minor correction to unit tests

Former-commit-id: 44829f536b0940ed95750890262a1ab668c57745

.gitignore

@@ -12,5 +12,9 @@ nb-configuration.xml
 /target/
 #maven-shade-plugin generated pom
 dependency-reduced-pom.xml
-# vim files
-*.swp
+#ruby Gemfile, etc. This is a java project, Gemfile is here to check site problem with Jekyll
+Gemfile
+Gemfile.lock
+_site/**
+#unknown as to why these are showing up... but need to be ignored.
+.LCKpom.xml~

LICENSE.txt

@@ -1,674 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE 
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

README.md

@@ -14,7 +14,7 @@ For instructions on the use of the Jenkins plugin please see the [Jenkins depend
 ### Command Line
 
 More detailed instructions can be found on the [dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
-The latest CLI can be downloaded from bintray's [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check). 
+The latest CLI can be downloaded from bintray's [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
 
 On *nix
 ```
@@ -29,7 +29,7 @@ On Windows
 
 ### Maven Plugin
 
-More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).
 The plugin can be configured using the following:
 
 ```xml
@@ -82,7 +82,7 @@ On Windows
 > dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
 ```
 
-Then load the resulting 'DependencyCheck-Report.html' into your favourite browser.
+Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
 
 Mailing List
 ------------
@@ -96,9 +96,9 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt] [GPLv3] file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
 
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
 
@@ -106,5 +106,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
   [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
   [post]: mailto:dependency-check@googlegroups.com
-  [GPLv3]: https://github.com/jeremylong/DependencyCheck/blob/master/LICENSE.txt
   [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt

dependency-check-ant/LICENSE.txt

@@ -1,674 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE 
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

dependency-check-ant/README.md

@@ -18,8 +18,8 @@ Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.c
 Copyright & License
 -------------------
 
-Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
 
 Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/NOTICES.txt) file for more information.

dependency-check-ant/config/checkstyle-header.txt

@@ -1,19 +1,18 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-ant\.\s*$
 ^ \*\s*$
-^ \* Dependency-check-ant is free software\: you can redistribute it and/or modify it\s*$
-^ \* under the terms of the GNU General Public License as published by the Free\s*$
-^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
-^ \* later version\.
+^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
+^ \* you may not use this file except in compliance with the License.\s*$
+^ \* You may obtain a copy of the License at\s*$
 ^ \*\s*$
-^ \* Dependency-check-ant is distributed in the hope that it will be useful, but\s*$
-^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
-^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
-^ \* details\.\s*$
+^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
 ^ \*\s*$
-^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* dependency-check-ant\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* Unless required by applicable law or agreed to in writing, software\s*$
+^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
+^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
+^ \* See the License for the specific language governing permissions and\s*$
+^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 2013 (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package

dependency-check-ant/pom.xml

@@ -1,18 +1,17 @@
 <!--
 This file is part of dependency-check-ant.
 
-Dependency-check-ant is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-check is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
+    http://www.apache.org/licenses/LICENSE-2.0
 
-You should have received a copy of the GNU General Public License
-along with dependency-check-ant.  If not, see <http://www.gnu.org/licenses />.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
 -->
@@ -22,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.8</version>
+        <version>1.1.4</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -238,8 +237,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.5.2</version>
+                <version>2.6</version>
                 <configuration>
+                    <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
+                    </instrumentation>
                     <check>
                         <branchRate>85</branchRate>
                         <lineRate>85</lineRate>
@@ -271,11 +273,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                 <version>2.16</version>
                 <configuration>
                     <systemProperties>
-                        <property>
-                            <name>net.sourceforge.cobertura.datafile</name>
-                            <value>${project.build.directory}/cobertura/cobertura.ser</value>
-                            <workingDirectory>target</workingDirectory>
-                        </property>
                         <property>
                             <name>data.directory</name>
                             <value>${project.build.directory}/dependency-check-data</value>
@@ -357,7 +354,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                         <plugin>
                             <groupId>org.codehaus.mojo</groupId>
                             <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.5.2</version>
+                            <version>2.6</version>
                         </plugin>
                         <plugin>
                             <groupId>org.apache.maven.plugins</groupId>
@@ -443,12 +440,12 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant</artifactId>
-            <version>1.9.1</version>
+            <version>1.9.3</version>
         </dependency>
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant-testutil</artifactId>
-            <version>1.9.1</version>
+            <version>1.9.3</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-ant.
  *
- * Dependency-check-ant is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-ant is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -33,6 +32,9 @@ import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -92,8 +94,8 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Returns the path. If the path has not been initialized yet, this class is
-     * synchronized, and will instantiate the path object.
+     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
+     * path object.
      *
      * @return the path
      */
@@ -115,8 +117,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Add a reference to a Path, FileSet, DirSet, or FileList defined
-     * elsewhere.
+     * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
      *
      * @param r the reference to a path, fileset, dirset or filelist.
      */
@@ -128,8 +129,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * If this is a reference, this method will add the referenced resource
-     * collection to the collection of paths.
+     * If this is a reference, this method will add the referenced resource collection to the collection of paths.
      *
      * @throws BuildException if the reference is not to a resource collection
      */
@@ -189,8 +189,7 @@ public class DependencyCheckTask extends Task {
         this.dataDirectory = dataDirectory;
     }
     /**
-     * Specifies the destination directory for the generated Dependency-Check
-     * report.
+     * Specifies the destination directory for the generated Dependency-Check report.
      */
     private String reportOutputDirectory = ".";
 
@@ -212,11 +211,9 @@ public class DependencyCheckTask extends Task {
         this.reportOutputDirectory = reportOutputDirectory;
     }
     /**
-     * Specifies if the build should be failed if a CVSS score above a specified
-     * level is identified. The default is 11 which means since the CVSS scores
-     * are 0-10, by default the build will never fail and the CVSS score is set
-     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
-     * anything above 10 will not cause the build to fail.
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
+     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
+     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
      */
     private float failBuildOnCVSS = 11;
 
@@ -238,8 +235,8 @@ public class DependencyCheckTask extends Task {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
     /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * recommended that this be turned to false. Default is true.
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
+     * false. Default is true.
      */
     private boolean autoUpdate = true;
 
@@ -261,9 +258,8 @@ public class DependencyCheckTask extends Task {
         this.autoUpdate = autoUpdate;
     }
     /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This
-     * configuration option has no affect if using this within the Site plugin
-     * unless the externalReport is set to true. Default is HTML.
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
+     * within the Site plugin unless the externalReport is set to true. Default is HTML.
      */
     private String reportFormat = "HTML";
 
@@ -461,6 +457,400 @@ public class DependencyCheckTask extends Task {
         this.showSummary = showSummary;
     }
 
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param jarAnalyzerEnabled the value of the new setting
+     */
+    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the Archive Analyzer is enabled.
+     */
+    private boolean archiveAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isArchiveAnalyzerEnabled() {
+        return archiveAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Assembly Analyzer is enabled.
+     */
+    private boolean assemblyAnalyzerEnabled = true;
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param archiveAnalyzerEnabled the value of the new setting
+     */
+    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
+    }
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isAssemblyAnalyzerEnabled() {
+        return assemblyAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param assemblyAnalyzerEnabled the value of the new setting
+     */
+    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Nuspec Analyzer is enabled.
+     */
+    private boolean nuspecAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isNuspecAnalyzerEnabled() {
+        return nuspecAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param nuspecAnalyzerEnabled the value of the new setting
+     */
+    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
+    }
+
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+
+    /**
+     * Get the value of nexusAnalyzerEnabled.
+     *
+     * @return the value of nexusAnalyzerEnabled
+     */
+    public boolean isNexusAnalyzerEnabled() {
+        return nexusAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of nexusAnalyzerEnabled.
+     *
+     * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
+     */
+    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
+    }
+
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+
+    /**
+     * Get the value of nexusUrl.
+     *
+     * @return the value of nexusUrl
+     */
+    public String getNexusUrl() {
+        return nexusUrl;
+    }
+
+    /**
+     * Set the value of nexusUrl.
+     *
+     * @param nexusUrl new value of nexusUrl
+     */
+    public void setNexusUrl(String nexusUrl) {
+        this.nexusUrl = nexusUrl;
+    }
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+
+    /**
+     * Get the value of nexusUsesProxy.
+     *
+     * @return the value of nexusUsesProxy
+     */
+    public boolean isNexusUsesProxy() {
+        return nexusUsesProxy;
+    }
+
+    /**
+     * Set the value of nexusUsesProxy.
+     *
+     * @param nexusUsesProxy new value of nexusUsesProxy
+     */
+    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+        this.nexusUsesProxy = nexusUsesProxy;
+    }
+
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+
+    /**
+     * Get the value of databaseDriverName.
+     *
+     * @return the value of databaseDriverName
+     */
+    public String getDatabaseDriverName() {
+        return databaseDriverName;
+    }
+
+    /**
+     * Set the value of databaseDriverName.
+     *
+     * @param databaseDriverName new value of databaseDriverName
+     */
+    public void setDatabaseDriverName(String databaseDriverName) {
+        this.databaseDriverName = databaseDriverName;
+    }
+
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+
