version 1.0.5

Former-commit-id: 3315c121f8adeeb5e4dc9fff9d2753bc5faf78fc

dependency-check-ant/pom.xml

@@ -22,7 +22,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.5</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -323,6 +323,53 @@ public class DependencyCheckTask extends Task {
     public void setProxyPort(String proxyPort) {
         this.proxyPort = proxyPort;
     }
+
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+
+    /**
+     * Get the value of proxyUsername.
+     *
+     * @return the value of proxyUsername
+     */
+    public String getProxyUsername() {
+        return proxyUsername;
+    }
+
+    /**
+     * Set the value of proxyUsername.
+     *
+     * @param proxyUsername new value of proxyUsername
+     */
+    public void setProxyUsername(String proxyUsername) {
+        this.proxyUsername = proxyUsername;
+    }
+
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+
+    /**
+     * Get the value of proxyPassword.
+     *
+     * @return the value of proxyPassword
+     */
+    public String getProxyPassword() {
+        return proxyPassword;
+    }
+
+    /**
+     * Set the value of proxyPassword.
+     *
+     * @param proxyPassword new value of proxyPassword
+     */
+    public void setProxyPassword(String proxyPassword) {
+        this.proxyPassword = proxyPassword;
+    }
+
     /**
      * The Connection Timeout.
      */
@@ -459,6 +506,12 @@ public class DependencyCheckTask extends Task {
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }

dependency-check-ant/src/site/markdown/configuration.md

@@ -28,8 +28,11 @@ ReportOutputDirectory | The directory where dependency-check will store data use
 FailBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional
 AutoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
 DataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
+LogFile               | The file path to write verbose logging information. | Optional
 ProxyUrl              | Defines the proxy used to connect to the Internet. | Optional
 ProxyPort             | Defines the port for the proxy. | Optional
+ProxyUsername         | Defines the proxy user name. | Optional
+ProxyPassword         | Defines the proxy password. | Optional
 ConnectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional
 
 

dependency-check-cli/pom.xml

@@ -22,7 +22,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.5</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -98,7 +98,8 @@ public class App {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
             updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(),
-                    cli.getProxyPort(), cli.getDataDirectory(), cli.getPropertiesFile());
+                    cli.getProxyPort(), cli.getProxyUsername(), cli.getProxyPassword(),
+                    cli.getDataDirectory(), cli.getPropertiesFile());
             runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
@@ -149,8 +150,8 @@ public class App {
      * @param dataDirectory the directory to store/retrieve persistent data from
      * @param propertiesFile the properties file to utilize
      */
-    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl,
+    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl, String proxyPort,
-            String proxyPort, String dataDirectory, File propertiesFile) {
+                                String proxyUser, String proxyPass, String dataDirectory, File propertiesFile) {
 
         if (propertiesFile != null) {
             try {
@@ -184,6 +185,12 @@ public class App {
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
+        if (proxyUser != null && !proxyUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
+        }
+        if (proxyPass != null && !proxyPass.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
+        }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -175,6 +175,14 @@ public final class CliParser {
                 .withDescription("The proxy port to use when downloading resources.")
                 .create(ArgumentName.PROXY_PORT_SHORT);
 
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+                .withDescription("The proxy username to use when downloading resources.")
+                .create(ArgumentName.PROXY_USERNAME_SHORT);
+
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+                .withDescription("The proxy password to use when downloading resources.")
+                .create(ArgumentName.PROXY_PASSWORD_SHORT);
+
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
                 .withDescription("The path to scan - this option can be specified multiple times.")
                 .create(ArgumentName.SCAN_SHORT);
@@ -215,6 +223,8 @@ public final class CliParser {
         opts.addOption(verboseLog);
         opts.addOption(proxyPort);
         opts.addOption(proxyUrl);
+        opts.addOption(proxyUsername);
+        opts.addOption(proxyPassword);
         opts.addOption(connectionTimeout);
 
         return opts;
@@ -330,6 +340,24 @@ public final class CliParser {
         return line.getOptionValue(ArgumentName.PROXY_PORT);
     }
 
