JAVA.matcher(i.getValue());
+            final Matcher coreFiles = CORE_FILES.matcher(dependency.getFileName());
+            if (coreCPE.matches() && !coreFiles.matches()) {
+                itr.remove();
+            }
+
+            //replacecd with the regex above.
+            //            if (("cpe:/a:sun:java".equals(i.getValue())
+            //                    || "cpe:/a:oracle:java".equals(i.getValue())
+            //                    || "cpe:/a:ibm:java".equals(i.getValue())
+            //                    || "cpe:/a:sun:j2se".equals(i.getValue())
+            //                    || "cpe:/a:oracle:j2se".equals(i.getValue())
+            //                    || i.getValue().startsWith("cpe:/a:sun:java:")
+            //                    || i.getValue().startsWith("cpe:/a:sun:j2se:")
+            //                    || i.getValue().startsWith("cpe:/a:sun:java:jre")
+            //                    || i.getValue().startsWith("cpe:/a:sun:java:jdk")
+            //                    || i.getValue().startsWith("cpe:/a:sun:java_se")
+            //                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
+            //                    || i.getValue().startsWith("cpe:/a:oracle:java:")
+            //                    || i.getValue().startsWith("cpe:/a:oracle:j2se:")
+            //                    || i.getValue().startsWith("cpe:/a:oracle:jre")
+            //                    || i.getValue().startsWith("cpe:/a:oracle:jdk")
+            //                    || i.getValue().startsWith("cpe:/a:ibm:java:"))
+            //                    && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
+            //                itr.remove();
+            //            }
+        }
+    }
+
+    /**
+     * Parses a CPE string into an IndexEntry.
+     *
+     * @param type the type of identifier
+     * @param value the cpe identifier to parse
+     * @return an VulnerableSoftware object constructed from the identifier
+     */
+    private VulnerableSoftware parseCpe(String type, String value) {
+        if (!"cpe".equals(type)) {
+            return null;
+        }
+        final VulnerableSoftware cpe = new VulnerableSoftware();
+        try {
+            cpe.parseName(value);
+        } catch (UnsupportedEncodingException ex) {
+            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            return null;
+        }
+        return cpe;
+    }
+
+    /**
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these
+     * are hard-coded patches for specific problems identified when testing this
+     * on a LARGE volume of jar files.
+     *
+     * @param dependency the dependency to analyze
+     */
+    private void removeBadMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+
+        /* TODO - can we utilize the pom's groupid and artifactId to filter??? most of
+         * these are due to low quality data.  Other idea would be to say any CPE
+         * found based on LOW confidence evidence should have a different CPE type? (this
+         * might be a better solution then just removing the URL for "best-guess" matches).
+         */
+
+        //Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
+        //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
+
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            //TODO move this startswith expression to a configuration file?
+            if ("cpe".equals(i.getType())) {
+                if ((i.getValue().matches(".*c\\+\\+.*")
+                        || i.getValue().startsWith("cpe:/a:jquery:jquery")
+                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
+                        || i.getValue().startsWith("cpe:/a:yahoo:yui")
+                        || i.getValue().startsWith("cpe:/a:file:file")
+                        || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
+                        || i.getValue().startsWith("cpe:/a:cvs:cvs")
+                        || i.getValue().startsWith("cpe:/a:ftp:ftp")
+                        || i.getValue().startsWith("cpe:/a:ssh:ssh"))
+                        && dependency.getFileName().toLowerCase().endsWith(".jar")) {
+                    itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:apache:maven")
+                        && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
+                    itr.remove();
+                }
+            }
+        }
+    }
+
+    /**
+     * Removes CPE matches for the wrong version of a dependency. Currently,
+     * this only covers Axis 1 & 2.
+     *
+     * @param dependency the dependency to analyze
+     */
+    private void removeWrongVersionMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+
+        final String fileName = dependency.getFileName();
+        if (fileName != null && fileName.contains("axis2")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        } else if (fileName != null && fileName.contains("axis")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        }
+    }
+
+    /**
+     * There are some known CPE entries, specifically regarding sun and oracle
+     * products due to the acquisition and changes in product names, that based
+     * on given evidence we can add the related CPE entries to ensure a complete
+     * list of CVE entries.
+     *
+     * @param dependency the dependency being analyzed
+     */
+    private void addFalseNegativeCPEs(Dependency dependency) {
+        final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+        while (itr.hasNext()) {
+            final Identifier i = itr.next();
+            if ("cpe".equals(i.getType()) && i.getValue() != null
+                    && (i.getValue().startsWith("cpe:/a:oracle:opensso:")
+                    || i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
+                    || i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
+                    || i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
+                final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
+                final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
+                try {
+                    dependency.addIdentifier("cpe",
+                            newCpe,
+                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe2,
+                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe3,
+                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
+                    dependency.addIdentifier("cpe",
+                            newCpe4,
+                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
+                } catch (UnsupportedEncodingException ex) {
+                    Logger.getLogger(FalsePositiveAnalyzer.class
+                            .getName()).log(Level.FINE, null, ex);
+                }
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -1,36 +1,40 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
 /**
  *
  * Takes a dependency and analyzes the filename and determines the hashes.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -81,6 +85,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * Collects information about the file name.
@@ -90,22 +95,38 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
+    @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
 
-        String fileName = dependency.getFileName();
+        //strip any path information that may get added by ArchiveAnalyzer, etc.
+        final File f = new File(dependency.getFileName());
+        String fileName = f.getName();
+
+        //remove file extension
         final int pos = fileName.lastIndexOf(".");
         if (pos > 0) {
             fileName = fileName.substring(0, pos);
         }
 
-        dependency.getProductEvidence().addEvidence("file", "name",
-                fileName, Evidence.Confidence.HIGH);
-
-        dependency.getVendorEvidence().addEvidence("file", "name",
-                fileName, Evidence.Confidence.HIGH);
-
-        if (fileName.matches(".*\\d.*")) {
+        //add version evidence
+        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
+        if (version != null) {
             dependency.getVersionEvidence().addEvidence("file", "name",
+                    version.toString(), Evidence.Confidence.HIGHEST);
+            dependency.getVersionEvidence().addEvidence("file", "name",
+                    fileName, Evidence.Confidence.MEDIUM);
+        }
+
+        //add as vendor and product evidence
+        if (fileName.contains("-")) {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Evidence.Confidence.HIGHEST);
+            dependency.getVendorEvidence().addEvidence("file", "name",
+                    fileName, Evidence.Confidence.HIGHEST);
+        } else {
+            dependency.getProductEvidence().addEvidence("file", "name",
+                    fileName, Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Evidence.Confidence.HIGH);
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -1,23 +1,25 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.util.ArrayList;
+import java.util.Iterator;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -25,10 +27,11 @@ import org.owasp.dependencycheck.dependency.Evidence;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -79,14 +82,18 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional information
-     * to help in identification of identifiers or vulnerabilities.
+     * The HintAnalyzer uses knowledge about a dependency to add additional
+     * information to help in identification of identifiers or vulnerabilities.
+     *
      * @param dependency The dependency being analyzed
      * @param engine The scanning engine
-     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
+     * @throws AnalysisException is thrown if there is an exception analyzing
+     * the dependency.
      */
+    @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         final Evidence springTest1 = new Evidence("Manifest",
                 "Implementation-Title",
@@ -106,16 +113,32 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
         Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
-            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "SpringSource", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
 
         evidence = dependency.getVendorEvidence().getEvidence();
         if (evidence.contains(springTest3)) {
-            dependency.getProductEvidence().addEvidence("a priori", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("a priori", "vendor", "vmware", Evidence.Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH);
         }
+        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
+        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        while (itr.hasNext()) {
+            final Evidence e = itr.next();
+            if ("sun".equalsIgnoreCase(e.getValue(false))) {
+                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "oracle", e.getConfidence());
+                newEntries.add(newEvidence);
+            } else if ("oracle".equalsIgnoreCase(e.getValue(false))) {
+                final Evidence newEvidence = new Evidence(e.getSource() + " (hint)", e.getName(), "sun", e.getConfidence());
+                newEntries.add(newEvidence);
+            }
+        }
+        for (Evidence e : newEntries) {
+            dependency.getVendorEvidence().addEvidence(e);
+        }
+
 
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,14 +28,11 @@ import java.util.regex.Pattern;
  * Used to load a JAR file and collect information that can be used to determine
  * the associated CPE.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
 
-    /**
-     * The system independent newline character.
-     */
-    private static final String NEWLINE = System.getProperty("line.separator");
+    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -86,6 +83,7 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
+    //</editor-fold>
 
     /**
      * Loads a specified JAR file and collects information from the manifest and
@@ -96,37 +94,29 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an error reading the JAR
      * file.
      */
+    @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");
 
     }
 
-    /**
-     * Adds license information to the given dependency.
-     *
-     * @param d the dependency
-     * @param license the license
-     */
-    private void addLicense(Dependency d, String license) {
-        if (d.getLicense() == null) {
-            d.setLicense(license);
-        } else if (!d.getLicense().contains(license)) {
-            d.setLicense(d.getLicense() + NEWLINE + license);
-        }
-    }
-
     /**
      * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void initialize() {
+    @Override
+    public void initialize() throws Exception {
         //do nothing
     }
 
     /**
      * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
      */
-    public void close() {
+    @Override
+    public void close() throws Exception {
         //do nothing
     }
-
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -0,0 +1,182 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Set;
+import java.util.logging.Logger;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.data.nexus.NexusSearch;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will attempt to locate a dependency on a Nexus service
+ * by SHA-1 digest of the dependency.
+ *
+ * There are two settings which govern this behavior:
+ *
+ * <ul>
+ *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
+ * determines whether this analyzer is even enabled. This can be overridden by
+ * setting the system property.</li>
+ *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
+ * the URL to a Nexus service to search by SHA-1. There is an expected <code>%s</code>
+ * in this where the SHA-1 will get entered.</li>
+ * </ul>
+ *
+ * @author colezlaw
+ */
+public class NexusAnalyzer extends AbstractAnalyzer {
+    /**
+     * The logger
+     */
+    private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer
+     */
+    private static final String ANALYZER_NAME = "Nexus Analyzer";
+
+    /**
+     * The phase in which the analyzer runs
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
+
+    /**
+     * Whether this is actually enabled. Will get set during initialization
+     */
+    private boolean enabled = false;
+
+    /**
+     * The Nexus Search to be set up for this analyzer.
+     */
+    private NexusSearch searcher;
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization.
+     */
+    public void initialize() throws Exception {
+        enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
+
+        final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+
+        if (enabled) {
+            try {
+                searcher = new NexusSearch(new URL(searchUrl));
+            } catch (MalformedURLException mue) {
+                // I know that initialize can throw an exception, but we'll
+                // just disable the analyzer if the URL isn't valid
+                LOGGER.warning(String.format("Property %s not a valid URL. Nexus searching disabled",
+                            searchUrl));
+            }
+        }
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which this analyzer runs
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Determines whether the incoming extension is supported.
+     *
+     * @param extension the extension to check for support
+     * @return whether the extension is supported
+     */
+    public boolean supportsExtension(String extension) {
+        return SUPPORTED_EXTENSIONS.contains(extension);
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        // Make a quick exit if this analyzer is disabled
+        if (!enabled) {
+            return;
+        }
+
+        try {
+            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
+            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
+                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(),
+                        Evidence.Confidence.HIGH);
+            }
+            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
+                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(),
+                        Evidence.Confidence.HIGH);
+            }
+            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
+                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(),
+                        Evidence.Confidence.HIGH);
+            }
+            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
+                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl());
+            }
+        } catch (IllegalArgumentException iae) {
+            dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
+        } catch (FileNotFoundException fnfe) {
+            dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
+        } catch (IOException ioe) {
+            dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
+        }
+    }
+}
+
+// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -1,41 +1,40 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.data.nvdcve;
+package org.owasp.dependencycheck.analyzer;
 