+    /**
+     * Get the value of databaseDriverPath.
+     *
+     * @return the value of databaseDriverPath
+     */
+    public String getDatabaseDriverPath() {
+        return databaseDriverPath;
+    }
+
+    /**
+     * Set the value of databaseDriverPath.
+     *
+     * @param databaseDriverPath new value of databaseDriverPath
+     */
+    public void setDatabaseDriverPath(String databaseDriverPath) {
+        this.databaseDriverPath = databaseDriverPath;
+    }
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+
+    /**
+     * Get the value of connectionString.
+     *
+     * @return the value of connectionString
+     */
+    public String getConnectionString() {
+        return connectionString;
+    }
+
+    /**
+     * Set the value of connectionString.
+     *
+     * @param connectionString new value of connectionString
+     */
+    public void setConnectionString(String connectionString) {
+        this.connectionString = connectionString;
+    }
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+
+    /**
+     * Get the value of databaseUser.
+     *
+     * @return the value of databaseUser
+     */
+    public String getDatabaseUser() {
+        return databaseUser;
+    }
+
+    /**
+     * Set the value of databaseUser.
+     *
+     * @param databaseUser new value of databaseUser
+     */
+    public void setDatabaseUser(String databaseUser) {
+        this.databaseUser = databaseUser;
+    }
+
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+
+    /**
+     * Get the value of databasePassword.
+     *
+     * @return the value of databasePassword
+     */
+    public String getDatabasePassword() {
+        return databasePassword;
+    }
+
+    /**
+     * Set the value of databasePassword.
+     *
+     * @param databasePassword new value of databasePassword
+     */
+    public void setDatabasePassword(String databasePassword) {
+        this.databasePassword = databasePassword;
+    }
+
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * like ZIP files.
+     */
+    private String zipExtensions;
+
+    /**
+     * Get the value of zipExtensions.
+     *
+     * @return the value of zipExtensions
+     */
+    public String getZipExtensions() {
+        return zipExtensions;
+    }
+
+    /**
+     * Set the value of zipExtensions.
+     *
+     * @param zipExtensions new value of zipExtensions
+     */
+    public void setZipExtensions(String zipExtensions) {
+        this.zipExtensions = zipExtensions;
+    }
+
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+
+    /**
+     * Get the value of cveUrl12Modified.
+     *
+     * @return the value of cveUrl12Modified
+     */
+    public String getCveUrl12Modified() {
+        return cveUrl12Modified;
+    }
+
+    /**
+     * Set the value of cveUrl12Modified.
+     *
+     * @param cveUrl12Modified new value of cveUrl12Modified
+     */
+    public void setCveUrl12Modified(String cveUrl12Modified) {
+        this.cveUrl12Modified = cveUrl12Modified;
+    }
+
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
+    /**
+     * Get the value of cveUrl20Modified.
+     *
+     * @return the value of cveUrl20Modified
+     */
+    public String getCveUrl20Modified() {
+        return cveUrl20Modified;
+    }
+
+    /**
+     * Set the value of cveUrl20Modified.
+     *
+     * @param cveUrl20Modified new value of cveUrl20Modified
+     */
+    public void setCveUrl20Modified(String cveUrl20Modified) {
+        this.cveUrl20Modified = cveUrl20Modified;
+    }
+
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+
+    /**
+     * Get the value of cveUrl12Base.
+     *
+     * @return the value of cveUrl12Base
+     */
+    public String getCveUrl12Base() {
+        return cveUrl12Base;
+    }
+
+    /**
+     * Set the value of cveUrl12Base.
+     *
+     * @param cveUrl12Base new value of cveUrl12Base
+     */
+    public void setCveUrl12Base(String cveUrl12Base) {
+        this.cveUrl12Base = cveUrl12Base;
+    }
+
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+
+    /**
+     * Get the value of cveUrl20Base.
+     *
+     * @return the value of cveUrl20Base
+     */
+    public String getCveUrl20Base() {
+        return cveUrl20Base;
+    }
+
+    /**
+     * Set the value of cveUrl20Base.
+     *
+     * @param cveUrl20Base new value of cveUrl20Base
+     */
+    public void setCveUrl20Base(String cveUrl20Base) {
+        this.cveUrl20Base = cveUrl20Base;
+    }
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * Get the value of pathToMono.
+     *
+     * @return the value of pathToMono
+     */
+    public String getPathToMono() {
+        return pathToMono;
+    }
+
+    /**
+     * Set the value of pathToMono.
+     *
+     * @param pathToMono new value of pathToMono
+     */
+    public void setPathToMono(String pathToMono) {
+        this.pathToMono = pathToMono;
+    }
+
     @Override
     public void execute() throws BuildException {
         final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
@@ -470,39 +860,65 @@ public class DependencyCheckTask extends Task {
         validateConfiguration();
         populateSettings();
 
-        final Engine engine = new Engine();
-        for (Resource resource : path) {
-            final FileProvider provider = resource.as(FileProvider.class);
-            if (provider != null) {
-                final File file = provider.getFile();
-                if (file != null && file.exists()) {
-                    engine.scan(file);
+        Engine engine = null;
+        try {
+            engine = new Engine();
+
+            for (Resource resource : path) {
+                final FileProvider provider = resource.as(FileProvider.class);
+                if (provider != null) {
+                    final File file = provider.getFile();
+                    if (file != null && file.exists()) {
+                        engine.scan(file);
+                    }
                 }
             }
-        }
-        try {
-            engine.analyzeDependencies();
-            final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers());
-            reporter.generateReports(reportOutputDirectory, reportFormat);
+            try {
+                engine.analyzeDependencies();
+                DatabaseProperties prop = null;
+                CveDB cve = null;
+                try {
+                    cve = new CveDB();
+                    cve.open();
+                    prop = cve.getDatabaseProperties();
+                } catch (DatabaseException ex) {
+                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                } finally {
+                    if (cve != null) {
+                        cve.close();
+                    }
+                }
+                final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+                reporter.generateReports(reportOutputDirectory, reportFormat);
 
-            if (this.failBuildOnCVSS <= 10) {
-                checkForFailure(engine.getDependencies());
+                if (this.failBuildOnCVSS <= 10) {
+                    checkForFailure(engine.getDependencies());
+                }
+                if (this.showSummary) {
+                    showSummary(engine.getDependencies());
+                }
+            } catch (IOException ex) {
+                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
+                        "Unable to generate dependency-check report", ex);
+                throw new BuildException("Unable to generate dependency-check report", ex);
+            } catch (Exception ex) {
+                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
+                        "An exception occurred; unable to continue task", ex);
+                throw new BuildException("An exception occurred; unable to continue task", ex);
             }
-            if (this.showSummary) {
-                showSummary(engine.getDependencies());
+        } catch (DatabaseException ex) {
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
+                    "Unable to connect to the dependency-check database; analysis has stopped");
+            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
+        } finally {
+            if (engine != null) {
+                engine.cleanup();
             }
-        } catch (IOException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to generate dependency-check report", ex);
-            throw new BuildException("Unable to generate dependency-check report", ex);
-        } catch (Exception ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "An exception occurred; unable to continue task", ex);
-            throw new BuildException("An exception occurred; unable to continue task", ex);
         }
     }
 
     /**
-     * Validate the configuration to ensure the parameters have been properly
-     * configured/initialized.
+     * Validate the configuration to ensure the parameters have been properly configured/initialized.
      *
      * @throws BuildException if the task was not configured correctly.
      */
@@ -516,9 +932,8 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings.
-     * Additionally, this sets the system properties required to change the
-     * proxy url, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
+     * properties required to change the proxy url, port, and connection timeout.
      */
     private void populateSettings() {
         InputStream taskProperties = null;
@@ -567,15 +982,64 @@ public class DependencyCheckTask extends Task {
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
         }
+
+        //File Type Analyzer Settings
+        //JAR ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        //NUSPEC ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        //NEXUS ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        //ARCHIVE ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        //ASSEMBLY ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        }
+        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        }
+        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        }
+        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        }
     }
 
     /**
-     * Checks to see if a vulnerability has been identified with a CVSS score
-     * that is above the threshold set in the configuration.
+     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * configuration.
      *
      * @param dependencies the list of dependency objects
-     * @throws BuildException thrown if a CVSS score is found that is higher
-     * then the threshold set
+     * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
      */
     private void checkForFailure(List<Dependency> dependencies) throws BuildException {
         final StringBuilder ids = new StringBuilder();
@@ -599,8 +1063,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Generates a warning message listing a summary of dependencies and their
-     * associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
@@ -640,8 +1103,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN",
-     * etc..
+     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
      */
     public static class ReportFormats extends EnumeratedAttribute {
 
@@ -661,4 +1123,18 @@ public class DependencyCheckTask extends Task {
             return values;
         }
     }
+
+    /**
+     * Whether or not the Jar Analyzer is enabled.
+     */
+    private boolean jarAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isJarAnalyzerEnabled() {
+        return jarAnalyzerEnabled;
+    }
 }

dependency-check-ant/src/site/markdown/configuration.md

@@ -18,22 +18,60 @@ the project's dependencies.
     </dependency-check>
 </target>
 ```
-The following table lists the configurable properties:
 
-Property              | Description | Requirement
-----------------------|-------------|---------
-ApplicationName       | The name of the application to use in the generated report. | Required
-ReportFormat          | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional
-ReportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional
-FailBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional
-AutoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. The default value is true. | Optional
-DataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional
-LogFile               | The file path to write verbose logging information. | Optional
-SuppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional
-ProxyUrl              | Defines the proxy used to connect to the Internet. | Optional
-ProxyPort             | Defines the port for the proxy. | Optional
-ProxyUsername         | Defines the proxy user name. | Optional
-ProxyPassword         | Defines the proxy password. | Optional
-ConnectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional
+Configuration
+====================
+The following properties can be set on the dependency-check-maven plugin.
 
