version 1.0.4

Former-commit-id: 4792f22bc0e21dec5078790bbd266030185f1a04

dependency-check-ant/pom.xml

@@ -22,7 +22,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.3</version>
+        <version>1.0.4</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -23,7 +23,6 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.util.List;
 import java.util.logging.Level;
-import java.util.logging.LogManager;
 import java.util.logging.Logger;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Task;
@@ -38,6 +37,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -345,41 +345,33 @@ public class DependencyCheckTask extends Task {
     public void setConnectionTimeout(String connectionTimeout) {
         this.connectionTimeout = connectionTimeout;
     }
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
 
     /**
-     * Configures the logger for use by the application.
+     * Get the value of logFile.
+     *
+     * @return the value of logFile
      */
-    private static void prepareLogger() {
+    public String getLogFile() {
-        InputStream in = null;
+        return logFile;
-        try {
+    }
-            in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+
-            LogManager.getLogManager().reset();
+    /**
-            LogManager.getLogManager().readConfiguration(in);
+     * Set the value of logFile.
-            //TODO add code to disable fine grained log file.
+     *
-//            Logger logger = LogManager.getLogManager().getLogger("");
+     * @param logFile new value of logFile
-//            for (Handler h : logger.getHandlers()) {
+     */
-//                if (h.getFormatter(). h.toString());
+    public void setLogFile(String logFile) {
-//            }
+        this.logFile = logFile;
-        } catch (IOException ex) {
-            System.err.println(ex.toString());
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, null, ex);
-        } catch (SecurityException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE, null, ex);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (Exception ex) {
-                    //noinspection UnusedAssignment
-                    in = null;
-                }
-            }
-        }
     }
 
     @Override
     public void execute() throws BuildException {
-        prepareLogger();
+        final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, logFile);
 
         dealWithReferences();
         validateConfiguration();
@@ -512,6 +504,7 @@ public class DependencyCheckTask extends Task {
          *
          * @return the list of values for the report format
          */
+        @Override
         public String[] getValues() {
             int i = 0;
             final Format[] formats = Format.values();

dependency-check-cli/pom.xml

@@ -22,7 +22,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.3</version>
+        <version>1.0.4</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -24,12 +24,12 @@ import java.io.IOException;
 import java.io.InputStream;
 import java.util.List;
 import java.util.logging.Level;
-import java.util.logging.LogManager;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.cli.CliParser;
+import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /*
@@ -67,35 +67,10 @@ public class App {
      * @param args the command line arguments
      */
     public static void main(String[] args) {
-        prepareLogger();
         final App app = new App();
         app.run(args);
     }
 
-    /**
-     * Configures the logger for use by the application.
-     */
-    private static void prepareLogger() {
-        InputStream in = null;
-        try {
-            in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
-            LogManager.getLogManager().reset();
-            LogManager.getLogManager().readConfiguration(in);
-        } catch (IOException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.FINE, "IO Error preparing the logger", ex);
-        } catch (SecurityException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.FINE, "Error preparing the logger", ex);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (Exception ex) {
-                    Logger.getLogger(App.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
-                }
-            }
-        }
-    }
-
     /**
      * Main CLI entry-point into the application.
      *
@@ -116,10 +91,14 @@ public class App {
             return;
         }
 
+        final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, cli.getVerboseLog());
+
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(), cli.getProxyPort(), cli.getDataDirectory());
+            updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(),
+                    cli.getProxyPort(), cli.getDataDirectory(), cli.getPropertiesFile());
             runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
@@ -168,8 +147,24 @@ public class App {
      * @param proxyPort the proxy port (null or blank means no port will be
      * used)
      * @param dataDirectory the directory to store/retrieve persistent data from
+     * @param propertiesFile the properties file to utilize
      */
-    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl, String proxyPort, String dataDirectory) {
+    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl,
+            String proxyPort, String dataDirectory, File propertiesFile) {
+
+        if (propertiesFile != null) {
+            try {
+                Settings.mergeProperties(propertiesFile);
+            } catch (FileNotFoundException ex) {
+                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            } catch (IOException ex) {
+                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            }
+        }
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else if (System.getProperty("basedir") != null) {
@@ -182,8 +177,6 @@ public class App {
             final File dataDir = new File(base, sub);
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
-
-
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
         if (proxyUrl != null && !proxyUrl.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -195,6 +195,10 @@ public final class CliParser {
                 .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
                 .create(ArgumentName.OUTPUT_FORMAT_SHORT);
 
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+                .withDescription("The file path to write verbose logging information.")
+                .create(ArgumentName.VERBOSE_LOG_SHORT);
+
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
 
@@ -208,6 +212,7 @@ public final class CliParser {
         opts.addOption(noUpdate);
         opts.addOption(props);
         opts.addOption(data);
+        opts.addOption(verboseLog);
         opts.addOption(proxyPort);
         opts.addOption(proxyUrl);
         opts.addOption(connectionTimeout);
@@ -334,6 +339,28 @@ public final class CliParser {
         return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
     }
 