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.AnalysisException;
-import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.Identifier;
-import org.owasp.dependencycheck.analyzer.Analyzer;
-import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+
 /**
  * NvdCveAnalyzer is a utility class that takes a project dependency and
  * attempts to discern if there is an associated CVEs. It uses the the
  * identifiers found by other analyzers to lookup the CVE data.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class NvdCveAnalyzer implements Analyzer {
 
@@ -54,7 +53,8 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
+     * loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
@@ -106,11 +106,7 @@ public class NvdCveAnalyzer implements Analyzer {
                 try {
                     final String value = id.getValue();
                     final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
-                    for (Vulnerability v : vulns) {
-                        if (isValidMatch(dependency, v)) {
-                            dependency.addVulnerability(v);
-                        }
-                    }
+                    dependency.getVulnerabilities().addAll(vulns);
                 } catch (DatabaseException ex) {
                     throw new AnalysisException(ex);
                 }
@@ -163,52 +159,4 @@ public class NvdCveAnalyzer implements Analyzer {
     public void initialize() throws Exception {
         this.open();
     }
-
-    /**
-     * <p>Determines if this is a valid vulnerability match for the given dependency.
-     * Specifically, this is concerned with ensuring the version numbers are correct.</p>
-     * <p>Currently, this is focused on the issues with the versions for Struts 1 and Struts 2.
-     * In the future this will due better matching on more version numbers.</p>
-     * @param dependency the dependency
-     * @param v the vulnerability
-     * @return returns true if the vulnerability is for the given dependency
-     */
-    private boolean isValidMatch(final Dependency dependency, final Vulnerability v) {
-        //right now I only know of the issue with Struts1/2
-        // start with fixing this problem.
-
-        //TODO extend this solution to do better version matching for the vulnerable software.
-        boolean struts1 = false;
-        boolean struts2 = false;
-        for (Identifier i : dependency.getIdentifiers()) {
-            if (i.getValue().startsWith("cpe:/a:apache:struts:")) {
-                final char version = i.getValue().charAt(21);
-                if (version == '1') {
-                    struts1 = true;
-                }
-                if (version == '2') {
-                    struts2 = true;
-                }
-            }
-        }
-        if (!struts1 && !struts2) {
-            return true; //we are not looking at struts, so return true.
-        }
-        if (struts1 && struts2) {
-            return true; //there is a mismatch here, but we can't solve it here so we return valid.
-        }
-        if (struts1) {
-            boolean hasStruts1Vuln = false;
-            boolean hasStruts2PreviousVersion = false;
-            for (VulnerableSoftware vs : v.getVulnerableSoftware()) {
-                hasStruts2PreviousVersion |= vs.hasPreviousVersion() && vs.getName().charAt(21) == '2';
-                hasStruts1Vuln |= vs.getName().charAt(21) == '1';
-            }
-            if (!hasStruts1Vuln && hasStruts2PreviousVersion) {
-                return false;
-            }
-        }
-
-        return true;
-    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -0,0 +1,76 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+
+/**
+ * The suppression analyzer processes an externally defined XML document that
+ * complies with the suppressions.xsd schema. Any identified Vulnerability
+ * entries within the dependencies that match will be removed.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Vulnerability Suppression Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_FINDING_ANALYSIS;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+    //</editor-fold>
+
+    @Override
+    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
+
+        if (getRules() == null || getRules().size() <= 0) {
+            return;
+        }
+
+        for (final SuppressionRule rule : getRules()) {
+            rule.process(dependency);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectoryLockException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.concurrency;
+
+/**
+ * If thrown, indicates that a problem occurred when locking a directory.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DirectoryLockException extends Exception {
+
+    /**
+     * Default serial version UID.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Constructs a new Directory Lock Exception.
+     */
+    public DirectoryLockException() {
+        super();
+    }
+
+    /**
+     * Constructs a new Directory Lock Exception.
+     *
+     * @param msg the message describing the exception
+     */
+    public DirectoryLockException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Constructs a new Directory Lock Exception.
+     *
+     * @param ex the cause of the exception
+     */
+    public DirectoryLockException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Constructs a new Directory Lock Exception.
+     *
+     * @param msg the message describing the exception
+     * @param ex the cause of the exception
+     */
+    public DirectoryLockException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectorySpinLock.java

@@ -0,0 +1,267 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.concurrency;
+
+import java.io.Closeable;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.io.RandomAccessFile;
+import java.nio.channels.AsynchronousCloseException;
+import java.nio.channels.ClosedChannelException;
+import java.nio.channels.FileChannel;
+import java.nio.channels.FileLock;
+import java.nio.channels.FileLockInterruptionException;
+import java.nio.channels.NonWritableChannelException;
+import java.nio.channels.OverlappingFileLockException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+
+/**
+ * Implements a spin lock on a given directory. If the lock cannot be obtained,
+ * the process will "spin" waiting for an opportunity to obtain the lock
+ * requested.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
+
+    /**
+     * The name of the lock file.
+     */
+    public static final String LOCK_NAME = "data.lock";
+    /**
+     * The maximum wait period used when attempting to obtain a lock.
+     */
+    public static final int MAX_SPIN = 100;
+    /**
+     * The file channel used to perform the lock.
+     */
+    private FileChannel channel = null;
+    /**
+     * The file used to perform the lock.
+     */
+    private File lockFile = null;
+    /**
+     * The lock object.
+     */
+    private FileLock lock = null;
+    /**
+     * The maximum number of seconds that the spin lock will wait while trying
+     * to obtain a lock.
+     */
+    private long maxWait = MAX_SPIN;
+
+    /**
+     * Get the maximum wait time, in seconds, that the spin lock will wait while
+     * trying to obtain a lock.
+     *
+     * @return the number of seconds the spin lock will wait
+     */
+    public long getMaxWait() {
+        return maxWait / 2; //sleep is for 500, so / 2
+    }
+
+    /**
+     * Set the maximum wait time, in seconds, that the spin lock will wait while
+     * trying to obtain a lock.
+     *
+     * @param maxWait the number of seconds the spin lock will wait
+     */
+    public void setMaxWait(long maxWait) {
+        this.maxWait = maxWait * 2; //sleep is for 500, so * 2
+    }
+
+    /**
+     * Constructs a new spin lock on the given directory.
+     *
+     * @param directory the directory to monitor/lock
+     * @throws InvalidDirectoryException thrown if there is an issue with the
+     * directory provided
+     * @throws DirectoryLockException thrown there is an issue obtaining a
+     * handle to the lock file
+     */
+    public DirectorySpinLock(File directory) throws InvalidDirectoryException, DirectoryLockException {
+        checkDirectory(directory);
+        lockFile = new File(directory, LOCK_NAME);
+        RandomAccessFile file = null;
+        try {
+            file = new RandomAccessFile(lockFile, "rw");
+        } catch (FileNotFoundException ex) {
+            throw new DirectoryLockException("Lock file not found", ex);
+        }
+        channel = file.getChannel();
+    }
+
+    /**
+     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
+     * could not be obtained. This method may block for a few seconds if a lock
+     * cannot be obtained.
+     *
+     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * the lock
+     */
+    public void obtainSharedLock() throws DirectoryLockException {
+        obtainLock(true);
+    }
+
+    /**
+     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
+     * could not be obtained. This method may block for a few seconds if a lock
+     * cannot be obtained.
+     *
+     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * the lock
+     */
+    public void obtainExclusiveLock() throws DirectoryLockException {
+        obtainLock(false);
+    }
+
+    /**
+     * Attempts to obtain a lock; an exception is thrown if the lock could not
+     * be obtained. This method may block for a few seconds if a lock cannot be
+     * obtained.
+     *
+     * @param shared true if the lock is shared, otherwise false
+     * @param maxWait the maximum time to wait, in seconds, while trying to
+     * obtain the lock
+     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * the lock
+     */
+    protected void obtainLock(boolean shared, long maxWait) throws DirectoryLockException {
+        setMaxWait(maxWait);
+        obtainLock(shared);
+    }
+
+    /**
+     * Attempts to obtain a lock; an exception is thrown if the lock could not
+     * be obtained. This method may block for a few seconds if a lock cannot be
+     * obtained.
+     *
+     * @param shared true if the lock is shared, otherwise false
+     * @throws DirectoryLockException thrown if there is an exception obtaining
+     * the lock
+     */
+    protected void obtainLock(boolean shared) throws DirectoryLockException {
+        if (lock != null) {
+            release();
+        }
+        if (channel == null) {
+            throw new DirectoryLockException("Unable to create lock, no file channel exists");
+        }
+        int count = 0;
+        Exception lastException = null;
+        while (lock == null && count++ < maxWait) {
+            try {
+                lock = channel.lock(0, Long.MAX_VALUE, shared);
+            } catch (AsynchronousCloseException ex) {
+                lastException = ex;
+            } catch (ClosedChannelException ex) {
+                lastException = ex;
+            } catch (FileLockInterruptionException ex) {
+                lastException = ex;
+            } catch (OverlappingFileLockException ex) {
+                lastException = ex;
+            } catch (NonWritableChannelException ex) {
+                lastException = ex;
+            } catch (IOException ex) {
+                lastException = ex;
+            }
+            try {
+                Thread.sleep(500);
+            } catch (InterruptedException ex) {
+                Thread.currentThread().interrupt();
+            }
+        }
+        if (lock == null) {
+            if (lastException == null) {
+                throw new DirectoryLockException("Unable to obtain lock");
+            } else {
+                throw new DirectoryLockException("Unable to obtain lock", lastException);
+            }
+        }
+    }
+
+    /**
+     * Performs a few simple rudimentary checks on the specified directory.
+     * Specifically, does the file exist and is it a directory.
+     *
+     * @param directory the File object to inspect
+     * @throws InvalidDirectoryException thrown if the directory is null or is
+     * not a directory
+     */
+    private void checkDirectory(File directory) throws InvalidDirectoryException {
+        if (directory == null) {
+            throw new InvalidDirectoryException("Unable to obtain lock on a null File");
+        }
+        if (!directory.isDirectory()) {
+            final String msg = String.format("File, '%s', does not exist or is not a directory", directory.getAbsolutePath());
+            throw new InvalidDirectoryException(msg);
+        }
+    }
+
+    /**
+     * Releases any locks and closes the underlying channel.
+     *
+     * @throws IOException if an IO Exception occurs
+     */
+    @Override
+    public void close() throws IOException {
+        release();
+// TODO uncomment this once support for 1.6 is dropped.
+//        if (lock != null) {
+//            try {
+//                lock.close();
+//            } catch (IOException ex) {
+//                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to close file lock due to IO Exception", ex);
+//            }
+//        }
+        if (channel != null) {
+            try {
+                channel.close();
+            } catch (IOException ex) {
+                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to close the channel for the file lock", ex);
+            }
+        }
+        if (lockFile != null) {
+            if (lockFile.exists()) {
+                /* yes, this delete could fail which is totally fine. The other
+                 * thread holding the lock while delete it.
+                 */
+                lockFile.delete();
+            }
+        }
+    }
+
+    /**
+     * Releases the lock. Any exceptions that are thrown by the underlying lock
+     * during the release are ignored.
+     */
+    public void release() {
+        if (lock != null) {
+            try {
+                lock.release();
+            } catch (ClosedChannelException ex) {
+                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to release file lock", ex);
+            } catch (IOException ex) {
+                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to release file lock due to IO Exception", ex);
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/InvalidDirectoryException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.concurrency;
+
+/**
+ * If thrown, indicates that there is a problem with a directory.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class InvalidDirectoryException extends Exception {
+
+    /**
+     * Default serial version UID.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Constructs a new Invalid Directory Exception.
+     */
+    public InvalidDirectoryException() {
+        super();
+    }
+
+    /**
+     * Constructs a new Invalid Directory Exception.
+     *
+     * @param msg the message describing the exception
+     */
+    public InvalidDirectoryException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Constructs a new Invalid Directory Exception.
+     *
+     * @param ex the cause of the exception
+     */
+    public InvalidDirectoryException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Constructs a new Invalid Directory Exception.
+     *
+     * @param msg the message describing the exception
+     * @param ex the cause of the exception
+     */
+    public InvalidDirectoryException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/package-info.java