+Property             | Description                        | Default Value
+---------------------|------------------------------------|------------------
+autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile              | The file path to write verbose logging information. | &nbsp;
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
+proxyUrl             | The Proxy URL.                     | &nbsp;
+proxyPort            | The Proxy Port.                    | &nbsp;
+proxyUsername        | Defines the proxy user name.       | &nbsp;
+proxyPassword        | Defines the proxy password.        | &nbsp;
+connectionTimeout    | The URL Connection Timeout.        | &nbsp;
 
+Analyzer Configuration
+====================
+The following properties are used to configure the various file type analyzers.
+These properties can be used to turn off specific analyzers if it is not needed.
+Note, that specific analyzers will automatically disable themselves if no file
+types that they support are detected - so specifically disabling them may not
+be needed.
+
+Property                | Description                        | Default Value
+------------------------|------------------------------------|------------------
+archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                    | true
+zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+jarAnalyzer             | Sets whether Jar Analyzer will be used.                            | true
+nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used.                          | true
+nexusUrl                | Defines the Nexus URL. | https://repository.sonatype.org/service/local/
+nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
+nuspecAnalyzerEnabled  | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.   | true
+assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.     | true
+pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
+
+Advanced Configuration
+====================
+The following properties can be configured in the plugin. However, they are less frequently changed. One exception
+may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
+
+Property             | Description                                                             | Default Value
+---------------------|-------------------------------------------------------------------------|------------------
+cveUrl12Modified     | URL for the modified CVE 1.2                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+dataDirectory        | Data directory to hold SQL CVEs contents. This should generally not be changed.             | &nbsp;
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
+connectionString     | The connection string used to connect to the database.                                      | &nbsp;
+databaseUser         | The username used when connecting to the database.                                          | &nbsp;
+databasePassword     | The password used when connecting to the database.                                          | &nbsp;

dependency-check-ant/src/site/site.xml

@@ -2,18 +2,17 @@
 <!--
 This file is part of dependency-check-ant.
 
-Dependency-check-ant is free software: you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by the Free
-Software Foundation, either version 3 of the License, or (at your option) any
-later version.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-check-ant is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
+    http://www.apache.org/licenses/LICENSE-2.0
 
-You should have received a copy of the GNU General Public License along with
-dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-ant.
  *
- * Dependency-check-ant is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-ant is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-ant. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -20,12 +19,12 @@ package org.owasp.dependencycheck.taskdefs;
 
 import java.io.File;
 import static junit.framework.TestCase.assertTrue;
+import org.apache.tools.ant.BuildFileTest;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
-import org.apache.tools.ant.BuildFileTest;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
 
 /**
@@ -65,7 +64,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
      */
     @Test
     public void testAddFileSet() throws Exception {
-        File report = new File("target/DependencyCheck-Report.html");
+        File report = new File("target/dependency-check-report.html");
         if (report.exists()) {
             if (!report.delete()) {
                 throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
@@ -84,7 +83,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
      */
     @Test
     public void testAddFileList() throws Exception {
-        File report = new File("target/DependencyCheck-Report.xml");
+        File report = new File("target/dependency-check-report.xml");
         if (report.exists()) {
             if (!report.delete()) {
                 throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
@@ -102,7 +101,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
      */
     @Test
     public void testAddDirSet() throws Exception {
-        File report = new File("target/DependencyCheck-Vulnerability.html");
+        File report = new File("target/dependency-check-vulnerability.html");
         if (report.exists()) {
             if (!report.delete()) {
                 throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");