+    /**
+     * Returns the proxy username.
+     *
+     * @return the proxy username
+     */
+    public String getProxyUsername() {
+        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+    }
+
+    /**
+     * Returns the proxy password.
+     *
+     * @return the proxy password
+     */
+    public String getProxyPassword() {
+        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+    }
+
     /**
      * Get the value of dataDirectory.
      *
@@ -470,11 +498,27 @@ public final class CliParser {
          */
         public static final String PROXY_URL = "proxyurl";
         /**
-         * The short CLI argument name indicating the proxy url.
+         * The short CLI argument name indicating the proxy username.
+         */
+        public static final String PROXY_USERNAME_SHORT = "pu";
+        /**
+         * The CLI argument name indicating the proxy username.
+         */
+        public static final String PROXY_USERNAME = "proxyuser";
+        /**
+         * The short CLI argument name indicating the proxy password.
+         */
+        public static final String PROXY_PASSWORD_SHORT = "pp";
+        /**
+         * The CLI argument name indicating the proxy password.
+         */
+        public static final String PROXY_PASSWORD = "proxypass";
+        /**
+         * The short CLI argument name indicating the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT_SHORT = "c";
         /**
-         * The CLI argument name indicating the proxy url.
+         * The CLI argument name indicating the connection timeout.
          */
         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
         /**

dependency-check-core/pom.xml

@@ -22,7 +22,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.5</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck;
 
 import java.util.EnumMap;
 import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -32,8 +33,10 @@ import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
 import org.owasp.dependencycheck.data.CachedWebDataSource;
+import org.owasp.dependencycheck.data.NoDataException;
 import org.owasp.dependencycheck.data.UpdateException;
 import org.owasp.dependencycheck.data.UpdateService;
+import org.owasp.dependencycheck.data.cpe.CpeIndexReader;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -277,6 +280,16 @@ public class Engine {
      * Runs the analyzers against all of the dependencies.
      */
     public void analyzeDependencies() {
+        //need to ensure that data exists
+        try {
+            ensureDataExists();
+        } catch (NoDataException ex) {
+            final String msg = String.format("%n%n%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            return;
+        }
+
         //phase one initialize
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
@@ -396,4 +409,37 @@ public class Engine {
         }
         return false;
     }
+
+    /**
+     * Checks the CPE Index to ensure documents exists. If none exist a
+     * NoDataException is thrown.
+     *
+     * @throws NoDataException thrown if no data exists in the CPE Index
+     */
+    private void ensureDataExists() throws NoDataException {
+        CpeIndexReader cpe = null;
+        boolean noDataExists = false;
+        try {
+            cpe = new CpeIndexReader();
+            cpe.open();
+            if (cpe.numDocs() <= 0) {
+                noDataExists = true;
+            }
+        } catch (IOException ex) {
+            noDataExists = true;
+        } catch (NullPointerException ex) {
+            noDataExists = true;
+        } finally {
+            if (cpe != null) {
+                cpe.close();
+            }
+        }
+        if (noDataExists) {
+            throw new NoDataException("No data exists in the data store. Please check that you are able to connect "
+                    + "to the Internet and re-run dependency-check. If the problem persists determine whether you need "
+                    + "to set a proxy url and port.\\n\\nIf you are unable to solve this problem please contact the mailing "
+                    + "list for help: dependency-check@googlegroups.com");
+
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -32,29 +32,21 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-//import java.util.zip.ZipEntry;
+import org.apache.commons.compress.archivers.ArchiveEntry;
-//import java.util.zip.ZipException;
+import org.apache.commons.compress.archivers.ArchiveInputStream;
-//import java.util.zip.ZipInputStream;
+import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
-import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.compressors.CompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
+import org.apache.commons.compress.compressors.gzip.GzipUtils;
 import org.h2.store.fs.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * <p>An analyzer that works on archive files:
+ * <p>An analyzer that extracts files from archives and ensures any supported
- * <ul>
+ * files contained within the archive are added to the dependency list.</p>
- * <li><b>ZIP</b> - if it is determined to be a JAR, WAR or EAR a copy is made
- * and the copy is given the correct extension so that it will be correctly
- * analyzed.</li>
- * <li><b>WAR</b> - the WAR contents are extracted and added as dependencies to
- * the scan. The displayed path is relative to the WAR.</li>
- * <li><b>EAR</b> - the WAR contents are extracted and added as dependencies to
- * the scan. Any WAR files are also processed so that the contained JAR files
- * are added to the list of dependencies. The displayed path is relative to the
- * EAR.</li>
- * </ul></p>
  *
  * @author Jeremy Long (jeremy.long@owasp.org)
  */
@@ -94,7 +86,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     /**
      * The set of file extensions supported by this analyzer.
      */
-    private static final Set<String> EXTENSIONS = newHashSet("zip", "ear", "war");
+    private static final Set<String> EXTENSIONS = newHashSet("zip", "ear", "war", "tar", "gz", "tgz");
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -152,10 +144,12 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
         }
         tempFileLocation = File.createTempFile("check", "tmp", baseDir);
         if (!tempFileLocation.delete()) {
-            throw new AnalysisException("Unable to delete temporary file '" + tempFileLocation.getAbsolutePath() + "'.");
+            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
         }
         if (!tempFileLocation.mkdirs()) {
-            throw new AnalysisException("Unable to create directory '" + tempFileLocation.getAbsolutePath() + "'.");
+            final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
         }
     }
 