@@ -0,0 +1,11 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.concurrency</title>
+ * </head>
+ * <body>
+ * Contains classes used to create shared and exclusive locks on directories.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.concurrency;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -0,0 +1,328 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+import java.io.IOException;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.util.HashMap;
+import java.util.Map;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.analysis.Analyzer;
+import org.apache.lucene.analysis.core.KeywordAnalyzer;
+import org.apache.lucene.analysis.miscellaneous.PerFieldAnalyzerWrapper;
+import org.apache.lucene.document.Document;
+import org.apache.lucene.document.Field;
+import org.apache.lucene.document.TextField;
+import org.apache.lucene.index.CorruptIndexException;
+import org.apache.lucene.index.DirectoryReader;
+import org.apache.lucene.index.IndexReader;
+import org.apache.lucene.index.IndexWriter;
+import org.apache.lucene.index.IndexWriterConfig;
+import org.apache.lucene.queryparser.classic.ParseException;
+import org.apache.lucene.queryparser.classic.QueryParser;
+import org.apache.lucene.search.IndexSearcher;
+import org.apache.lucene.search.Query;
+import org.apache.lucene.search.TopDocs;
+import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.apache.lucene.store.RAMDirectory;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
+import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
+
+/**
+ * An in memory lucene index that contains the vendor/product combinations from
+ * the CPE (application) identifiers within the NVD CVE data.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class CpeMemoryIndex {
+
+    /**
+     * singleton instance.
+     */
+    private static CpeMemoryIndex instance = new CpeMemoryIndex();
+
+    /**
+     * private constructor for singleton.
+     */
+    private CpeMemoryIndex() {
+    }
+
+    /**
+     * Gets the singleton instance of the CpeMemoryIndex.
+     *
+     * @return the instance of the CpeMemoryIndex
+     */
+    public static CpeMemoryIndex getInstance() {
+        return instance;
+    }
+    /**
+     * The in memory Lucene index.
+     */
+    private RAMDirectory index;
+    /**
+     * The Lucene IndexReader.
+     */
+    private IndexReader indexReader;
+    /**
+     * The Lucene IndexSearcher.
+     */
+    private IndexSearcher indexSearcher;
+    /**
+     * The Lucene Analyzer used for Searching.
+     */
+    private Analyzer searchingAnalyzer;
+    /**
+     * The Lucene QueryParser used for Searching.
+     */
+    private QueryParser queryParser;
+    /**
+     * The search field analyzer for the product field.
+     */
+    private SearchFieldAnalyzer productSearchFieldAnalyzer;
+    /**
+     * The search field analyzer for the vendor field.
+     */
+    private SearchFieldAnalyzer vendorSearchFieldAnalyzer;
+
+    /**
+     * Creates and loads data into an in memory index.
+     *
+     * @param cve the data source to retrieve the cpe data
+     * @throws IndexException thrown if there is an error creating the index
+     */
+    public void open(CveDB cve) throws IndexException {
+        if (!openState) {
+            index = new RAMDirectory();
+            buildIndex(cve);
+            try {
+                indexReader = DirectoryReader.open(index);
+            } catch (IOException ex) {
+                throw new IndexException(ex);
+            }
+            indexSearcher = new IndexSearcher(indexReader);
+            searchingAnalyzer = createSearchingAnalyzer();
+            queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
+            openState = true;
+        }
+    }
+    /**
+     * A flag indicating whether or not the index is open.
+     */
+    private boolean openState = false;
+
+    /**
+     * returns whether or not the index is open.
+     *
+     * @return whether or not the index is open
+     */
+    public boolean isOpen() {
+        return openState;
+    }
+
+    /**
+     * Creates the indexing analyzer for the CPE Index.
+     *
+     * @return the CPE Analyzer.
+     */
+    @SuppressWarnings("unchecked")
+    private Analyzer createIndexingAnalyzer() {
+        final Map fieldAnalyzers = new HashMap();
+        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+    }
+
+    /**
+     * Creates an Analyzer for searching the CPE Index.
+     *
+     * @return the CPE Analyzer.
+     */
+    @SuppressWarnings("unchecked")
+    private Analyzer createSearchingAnalyzer() {
+        final Map fieldAnalyzers = new HashMap();
+        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
+        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
+        fieldAnalyzers.put(Fields.PRODUCT, productSearchFieldAnalyzer);
+        fieldAnalyzers.put(Fields.VENDOR, vendorSearchFieldAnalyzer);
+
+        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
+    }
+
+    /**
+     * Saves a CPE IndexEntry into the Lucene index.
+     *
+     * @param vendor the vendor to index
+     * @param product the product to index
+     * @param indexWriter the index writer to write the entry into
+     * @throws CorruptIndexException is thrown if the index is corrupt
+     * @throws IOException is thrown if an IOException occurs
+     */
+    public void saveEntry(String vendor, String product, IndexWriter indexWriter) throws CorruptIndexException, IOException {
+        final Document doc = new Document();
+        final Field v = new TextField(Fields.VENDOR, vendor, Field.Store.YES);
+        final Field p = new TextField(Fields.PRODUCT, product, Field.Store.YES);
+        doc.add(v);
+        doc.add(p);
+        indexWriter.addDocument(doc);
+    }
+
+    /**
+     * Closes the CPE Index.
+     */
+    public void close() {
+        if (searchingAnalyzer != null) {
+            searchingAnalyzer.close();
+            searchingAnalyzer = null;
+        }
+        if (indexReader != null) {
+            try {
+                indexReader.close();
+            } catch (IOException ex) {
+                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINEST, null, ex);
+            }
+            indexReader = null;
+        }
+        queryParser = null;
+        indexSearcher = null;
+        if (index != null) {
+            index.close();
+            index = null;
+        }
+        openState = false;
+    }
+
+    /**
+     * Builds the lucene index based off of the data within the CveDB.
+     *
+     * @param cve the data base containing the CPE data
+     * @throws IndexException thrown if there is an issue creating the index
+     */
+    private void buildIndex(CveDB cve) throws IndexException {
+        Analyzer analyzer = null;
+        IndexWriter indexWriter = null;
+        try {
+            analyzer = createIndexingAnalyzer();
+            final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
+            indexWriter = new IndexWriter(index, conf);
+            final ResultSet rs = cve.getVendorProductList();
+            if (rs == null) {
+                throw new IndexException("No data exists");
+            }
+            try {
+                while (rs.next()) {
+                    saveEntry(rs.getString(1), rs.getString(2), indexWriter);
+                }
+            } catch (SQLException ex) {
+                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
+                throw new IndexException("Error reading CPE data", ex);
+            }
+        } catch (CorruptIndexException ex) {
+            throw new IndexException("Unable to close an in-memory index", ex);
+        } catch (IOException ex) {
+            throw new IndexException("Unable to close an in-memory index", ex);
+        } finally {
+            if (indexWriter != null) {
+                try {
+                    try {
+                        indexWriter.commit();
+                    } finally {
+                        indexWriter.close(true);
+                    }
+                } catch (CorruptIndexException ex) {
+                    throw new IndexException("Unable to close an in-memory index", ex);
+                } catch (IOException ex) {
+                    throw new IndexException("Unable to close an in-memory index", ex);
+                }
+                if (analyzer != null) {
+                    analyzer.close();
+                }
+            }
+        }
+    }
+
+    /**
+     * Resets the searching analyzers
+     */
+    private void resetSearchingAnalyzer() {
+        if (productSearchFieldAnalyzer != null) {
+            productSearchFieldAnalyzer.clear();
+        }
+        if (vendorSearchFieldAnalyzer != null) {
+            vendorSearchFieldAnalyzer.clear();
+        }
+    }
+
+    /**
+     * Searches the index using the given search string.
+     *
+     * @param searchString the query text
+     * @param maxQueryResults the maximum number of documents to return
+     * @return the TopDocs found by the search
+     * @throws ParseException thrown when the searchString is invalid
+     * @throws IOException is thrown if there is an issue with the underlying
+     * Index
+     */
+    public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
+        if (searchString == null || searchString.trim().isEmpty()) {
+            throw new ParseException("Query is null or empty");
+        }
+        final Query query = queryParser.parse(searchString);
+        return indexSearcher.search(query, maxQueryResults);
+    }
+
+    /**
+     * Searches the index using the given query.
+     *
+     * @param query the query used to search the index
+     * @param maxQueryResults the max number of results to return
+     * @return the TopDocs found be the query
+     * @throws CorruptIndexException thrown if the Index is corrupt
+     * @throws IOException thrown if there is an IOException
+     */
+    public TopDocs search(Query query, int maxQueryResults) throws CorruptIndexException, IOException {
+        resetSearchingAnalyzer();
+        return indexSearcher.search(query, maxQueryResults);
+    }
+
+    /**
+     * Retrieves a document from the Index.
+     *
+     * @param documentId the id of the document to retrieve
+     * @return the Document
+     * @throws IOException thrown if there is an IOException
+     */
+    public Document getDocument(int documentId) throws IOException {
+        return indexSearcher.doc(documentId);
+    }
+
+    /**
+     * Returns the number of CPE entries stored in the index.
+     *
+     * @return the number of CPE entries stored in the index
+     */
+    public int numDocs() {
+        if (indexReader == null) {
+            return -1;
+        }
+        return indexReader.numDocs();
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,14 +22,14 @@ package org.owasp.dependencycheck.data.cpe;
  * Fields is a collection of field names used within the Lucene index for CPE
  * entries.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public abstract class Fields {
 