dependency-check-cli/LICENSE.txt

@@ -1,674 +1,202 @@
-                    GNU GENERAL PUBLIC LICENSE 
-                       Version 3, 29 June 2007
-
- Copyright (C) 2007 Free Software Foundation, Inc. <http://fsf.org/>
- Everyone is permitted to copy and distribute verbatim copies
- of this license document, but changing it is not allowed.
-
-                            Preamble
-
-  The GNU General Public License is a free, copyleft license for
-software and other kinds of works.
-
-  The licenses for most software and other practical works are designed
-to take away your freedom to share and change the works.  By contrast,
-the GNU General Public License is intended to guarantee your freedom to
-share and change all versions of a program--to make sure it remains free
-software for all its users.  We, the Free Software Foundation, use the
-GNU General Public License for most of our software; it applies also to
-any other work released this way by its authors.  You can apply it to
-your programs, too.
-
-  When we speak of free software, we are referring to freedom, not
-price.  Our General Public Licenses are designed to make sure that you
-have the freedom to distribute copies of free software (and charge for
-them if you wish), that you receive source code or can get it if you
-want it, that you can change the software or use pieces of it in new
-free programs, and that you know you can do these things.
-
-  To protect your rights, we need to prevent others from denying you
-these rights or asking you to surrender the rights.  Therefore, you have
-certain responsibilities if you distribute copies of the software, or if
-you modify it: responsibilities to respect the freedom of others.
-
-  For example, if you distribute copies of such a program, whether
-gratis or for a fee, you must pass on to the recipients the same
-freedoms that you received.  You must make sure that they, too, receive
-or can get the source code.  And you must show them these terms so they
-know their rights.
-
-  Developers that use the GNU GPL protect your rights with two steps:
-(1) assert copyright on the software, and (2) offer you this License
-giving you legal permission to copy, distribute and/or modify it.
-
-  For the developers' and authors' protection, the GPL clearly explains
-that there is no warranty for this free software.  For both users' and
-authors' sake, the GPL requires that modified versions be marked as
-changed, so that their problems will not be attributed erroneously to
-authors of previous versions.
-
-  Some devices are designed to deny users access to install or run
-modified versions of the software inside them, although the manufacturer
-can do so.  This is fundamentally incompatible with the aim of
-protecting users' freedom to change the software.  The systematic
-pattern of such abuse occurs in the area of products for individuals to
-use, which is precisely where it is most unacceptable.  Therefore, we
-have designed this version of the GPL to prohibit the practice for those
-products.  If such problems arise substantially in other domains, we
-stand ready to extend this provision to those domains in future versions
-of the GPL, as needed to protect the freedom of users.
-
-  Finally, every program is threatened constantly by software patents.
-States should not allow patents to restrict development and use of
-software on general-purpose computers, but in those that do, we wish to
-avoid the special danger that patents applied to a free program could
-make it effectively proprietary.  To prevent this, the GPL assures that
-patents cannot be used to render the program non-free.
-
-  The precise terms and conditions for copying, distribution and
-modification follow.
-
-                       TERMS AND CONDITIONS
-
-  0. Definitions.
-
-  "This License" refers to version 3 of the GNU General Public License.
-
-  "Copyright" also means copyright-like laws that apply to other kinds of
-works, such as semiconductor masks.
-
-  "The Program" refers to any copyrightable work licensed under this
-License.  Each licensee is addressed as "you".  "Licensees" and
-"recipients" may be individuals or organizations.
-
-  To "modify" a work means to copy from or adapt all or part of the work
-in a fashion requiring copyright permission, other than the making of an
-exact copy.  The resulting work is called a "modified version" of the
-earlier work or a work "based on" the earlier work.
-
-  A "covered work" means either the unmodified Program or a work based
-on the Program.
-
-  To "propagate" a work means to do anything with it that, without
-permission, would make you directly or secondarily liable for
-infringement under applicable copyright law, except executing it on a
-computer or modifying a private copy.  Propagation includes copying,
-distribution (with or without modification), making available to the
-public, and in some countries other activities as well.
-
-  To "convey" a work means any kind of propagation that enables other
-parties to make or receive copies.  Mere interaction with a user through
-a computer network, with no transfer of a copy, is not conveying.
-
-  An interactive user interface displays "Appropriate Legal Notices"
-to the extent that it includes a convenient and prominently visible
-feature that (1) displays an appropriate copyright notice, and (2)
-tells the user that there is no warranty for the work (except to the
-extent that warranties are provided), that licensees may convey the
-work under this License, and how to view a copy of this License.  If
-the interface presents a list of user commands or options, such as a
-menu, a prominent item in the list meets this criterion.
-
-  1. Source Code.
-
-  The "source code" for a work means the preferred form of the work
-for making modifications to it.  "Object code" means any non-source
-form of a work.
-
-  A "Standard Interface" means an interface that either is an official
-standard defined by a recognized standards body, or, in the case of
-interfaces specified for a particular programming language, one that
-is widely used among developers working in that language.
-
-  The "System Libraries" of an executable work include anything, other
-than the work as a whole, that (a) is included in the normal form of
-packaging a Major Component, but which is not part of that Major
-Component, and (b) serves only to enable use of the work with that
-Major Component, or to implement a Standard Interface for which an
-implementation is available to the public in source code form.  A
-"Major Component", in this context, means a major essential component
-(kernel, window system, and so on) of the specific operating system
-(if any) on which the executable work runs, or a compiler used to
-produce the work, or an object code interpreter used to run it.
-
-  The "Corresponding Source" for a work in object code form means all
-the source code needed to generate, install, and (for an executable
-work) run the object code and to modify the work, including scripts to
-control those activities.  However, it does not include the work's
-System Libraries, or general-purpose tools or generally available free
-programs which are used unmodified in performing those activities but
-which are not part of the work.  For example, Corresponding Source
-includes interface definition files associated with source files for
-the work, and the source code for shared libraries and dynamically
-linked subprograms that the work is specifically designed to require,
-such as by intimate data communication or control flow between those
-subprograms and other parts of the work.
-
-  The Corresponding Source need not include anything that users
-can regenerate automatically from other parts of the Corresponding
-Source.
-
-  The Corresponding Source for a work in source code form is that
-same work.
-
-  2. Basic Permissions.
-
-  All rights granted under this License are granted for the term of
-copyright on the Program, and are irrevocable provided the stated
-conditions are met.  This License explicitly affirms your unlimited
-permission to run the unmodified Program.  The output from running a
-covered work is covered by this License only if the output, given its
-content, constitutes a covered work.  This License acknowledges your
-rights of fair use or other equivalent, as provided by copyright law.
-
-  You may make, run and propagate covered works that you do not
-convey, without conditions so long as your license otherwise remains
-in force.  You may convey covered works to others for the sole purpose
-of having them make modifications exclusively for you, or provide you
-with facilities for running those works, provided that you comply with
-the terms of this License in conveying all material for which you do
-not control copyright.  Those thus making or running the covered works
-for you must do so exclusively on your behalf, under your direction
-and control, on terms that prohibit them from making any copies of
-your copyrighted material outside their relationship with you.
-
-  Conveying under any other circumstances is permitted solely under
-the conditions stated below.  Sublicensing is not allowed; section 10
-makes it unnecessary.
-
-  3. Protecting Users' Legal Rights From Anti-Circumvention Law.
-
-  No covered work shall be deemed part of an effective technological
-measure under any applicable law fulfilling obligations under article
-11 of the WIPO copyright treaty adopted on 20 December 1996, or
-similar laws prohibiting or restricting circumvention of such
-measures.
-
-  When you convey a covered work, you waive any legal power to forbid
-circumvention of technological measures to the extent such circumvention
-is effected by exercising rights under this License with respect to
-the covered work, and you disclaim any intention to limit operation or
-modification of the work as a means of enforcing, against the work's
-users, your or third parties' legal rights to forbid circumvention of
-technological measures.
-
-  4. Conveying Verbatim Copies.
-
-  You may convey verbatim copies of the Program's source code as you
-receive it, in any medium, provided that you conspicuously and
-appropriately publish on each copy an appropriate copyright notice;
-keep intact all notices stating that this License and any
-non-permissive terms added in accord with section 7 apply to the code;
-keep intact all notices of the absence of any warranty; and give all
-recipients a copy of this License along with the Program.
-
-  You may charge any price or no price for each copy that you convey,
-and you may offer support or warranty protection for a fee.
-
-  5. Conveying Modified Source Versions.
-
-  You may convey a work based on the Program, or the modifications to
-produce it from the Program, in the form of source code under the
-terms of section 4, provided that you also meet all of these conditions:
-
-    a) The work must carry prominent notices stating that you modified
-    it, and giving a relevant date.
-
-    b) The work must carry prominent notices stating that it is
-    released under this License and any conditions added under section
-    7.  This requirement modifies the requirement in section 4 to
-    "keep intact all notices".
-
-    c) You must license the entire work, as a whole, under this
-    License to anyone who comes into possession of a copy.  This
-    License will therefore apply, along with any applicable section 7
-    additional terms, to the whole of the work, and all its parts,
-    regardless of how they are packaged.  This License gives no
-    permission to license the work in any other way, but it does not
-    invalidate such permission if you have separately received it.
-
-    d) If the work has interactive user interfaces, each must display
-    Appropriate Legal Notices; however, if the Program has interactive
-    interfaces that do not display Appropriate Legal Notices, your
-    work need not make them do so.
-
-  A compilation of a covered work with other separate and independent
-works, which are not by their nature extensions of the covered work,
-and which are not combined with it such as to form a larger program,
-in or on a volume of a storage or distribution medium, is called an
-"aggregate" if the compilation and its resulting copyright are not
-used to limit the access or legal rights of the compilation's users
-beyond what the individual works permit.  Inclusion of a covered work
-in an aggregate does not cause this License to apply to the other
-parts of the aggregate.
-
-  6. Conveying Non-Source Forms.
-
-  You may convey a covered work in object code form under the terms
-of sections 4 and 5, provided that you also convey the
-machine-readable Corresponding Source under the terms of this License,
-in one of these ways:
-
-    a) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by the
-    Corresponding Source fixed on a durable physical medium
-    customarily used for software interchange.
-
-    b) Convey the object code in, or embodied in, a physical product
-    (including a physical distribution medium), accompanied by a
-    written offer, valid for at least three years and valid for as
-    long as you offer spare parts or customer support for that product
-    model, to give anyone who possesses the object code either (1) a
-    copy of the Corresponding Source for all the software in the
-    product that is covered by this License, on a durable physical
-    medium customarily used for software interchange, for a price no
-    more than your reasonable cost of physically performing this
-    conveying of source, or (2) access to copy the
-    Corresponding Source from a network server at no charge.
-
-    c) Convey individual copies of the object code with a copy of the
-    written offer to provide the Corresponding Source.  This
-    alternative is allowed only occasionally and noncommercially, and
-    only if you received the object code with such an offer, in accord
-    with subsection 6b.
-
-    d) Convey the object code by offering access from a designated
-    place (gratis or for a charge), and offer equivalent access to the
-    Corresponding Source in the same way through the same place at no
-    further charge.  You need not require recipients to copy the
-    Corresponding Source along with the object code.  If the place to
-    copy the object code is a network server, the Corresponding Source
-    may be on a different server (operated by you or a third party)
-    that supports equivalent copying facilities, provided you maintain
-    clear directions next to the object code saying where to find the
-    Corresponding Source.  Regardless of what server hosts the
-    Corresponding Source, you remain obligated to ensure that it is
-    available for as long as needed to satisfy these requirements.
-
-    e) Convey the object code using peer-to-peer transmission, provided
-    you inform other peers where the object code and Corresponding
-    Source of the work are being offered to the general public at no
-    charge under subsection 6d.
-
-  A separable portion of the object code, whose source code is excluded
-from the Corresponding Source as a System Library, need not be
-included in conveying the object code work.
-
-  A "User Product" is either (1) a "consumer product", which means any
-tangible personal property which is normally used for personal, family,
-or household purposes, or (2) anything designed or sold for incorporation
-into a dwelling.  In determining whether a product is a consumer product,
-doubtful cases shall be resolved in favor of coverage.  For a particular
-product received by a particular user, "normally used" refers to a
-typical or common use of that class of product, regardless of the status
-of the particular user or of the way in which the particular user
-actually uses, or expects or is expected to use, the product.  A product
-is a consumer product regardless of whether the product has substantial
-commercial, industrial or non-consumer uses, unless such uses represent
-the only significant mode of use of the product.
-
-  "Installation Information" for a User Product means any methods,
-procedures, authorization keys, or other information required to install
-and execute modified versions of a covered work in that User Product from
-a modified version of its Corresponding Source.  The information must
-suffice to ensure that the continued functioning of the modified object
-code is in no case prevented or interfered with solely because
-modification has been made.
-
-  If you convey an object code work under this section in, or with, or
-specifically for use in, a User Product, and the conveying occurs as
-part of a transaction in which the right of possession and use of the
-User Product is transferred to the recipient in perpetuity or for a
-fixed term (regardless of how the transaction is characterized), the
-Corresponding Source conveyed under this section must be accompanied
-by the Installation Information.  But this requirement does not apply
-if neither you nor any third party retains the ability to install
-modified object code on the User Product (for example, the work has
-been installed in ROM).
-
-  The requirement to provide Installation Information does not include a
-requirement to continue to provide support service, warranty, or updates
-for a work that has been modified or installed by the recipient, or for
-the User Product in which it has been modified or installed.  Access to a
-network may be denied when the modification itself materially and
-adversely affects the operation of the network or violates the rules and
-protocols for communication across the network.
-
-  Corresponding Source conveyed, and Installation Information provided,