+    /**
+     * Returns the properties file specified on the command line.
+     *
+     * @return the properties file specified on the command line
+     */
+    public File getPropertiesFile() {
+        final String path = line.getOptionValue(ArgumentName.PROP);
+        if (path != null) {
+            return new File(path);
+        }
+        return null;
+    }
+
+    /**
+     * Returns the path to the verbose log file.
+     *
+     * @return the path to the verbose log file
+     */
+    public String getVerboseLog() {
+        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+    }
+
     /**
      * <p>Prints the manifest information to standard output.</p>
      * <ul><li>Implementation-Title: ${pom.name}</li>
@@ -469,5 +496,14 @@ public final class CliParser {
          * directory.
          */
         public static final String DATA_DIRECTORY_SHORT = "d";
+        /**
+         * The CLI argument name for setting the location of the data directory.
+         */
+        public static final String VERBOSE_LOG = "log";
+        /**
+         * The short CLI argument name for setting the location of the data
+         * directory.
+         */
+        public static final String VERBOSE_LOG_SHORT = "l";
     }
 }

dependency-check-cli/src/main/resources/log.properties

@@ -7,8 +7,6 @@ handlers=java.util.logging.ConsoleHandler
 # Configure the ConsoleHandler.
 java.util.logging.ConsoleHandler.level=INFO
 
-org.owasp.dependencycheck.data.nvdcve.xml
-
 # Configure the FileHandler.
 java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
 java.util.logging.FileHandler.level=FINE
@@ -21,4 +19,4 @@ java.util.logging.FileHandler.level=FINE
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
-java.util.logging.FileHandler.pattern=./logs/DependencyCheck.log
+java.util.logging.FileHandler.pattern=./dependency-check.log

dependency-check-core/pom.xml

@@ -22,7 +22,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.3</version>
+        <version>1.0.4</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -282,11 +282,13 @@ public class Engine {
             final List<Analyzer> analyzerList = analyzers.get(phase);
             for (Analyzer a : analyzerList) {
                 try {
+                    final String msg = String.format("Initializing %s", a.getName());
+                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
                     a.initialize();
                 } catch (Exception ex) {
-                    final String msg = String.format("\"Exception occurred initializing \"%s\".\"", a.getName());
+                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
                     Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-                    Logger.getLogger(Engine.class.getName()).log(Level.INFO, msg, ex);
+                    Logger.getLogger(Engine.class.getName()).log(Level.INFO, null, ex);
                     try {
                         a.close();
                     } catch (Exception ex1) {
@@ -305,9 +307,13 @@ public class Engine {
                  * analyzers may modify it. This prevents ConcurrentModificationExceptions.
                  * This is okay for adds/deletes because it happens per analyzer.
                  */
+                final String msg = String.format("Begin Analyzer '%s'", a.getName());
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
                 final Set<Dependency> dependencySet = new HashSet<Dependency>();
                 dependencySet.addAll(dependencies);
                 for (Dependency d : dependencySet) {
+                    final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
+                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
                     if (a.supportsExtension(d.getFileExtension())) {
                         try {
                             a.analyze(d, this);
@@ -323,6 +329,8 @@ public class Engine {
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
             for (Analyzer a : analyzerList) {
+                final String msg = String.format("Closing Analyzer '%s'", a.getName());
+                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
                 try {
                     a.close();
                 } catch (Exception ex) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -145,7 +145,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     public void initialize() throws Exception {
         final File baseDir = Settings.getTempDirectory();
         if (!baseDir.exists()) {
-            baseDir.mkdirs();
+            if (!baseDir.mkdirs()) {
+                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
+                throw new AnalysisException(msg);
+            }
         }
         tempFileLocation = File.createTempFile("check", "tmp", baseDir);
         if (!tempFileLocation.delete()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -444,6 +444,9 @@ public class CPEAnalyzer implements Analyzer {
         //</editor-fold>
 
         //TODO - likely need to change the split... not sure if this will work for CPE with special chars
+        if (text == null) {
+            return false;
+        }
         final String[] words = text.split("[\\s_-]");
         final List<String> list = new ArrayList<String>();
         String tempWord = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogFilter.java

@@ -0,0 +1,44 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.util.logging.Filter;
+import java.util.logging.LogRecord;
+
+/**
+ * A simple log filter to limit the entries written to the verbose log file. The
+ * verbose log file uses the root logger as I couldn't get anything else to
+ * work; as such, this filter limits the log entries to specific classes.
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class LogFilter implements Filter {
+
+    /**
+     * Determines if the record should be logged.
+     *
+     * @param record a log record to examine
+     * @return true if the record should be logged, otherwise false
+     */
+    @Override
+    public boolean isLoggable(LogRecord record) {
+        final String name = record.getSourceClassName();
+        return name.startsWith("org.owasp.dependencycheck") && !name.contains("generated") && !name.contains("VelocityLoggerRedirect");
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java