     /**
-     * The key for the name field.
+     * The key for the name document id.
      */
-    public static final String NAME = "name";
+    public static final String DOCUMENT_KEY = "id";
     /**
      * The key for the vendor field.
      */
@@ -41,6 +41,4 @@ public abstract class Fields {
     /**
      * The key for the version field.
      */
-    public static final String VERSION = "version";
-    //public static final String REVISION = "revision";
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -0,0 +1,189 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+import java.io.Serializable;
+import java.io.UnsupportedEncodingException;
+import java.net.URLDecoder;
+
+/**
+ * A CPE entry containing the name, vendor, product, and version.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class IndexEntry implements Serializable {
+
+    /**
+     * the serial version uid.
+     */
+    static final long serialVersionUID = 8011924485946326934L;
+    /**
+     * The vendor name.
+     */
+    private String vendor;
+    /**
+     * The documentId.
+     */
+    private String documentId;
+
+    /**
+     * Get the value of documentId.
+     *
+     * @return the value of documentId
+     */
+    public String getDocumentId() {
+        if (documentId == null && vendor != null && product != null) {
+            documentId = vendor + ":" + product;
+        }
+        return documentId;
+    }
+
+    /**
+     * Set the value of documentId.
+     *
+     * @param documentId new value of documentId
+     */
+    public void setDocumentId(String documentId) {
+        this.documentId = documentId;
+    }
+
+    /**
+     * Get the value of vendor.
+     *
+     * @return the value of vendor
+     */
+    public String getVendor() {
+        return vendor;
+    }
+
+    /**
+     * Set the value of vendor.
+     *
+     * @param vendor new value of vendor
+     */
+    public void setVendor(String vendor) {
+        this.vendor = vendor;
+    }
+    /**
+     * The product name.
+     */
+    private String product;
+
+    /**
+     * Get the value of product.
+     *
+     * @return the value of product
+     */
+    public String getProduct() {
+        return product;
+    }
+
+    /**
+     * Set the value of product.
+     *
+     * @param product new value of product
+     */
+    public void setProduct(String product) {
+        this.product = product;
+    }
+    /**
+     * The search score.
+     */
+    private float searchScore;
+
+    /**
+     * Get the value of searchScore.
+     *
+     * @return the value of searchScore
+     */
+    public float getSearchScore() {
+        return searchScore;
+    }
+
+    /**
+     * Set the value of searchScore.
+     *
+     * @param searchScore new value of searchScore
+     */
+    public void setSearchScore(float searchScore) {
+        this.searchScore = searchScore;
+    }
+
+    /**
+     * <p>Parses a name attribute value, from the cpe.xml, into its
+     * corresponding parts: vendor, product.</p>
+     * <p>Example:</p>
+     * <code>nbsp;nbsp;nbsp;cpe:/a:apache:struts:1.1:rc2</code>
+     *
+     * <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
+     * </ul>
+     * <p>If it is necessary to parse the CPE into more parts (i.e. to include
+     * version and revision) then you should use the
+     * {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
+     *
+     * @param cpeName the cpe name
+     * @throws UnsupportedEncodingException should never be thrown...
+     */
+    public void parseName(String cpeName) throws UnsupportedEncodingException {
+        if (cpeName != null && cpeName.length() > 7) {
+            final String[] data = cpeName.substring(7).split(":");
+            if (data.length >= 1) {
+                vendor = URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8");
+                if (data.length >= 2) {
+                    product = URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8");
+                }
+            }
+        }
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 97 * hash + (this.getDocumentId() != null ? this.getDocumentId().hashCode() : 0);
+        return hash;
+    }
+
+    @Override
+    public boolean equals(Object obj) {
+        if (obj == null) {
+            return false;
+        }
+        if (getClass() != obj.getClass()) {
+            return false;
+        }
+        final IndexEntry other = (IndexEntry) obj;
+        if ((this.vendor == null) ? (other.vendor != null) : !this.vendor.equals(other.vendor)) {
+            return false;
+        }
+        if ((this.product == null) ? (other.product != null) : !this.product.equals(other.product)) {
+            return false;
+        }
+        return true;
+    }
+
+    /**
+     * Standard implementation of toString showing vendor and product.
+     *
+     * @return the string representation of the object
+     */
+    @Override
+    public String toString() {
+        return "IndexEntry{" + "vendor=" + vendor + ", product=" + product + '}';
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.cpe;
+
+/**
+ * An exception thrown when the there is an issue using the in-memory CPE Index.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class IndexException extends Exception {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new IndexException.
+     */
+    public IndexException() {
+        super();
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param msg a message for the exception.
+     */
+    public IndexException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param ex the cause of the failure.
+     */
+    public IndexException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new IndexException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the failure.
+     */
+    public IndexException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,7 +27,7 @@ import java.util.logging.Logger;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class CweDB {
 
@@ -55,15 +55,17 @@ public final class CweDB {
             oin = new ObjectInputStream(input);
             return (HashMap<String, String>) oin.readObject();
         } catch (ClassNotFoundException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
+            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
         } catch (IOException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
+            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
         } finally {
             if (oin != null) {
                 try {
                     oin.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(CweDB.class.getName()).log(Level.SEVERE, null, ex);
+                    Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
                 }
             }
         }
@@ -72,6 +74,7 @@ public final class CweDB {
 
     /**
      * <p>Returns the full CWE name from the CWE ID.</p>
+     *
      * @param cweId the CWE ID
      * @return the full name of the CWE
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,7 +26,7 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the CWE XML.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class CweHandler extends DefaultHandler {
 
@@ -37,6 +37,7 @@ public class CweHandler extends DefaultHandler {
 
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
+     *
      * @return a HashMap of CWE entries <String, String>
      */
     public HashMap<String, String> getCwe() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -0,0 +1,85 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.util.LinkedList;
+import org.apache.lucene.analysis.TokenFilter;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+
+/**
+ * An abstract tokenizing filter that can be used as the base for a tokenizing
+ * filter.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractTokenizingFilter extends TokenFilter {
+
+    /**
+     * The char term attribute.
+     */
+    private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
+
+    /**
+     * Gets the CharTermAttribute.
+     *
+     * @return the CharTermAttribute
+     */
+    protected CharTermAttribute getTermAtt() {
+        return termAtt;
+    }
+    /**
+     * A collection of tokens to add to the stream.
+     */
+    private final LinkedList<String> tokens;
+
+    /**
+     * Gets the list of tokens.
+     *
+     * @return the list of tokens
+     */
+    protected LinkedList<String> getTokens() {
+        return tokens;
+    }
+
+    /**
+     * Constructs a new AbstractTokenizingFilter.
+     *
+     * @param stream the TokenStream that this filter will process
+     */
+    public AbstractTokenizingFilter(TokenStream stream) {
+        super(stream);
+        tokens = new LinkedList<String>();
+    }
+
+    /**
+     * Adds a term, if one exists, from the tokens collection.
+     *
+     * @return whether or not a new term was added
+     */
+    protected boolean addTerm() {
+        final boolean termAdded = tokens.size() > 0;
+        if (termAdded) {
+            final String term = tokens.pop();
+            clearAttributes();
+            termAtt.append(term);
+        }
+        return termAdded;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AlphaNumericTokenizer.java

@@ -0,0 +1,64 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.io.Reader;
+import org.apache.lucene.analysis.util.CharTokenizer;
+import org.apache.lucene.util.Version;
+
+/**
+ * Tokenizes the input breaking it into tokens when non-alpha/numeric characters
+ * are found.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class AlphaNumericTokenizer extends CharTokenizer {
+
+    /**
+     * Constructs a new AlphaNumericTokenizer.
+     *
+     * @param matchVersion the lucene version
+     * @param in the Reader
+     */
+    public AlphaNumericTokenizer(Version matchVersion, Reader in) {
+        super(matchVersion, in);
+    }
+
+    /**
+     * Constructs a new AlphaNumericTokenizer.
+     *
+     * @param matchVersion the lucene version
+     * @param factory the AttributeFactory
+     * @param in the Reader
+     */
+    public AlphaNumericTokenizer(Version matchVersion, AttributeFactory factory, Reader in) {
+        super(matchVersion, factory, in);
+    }
+
+    /**
+     * Determines if the char passed in is part of a token.
+     *
+     * @param c the char being analyzed
+     * @return true if the char is a letter or digit, otherwise false
+     */
+    @Override
+    protected boolean isTokenChar(int c) {
+        return Character.isLetter(c) || Character.isDigit(c);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,7 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
 
 /**
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class DependencySimilarity extends DefaultSimilarity {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,6 @@ import java.io.Reader;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.analysis.core.LowerCaseFilter;
 import org.apache.lucene.analysis.core.StopAnalyzer;
 import org.apache.lucene.analysis.core.StopFilter;
@@ -30,11 +29,11 @@ import org.apache.lucene.analysis.miscellaneous.WordDelimiterFilter;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter,
- * LowerCaseFilter, and StopFilter. The intended purpose of this Analyzer is
- * to index the CPE fields vendor and product.</p>
+ * <p>A Lucene Analyzer that utilizes the WhitespaceTokenizer,
+ * WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended purpose of
+ * this Analyzer is to index the CPE fields vendor and product.</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class FieldAnalyzer extends Analyzer {
 
@@ -61,7 +60,7 @@ public class FieldAnalyzer extends Analyzer {
      */
     @Override
     protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
+        final Tokenizer source = new AlphaNumericTokenizer(version, reader);
 
         TokenStream stream = source;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,31 +1,39 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import org.apache.lucene.util.Version;
+
 /**
  * <p>Lucene utils is a set of utilize written to make constructing Lucene
  * queries simpler.</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class LuceneUtils {
 
+    /**
+     * The current version of Lucene being used. Declaring this one place so an
+     * upgrade doesn't require hunting through the code base.
+     */
+    public static final Version CURRENT_VERSION = Version.LUCENE_45;
+
     /**
      * Private constructor as this is a utility class.
      */
@@ -41,8 +49,8 @@ public final class LuceneUtils {
      */
     @SuppressWarnings("fallthrough")
     @edu.umd.cs.findbugs.annotations.SuppressWarnings(
-    value = "SF_SWITCH_NO_DEFAULT",
-    justification = "The switch below does have a default.")
+            value = "SF_SWITCH_NO_DEFAULT",
+            justification = "The switch below does have a default.")
     public static void appendEscapedLuceneQuery(StringBuilder buf,
             final CharSequence text) {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,7 +22,6 @@ import java.io.Reader;
 import org.apache.lucene.analysis.Analyzer;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.analysis.core.LowerCaseFilter;
 import org.apache.lucene.analysis.core.StopAnalyzer;
 import org.apache.lucene.analysis.core.StopFilter;
@@ -32,7 +31,7 @@ import org.apache.lucene.util.Version;
 /**
  * A Lucene field analyzer used to analyzer queries against the CPE data.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class SearchFieldAnalyzer extends Analyzer {
 
@@ -41,8 +40,8 @@ public class SearchFieldAnalyzer extends Analyzer {
      */
     private final Version version;
     /**
-     * A local reference to the TokenPairConcatenatingFilter so that we
-     * can clear any left over state if this analyzer is re-used.
+     * A local reference to the TokenPairConcatenatingFilter so that we can
+     * clear any left over state if this analyzer is re-used.
      */
     private TokenPairConcatenatingFilter concatenatingFilter;
 
@@ -57,13 +56,14 @@ public class SearchFieldAnalyzer extends Analyzer {
 
     /**
      * Creates a the TokenStreamComponents used to analyze the stream.
+     *
      * @param fieldName the field that this lucene analyzer will process
      * @param reader a reader containing the tokens
      * @return the token stream filter chain
      */
     @Override
     protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
+        final Tokenizer source = new AlphaNumericTokenizer(version, reader);
 
         TokenStream stream = source;
 
@@ -76,6 +76,7 @@ public class SearchFieldAnalyzer extends Analyzer {
                 | WordDelimiterFilter.STEM_ENGLISH_POSSESSIVE, null);
 
         stream = new LowerCaseFilter(version, stream);
+        stream = new UrlTokenizingFilter(stream);
         concatenatingFilter = new TokenPairConcatenatingFilter(stream);
         stream = concatenatingFilter;
         stream = new StopFilter(version, stream, StopAnalyzer.ENGLISH_STOP_WORDS_SET);
@@ -84,11 +85,14 @@ public class SearchFieldAnalyzer extends Analyzer {
     }
 