-in accord with this section must be in a format that is publicly
-documented (and with an implementation available to the public in
-source code form), and must require no special password or key for
-unpacking, reading or copying.
-
-  7. Additional Terms.
-
-  "Additional permissions" are terms that supplement the terms of this
-License by making exceptions from one or more of its conditions.
-Additional permissions that are applicable to the entire Program shall
-be treated as though they were included in this License, to the extent
-that they are valid under applicable law.  If additional permissions
-apply only to part of the Program, that part may be used separately
-under those permissions, but the entire Program remains governed by
-this License without regard to the additional permissions.
-
-  When you convey a copy of a covered work, you may at your option
-remove any additional permissions from that copy, or from any part of
-it.  (Additional permissions may be written to require their own
-removal in certain cases when you modify the work.)  You may place
-additional permissions on material, added by you to a covered work,
-for which you have or can give appropriate copyright permission.
-
-  Notwithstanding any other provision of this License, for material you
-add to a covered work, you may (if authorized by the copyright holders of
-that material) supplement the terms of this License with terms:
-
-    a) Disclaiming warranty or limiting liability differently from the
-    terms of sections 15 and 16 of this License; or
-
-    b) Requiring preservation of specified reasonable legal notices or
-    author attributions in that material or in the Appropriate Legal
-    Notices displayed by works containing it; or
-
-    c) Prohibiting misrepresentation of the origin of that material, or
-    requiring that modified versions of such material be marked in
-    reasonable ways as different from the original version; or
-
-    d) Limiting the use for publicity purposes of names of licensors or
-    authors of the material; or
-
-    e) Declining to grant rights under trademark law for use of some
-    trade names, trademarks, or service marks; or
-
-    f) Requiring indemnification of licensors and authors of that
-    material by anyone who conveys the material (or modified versions of
-    it) with contractual assumptions of liability to the recipient, for
-    any liability that these contractual assumptions directly impose on
-    those licensors and authors.
-
-  All other non-permissive additional terms are considered "further
-restrictions" within the meaning of section 10.  If the Program as you
-received it, or any part of it, contains a notice stating that it is
-governed by this License along with a term that is a further
-restriction, you may remove that term.  If a license document contains
-a further restriction but permits relicensing or conveying under this
-License, you may add to a covered work material governed by the terms
-of that license document, provided that the further restriction does
-not survive such relicensing or conveying.
-
-  If you add terms to a covered work in accord with this section, you
-must place, in the relevant source files, a statement of the
-additional terms that apply to those files, or a notice indicating
-where to find the applicable terms.
-
-  Additional terms, permissive or non-permissive, may be stated in the
-form of a separately written license, or stated as exceptions;
-the above requirements apply either way.
-
-  8. Termination.
-
-  You may not propagate or modify a covered work except as expressly
-provided under this License.  Any attempt otherwise to propagate or
-modify it is void, and will automatically terminate your rights under
-this License (including any patent licenses granted under the third
-paragraph of section 11).
-
-  However, if you cease all violation of this License, then your
-license from a particular copyright holder is reinstated (a)
-provisionally, unless and until the copyright holder explicitly and
-finally terminates your license, and (b) permanently, if the copyright
-holder fails to notify you of the violation by some reasonable means
-prior to 60 days after the cessation.
-
-  Moreover, your license from a particular copyright holder is
-reinstated permanently if the copyright holder notifies you of the
-violation by some reasonable means, this is the first time you have
-received notice of violation of this License (for any work) from that
-copyright holder, and you cure the violation prior to 30 days after
-your receipt of the notice.
-
-  Termination of your rights under this section does not terminate the
-licenses of parties who have received copies or rights from you under
-this License.  If your rights have been terminated and not permanently
-reinstated, you do not qualify to receive new licenses for the same
-material under section 10.
-
-  9. Acceptance Not Required for Having Copies.
-
-  You are not required to accept this License in order to receive or
-run a copy of the Program.  Ancillary propagation of a covered work
-occurring solely as a consequence of using peer-to-peer transmission
-to receive a copy likewise does not require acceptance.  However,
-nothing other than this License grants you permission to propagate or
-modify any covered work.  These actions infringe copyright if you do
-not accept this License.  Therefore, by modifying or propagating a
-covered work, you indicate your acceptance of this License to do so.
-
-  10. Automatic Licensing of Downstream Recipients.
-
-  Each time you convey a covered work, the recipient automatically
-receives a license from the original licensors, to run, modify and
-propagate that work, subject to this License.  You are not responsible
-for enforcing compliance by third parties with this License.
-
-  An "entity transaction" is a transaction transferring control of an
-organization, or substantially all assets of one, or subdividing an
-organization, or merging organizations.  If propagation of a covered
-work results from an entity transaction, each party to that
-transaction who receives a copy of the work also receives whatever
-licenses to the work the party's predecessor in interest had or could
-give under the previous paragraph, plus a right to possession of the
-Corresponding Source of the work from the predecessor in interest, if
-the predecessor has it or can get it with reasonable efforts.
-
-  You may not impose any further restrictions on the exercise of the
-rights granted or affirmed under this License.  For example, you may
-not impose a license fee, royalty, or other charge for exercise of
-rights granted under this License, and you may not initiate litigation
-(including a cross-claim or counterclaim in a lawsuit) alleging that
-any patent claim is infringed by making, using, selling, offering for
-sale, or importing the Program or any portion of it.
-
-  11. Patents.
-
-  A "contributor" is a copyright holder who authorizes use under this
-License of the Program or a work on which the Program is based.  The
-work thus licensed is called the contributor's "contributor version".
-
-  A contributor's "essential patent claims" are all patent claims
-owned or controlled by the contributor, whether already acquired or
-hereafter acquired, that would be infringed by some manner, permitted
-by this License, of making, using, or selling its contributor version,
-but do not include claims that would be infringed only as a
-consequence of further modification of the contributor version.  For
-purposes of this definition, "control" includes the right to grant
-patent sublicenses in a manner consistent with the requirements of
-this License.
-
-  Each contributor grants you a non-exclusive, worldwide, royalty-free
-patent license under the contributor's essential patent claims, to
-make, use, sell, offer for sale, import and otherwise run, modify and
-propagate the contents of its contributor version.
-
-  In the following three paragraphs, a "patent license" is any express
-agreement or commitment, however denominated, not to enforce a patent
-(such as an express permission to practice a patent or covenant not to
-sue for patent infringement).  To "grant" such a patent license to a
-party means to make such an agreement or commitment not to enforce a
-patent against the party.
-
-  If you convey a covered work, knowingly relying on a patent license,
-and the Corresponding Source of the work is not available for anyone
-to copy, free of charge and under the terms of this License, through a
-publicly available network server or other readily accessible means,
-then you must either (1) cause the Corresponding Source to be so
-available, or (2) arrange to deprive yourself of the benefit of the
-patent license for this particular work, or (3) arrange, in a manner
-consistent with the requirements of this License, to extend the patent
-license to downstream recipients.  "Knowingly relying" means you have
-actual knowledge that, but for the patent license, your conveying the
-covered work in a country, or your recipient's use of the covered work
-in a country, would infringe one or more identifiable patents in that
-country that you have reason to believe are valid.
-
-  If, pursuant to or in connection with a single transaction or
-arrangement, you convey, or propagate by procuring conveyance of, a
-covered work, and grant a patent license to some of the parties
-receiving the covered work authorizing them to use, propagate, modify
-or convey a specific copy of the covered work, then the patent license
-you grant is automatically extended to all recipients of the covered
-work and works based on it.
-
-  A patent license is "discriminatory" if it does not include within
-the scope of its coverage, prohibits the exercise of, or is
-conditioned on the non-exercise of one or more of the rights that are
-specifically granted under this License.  You may not convey a covered
-work if you are a party to an arrangement with a third party that is
-in the business of distributing software, under which you make payment
-to the third party based on the extent of your activity of conveying
-the work, and under which the third party grants, to any of the
-parties who would receive the covered work from you, a discriminatory
-patent license (a) in connection with copies of the covered work
-conveyed by you (or copies made from those copies), or (b) primarily
-for and in connection with specific products or compilations that
-contain the covered work, unless you entered into that arrangement,
-or that patent license was granted, prior to 28 March 2007.
-
-  Nothing in this License shall be construed as excluding or limiting
-any implied license or other defenses to infringement that may
-otherwise be available to you under applicable patent law.
-
-  12. No Surrender of Others' Freedom.
-
-  If conditions are imposed on you (whether by court order, agreement or
-otherwise) that contradict the conditions of this License, they do not
-excuse you from the conditions of this License.  If you cannot convey a
-covered work so as to satisfy simultaneously your obligations under this
-License and any other pertinent obligations, then as a consequence you may
-not convey it at all.  For example, if you agree to terms that obligate you
-to collect a royalty for further conveying from those to whom you convey
-the Program, the only way you could satisfy both those terms and this
-License would be to refrain entirely from conveying the Program.
-
-  13. Use with the GNU Affero General Public License.
-
-  Notwithstanding any other provision of this License, you have
-permission to link or combine any covered work with a work licensed
-under version 3 of the GNU Affero General Public License into a single
-combined work, and to convey the resulting work.  The terms of this
-License will continue to apply to the part which is the covered work,
-but the special requirements of the GNU Affero General Public License,
-section 13, concerning interaction through a network will apply to the
-combination as such.
-
-  14. Revised Versions of this License.
-
-  The Free Software Foundation may publish revised and/or new versions of
-the GNU General Public License from time to time.  Such new versions will
-be similar in spirit to the present version, but may differ in detail to
-address new problems or concerns.
-
-  Each version is given a distinguishing version number.  If the
-Program specifies that a certain numbered version of the GNU General
-Public License "or any later version" applies to it, you have the
-option of following the terms and conditions either of that numbered
-version or of any later version published by the Free Software
-Foundation.  If the Program does not specify a version number of the
-GNU General Public License, you may choose any version ever published
-by the Free Software Foundation.
-
-  If the Program specifies that a proxy can decide which future
-versions of the GNU General Public License can be used, that proxy's
-public statement of acceptance of a version permanently authorizes you
-to choose that version for the Program.
-
-  Later license versions may give you additional or different
-permissions.  However, no additional obligations are imposed on any
-author or copyright holder as a result of your choosing to follow a
-later version.
-
-  15. Disclaimer of Warranty.
-
-  THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT PERMITTED BY
-APPLICABLE LAW.  EXCEPT WHEN OTHERWISE STATED IN WRITING THE COPYRIGHT
-HOLDERS AND/OR OTHER PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY
-OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
-THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-PURPOSE.  THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM
-IS WITH YOU.  SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF
-ALL NECESSARY SERVICING, REPAIR OR CORRECTION.
-
-  16. Limitation of Liability.
-
-  IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
-WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MODIFIES AND/OR CONVEYS
-THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES, INCLUDING ANY
-GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE
-USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO LOSS OF
-DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD
-PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS),
-EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF
-SUCH DAMAGES.
-
-  17. Interpretation of Sections 15 and 16.
-
-  If the disclaimer of warranty and limitation of liability provided
-above cannot be given local legal effect according to their terms,
-reviewing courts shall apply local law that most closely approximates
-an absolute waiver of all civil liability in connection with the
-Program, unless a warranty or assumption of liability accompanies a
-copy of the Program in return for a fee.
-
-                     END OF TERMS AND CONDITIONS
-
-            How to Apply These Terms to Your New Programs
-
-  If you develop a new program, and you want it to be of the greatest
-possible use to the public, the best way to achieve this is to make it
-free software which everyone can redistribute and change under these terms.
-
-  To do so, attach the following notices to the program.  It is safest
-to attach them to the start of each source file to most effectively
-state the exclusion of warranty; and each file should have at least
-the "copyright" line and a pointer to where the full notice is found.
-
-    <one line to give the program's name and a brief idea of what it does.>
-    Copyright (C) <year>  <name of author>
-
-    This program is free software: you can redistribute it and/or modify
-    it under the terms of the GNU General Public License as published by
-    the Free Software Foundation, either version 3 of the License, or
-    (at your option) any later version.
-
-    This program is distributed in the hope that it will be useful,
-    but WITHOUT ANY WARRANTY; without even the implied warranty of
-    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
-    GNU General Public License for more details.
-
-    You should have received a copy of the GNU General Public License
-    along with this program.  If not, see <http://www.gnu.org/licenses/>.
-
-Also add information on how to contact you by electronic and paper mail.
-
-  If the program does terminal interaction, make it output a short
-notice like this when it starts in an interactive mode:
-
-    <program>  Copyright (C) <year>  <name of author>
-    This program comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
-    This is free software, and you are welcome to redistribute it
-    under certain conditions; type `show c' for details.
-
-The hypothetical commands `show w' and `show c' should show the appropriate
-parts of the General Public License.  Of course, your program's commands
-might be different; for a GUI interface, you would use an "about box".
-
-  You should also get your employer (if you work as a programmer) or school,
-if any, to sign a "copyright disclaimer" for the program, if necessary.
-For more information on this, and how to apply and follow the GNU GPL, see
-<http://www.gnu.org/licenses/>.
-
-  The GNU General Public License does not permit incorporating your program
-into proprietary programs.  If your program is a subroutine library, you
-may consider it more useful to permit linking proprietary applications with
-the library.  If this is what you want to do, use the GNU Lesser General
-Public License instead of this License.  But first, please read
-<http://www.gnu.org/philosophy/why-not-lgpl.html>.
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