@@ -231,8 +225,13 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     private File getNextTempDirectory() throws AnalysisException {
         dirCount += 1;
         final File directory = new File(tempFileLocation, String.valueOf(dirCount));
+        //getting an exception for some directories not being able to be created; might be because the directory already exists?
+        if (directory.exists()) {
+            return getNextTempDirectory();
+        }
         if (!directory.mkdirs()) {
-            throw new AnalysisException("Unable to create temp directory '" + directory.getAbsolutePath() + "'.");
+            final String msg = String.format("Unable to create temp directory '%s'.", directory.getAbsolutePath());
+            throw new AnalysisException(msg);
         }
         return directory;
     }
@@ -241,37 +240,75 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      * Extracts the contents of an archive into the specified directory.
      *
      * @param archive an archive file such as a WAR or EAR
-     * @param extractTo a directory to extract the contents to
+     * @param destination a directory to extract the contents to
      * @param engine the scanning engine
      * @throws AnalysisException thrown if the archive is not found
      */
-    private void extractFiles(File archive, File extractTo, Engine engine) throws AnalysisException {
+    private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
-        if (archive == null || extractTo == null) {
+        if (archive == null || destination == null) {
             return;
         }
 
         FileInputStream fis = null;
-        //ZipInputStream zis = null;
-        ZipArchiveInputStream zis = null;
-
         try {
             fis = new FileInputStream(archive);
         } catch (FileNotFoundException ex) {
             Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
             throw new AnalysisException("Archive file was not found.", ex);
         }
-        zis = new ZipArchiveInputStream(new BufferedInputStream(fis));
+        final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
-        ZipArchiveEntry entry;
-
         try {
-            while ((entry = zis.getNextZipEntry()) != null) {
+            if ("zip".equals(archiveExt) || "war".equals(archiveExt) || "ear".equals(archiveExt)) {
+                extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("tar".equals(archiveExt)) {
+                extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+            } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
+                final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
+                final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
+                if (engine.supportsExtension(uncompressedExt)) {
+                    decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
+                }
+            }
+        } catch (ArchiveExtractionException ex) {
+            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+        } catch (IOException ex) {
+            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+        } finally {
+            try {
+                fis.close();
+            } catch (IOException ex) {
+                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            }
+        }
+    }
+
+    /**
+     * Extracts files from an archive.
+     *
+     * @param input the archive to extract files from
+     * @param destination the location to write the files too
+     * @param engine the dependency-check engine
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * extracting files from the archive
+     */
+    private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
+        ArchiveEntry entry;
+        try {
+            while ((entry = input.getNextEntry()) != null) {
                 if (entry.isDirectory()) {
-                    final File d = new File(extractTo, entry.getName());
+                    final File d = new File(destination, entry.getName());
-                    if (!d.mkdirs()) {
+                    if (!d.exists()) {
-                        throw new AnalysisException("Unable to create '" + d.getAbsolutePath() + "'.");
+                        if (!d.mkdirs()) {
+                            final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
+                            throw new AnalysisException(msg);
+                        }
                     }
                 } else {
-                    final File file = new File(extractTo, entry.getName());
+                    final File file = new File(destination, entry.getName());
                     final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
                     if (engine.supportsExtension(ext)) {
                         BufferedOutputStream bos = null;
@@ -281,22 +318,27 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                             int count;
                             final byte data[] = new byte[BUFFER_SIZE];
-                            while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
+                            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                                 bos.write(data, 0, count);
                             }
                             bos.flush();
                         } catch (FileNotFoundException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                            Logger.getLogger(ArchiveAnalyzer.class
-                            throw new AnalysisException("Unable to find file '" + file.getName() + "'.", ex);
+                                    .getName()).log(Level.FINE, null, ex);
+                            final String msg = String.format("Unable to find file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
                         } catch (IOException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                            Logger.getLogger(ArchiveAnalyzer.class