     /**
-     * <p>Resets the analyzer and clears any internal state data that may
-     * have been left-over from previous uses of the analyzer.</p>
-     * <p><b>If this analyzer is re-used this method must be called between uses.</b></p>
+     * <p>Resets the analyzer and clears any internal state data that may have
+     * been left-over from previous uses of the analyzer.</p>
+     * <p><b>If this analyzer is re-used this method must be called between
+     * uses.</b></p>
      */
     public void clear() {
-        concatenatingFilter.clear();
+        if (concatenatingFilter != null) {
+            concatenatingFilter.clear();
+        }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,10 +27,13 @@ import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.util.Version;
 
 /**
- * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
+ * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version
+ * information.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
  */
+@Deprecated
 public class SearchVersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
     // use custom attributes for major, minor, x, x, x, rcx

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -23,7 +23,6 @@ import java.util.LinkedList;
 import org.apache.lucene.analysis.TokenFilter;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
-import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
 
 /**
  * <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
@@ -31,7 +30,7 @@ import org.apache.lucene.analysis.tokenattributes.PositionIncrementAttribute;
  * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
  * Framework FrameworkCore Core".</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class TokenPairConcatenatingFilter extends TokenFilter {
 
@@ -39,10 +38,6 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
      * The char term attribute.
      */
     private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
-    /**
-     * The position increment attribute.
-     */
-    private final PositionIncrementAttribute posIncAtt = addAttribute(PositionIncrementAttribute.class);
     /**
      * The previous word parsed.
      */
@@ -52,6 +47,24 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
      */
     private final LinkedList<String> words;
 
+    /**
+     * Returns the previous word. This is needed in the test cases.
+     *
+     * @return te previous word
+     */
+    protected String getPreviousWord() {
+        return previousWord;
+    }
+
+    /**
+     * Returns the words list. This is needed in the test cases.
+     *
+     * @return the words list
+     */
+    protected LinkedList<String> getWords() {
+        return words;
+    }
+
     /**
      * Constructs a new TokenPairConcatenatingFilter.
      *
@@ -85,7 +98,6 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
             final String word = words.getFirst();
             clearAttributes();
             termAtt.append(previousWord).append(word);
-            posIncAtt.setPositionIncrement(0);
             previousWord = null;
             return true;
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -0,0 +1,85 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.lucene;
+
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.LinkedList;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.lucene.analysis.TokenStream;
+import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
+
+/**
+ * <p>Takes a TokenStream and splits or adds tokens to correctly index version
+ * numbers.</p>
+ * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
+ * 3.0.0.RELEASE".</p>
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+
+    /**
+     * Constructs a new VersionTokenizingFilter.
+     *
+     * @param stream the TokenStream that this filter will process
+     */
+    public UrlTokenizingFilter(TokenStream stream) {
+        super(stream);
+    }
+
+    /**
+     * Increments the underlying TokenStream and sets CharTermAttributes to
+     * construct an expanded set of tokens by concatenating tokens with the
+     * previous token.
+     *
+     * @return whether or not we have hit the end of the TokenStream
+     * @throws IOException is thrown when an IOException occurs
+     */
+    @Override
+    public boolean incrementToken() throws IOException {
+        final LinkedList<String> tokens = getTokens();
+        final CharTermAttribute termAtt = getTermAtt();
+        if (tokens.size() == 0 && input.incrementToken()) {
+            final String text = new String(termAtt.buffer(), 0, termAtt.length());
+            if (UrlStringUtils.containsUrl(text)) {
+                final String[] parts = text.split("\\s");
+                for (String part : parts) {
+                    if (UrlStringUtils.isUrl(part)) {
+                        try {
+                            final List<String> data = UrlStringUtils.extractImportantUrlData(part);
+                            tokens.addAll(data);
+                        } catch (MalformedURLException ex) {
+                            Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.INFO, "error parsing " + part, ex);
+                            tokens.add(part);
+                        }
+                    } else {
+                        tokens.add(part);
+                    }
+                }
+            } else {
+                tokens.add(text);
+            }
+        }
+        return addTerm();
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,8 +29,10 @@ import org.apache.lucene.util.Version;
 /**
  * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
  */
+@Deprecated
 public class VersionAnalyzer extends Analyzer {
     //TODO consider implementing payloads/custom attributes...
     // use custom attributes for major, minor, x, x, x, rcx

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.data.lucene;
 
 import java.io.IOException;
 import java.util.LinkedList;
-import org.apache.lucene.analysis.TokenFilter;
 import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
@@ -30,18 +29,11 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
  * 3.0.0.RELEASE".</p>
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ * @deprecated version information is no longer stored in lucene
  */
-public final class VersionTokenizingFilter extends TokenFilter {
-
-    /**
-     * The char term attribute.
-     */
-    private final CharTermAttribute termAtt = addAttribute(CharTermAttribute.class);
-    /**
-     * A collection of tokens to add to the stream.
-     */
-    private final LinkedList<String> tokens;
+@Deprecated
+public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
 
     /**
      * Constructs a new VersionTokenizingFilter.
@@ -50,7 +42,6 @@ public final class VersionTokenizingFilter extends TokenFilter {
      */
     public VersionTokenizingFilter(TokenStream stream) {
         super(stream);
-        tokens = new LinkedList<String>();
     }
 
     /**
@@ -63,6 +54,8 @@ public final class VersionTokenizingFilter extends TokenFilter {
      */
     @Override
     public boolean incrementToken() throws IOException {
+        final LinkedList<String> tokens = getTokens();
+        final CharTermAttribute termAtt = getTermAtt();
         if (tokens.size() == 0 && input.incrementToken()) {
             final String version = new String(termAtt.buffer(), 0, termAtt.length());
             final String[] toAnalyze = version.split("[_-]");
@@ -75,21 +68,6 @@ public final class VersionTokenizingFilter extends TokenFilter {
         return addTerm();
     }
 