dependency-check-cli/README.md

@@ -17,8 +17,8 @@ Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.c
 Copyright & License
 ------------
 
-Dependency-Check is Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Permission to modify and redistribute is granted under the terms of the GPLv3 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
 
 Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/NOTICES.txt) file for more information.

dependency-check-cli/config/checkstyle-header.txt

@@ -1,19 +1,18 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-cli\.\s*$
 ^ \*\s*$
-^ \* Dependency-check-cli is free software\: you can redistribute it and/or modify it\s*$
-^ \* under the terms of the GNU General Public License as published by the Free\s*$
-^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
-^ \* later version\.
+^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
+^ \* you may not use this file except in compliance with the License.\s*$
+^ \* You may obtain a copy of the License at\s*$
 ^ \*\s*$
-^ \* Dependency-check-cli is distributed in the hope that it will be useful, but\s*$
-^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
-^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
-^ \* details\.\s*$
+^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
 ^ \*\s*$
-^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* dependency-check-cli\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* Unless required by applicable law or agreed to in writing, software\s*$
+^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
+^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
+^ \* See the License for the specific language governing permissions and\s*$
+^ \* limitations under the License\.\s*$
 ^ \*\s*$
-^ \* Copyright \(c\) 201[23] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
+^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package

dependency-check-cli/pom.xml

@@ -1,18 +1,17 @@
 <!--
 This file is part of Dependency-Check.
 
-Dependency-Check is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-Check is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
+    http://www.apache.org/licenses/LICENSE-2.0
 
-You should have received a copy of the GNU General Public License
-along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
 -->
@@ -22,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.8</version>
+        <version>1.1.4</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -78,8 +77,11 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.5.2</version>
+                <version>2.6</version>
                 <configuration>
+                    <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
+                    </instrumentation>
                     <check>
                         <branchRate>85</branchRate>
                         <lineRate>85</lineRate>
@@ -116,11 +118,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                 <version>2.16</version>
                 <configuration>
                     <systemProperties>
-                        <property>
-                            <name>net.sourceforge.cobertura.datafile</name>
-                            <value>${project.build.directory}/cobertura/cobertura.ser</value>
-                            <workingDirectory>target</workingDirectory>
-                        </property>
                         <property>
                             <name>cpe</name>
                             <value>data/cpe</value>
@@ -207,7 +204,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                         <plugin>
                             <groupId>org.codehaus.mojo</groupId>
                             <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.5.2</version>
+                            <version>2.6</version>
                         </plugin>
                         <plugin>
                             <groupId>org.apache.maven.plugins</groupId>

dependency-check-cli/src/main/assembly/license.txt

@@ -1,11 +1,11 @@
 
 Copyright (c) 2012-2013 Jeremy Long.  All rights reserved.
 