-                            throw new AnalysisException("IO Exception while parsing file '" + file.getName() + "'.", ex);
+                                    .getName()).log(Level.FINE, null, ex);
+                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
+                            throw new AnalysisException(msg, ex);
                         } finally {
                             if (bos != null) {
                                 try {
                                     bos.close();
                                 } catch (IOException ex) {
-                                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                                    Logger.getLogger(ArchiveAnalyzer.class
+                                            .getName()).log(Level.FINEST, null, ex);
                                 }
                             }
                         }
@@ -304,20 +346,50 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                 }
             }
         } catch (IOException ex) {
-            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            throw new ArchiveExtractionException(ex);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
-            throw new AnalysisException(msg, ex);
         } catch (Throwable ex) {
-            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            throw new ArchiveExtractionException(ex);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, null, ex);
-            throw new AnalysisException(msg, ex);
         } finally {
-            try {
+            if (input != null) {
-                zis.close();
+                try {
-            } catch (IOException ex) {
+                    input.close();
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                } catch (IOException ex) {
+                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Decompresses a file.
+     *
+     * @param inputStream the compressed file
+     * @param outputFile the location to write the decompressed file
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * decompressing the file
+     */
+    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
+        FileOutputStream out = null;
+        try {
+            out = new FileOutputStream(outputFile);
+            final byte[] buffer = new byte[BUFFER_SIZE];
+            int n = 0;
+            while (-1 != (n = inputStream.read(buffer))) {
+                out.write(buffer, 0, n);
+            }
+        } catch (FileNotFoundException ex) {
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } catch (IOException ex) {
+            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            throw new ArchiveExtractionException(ex);
+        } finally {
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                }
             }
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveExtractionException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An exception thrown when the analysis of a dependency fails.
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class ArchiveExtractionException extends Exception {
+
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new AnalysisException.
+     */
+    public ArchiveExtractionException() {
+        super();
+    }
+
+    /**
+     * Creates a new AnalysisException.
+     *
+     * @param msg a message for the exception.
+     */
+    public ArchiveExtractionException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new AnalysisException.
+     *
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new DownloadFailedException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the failure.
+     */
+    public ArchiveExtractionException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -23,12 +23,15 @@ import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
  * <p>This analyzer ensures dependencies that should be grouped together, to
@@ -144,16 +147,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                 }
                                 dependenciesToRemove.add(nextDependency);
                             } else {
-                                if (isCore(nextDependency, dependency)) {
+                                nextDependency.addRelatedDependency(dependency);
-                                    nextDependency.addRelatedDependency(dependency);
+                                //move any "related dependencies" to the new "parent" dependency
-                                    //move any "related dependencies" to the new "parent" dependency
+                                final Iterator<Dependency> i = dependency.getRelatedDependencies().iterator();
-                                    final Iterator<Dependency> i = dependency.getRelatedDependencies().iterator();
+                                while (i.hasNext()) {
-                                    while (i.hasNext()) {
+                                    nextDependency.addRelatedDependency(i.next());
-                                        nextDependency.addRelatedDependency(i.next());
+                                    i.remove();
-                                        i.remove();
-                                    }
-                                    dependenciesToRemove.add(dependency);
                                 }
+                                dependenciesToRemove.add(dependency);
                             }
                         }
                     }
@@ -260,8 +261,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                 || dependency2 == null || dependency2.getIdentifiers() == null) {
             return false;
         }
-        return dependency1.getIdentifiers().size() > 0
+        final boolean matches = dependency1.getIdentifiers().size() > 0
                 && dependency2.getIdentifiers().equals(dependency1.getIdentifiers());
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
+            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+        }
+        return matches;
     }
 