-    /**
-     * Adds a term, if one exists, from the tokens collection.
-     *
-     * @return whether or not a new term was added
-     */
-    private boolean addTerm() {
-        final boolean termAdded = tokens.size() > 0;
-        if (termAdded) {
-            final String version = tokens.pop();
-            clearAttributes();
-            termAtt.append(version);
-        }
-        return termAdded;
-    }
-
     /**
      * <p>Analyzes the version and adds several copies of the version as
      * different tokens. For example, the version 1.2.7 would create the tokens
@@ -104,6 +82,7 @@ public final class VersionTokenizingFilter extends TokenFilter {
     private void analyzeVersion(String version) {
         //todo should we also be splitting on dash or underscore? we would need
         //  to incorporate the dash or underscore back in...
+        final LinkedList<String> tokens = getTokens();
         final String[] versionParts = version.split("\\.");
         String dottedVersion = null;
         for (String current : versionParts) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -0,0 +1,154 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+/**
+ * Simple bean representing a Maven Artifact.
+ *
+ * @author colezlaw
+ */
+public class MavenArtifact {
+    /**
+     * The groupId
+     */
+    private String groupId;
+
+    /**
+     * The artifactId
+     */
+    private String artifactId;
+
+    /**
+     * The version
+     */
+    private String version;
+
+    /**
+     * The artifact url. This may change depending on which Nexus
+     * server the search took place.
+     */
+    private String artifactUrl;
+
+
+    /**
+     * Creates an empty MavenArtifact.
+     */
+    public MavenArtifact() {
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     */
+    public MavenArtifact(String groupId, String artifactId, String version) {
+        setGroupId(groupId);
+        setArtifactId(artifactId);
+        setVersion(version);
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     * @param url the artifactLink url
+     */
+    public MavenArtifact(String groupId, String artifactId, String version, String url) {
+        setGroupId(groupId);
+        setArtifactId(artifactId);
+        setVersion(version);
+        setArtifactUrl(url);
+    }
+
+    /**
+     * Returns the Artifact coordinates as a String.
+     *
+     * @return the String representation of the artifact coordinates
+     */
+    @Override
+    public String toString() {
+        return String.format("%s:%s:%s", groupId, artifactId, version);
+    }
+
+    /**
+     * Sets the groupId.
+     *
+     * @param groupId the groupId
+     */
+    public void setGroupId(String groupId) { this.groupId = groupId; }
+
+    /**
+     * Gets the groupId.
+     *
+     * @return the groupId
+     */
+    public String getGroupId() { return groupId; }
+
+    /**
+     * Sets the artifactId.
+     *
+     * @param artifactId the artifactId
+     */
+    public void setArtifactId(String artifactId) { this.artifactId = artifactId; }
+
+    /**
+     * Gets the artifactId.
+     *
+     * @return the artifactId
+     */
+    public String getArtifactId() { return artifactId; }
+
+    /**
+     * Sets the version.
+     *
+     * @param version the version
+     */
+    public void setVersion(String version) { this.version = version; }
+
+    /**
+     * Gets the version.
+     *
+     * @return the version
+     */
+    public String getVersion() { return version; }
+
+    /**
+     * Sets the artifactUrl.
+     *
+     * @param artifactUrl the artifactUrl
+     */
+    public void setArtifactUrl(String artifactUrl) {
+        this.artifactUrl = artifactUrl;
+    }
+
+    /**
+     * Gets the artifactUrl.
+     *
+     * @return the artifactUrl
+     */
+    public String getArtifactUrl() {
+        return artifactUrl;
+    }
+}
+
+// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -0,0 +1,105 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nexus;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.net.URLConnection;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathFactory;
+import org.w3c.dom.Document;
+
+/**
+ * Class of methods to search Nexus repositories.
+ *
+ * @author colezlaw
+ */
+public class NexusSearch {
+    /**
+     * The root URL for the Nexus repository service
+     */
+    private final URL rootURL;
+
+    /**
+     * Used for logging.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class.getName());
+
+    /**
+     * Creates a NexusSearch for the given repository URL.
+     *
+     * @param rootURL the root URL of the repository on which searches should execute.
+     *        full URL's are calculated relative to this URL, so it should end with a /
+     */
+    public NexusSearch(URL rootURL) {
+        this.rootURL = rootURL;
+    }
+
+    /**
+     * Searches the configured Nexus repository for the given sha1
+     * hash. If the artifact is found, a <code>MavenArtifact</code> is populated
+     * with the coordinate information.
+     *
+     * @param sha1 The SHA-1 hash string for which to search
+     * @return the populated Maven coordinates
+     * @throws IOException if it's unable to connect to the specified repositor or
+     *         if the specified artifact is not found.
+     */
+    public MavenArtifact searchSha1(String sha1) throws IOException {
+        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
+            throw new IllegalArgumentException("Invalid SHA1 format");
+        }
+
+        final URL url = new URL(rootURL, String.format("identify/sha1/%s", sha1.toLowerCase()));
+
+        LOGGER.fine(String.format("Searching Nexus url %s", url.toString()));
+
+        final URLConnection conn = url.openConnection();
+        conn.setDoOutput(true);
+
+        // JSON would be more elegant, but there's not currently a dependency
+        // on JSON, so don't want to add one just for this
+        conn.addRequestProperty("Accept", "application/xml");
+        conn.connect();
+
+        try {
+            final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            final Document doc = builder.parse(conn.getInputStream());
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+            final String groupId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/groupId", doc);
+            final String artifactId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", doc);
+            final String version = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/version", doc);
+            final String link = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", doc);
+            return new MavenArtifact(groupId, artifactId, version, link);
+        } catch (FileNotFoundException fnfe) {
+            // This is what we get when the SHA1 they sent doesn't exist in Nexus. This
+            // is useful upstream for recovery, so we just re-throw it
+            throw fnfe;
+        } catch (Exception e) {
+            // Anything else is jacked-up XML stuff that we really can't recover from well
+            throw new IOException(e.getMessage(), e);
+        }
+    }
+}
+
+// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.nexus</title>
+ * </head>
+ * <body>
+ * <p>Contains classes related to searching a Nexus repository.</p>
+ * <p>These are used to abstract Nexus searching away from
+ * OWASP Dependency Check so they can be reused elsewhere.</p>
+ * </body>
+ * </html>
+ */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -0,0 +1,238 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.sql.CallableStatement;
+import java.sql.Connection;
+import java.sql.DriverManager;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.utils.DBUtils;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Loads the configured database driver and returns the database connection. If the embedded H2 database is used
+ * obtaining a connection will ensure the database file exists and that the appropriate table structure has been
+ * created.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class ConnectionFactory {
+
+    /**
+     * The version of the current DB Schema.
+     */
+    public static final String DB_SCHEMA_VERSION = "2.8";
+    /**
+     * Resource location for SQL file used to create the database schema.
+     */
+    public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
+
+    /**
+     * Private constructor for this factory class; no instance is ever needed.
+     */
+    private ConnectionFactory() {
+    }
+
+    /**
+     * Constructs a new database connection object per the database configuration. This will load the appropriate
+     * database driver, via the DriverManager, if configured.
+     *
+     * @return a database connection object
+     * @throws DatabaseException thrown if there is an exception loading the database connection
+     */
+    public static Connection getConnection() throws DatabaseException {
+        Connection conn = null;
+        try {
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
+
+            final String connStr = getConnectionString();
+            final String user = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
+            //yes, yes - hard-coded password - only if there isn't one in the properties file.
+            final String pass = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connStr);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", user);
+            boolean createTables = false;
+            if (connStr.startsWith("jdbc:h2:file:")) { //H2
+                createTables = needToCreateDatabaseStructure();
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", createTables);
+            }
+            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
+            if (!driverName.isEmpty()) { //likely need to load the correct driver
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
+                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
+                if (!driverPath.isEmpty()) { //ugh, driver is not on classpath?
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
+                    DriverLoader.load(driverName, driverPath);
+                } else {
+                    DriverLoader.load(driverName);
+                }
+            }
+
+            //JDBC4 drivers don't need this call.
+            //Class.forName("org.h2.Driver");
+            conn = DriverManager.getConnection(connStr, user, pass);
+            if (createTables) {
+                createTables(conn);
+            } else {
+                ensureSchemaVersion(conn);
+            }
+        } catch (IOException ex) {
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to load database");
+        } catch (DriverLoadException ex) {
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to load database driver");
+        } catch (SQLException ex) {
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to connect to the database");
+        } catch (DatabaseException ex) {
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to create the database structure");
+        }
+        return conn;
+    }
+
+    /**
+     * Returns the configured connection string. If using the embedded H2 database this function will also ensure the
+     * data directory exists and if not create it.
+     *
+     * @return the connection string
+     * @throws IOException thrown the data directory cannot be created
+     */
+    private static String getConnectionString() throws IOException {
+        final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
+        if (connStr.contains("%s")) {
+            final String fileName = getDataDirectory().getCanonicalPath();
+            final File file = new File(fileName, "cve." + DB_SCHEMA_VERSION);
+            return String.format(connStr, file.getAbsolutePath());
+        }
+        return connStr;
+    }
+
+    /**
+     * Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
+     * for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
+     *
+     * @return the data directory to store data files
+     * @throws IOException is thrown if an IOException occurs of course...
+     */
+    public static File getDataDirectory() throws IOException {
+        final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
+        if (!path.exists()) {
+            if (!path.mkdirs()) {
+                throw new IOException("Unable to create NVD CVE Data directory");
+            }
+        }
+        return path;
+    }
+
+    /**
+     * Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
+     *
+     * @return true if the H2 database file does not exist; otherwise false
+     * @throws IOException thrown if the data directory does not exist and cannot be created
+     */
+    private static boolean needToCreateDatabaseStructure() throws IOException {
+        final File dir = getDataDirectory();
+        final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
+        final File file = new File(dir, name);
+        return !file.exists();
+    }
+
+    /**
+     * Creates the database structure (tables and indexes) to store the CVE data.
+     *
+     * @param conn the database connection
+     * @throws DatabaseException thrown if there is a Database Exception
+     */
+    private static void createTables(Connection conn) throws DatabaseException {
+        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Creating database structure");
+        InputStream is;
+        InputStreamReader reader;
+        BufferedReader in = null;
+        try {
+            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
+            reader = new InputStreamReader(is, "UTF-8");
+            in = new BufferedReader(reader);
+            final StringBuilder sb = new StringBuilder(2110);
+            String tmp;
+            while ((tmp = in.readLine()) != null) {
+                sb.append(tmp);
+            }
+            Statement statement = null;
+            try {
+                statement = conn.createStatement();
+                statement.execute(sb.toString());
+            } catch (SQLException ex) {
+                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+                throw new DatabaseException("Unable to create database statement", ex);
+            } finally {
+                DBUtils.closeStatement(statement);
+            }
+        } catch (IOException ex) {
+            throw new DatabaseException("Unable to create database schema", ex);
+        } finally {
+            if (in != null) {
+                try {
+                    in.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Uses the provided connection to check the specified schema version within the database.
+     *
+     * @param conn the database connection object
+     * @throws DatabaseException thrown if the schema version is not compatible with this version of dependency-check
+     */
+    private static void ensureSchemaVersion(Connection conn) throws DatabaseException {
+        ResultSet rs = null;
+        CallableStatement cs = null;
+        try {
+            cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
+            rs = cs.executeQuery();
+            if (rs.next()) {
+                final boolean isWrongSchema = !DB_SCHEMA_VERSION.equals(rs.getString(1));
+                if (isWrongSchema) {
+                    throw new DatabaseException("Incorrect database schema; unable to continue");
+                }
+            } else {
+                throw new DatabaseException("Database schema is missing");
+            }
+        } catch (SQLException ex) {
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException("Unable to check the database schema version");
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(cs);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -1,28 +1,28 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
 /**
- * An exception used to indicate the db4o database is corrupt.
- * This could be due to invalid data or a complete failure of the db.
+ * An exception used to indicate the db4o database is corrupt. This could be due
+ * to invalid data or a complete failure of the db.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 class CorruptDatabaseException extends DatabaseException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -0,0 +1,775 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.io.UnsupportedEncodingException;
+import java.sql.Connection;
+import java.sql.PreparedStatement;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Map.Entry;
+import java.util.Properties;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.data.cwe.CweDB;
+import org.owasp.dependencycheck.dependency.Reference;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.DBUtils;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+
+/**
+ * The database holding information about the NVD CVE data.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class CveDB {
+
+    /**
+     * Database connection
+     */
+    private Connection conn;
+
+    /**
+     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller
+     * by calling the close method.
+     *
+     * @throws DatabaseException thrown if there is an exception opening the database.
+     */
+    public CveDB() throws DatabaseException {
+        super();
+        try {
+            open();
+            databaseProperties = new DatabaseProperties(this);
+        } catch (DatabaseException ex) {
+            throw ex;
+        }
+    }
+
+    /**
+     * Returns the database connection.
+     *
+     * @return the database connection
+     */
+    protected Connection getConnection() {
+        return conn;
+    }
+
+    /**
+     * Opens the database connection. If the database does not exist, it will create a new one.
+     *
+     * @throws DatabaseException thrown if there is an error opening the database connection
+     */
+    public final void open() throws DatabaseException {
+        conn = ConnectionFactory.getConnection();
+    }
+
+    /**
+     * Closes the DB4O database. Close should be called on this object when it is done being used.
+     */
+    public void close() {
+        if (conn != null) {
+            try {
+                conn.close();
+            } catch (SQLException ex) {
+                final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
+                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+            }
+            conn = null;
+        }
+    }
+
+    /**
+     * Returns whether the database connection is open or closed.
+     *
+     * @return whether the database connection is open or closed
+     */
+    public boolean isOpen() {
+        return conn != null;
+    }
+
+    /**
+     * Commits all completed transactions.
+     *
+     * @throws SQLException thrown if a SQL Exception occurs
+     */
+    public void commit() throws SQLException {
+        if (conn != null) {
+            //temporary remove this as autocommit is on.
+            //conn.commit();
+        }
+    }
+
+    /**
+     * Cleans up the object and ensures that "close" has been called.
+     *
+     * @throws Throwable thrown if there is a problem
+     */
+    @Override
+    protected void finalize() throws Throwable {
+        close();
+        super.finalize();
+    }
+    /**
+     * Database properties object containing the 'properties' from the database table.
+     */
+    private DatabaseProperties databaseProperties;
+
+    /**
+     * Get the value of databaseProperties.
+     *
+     * @return the value of databaseProperties
+     */
+    public DatabaseProperties getDatabaseProperties() {
+        return databaseProperties;
+    }
+    //<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
+    /**
+     * SQL Statement to delete references by vulnerability ID.
+     */
+    private static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
+    /**
+     * SQL Statement to delete software by vulnerability ID.
+     */
+    private static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
+    /**
+     * SQL Statement to delete a vulnerability by CVE.
+     */
+    private static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE id = ?";
+    /**
+     * SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works
+     * well to keep the data file size down a bit.
+     */
+    private static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
+    /**
+     * SQL Statement to insert a new reference.
+     */
+    private static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
+    /**
+     * SQL Statement to insert a new software.
+     */
+    private static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpeEntryId, previousVersion) VALUES (?, ?, ?)";
+    /**
+     * SQL Statement to insert a new cpe.
+     */
+    private static final String INSERT_CPE = "INSERT INTO cpeEntry (cpe, vendor, product) VALUES (?, ?, ?)";
+    /**
+     * SQL Statement to get a CPEProductID.
+     */
+    private static final String SELECT_CPE_ID = "SELECT id FROM cpeEntry WHERE cpe = ?";
+    /**
+     * SQL Statement to insert a new vulnerability.
+     */
+    private static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cve, description, cwe, cvssScore, cvssAccessVector, "
+            + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
+            + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
+    /**
+     * SQL Statement to update a vulnerability.
+     */
+    private static final String UPDATE_VULNERABILITY = "UPDATE vulnerability SET description=?, cwe=?, cvssScore=?, cvssAccessVector=?, "
+            + "cvssAccessComplexity=?, cvssAuthentication=?, cvssConfidentialityImpact=?, cvssIntegrityImpact=?, cvssAvailabilityImpact=? "
+            + "WHERE id=?";
+    /**
+     * SQL Statement to find CVE entries based on CPE data.
+     */
+    private static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion "
+            + "FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId "
+            + "INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId "
+            + "WHERE vendor = ? AND product = ?";
+    //unfortunately, the version info is too complicated to do in a select. Need to filter this afterwards
+    //        + " AND (version = '-' OR previousVersion IS NOT NULL OR version=?)";
+    //
+    /**
+     * SQL Statement to find the CPE entry based on the vendor and product.
+     */
+    private static final String SELECT_CPE_ENTRIES = "SELECT cpe FROM cpeEntry WHERE vendor = ? AND product = ?";
+    /**
+     * SQL Statement to select references by CVEID.
+     */
+    private static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
+    /**
+     * SQL Statement to select vendor and product for lucene index.
+     */
+    private static final String SELECT_VENDOR_PRODUCT_LIST = "SELECT vendor, product FROM cpeEntry GROUP BY vendor, product";
+    /**
+     * SQL Statement to select software by CVEID.
+     */
+    private static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion "
+            + "FROM software INNER JOIN cpeEntry ON software.cpeEntryId = cpeEntry.id WHERE cveid = ?";
+//    public static final String SELECT_SOFTWARE = "SELECT part, vendor, product, version, revision, previousVersion "
+//            + "FROM software INNER JOIN cpeProduct ON cpeProduct.id = software.cpeProductId LEFT JOIN cpeVersion ON "
+//            + "software.cpeVersionId = cpeVersion.id LEFT JOIN Version ON cpeVersion.versionId = version.id WHERE cveid = ?";
+    /**
+     * SQL Statement to select a vulnerability by CVEID.
+     */
+    private static final String SELECT_VULNERABILITY = "SELECT id, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
+            + "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cve = ?";
+    /**
+     * SQL Statement to select a vulnerability's primary key.
+     */
+    private static final String SELECT_VULNERABILITY_ID = "SELECT id FROM vulnerability WHERE cve = ?";
+    /**
+     * SQL Statement to retrieve the properties from the database.
+     */