-Licensed under the GPL License, Version 3; you may not use this work
-except in compliance with the License. You may obtain a copy of the
-License in the LICENSE.txt file, or at:
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-http://www.gnu.org/licenses/gpl-3.0.txt
+    http://www.apache.org/licenses/LICENSE-2.0
 
 Unless required by applicable law or agreed to in writing, software
 distributed under the License is distributed on an "AS IS" BASIS,

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-cli.
  *
- * Dependency-check-cli is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-cli is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-cli. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -26,29 +25,15 @@ import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
-import org.owasp.dependencycheck.reporting.ReportGenerator;
-import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.cli.CliParser;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
-/*
- * This file is part of App.
- *
- * App is free software: you can redistribute it and/or modify it under the
- * terms of the GNU General Public License as published by the Free Software
- * Foundation, either version 3 of the License, or (at your option) any later
- * version.
- *
- * App is distributed in the hope that it will be useful, but WITHOUT ANY
- * WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR
- * A PARTICULAR PURPOSE. See the GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along with
- * App. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
 /**
  * The command line interface for the DependencyCheck application.
  *
@@ -97,9 +82,7 @@ public class App {
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
         } else if (cli.isRunScan()) {
-            updateSettings(cli.isAutoUpdate(), cli.getConnectionTimeout(), cli.getProxyUrl(),
-                    cli.getProxyPort(), cli.getProxyUsername(), cli.getProxyPassword(),
-                    cli.getDataDirectory(), cli.getPropertiesFile(), cli.getSuppressionFile());
+            updateSettings(cli);
             runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
         } else {
             cli.printHelp();
@@ -107,55 +90,87 @@ public class App {
     }
 
     /**
-     * Scans the specified directories and writes the dependency reports to the
-     * reportDirectory.
+     * Scans the specified directories and writes the dependency reports to the reportDirectory.
      *
-     * @param reportDirectory the path to the directory where the reports will
-     * be written
+     * @param reportDirectory the path to the directory where the reports will be written
      * @param outputFormat the output format of the report
      * @param applicationName the application name for the report
      * @param files the files/directories to scan
      */
     private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
-        final Engine scanner = new Engine();
-
-        for (String file : files) {
-            scanner.scan(file);
-        }
-
-        scanner.analyzeDependencies();
-        final List<Dependency> dependencies = scanner.getDependencies();
-
-        final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers());
+        Engine scanner = null;
         try {
-            report.generateReports(reportDirectory, outputFormat);
-        } catch (IOException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
-            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
-        } catch (Exception ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
-            Logger.getLogger(App.class.getName()).log(Level.INFO, null, ex);
+            scanner = new Engine();
+
+            for (String file : files) {
+                scanner.scan(file);
+            }
+
+            scanner.analyzeDependencies();
+            final List<Dependency> dependencies = scanner.getDependencies();
+            DatabaseProperties prop = null;
+            CveDB cve = null;
+            try {
+                cve = new CveDB();
+                cve.open();
+                prop = cve.getDatabaseProperties();
+            } catch (DatabaseException ex) {
+                Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+            } finally {
+                if (cve != null) {
+                    cve.close();
+                }
+            }
+            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
+            try {
+                report.generateReports(reportDirectory, outputFormat);
+            } catch (IOException ex) {
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            } catch (Throwable ex) {
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
+                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+            }
+        } catch (DatabaseException ex) {
+            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
+        } finally {
+            if (scanner != null) {
+                scanner.cleanup();
+            }
         }
     }
 
     /**
      * Updates the global Settings.
      *
-     * @param autoUpdate whether or not to update cached web data sources
-     * @param connectionTimeout the timeout to use when downloading resources
-     * (null or blank will use default)
-     * @param proxyUrl the proxy url (null or blank means no proxy will be used)
-     * @param proxyPort the proxy port (null or blank means no port will be
-     * used)
-     * @param proxyUser the proxy user name
-     * @param proxyPass the password for the proxy
-     * @param dataDirectory the directory to store/retrieve persistent data from
-     * @param propertiesFile the properties file to utilize
-     * @param suppressionFile the path to the suppression file
+     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
+     * settings in the core engine.
      */
-    private void updateSettings(boolean autoUpdate, String connectionTimeout, String proxyUrl, String proxyPort,
-            String proxyUser, String proxyPass, String dataDirectory, File propertiesFile,
-            String suppressionFile) {
+    private void updateSettings(CliParser cli) {
+
+        final boolean autoUpdate = cli.isAutoUpdate();
+        final String connectionTimeout = cli.getConnectionTimeout();
+        final String proxyUrl = cli.getProxyUrl();
+        final String proxyPort = cli.getProxyPort();
+        final String proxyUser = cli.getProxyUsername();
+        final String proxyPass = cli.getProxyPassword();
+        final String dataDirectory = cli.getDataDirectory();
+        final File propertiesFile = cli.getPropertiesFile();
+        final String suppressionFile = cli.getSuppressionFile();
+        final boolean jarDisabled = cli.isJarDisabled();
+        final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean assemblyDisabled = cli.isAssemblyDisabled();
+        final boolean nuspecDisabled = cli.isNuspecDisabled();
+        final boolean nexusDisabled = cli.isNexusDisabled();
+        final String nexusUrl = cli.getNexusUrl();
+        final String databaseDriverName = cli.getDatabaseDriverName();
+        final String databaseDriverPath = cli.getDatabaseDriverPath();
+        final String connectionString = cli.getConnectionString();
+        final String databaseUser = cli.getDatabaseUser();
+        final String databasePassword = cli.getDatabasePassword();
+        final String additionalZipExtensions = cli.getAdditionalZipExtensions();
+        final String pathToMono = cli.getPathToMono();
 
         if (propertiesFile != null) {
             try {
@@ -170,6 +185,10 @@ public class App {
                 Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
             }
         }
+        // We have to wait until we've merged the properties before attempting to set whether we use
+        // the proxy for Nexus since it could be disabled in the properties, but not explicitly stated
+        // on the command line
+        final boolean nexusUsesProxy = cli.isNexusUsesProxy();
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else if (System.getProperty("basedir") != null) {
@@ -201,5 +220,38 @@ public class App {
         if (suppressionFile != null && !suppressionFile.isEmpty()) {
             Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
         }
+
+        //File Type Analyzer Settings
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
+
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
+        }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-cli.
  *
- * Dependency-check-cli is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-cli is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-cli. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -30,6 +29,7 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.cli.PosixParser;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -43,10 +43,6 @@ public final class CliParser {
      * The command line.
      */
     private CommandLine line;
-    /**
-     * The options for the command line parser.
-     */
-    private final Options options = createCommandLineOptions();
     /**
      * Indicates whether the arguments are valid.
      */
@@ -56,8 +52,7 @@ public final class CliParser {
      * Parses the arguments passed in and captures the results for later use.
      *
      * @param args the command line arguments
-     * @throws FileNotFoundException is thrown when a 'file' argument does not
-     * point to a file that exists.
+     * @throws FileNotFoundException is thrown when a 'file' argument does not point to a file that exists.
      * @throws ParseException is thrown when a Parse Exception occurs.
      */
     public void parse(String[] args) throws FileNotFoundException, ParseException {
@@ -77,21 +72,24 @@ public final class CliParser {
      */
     private CommandLine parseArgs(String[] args) throws ParseException {
         final CommandLineParser parser = new PosixParser();
+        final Options options = createCommandLineOptions();
         return parser.parse(options, args);
     }
 
     /**
      * Validates that the command line arguments are valid.
      *
-     * @throws FileNotFoundException if there is a file specified by either the
-     * SCAN or CPE command line arguments that does not exist.
-     * @throws ParseException is thrown if there is an exception parsing the
-     * command line.
+     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
+     * does not exist.
+     * @throws ParseException is thrown if there is an exception parsing the command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
         if (isRunScan()) {
-            validatePathExists(getScanFiles(), "scan");
-            validatePathExists(getReportDirectory(), "out");
+            validatePathExists(getScanFiles(), ArgumentName.SCAN);
+            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            if (getPathToMono() != null) {
+                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+            }
             if (!line.hasOption(ArgumentName.APP_NAME)) {
                 throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
             }
@@ -100,7 +98,8 @@ public final class CliParser {
                 try {
                     Format.valueOf(format);
                 } catch (IllegalArgumentException ex) {
-                    final String msg = String.format("An invalid 'format' of '%s' was specified. Supported output formats are XML, HTML, VULN, or ALL", format);
+                    final String msg = String.format("An invalid 'format' of '%s' was specified. "
+                            + "Supported output formats are XML, HTML, VULN, or ALL", format);
                     throw new ParseException(msg);
                 }
             }
@@ -108,14 +107,12 @@ public final class CliParser {
     }
 
     /**
-     * Validates whether or not the path(s) points at a file that exists; if the
-     * path(s) does not point to an existing file a FileNotFoundException is
-     * thrown.
+     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
+     * file a FileNotFoundException is thrown.
      *
      * @param paths the paths to validate if they exists
      * @param optType the option being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if one of the paths being
-     * validated does not exist.
+     * @throws FileNotFoundException is thrown if one of the paths being validated does not exist.
      */
     private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
         for (String path : paths) {
@@ -124,35 +121,53 @@ public final class CliParser {
     }
 
     /**
-     * Validates whether or not the path points at a file that exists; if the
-     * path does not point to an existing file a FileNotFoundException is
-     * thrown.
+     * Validates whether or not the path points at a file that exists; if the path does not point to an existing file a
+     * FileNotFoundException is thrown.
      *
      * @param path the paths to validate if they exists
-     * @param optType the option being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if the path being validated does
-     * not exist.
+     * @param argumentName the argument being validated (e.g. scan, out, etc.)
+     * @throws FileNotFoundException is thrown if the path being validated does not exist.
      */
-    private void validatePathExists(String path, String optType) throws FileNotFoundException {
-        final File f = new File(path);
-        if (!f.exists()) {
-            isValid = false;
-            final String msg = String.format("Invalid '%s' argument: '%s'", optType, path);
-            throw new FileNotFoundException(msg);
-        }
+    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
+        if (!path.contains("*.")) {
+            final File f = new File(path);
+            if (!f.exists()) {
+                isValid = false;
+                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                throw new FileNotFoundException(msg);
+            }
+        } // else { // TODO add a validation for *.zip extensions rather then relying on the engine to validate it.
     }
 