     /**
@@ -299,10 +305,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * This is likely a very broken attempt at determining if the 'left'
      * dependency is the 'core' library in comparison to the 'right' library.
      *
-     * TODO - consider splitting on /\._-\s/ and checking if all of one side is
-     * fully contained in the other With the exception of the word "core". This
-     * might work even on groups when we don't have a CVE.
-     *
      * @param left the dependency to test
      * @param right the dependency to test against
      * @return a boolean indicating whether or not the left dependency should be
@@ -311,18 +313,31 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     private boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
-
+        final boolean returnVal;
         if (rightName.contains("core") && !leftName.contains("core")) {
-            return false;
+            returnVal = false;
         } else if (!rightName.contains("core") && leftName.contains("core")) {
-            return true;
+            returnVal = true;
         } else {
-            //TODO should we be splitting the name on [-_(.\d)+] and seeing if the
+            /*
-            //  parts are contained in the other side?
+             * considered splitting the names up and comparing the components,
+             * but decided that the file name length should be sufficient as the
+             * "core" component, if this follows a normal namming protocol should
+             * be shorter:
+             * axis2-saaj-1.4.1.jar
+             * axis2-1.4.1.jar       <-----
+             * axis2-kernal-1.4.1.jar
+             */
             if (leftName.length() > rightName.length()) {
-                return false;
+                returnVal = false;
+            } else {
+                returnVal = true;
             }
-            return true;
         }
+        if (LogUtils.isVerboseLoggingEnabled()) {
+            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
+            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+        }
+        return returnVal;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -109,6 +109,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         removeJreEntries(dependency);
         removeBadMatches(dependency);
+        removeWrongVersionMatches(dependency);
         removeSpuriousCPE(dependency);
         addFalseNegativeCPEs(dependency);
     }
@@ -129,6 +130,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      *
      * @param dependency the dependency being analyzed
      */
+    @SuppressWarnings("null")
     private void removeSpuriousCPE(Dependency dependency) {
         final List<Identifier> ids = new ArrayList<Identifier>();
         ids.addAll(dependency.getIdentifiers());
@@ -291,6 +293,40 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         }
     }
 
+    /**
+     * Removes CPE matches for the wrong version of a dependency. Currently,
+     * this only covers Axis 1 & 2.
+     *
+     * @param dependency the dependency to analyze
+     */
+    private void removeWrongVersionMatches(Dependency dependency) {
+        final Set<Identifier> identifiers = dependency.getIdentifiers();
+        final Iterator<Identifier> itr = identifiers.iterator();
+
+        final String fileName = dependency.getFileName();
+        if (fileName != null && fileName.contains("axis2")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis:") || "cpe:/a:apache:axis".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        } else if (fileName != null && fileName.contains("axis")) {
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".equals(i.getType())) {
+                    final String cpe = i.getValue();
+                    if (cpe != null && (cpe.startsWith("cpe:/a:apache:axis2:") || "cpe:/a:apache:axis2".equals(cpe))) {
+                        itr.remove();
+                    }
+                }
+            }
+        }
+    }
+
     /**
      * There are some known CPE entries, specifically regarding sun and oracle
      * products due to the acquisition and changes in product names, that based

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/NoDataException.java

@@ -0,0 +1,69 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Dependency-check-core is free software: you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the Free
+ * Software Foundation, either version 3 of the License, or (at your option) any
+ * later version.
+ *
+ * Dependency-check-core is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
+ * details.
+ *
+ * You should have received a copy of the GNU General Public License along with
+ * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data;
+
+import java.io.IOException;
+
+/**
+ * An exception used when the data needed does not exist to perform analysis.
+ *
+ * @author Jeremy Long (jeremy.long@owasp.org)
+ */
+public class NoDataException extends IOException {
+
+    /**
+     * The serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new NoDataException.
+     */
+    public NoDataException() {
+        super();
+    }
+
+    /**
+     * Creates a new NoDataException.
+     *
+     * @param msg a message for the exception.
+     */
+    public NoDataException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new NoDataException.
+     *
+     * @param ex the cause of the exception.
+     */
+    public NoDataException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new NoDataException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the exception.
+     */
+    public NoDataException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeIndexReader.java