+    private static final String SELECT_PROPERTIES = "SELECT id, value FROM properties";
+    /**
+     * SQL Statement to retrieve a property from the database.
+     */
+    private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
+    /**
+     * SQL Statement to insert a new property.
+     */
+    private static final String INSERT_PROPERTY = "INSERT INTO properties (id, value) VALUES (?, ?)";
+    /**
+     * SQL Statement to update a property.
+     */
+    private static final String UPDATE_PROPERTY = "UPDATE properties SET value = ? WHERE id = ?";
+    /**
+     * SQL Statement to delete a property.
+     */
+    private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";
+
+    //</editor-fold>
+    /**
+     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
+     * The returned list will include all versions of the product that are registered in the NVD CVE data.
+     *
+     * @param vendor the identified vendor name of the dependency being analyzed
+     * @param product the identified name of the product of the dependency being analyzed
+     * @return a set of vulnerable software
+     */
+    public Set<VulnerableSoftware> getCPEs(String vendor, String product) {
+        final Set<VulnerableSoftware> cpe = new HashSet<VulnerableSoftware>();
+        ResultSet rs = null;
+        PreparedStatement ps = null;
+        try {
+            ps = getConnection().prepareStatement(SELECT_CPE_ENTRIES);
+            ps.setString(1, vendor);
+            ps.setString(2, product);
+            rs = ps.executeQuery();
+
+            while (rs.next()) {
+                final VulnerableSoftware vs = new VulnerableSoftware();
+                vs.setCpe(rs.getString(1));
+                cpe.add(vs);
+            }
+        } catch (SQLException ex) {
+            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
+            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(ps);
+        }
+        return cpe;
+    }
+
+    /**
+     * Returns the entire list of vendor/product combinations.
+     *
+     * @return the entire list of vendor/product combinations.
+     */
+    public ResultSet getVendorProductList() {
+        ResultSet rs = null;
+        try {
+            final PreparedStatement ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
+            rs = ps.executeQuery();
+        } catch (SQLException ex) {
+            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
+            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+        } // can't close the statement in the PS as the resultset is returned, closing PS would close the resultset
+        return rs;
+    }
+
+    /**
+     * Returns a set of properties.
+     *
+     * @return the properties from the database
+     */
+    Properties getProperties() {
+        final Properties prop = new Properties();
+        PreparedStatement ps = null;
+        ResultSet rs = null;
+        try {
+            ps = getConnection().prepareStatement(SELECT_PROPERTIES);
+            rs = ps.executeQuery();
+            while (rs.next()) {
+                prop.setProperty(rs.getString(1), rs.getString(2));
+            }
+        } catch (SQLException ex) {
+            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
+            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            DBUtils.closeStatement(ps);
+            DBUtils.closeResultSet(rs);
+        }
+        return prop;
+    }
+
+    /**
+     * Saves a set of properties to the database.
+     *
+     * @param props a collection of properties
+     */
+    void saveProperties(Properties props) {
+        PreparedStatement updateProperty = null;
+        PreparedStatement insertProperty = null;
+        try {
+            try {
+                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
+                insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
+            } catch (SQLException ex) {
+                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                return;
+            }
+            for (Entry<Object, Object> entry : props.entrySet()) {
+                final String key = entry.getKey().toString();
+                final String value = entry.getValue().toString();
+                try {
+                    updateProperty.setString(1, value);
+                    updateProperty.setString(2, key);
+                    if (updateProperty.executeUpdate() == 0) {
+                        insertProperty.setString(1, key);
+                        insertProperty.setString(2, value);
+                    }
+                } catch (SQLException ex) {
+                    final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+                }
+            }
+        } finally {
+            DBUtils.closeStatement(updateProperty);
+            DBUtils.closeStatement(insertProperty);
+        }
+    }
+
+    /**
+     * Saves a property to the database.
+     *
+     * @param key the property key
+     * @param value the property value
+     */
+    void saveProperty(String key, String value) {
+        PreparedStatement updateProperty = null;
+        PreparedStatement insertProperty = null;
+        try {
+            try {
+                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
+            } catch (SQLException ex) {
+                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                return;
+            }
+            try {
+                updateProperty.setString(1, value);
+                updateProperty.setString(2, key);
+                if (updateProperty.executeUpdate() == 0) {
+                    try {
+                        insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
+                    } catch (SQLException ex) {
+                        Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
+                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                        return;
+                    }
+                    insertProperty.setString(1, key);
+                    insertProperty.setString(2, value);
+                    insertProperty.execute();
+                }
+            } catch (SQLException ex) {
+                final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
+                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            }
+        } finally {
+            DBUtils.closeStatement(updateProperty);
+            DBUtils.closeStatement(insertProperty);
+        }
+    }
+
+    /**
+     * Retrieves the vulnerabilities associated with the specified CPE.
+     *
+     * @param cpeStr the CPE name
+     * @return a list of Vulnerabilities
+     * @throws DatabaseException thrown if there is an exception retrieving data
+     */
+    public List<Vulnerability> getVulnerabilities(String cpeStr) throws DatabaseException {
+        ResultSet rs = null;
+        final VulnerableSoftware cpe = new VulnerableSoftware();
+        try {
+            cpe.parseName(cpeStr);
+        } catch (UnsupportedEncodingException ex) {
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+        }
+        final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
+        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
+
+        PreparedStatement ps;
+        final HashSet<String> cveEntries = new HashSet<String>();
+        try {
+            ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
+            ps.setString(1, cpe.getVendor());
+            ps.setString(2, cpe.getProduct());
+            rs = ps.executeQuery();
+            while (rs.next()) {
+                final String cveId = rs.getString(1);
+                final String cpeId = rs.getString(2);
+                final String previous = rs.getString(3);
+                if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
+                    cveEntries.add(cveId);
+                }
+            }
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(ps);
+            for (String cve : cveEntries) {
+                final Vulnerability v = getVulnerability(cve);
+                vulnerabilities.add(v);
+            }
+
+        } catch (SQLException ex) {
+            throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
+        } finally {
+            DBUtils.closeResultSet(rs);
+        }
+        return vulnerabilities;
+    }
+
+    /**
+     * Gets a vulnerability for the provided CVE.
+     *
+     * @param cve the CVE to lookup
+     * @return a vulnerability object
+     * @throws DatabaseException if an exception occurs
+     */
+    private Vulnerability getVulnerability(String cve) throws DatabaseException {
+        PreparedStatement psV = null;
+        PreparedStatement psR = null;
+        PreparedStatement psS = null;
+        ResultSet rsV = null;
+        ResultSet rsR = null;
+        ResultSet rsS = null;
+        Vulnerability vuln = null;
+        try {
+            psV = getConnection().prepareStatement(SELECT_VULNERABILITY);
+            psV.setString(1, cve);
+            rsV = psV.executeQuery();
+            if (rsV.next()) {
+                vuln = new Vulnerability();
+                vuln.setName(cve);
+                vuln.setDescription(rsV.getString(2));
+                String cwe = rsV.getString(3);
+                if (cwe != null) {
+                    final String name = CweDB.getCweName(cwe);
+                    if (name != null) {
+                        cwe += " " + name;
+                    }
+                }
+                final int cveId = rsV.getInt(1);
+                vuln.setCwe(cwe);
+                vuln.setCvssScore(rsV.getFloat(4));
+                vuln.setCvssAccessVector(rsV.getString(5));
+                vuln.setCvssAccessComplexity(rsV.getString(6));
+                vuln.setCvssAuthentication(rsV.getString(7));
+                vuln.setCvssConfidentialityImpact(rsV.getString(8));
+                vuln.setCvssIntegrityImpact(rsV.getString(9));
+                vuln.setCvssAvailabilityImpact(rsV.getString(10));
+
+                psR = getConnection().prepareStatement(SELECT_REFERENCE);
+                psR.setInt(1, cveId);
+                rsR = psR.executeQuery();
+                while (rsR.next()) {
+                    vuln.addReference(rsR.getString(1), rsR.getString(2), rsR.getString(3));
+                }
+                psS = getConnection().prepareStatement(SELECT_SOFTWARE);
+                psS.setInt(1, cveId);
+                rsS = psS.executeQuery();
+                while (rsS.next()) {
+                    final String cpe = rsS.getString(1);
+                    final String prevVersion = rsS.getString(2);
+                    if (prevVersion == null) {
+                        vuln.addVulnerableSoftware(cpe);
+                    } else {
+                        vuln.addVulnerableSoftware(cpe, prevVersion);
+                    }
+                }
+            }
+        } catch (SQLException ex) {
+            throw new DatabaseException("Error retrieving " + cve, ex);
+        } finally {
+            DBUtils.closeResultSet(rsV);
+            DBUtils.closeResultSet(rsR);
+            DBUtils.closeResultSet(rsS);
+            DBUtils.closeStatement(psV);
+            DBUtils.closeStatement(psR);
+            DBUtils.closeStatement(psS);
+        }
+        return vuln;
+    }
+
+    /**
+     * Updates the vulnerability within the database. If the vulnerability does not exist it will be added.
+     *
+     * @param vuln the vulnerability to add to the database
+     * @throws DatabaseException is thrown if the database
+     */
+    public void updateVulnerability(Vulnerability vuln) throws DatabaseException {
+        PreparedStatement selectVulnerabilityId = null;
+        PreparedStatement deleteVulnerability = null;
+        PreparedStatement deleteReferences = null;
+        PreparedStatement deleteSoftware = null;
+        PreparedStatement updateVulnerability = null;
+        PreparedStatement insertVulnerability = null;
+        PreparedStatement insertReference = null;
+        PreparedStatement selectCpeId = null;
+        PreparedStatement insertCpe = null;
+        PreparedStatement insertSoftware = null;
+
+        try {
+            selectVulnerabilityId = getConnection().prepareStatement(SELECT_VULNERABILITY_ID);
+            deleteVulnerability = getConnection().prepareStatement(DELETE_VULNERABILITY);
+            deleteReferences = getConnection().prepareStatement(DELETE_REFERENCE);
+            deleteSoftware = getConnection().prepareStatement(DELETE_SOFTWARE);
+            updateVulnerability = getConnection().prepareStatement(UPDATE_VULNERABILITY);
+            insertVulnerability = getConnection().prepareStatement(INSERT_VULNERABILITY, Statement.RETURN_GENERATED_KEYS);
+            insertReference = getConnection().prepareStatement(INSERT_REFERENCE);
+            selectCpeId = getConnection().prepareStatement(SELECT_CPE_ID);
+            insertCpe = getConnection().prepareStatement(INSERT_CPE, Statement.RETURN_GENERATED_KEYS);
+            insertSoftware = getConnection().prepareStatement(INSERT_SOFTWARE);
+            int vulnerabilityId = 0;
+            selectVulnerabilityId.setString(1, vuln.getName());
+            ResultSet rs = selectVulnerabilityId.executeQuery();
+            if (rs.next()) {
+                vulnerabilityId = rs.getInt(1);
+                // first delete any existing vulnerability info. We don't know what was updated. yes, slower but atm easier.
+                deleteReferences.setInt(1, vulnerabilityId);
+                deleteReferences.execute();
+                deleteSoftware.setInt(1, vulnerabilityId);
+                deleteSoftware.execute();
+            }
+            DBUtils.closeResultSet(rs);
+            rs = null;
+            if (vulnerabilityId != 0) {
+                if (vuln.getDescription().contains("** REJECT **")) {
+                    deleteVulnerability.setInt(1, vulnerabilityId);
+                    deleteVulnerability.executeUpdate();
+                } else {
+                    updateVulnerability.setString(1, vuln.getDescription());
+                    updateVulnerability.setString(2, vuln.getCwe());
+                    updateVulnerability.setFloat(3, vuln.getCvssScore());
+                    updateVulnerability.setString(4, vuln.getCvssAccessVector());
+                    updateVulnerability.setString(5, vuln.getCvssAccessComplexity());
+                    updateVulnerability.setString(6, vuln.getCvssAuthentication());
+                    updateVulnerability.setString(7, vuln.getCvssConfidentialityImpact());
+                    updateVulnerability.setString(8, vuln.getCvssIntegrityImpact());
+                    updateVulnerability.setString(9, vuln.getCvssAvailabilityImpact());
+                    updateVulnerability.setInt(10, vulnerabilityId);
+                    updateVulnerability.executeUpdate();
+                }
+            } else {
+                insertVulnerability.setString(1, vuln.getName());
+                insertVulnerability.setString(2, vuln.getDescription());
+                insertVulnerability.setString(3, vuln.getCwe());
+                insertVulnerability.setFloat(4, vuln.getCvssScore());
+                insertVulnerability.setString(5, vuln.getCvssAccessVector());
+                insertVulnerability.setString(6, vuln.getCvssAccessComplexity());
+                insertVulnerability.setString(7, vuln.getCvssAuthentication());
+                insertVulnerability.setString(8, vuln.getCvssConfidentialityImpact());
+                insertVulnerability.setString(9, vuln.getCvssIntegrityImpact());
+                insertVulnerability.setString(10, vuln.getCvssAvailabilityImpact());
+                insertVulnerability.execute();
+                try {
+                    rs = insertVulnerability.getGeneratedKeys();
+                    rs.next();
+                    vulnerabilityId = rs.getInt(1);
+                } catch (SQLException ex) {
+                    final String msg = String.format("Unable to retrieve id for new vulnerability for '%s'", vuln.getName());
+                    throw new DatabaseException(msg, ex);
+                } finally {
+                    DBUtils.closeResultSet(rs);
+                    rs = null;
+                }
+            }
+            insertReference.setInt(1, vulnerabilityId);
+            for (Reference r : vuln.getReferences()) {
+                insertReference.setString(2, r.getName());
+                insertReference.setString(3, r.getUrl());
+                insertReference.setString(4, r.getSource());
+                insertReference.execute();
+            }
+            for (VulnerableSoftware s : vuln.getVulnerableSoftware()) {
+                int cpeProductId = 0;
+                selectCpeId.setString(1, s.getName());
+                try {
+                    rs = selectCpeId.executeQuery();
+                    if (rs.next()) {
+                        cpeProductId = rs.getInt(1);
+                    }
+                } catch (SQLException ex) {
+                    throw new DatabaseException("Unable to get primary key for new cpe: " + s.getName(), ex);
+                } finally {
+                    DBUtils.closeResultSet(rs);
+                    rs = null;
+                }
+
+                if (cpeProductId == 0) {
+                    insertCpe.setString(1, s.getName());
+                    insertCpe.setString(2, s.getVendor());
+                    insertCpe.setString(3, s.getProduct());
+                    insertCpe.executeUpdate();
+                    cpeProductId = DBUtils.getGeneratedKey(insertCpe);
+                }
+                if (cpeProductId == 0) {
+                    throw new DatabaseException("Unable to retrieve cpeProductId - no data returned");
+                }
+
+                insertSoftware.setInt(1, vulnerabilityId);
+                insertSoftware.setInt(2, cpeProductId);
+                if (s.getPreviousVersion() == null) {
+                    insertSoftware.setNull(3, java.sql.Types.VARCHAR);
+                } else {
+                    insertSoftware.setString(3, s.getPreviousVersion());
+                }
+                insertSoftware.execute();
+            }
+
+        } catch (SQLException ex) {
+            final String msg = String.format("Error updating '%s'", vuln.getName());
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            throw new DatabaseException(msg, ex);
+        } finally {
+            DBUtils.closeStatement(selectVulnerabilityId);
+            DBUtils.closeStatement(deleteReferences);
+            DBUtils.closeStatement(deleteSoftware);
+            DBUtils.closeStatement(updateVulnerability);
+            DBUtils.closeStatement(deleteVulnerability);
+            DBUtils.closeStatement(insertVulnerability);
+            DBUtils.closeStatement(insertReference);
+            DBUtils.closeStatement(selectCpeId);
+            DBUtils.closeStatement(insertCpe);
+            DBUtils.closeStatement(insertSoftware);
+        }
+    }
+
+    /**
+     * It is possible that orphaned rows may be generated during database updates. This should be called after all
+     * updates have been completed to ensure orphan entries are removed.
+     */
+    public void cleanupDatabase() {
+        PreparedStatement ps = null;
+        try {
+            ps = getConnection().prepareStatement(CLEANUP_ORPHANS);
+            if (ps != null) {
+                ps.executeUpdate();
+            }
+        } catch (SQLException ex) {
+            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
+            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            DBUtils.closeStatement(ps);
+        }
+    }
+
+    /**
+     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null,
+     * non-empty string passed to the previous version argument indicates that all previous versions are affected.
+     *
+     * @param vendor the vendor of the dependency being analyzed
+     * @param product the product name of the dependency being analyzed
+     * @param identifiedVersion the identified version of the dependency being analyzed
+     * @param cpeId the cpe identifier of software that has a known vulnerability
+     * @param previous a flag indicating if previous versions of the product are vulnerable
+     * @return true if the identified version is affected, otherwise false
+     */
+    private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
+        boolean affected = false;
+        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
+        final DependencyVersion v = parseDependencyVersion(cpeId);
+        final boolean prevAffected = previous != null && !previous.isEmpty();
+        if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
+            if (v == null || "-".equals(v.toString())) {
+                affected = true;
+            }
+        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
+            if (isStruts) { //struts 2 vulns don't affect struts 1
+                if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
+                    affected = true;
+                }
+            } else {
+                affected = true;
+            }
+        }
+        /*
+         * TODO consider utilizing the matchThreeVersion method to get additional results. However, this
+         *      might also introduce false positives.
+         */
+        return affected;
+    }
+
+    /**
+     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is
+     * returned.
+     *
+     * @param cpeStr a cpe identifier
+     * @return a dependency version
+     */
+    private DependencyVersion parseDependencyVersion(String cpeStr) {
+        final VulnerableSoftware cpe = new VulnerableSoftware();
+        try {
+            cpe.parseName(cpeStr);
+        } catch (UnsupportedEncodingException ex) {
+            //never going to happen.
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+        }
+        return parseDependencyVersion(cpe);
+    }
+
+    /**
+     * Takes a CPE and parses out the version number. If no version is identified then a '-' is returned.
+     *
+     * @param cpe a cpe object
+     * @return a dependency version
+     */
+    private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
+        DependencyVersion cpeVersion;
+        if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
+            String versionText;
+            if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
+                versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
+            } else {
+                versionText = cpe.getVersion();
+            }
+            cpeVersion = DependencyVersionUtil.parseVersion(versionText);
+        } else {
+            cpeVersion = new DependencyVersion("-");
+        }
+        return cpeVersion;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -1,18 +1,18 @@
 /*
- * This file is part of Dependency-Check.
+ * This file is part of dependency-check-core.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
  * under the terms of the GNU General Public License as published by the Free
  * Software Foundation, either version 3 of the License, or (at your option) any
  * later version.
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
+ * Dependency-check-core is distributed in the hope that it will be useful, but
  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
  * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
  * details.
  *
  * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,9 +21,10 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
  * An exception thrown if an operation against the database fails.
  *
- * @author Jeremy Long (jeremy.long@owasp.org)
+ * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class DatabaseException extends Exception {
+
     /**
      * the serial version uid.
      */
@@ -38,13 +39,22 @@ public class DatabaseException extends Exception {
         super(msg);
     }
 