@@ -0,0 +1,75 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.util.logging.FileHandler;
+import java.util.logging.Level;
+import java.util.logging.LogManager;
+import java.util.logging.Logger;
+import java.util.logging.SimpleFormatter;
+
+/**
+ * A utility class to aide in the setup of the logging mechanism.
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public final class LogUtils {
+
+    /**
+     * Private constructor for a utility class.
+     */
+    private LogUtils() {
+    }
+
+    /**
+     * Configures the logger for use by the application.
+     *
+     * @param in the input stream to read the log settings from
+     * @param verboseLogFile the file path for the verbose log
+     */
+    public static void prepareLogger(InputStream in, String verboseLogFile) {
+        try {
+            LogManager.getLogManager().reset();
+            LogManager.getLogManager().readConfiguration(in);
+            if (verboseLogFile != null && !verboseLogFile.isEmpty()) {
+                final Logger logger = Logger.getLogger("");
+                final FileHandler handler = new FileHandler(verboseLogFile, true);
+                handler.setFormatter(new SimpleFormatter());
+                handler.setLevel(Level.FINE);
+                handler.setFilter(new LogFilter());
+                logger.addHandler(handler);
+                logger.setLevel(Level.FINE);
+            }
+        } catch (IOException ex) {
+            Logger.getLogger(LogUtils.class.getName()).log(Level.FINE, "IO Error preparing the logger", ex);
+        } catch (SecurityException ex) {
+            Logger.getLogger(LogUtils.class.getName()).log(Level.FINE, "Error preparing the logger", ex);
+        } finally {
+            if (in != null) {
+                try {
+                    in.close();
+                } catch (Exception ex) {
+                    Logger.getLogger(LogUtils.class.getName()).log(Level.FINEST, "Error closing resource stream", ex);
+                }
+            }
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -195,6 +195,23 @@ public final class Settings {
         }
     }
 
+    /**
+     * Merges a new properties file into the current properties. This method
+     * allows for the loading of a user provided properties file.<br/><br/>
+     * Note: even if using this method - system properties will be loaded before
+     * properties loaded from files.
+     *
+     * @param filePath the path to the properties file to merge.
+     * @throws FileNotFoundException is thrown when the filePath points to a
+     * non-existent file
+     * @throws IOException is thrown when there is an exception loading/merging
+     * the properties
+     */
+    public static void mergeProperties(File filePath) throws FileNotFoundException, IOException {
+        final FileInputStream fis = new FileInputStream(filePath);
+        mergeProperties(fis);
+    }
+
     /**
      * Merges a new properties file into the current properties. This method
      * allows for the loading of a user provided properties file.<br/><br/>

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -26,7 +26,7 @@ cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cve.startyear=2002
+cve.startyear=2013
 cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 #cve.url-2.0.base=file:///C:/data/xml/nvdcve-2.0-%d.xml

dependency-check-jenkins/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.3</version>
+        <version>1.0.4</version>
     </parent>
 
     <groupId>org.owasp</groupId>

dependency-check-maven/pom.xml

@@ -24,7 +24,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.3</version>
+        <version>1.0.4</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java

@@ -34,7 +34,6 @@ import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.project.MavenProject;
 import java.util.Set;
-import java.util.logging.LogManager;
 import org.apache.maven.artifact.Artifact;
 import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.LifecyclePhase;
@@ -54,6 +53,7 @@ import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -90,6 +90,11 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
      */
     @Parameter(property = "report-name", defaultValue = "dependency-check-report")
     private String reportName;
+    /**
+     * The path to the verbose log
+     */
+    @Parameter(property = "logfile", defaultValue = "")
+    private String logFile;
     /**
      * The name of the report to be displayed in the Maven Generated Reports
      * page
@@ -163,44 +168,16 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     private String connectionTimeout = null;
 
     // </editor-fold>
-    /**
-     * Configures the logger for use by the application.
-     */
-    private static void prepareLogger() {
-        InputStream in = null;
-        try {
-            in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
-            LogManager.getLogManager().reset();
-            LogManager.getLogManager().readConfiguration(in);
-            //TODO add code to disable fine grained log file.
-//            Logger logger = LogManager.getLogManager().getLogger("");
-//            for (Handler h : logger.getHandlers()) {
-//                if (h.getFormatter(). h.toString());
-//            }
-        } catch (IOException ex) {
-            System.err.println(ex.toString());
-            Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
-        } catch (SecurityException ex) {
-            Logger.getLogger(DependencyCheckMojo.class.getName()).log(Level.SEVERE, null, ex);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (Exception ex) {
-                    //noinspection UnusedAssignment
-                    in = null;
-                }
-            }
-        }
-    }
-
     /**
      * Executes the Dependency-Check on the dependent libraries.
      *
      * @return the Engine used to scan the dependencies.
      */
     private Engine executeDependencyCheck() {
-        prepareLogger();
+
+        final InputStream in = DependencyCheckMojo.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        LogUtils.prepareLogger(in, logFile);
+
         populateSettings();
         final Engine engine = new Engine();
         final Set<Artifact> artifacts = project.getArtifacts();

pom.xml

@@ -22,7 +22,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.0.3</version>
+    <version>1.0.4</version>
     <packaging>pom</packaging>
 
     <parent>