@@ -194,4 +194,16 @@ public class CpeIndexReader extends BaseIndex {
             vendorSearchFieldAnalyzer.clear();
         }
     }
+
+    /**
+     * Returns the number of CPE entries stored in the index.
+     *
+     * @return the number of CPE entries stored in the index
+     */
+    public int numDocs() {
+        if (indexReader == null) {
+            return -1;
+        }
+        return indexReader.numDocs();
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -23,8 +23,10 @@ import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.net.Authenticator;
 import java.net.HttpURLConnection;
 import java.net.InetSocketAddress;
+import java.net.PasswordAuthentication;
 import java.net.Proxy;
 import java.net.SocketAddress;
 import java.net.URISyntaxException;
@@ -187,6 +189,22 @@ public final class Downloader {
             if (proxyUrl != null) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress addr = new InetSocketAddress(proxyUrl, proxyPort);
+
+                final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
+                final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
+                if (username != null && password != null) {
+                    final Authenticator auth = new Authenticator() {
+                        @Override
+                        public PasswordAuthentication getPasswordAuthentication() {
+                            if (getRequestorType().equals(RequestorType.PROXY)) {
+                                return new PasswordAuthentication(username, password.toCharArray());
+                            }
+                            return super.getPasswordAuthentication();
+                        }
+                    };
+                    Authenticator.setDefault(auth);
+                }
+
                 proxy = new Proxy(Proxy.Type.HTTP, addr);
                 conn = (HttpURLConnection) url.openConnection(proxy);
             } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/LogUtils.java

@@ -50,6 +50,7 @@ public final class LogUtils {
             LogManager.getLogManager().reset();
             LogManager.getLogManager().readConfiguration(in);
             if (verboseLogFile != null && !verboseLogFile.isEmpty()) {
+                verboseLoggingEnabled = true;
                 final Logger logger = Logger.getLogger("");
                 final FileHandler handler = new FileHandler(verboseLogFile, true);
                 handler.setFormatter(new SimpleFormatter());
@@ -72,4 +73,17 @@ public final class LogUtils {
             }
         }
     }
+    /**
+     * Whether or not verbose logging is enabled.
+     */
+    private static boolean verboseLoggingEnabled = false;
+
+    /**
+     * Get the value of verboseLoggingEnabled.
+     *
+     * @return the value of verboseLoggingEnabled
+     */
+    public static boolean isVerboseLoggingEnabled() {
+        return verboseLoggingEnabled;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -125,6 +125,14 @@ public final class Settings {
          * value.
          */
         public static final String PROXY_PORT = "proxy.port";
+        /**
+         * The properties key for the proxy username.
+         */
+        public static final String PROXY_USERNAME = "proxy.username";
+        /**
+         * The properties key for the proxy password.
+         */
+        public static final String PROXY_PASSWORD = "proxy.password";
         /**
          * The properties key for the connection timeout.
          */

dependency-check-core/src/main/resources/META-INF/licenses/commons-compress/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java

@@ -28,6 +28,7 @@ import org.junit.BeforeClass;
 import org.junit.Test;
 import static org.junit.Assert.*;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.cpe.BaseIndexTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -35,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long (jeremy.long@owasp.org)
  */
-public class ArchiveAnalyzerTest {
+public class ArchiveAnalyzerTest extends BaseIndexTestCase {
 
     public ArchiveAnalyzerTest() {
     }
@@ -49,11 +50,13 @@ public class ArchiveAnalyzerTest {
     }
 
     @Before
-    public void setUp() {
+    public void setUp() throws Exception {
+        super.setUp();
     }
 
     @After
-    public void tearDown() {
+    public void tearDown() throws Exception {
+        super.tearDown();
     }
 
     /**
@@ -66,6 +69,9 @@ public class ArchiveAnalyzerTest {
         expResult.add("zip");
         expResult.add("war");
         expResult.add("ear");
+        expResult.add("tar");
+        expResult.add("gz");
+        expResult.add("tgz");
         Set result = instance.getSupportedExtensions();
         assertEquals(expResult, result);
     }
@@ -86,7 +92,7 @@ public class ArchiveAnalyzerTest {
      */
     @Test
     public void testSupportsExtension() {
-        String extension = "tar"; //not supported
+        String extension = "7z"; //not supported
         ArchiveAnalyzer instance = new ArchiveAnalyzer();
         boolean expResult = false;
         boolean result = instance.supportsExtension(extension);
@@ -155,6 +161,83 @@ public class ArchiveAnalyzerTest {
         }
     }
 