+    /**
+     * Creates an DatabaseException.
+     *
+     * @param ex the cause of the exception
+     */
+    public DatabaseException(Throwable ex) {
+        super(ex);
+    }
+
     /**
      * Creates an DatabaseException.
      *
      * @param msg the exception message
      * @param ex the cause of the exception
      */
-    public DatabaseException(String msg, Exception ex) {
+    public DatabaseException(String msg, Throwable ex) {
         super(msg, ex);
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -0,0 +1,120 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.util.Properties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.data.update.NvdCveInfo;
+
+/**
+ * This is a wrapper around a set of properties that are stored in the database.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class DatabaseProperties {
+
+    /**
+     * Modified key word, used as a key to store information about the modified
+     * file (i.e. the containing the last 8 days of updates)..
+     */
+    public static final String MODIFIED = "modified";
+    /**
+     * The properties file key for the last updated field - used to store the
+     * last updated time of the Modified NVD CVE xml file.
+     */
+    public static final String LAST_UPDATED = "lastupdated.modified";
+    /**
+     * Stores the last updated time for each of the NVD CVE files. These
+     * timestamps should be updated if we process the modified file within 7
+     * days of the last update.
+     */
+    public static final String LAST_UPDATED_BASE = "lastupdated.";
+    /**
+     * A collection of properties about the data.
+     */
+    private Properties properties;
+    /**
+     * A reference to the database.
+     */
+    private CveDB cveDB;
+
+    /**
+     * Constructs a new data properties object.
+     *
+     * @param cveDB the database object holding the properties
+     */
+    DatabaseProperties(CveDB cveDB) {
+        this.cveDB = cveDB;
+        loadProperties();
+    }
+
+    /**
+     * Loads the properties from the database.
+     */
+    private void loadProperties() {
+        this.properties = cveDB.getProperties();
+    }
+
+    /**
+     * Returns whether or not any properties are set.
+     *
+     * @return whether or not any properties are set
+     */
+    public boolean isEmpty() {
+        return properties == null || properties.isEmpty();
+    }
+
+    /**
+     * Writes a properties file containing the last updated date to the
+     * VULNERABLE_CPE directory.
+     *
+     * @param updatedValue the updated NVD CVE entry
+     * @throws UpdateException is thrown if there is an update exception
+     */
+    public void save(NvdCveInfo updatedValue) throws UpdateException {
+        if (updatedValue == null) {
+            return;
+        }
+        properties.put(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+        cveDB.saveProperty(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+    }
+
+    /**
+     * Returns the property value for the given key. If the key is not contained
+     * in the underlying properties null is returned.
+     *
+     * @param key the property key
+     * @return the value of the property
+     */
+    public String getProperty(String key) {
+        return properties.getProperty(key);
+    }
+
+    /**
+     * Returns the property value for the given key. If the key is not contained
+     * in the underlying properties the default value is returned.
+     *
+     * @param key the property key
+     * @param defaultValue the default value
+     * @return the value of the property
+     */
+    public String getProperty(String key, String defaultValue) {
+        return properties.getProperty(key, defaultValue);
+    }
+}