+    /**
+     * Test of analyze method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testAnalyzeTar() throws Exception {
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        try {
+            instance.initialize();
+
+            File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
+            Dependency dependency = new Dependency(file);
+            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            Engine engine = new Engine();
+
+            int initial_size = engine.getDependencies().size();
+            instance.analyze(dependency, engine);
+            int ending_size = engine.getDependencies().size();
+
+            assertTrue(initial_size < ending_size);
+
+        } finally {
+            instance.close();
+        }
+    }
+
+    /**
+     * Test of analyze method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testAnalyzeTarGz() throws Exception {
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        try {
+            instance.initialize();
+
+            File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
+            //Dependency dependency = new Dependency(file);
+            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            Engine engine = new Engine();
+
+            int initial_size = engine.getDependencies().size();
+            //instance.analyze(dependency, engine);
+            engine.scan(file);
+            engine.analyzeDependencies();
+            int ending_size = engine.getDependencies().size();
+
+            assertTrue(initial_size < ending_size);
+
+        } finally {
+            instance.close();
+        }
+    }
+
+    /**
+     * Test of analyze method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testAnalyzeTgz() throws Exception {
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        try {
+            instance.initialize();
+
+            File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
+            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            Engine engine = new Engine();
+
+            int initial_size = engine.getDependencies().size();
+            engine.scan(file);
+            engine.analyzeDependencies();
+            int ending_size = engine.getDependencies().size();
+
+            assertTrue(initial_size < ending_size);
+
+        } finally {
+            instance.close();
+        }
+    }
+
     /**
      * Test of analyze method, of class ArchiveAnalyzer.
      */
@@ -168,13 +251,16 @@ public class ArchiveAnalyzerTest {
             Dependency dependency = new Dependency(file);
             Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
             Engine engine = new Engine();
-
             int initial_size = engine.getDependencies().size();
+//            boolean failed = false;
+//            try {
             instance.analyze(dependency, engine);
+//            } catch (java.lang.UnsupportedClassVersionError ex) {
+//                failed = true;
+//            }
+//            assertTrue(failed);
             int ending_size = engine.getDependencies().size();
-
+            assertEquals(initial_size, ending_size);
-            assertTrue(initial_size == ending_size);
-
         } finally {
             instance.close();
         }

dependency-check-jenkins/pom.xml

@@ -6,13 +6,13 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.5</version>
     </parent>
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-jenkins</artifactId>
     <name>Dependency-Check Jenkins Plugin</name>
-    <packaging>jar</packaging>
+    <packaging>pom</packaging>
     <inceptionYear>2012</inceptionYear>
     <organization>
         <name>OWASP</name>

dependency-check-maven/pom.xml

@@ -24,7 +24,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.4</version>
+        <version>1.0.5</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java

@@ -160,6 +160,18 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     @SuppressWarnings("CanBeFinal")
     @Parameter(property = "proxyPort", defaultValue = "", required = false)
     private String proxyPort = null;
+    /**
+     * The Proxy username.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "proxyUsername", defaultValue = "", required = false)
+    private String proxyUsername = null;
+    /**
+     * The Proxy password.
+     */
+    @SuppressWarnings("CanBeFinal")
+    @Parameter(property = "proxyPassword", defaultValue = "", required = false)
+    private String proxyPassword = null;
     /**
      * The Connection Timeout.
      */
@@ -625,6 +637,12 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
         if (proxyPort != null && !proxyPort.isEmpty()) {
             Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
         }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
         if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
             Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
         }

dependency-check-maven/src/site/markdown/configuration.md

@@ -8,6 +8,9 @@ autoUpdate          | Sets whether auto-updating of the NVD CVE/CPE data is enab
 externalReport      | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
 failBuildOnCVSS     | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
 format              | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile             | The file path to write verbose logging information. |
 connectionTimeout   | The Connection Timeout.            |
 proxyUrl            | The Proxy URL.                     |
 proxyPort           | The Proxy Port.                    |
+proxyUsername       | Defines the proxy user name.       |
+proxyPassword       | Defines the proxy password.        |

pom.xml

@@ -22,7 +22,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.0.4</version>
+    <version>1.0.5</version>
     <packaging>pom</packaging>
 
     <parent>