     /**
-     * Generates an Options collection that is used to parse the command line
-     * and to display the help message.
+     * Generates an Options collection that is used to parse the command line and to display the help message.
      *
      * @return the command line options used for parsing the command line
      */
     @SuppressWarnings("static-access")
     private Options createCommandLineOptions() {
+
+        final Options options = new Options();
+        addStandardOptions(options);
+        addAdvancedOptions(options);
+
+        return options;
+    }
+
+    /**
+     * Adds the standard command line options to the given options collection.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addStandardOptions(final Options options) throws IllegalArgumentException {
         final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
                 "Print this message.");
 
+        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
+                .withDescription("Print the advanced help message.").create();
+
         final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
                 false, "Print the version information.");
 
@@ -163,38 +178,15 @@ public final class CliParser {
                 .withDescription("The name of the application being scanned. This is a required argument.")
                 .create(ArgumentName.APP_NAME_SHORT);
 
-        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
-                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
-                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
-
-        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
-                .withDescription("The proxy url to use when downloading resources.")
-                .create(ArgumentName.PROXY_URL_SHORT);
-
-        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
-                .withDescription("The proxy port to use when downloading resources.")
-                .create(ArgumentName.PROXY_PORT_SHORT);
-
-        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
-                .withDescription("The proxy username to use when downloading resources.")
-                .create(ArgumentName.PROXY_USERNAME_SHORT);
-
-        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
-                .withDescription("The proxy password to use when downloading resources.")
-                .create(ArgumentName.PROXY_PASSWORD_SHORT);
-
         final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("The path to scan - this option can be specified multiple times.")
+                .withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
+                        + " to specific file types *.[ext] can be added to the end of the path.")
                 .create(ArgumentName.SCAN_SHORT);
 
         final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
                 .withDescription("A property file to load.")
                 .create(ArgumentName.PROP_SHORT);
 
-        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
-                .withDescription("The location of the data directory used to store persistent data. This option should generally not be set.")
-                .create(ArgumentName.DATA_DIRECTORY_SHORT);
-
         final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
                 .withDescription("The folder to write reports to. This defaults to the current directory.")
                 .create(ArgumentName.OUT_SHORT);
@@ -209,31 +201,134 @@ public final class CliParser {
 
         final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
                 .withDescription("The file path to the suppression XML file.")
-                .create(ArgumentName.SUPPRESION_FILE_SHORT);
-
+                .create();
 
+        //This is an option group because it can be specified more then once.
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
 
-        final Options opts = new Options();
-        opts.addOptionGroup(og);
-        opts.addOption(out);
-        opts.addOption(outputFormat);
-        opts.addOption(appName);
-        opts.addOption(version);
-        opts.addOption(help);
-        opts.addOption(noUpdate);
-        opts.addOption(props);
-        opts.addOption(data);
-        opts.addOption(verboseLog);
-        opts.addOption(suppressionFile);
-        opts.addOption(proxyPort);
-        opts.addOption(proxyUrl);
-        opts.addOption(proxyUsername);
-        opts.addOption(proxyPassword);
-        opts.addOption(connectionTimeout);
+        options.addOptionGroup(og)
+                .addOption(out)
+                .addOption(outputFormat)
+                .addOption(appName)
+                .addOption(version)
+                .addOption(help)
+                .addOption(advancedHelp)
+                .addOption(noUpdate)
+                .addOption(props)
+                .addOption(verboseLog)
+                .addOption(suppressionFile);
+    }
 
-        return opts;
+    /**
+     * Adds the advanced command line options to the given options collection. These are split out for purposes of being
+     * able to display two different help messages.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
+
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+                .withDescription("The location of the H2 Database file. This option should generally not be set.")
+                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
+                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+
+        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
+                .withDescription("The proxy url to use when downloading resources.")
+                .create(ArgumentName.PROXY_URL_SHORT);
+
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+                .withDescription("The proxy port to use when downloading resources.")
+                .create(ArgumentName.PROXY_PORT_SHORT);
+
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+                .withDescription("The proxy username to use when downloading resources.")
+                .create();
+
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+                .withDescription("The proxy password to use when downloading resources.")
+                .create();
+
+        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
+                .withDescription("The connection string to the database.")
+                .create();
+
+        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
+                .withDescription("The username used to connect to the database.")
+                .create();
+
+        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
+                .withDescription("The password for connecting to the database.")
+                .create();
+
+        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
+                .withDescription("The database driver name.")
+                .create();
+
+        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
+                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
+                .create();
+
+        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_JAR)
+                .withDescription("Disable the Jar Analyzer.")
+                .create();
+        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ARCHIVE)
+                .withDescription("Disable the Archive Analyzer.")
+                .create();
+        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NUSPEC)
+                .withDescription("Disable the Nuspec Analyzer.")
+                .create();
+        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ASSEMBLY)
+                .withDescription("Disable the .NET Assembly Analyzer.")
+                .create();
+
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+                .withDescription("Disable the Nexus Analyzer.")
+                .create();
+
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+                .withDescription("The url to the Nexus Server.")
+                .create();
+
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
+                .create();
+
+        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
+                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+                        + "(ZIP, EAR, WAR are already treated as zip files)")
+                .create();
+
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
+                .create();
+
+        options.addOption(proxyPort)
+                .addOption(proxyUrl)
+                .addOption(proxyUsername)
+                .addOption(proxyPassword)
+                .addOption(connectionTimeout)
+                .addOption(connectionString)
+                .addOption(dbUser)
+                .addOption(data)
+                .addOption(dbPassword)
+                .addOption(dbDriver)
+                .addOption(dbDriverPath)
+                .addOption(disableJarAnalyzer)
+                .addOption(disableArchiveAnalyzer)
+                .addOption(disableAssemblyAnalyzer)
+                .addOption(disableNuspecAnalyzer)
+                .addOption(disableNexusAnalyzer)
+                .addOption(nexusUrl)
+                .addOption(nexusUsesProxy)
+                .addOption(additionalZipExtensions)
+                .addOption(pathToMono);
     }
 
     /**
@@ -263,26 +358,110 @@ public final class CliParser {
         return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
     }
 
+    /**
+     * Returns true if the disableJar command line argument was specified.
+     *
+     * @return true if the disableJar command line argument was specified; otherwise false
+     */
+    public boolean isJarDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_JAR);
+    }
+
+    /**
+     * Returns true if the disableArchive command line argument was specified.
+     *
+     * @return true if the disableArchive command line argument was specified; otherwise false
+     */
+    public boolean isArchiveDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_ARCHIVE);
+    }
+
+    /**
+     * Returns true if the disableNuspec command line argument was specified.
+     *
+     * @return true if the disableNuspec command line argument was specified; otherwise false
+     */
+    public boolean isNuspecDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_NUSPEC);
+    }
+
+    /**
+     * Returns true if the disableAssembly command line argument was specified.
+     *
+     * @return true if the disableAssembly command line argument was specified; otherwise false
+     */
+    public boolean isAssemblyDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_ASSEMBLY);
+    }
+
+    /**
+     * Returns true if the disableNexus command line argument was specified.
+     *
+     * @return true if the disableNexus command line argument was specified; otherwise false
+     */
+    public boolean isNexusDisabled() {
+        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
+    }
+
+    /**
+     * Returns the url to the nexus server if one was specified.
+     *
+     * @return the url to the nexus server; if none was specified this will return null;
+     */
+    public String getNexusUrl() {
+        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
+            return null;
+        } else {
+            return line.getOptionValue(ArgumentName.NEXUS_URL);
+        }
+    }
+
+    /**
+     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
+     * returned.
+     *
+     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
+     */
+    public boolean isNexusUsesProxy() {
+        // If they didn't specify whether Nexus needs to use the proxy, we should
+        // still honor the property if it's set.
+        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+            try {
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+            } catch (InvalidSettingException ise) {
+                return true;
+            }
+        } else {
+            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+        }
+    }
+
     /**
      * Displays the command line help message to the standard output.
      */
     public void printHelp() {
         final HelpFormatter formatter = new HelpFormatter();
-        final String nl = System.getProperty("line.separator");
+        final Options options = new Options();
+        addStandardOptions(options);
+        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
+            addAdvancedOptions(options);
+        }
+        final String helpMsg = String.format("%n%s"
+                + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
+                + "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
+                Settings.getString("application.name", "DependencyCheck"),
+                Settings.getString("application.name", "DependencyCheck"));
 
         formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
-                nl + Settings.getString("application.name", "DependencyCheck")
-                + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
-                + Settings.getString("application.name", "DependencyCheck")
-                + " will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov." + nl + nl,
+                helpMsg,
                 options,
                 "",
                 true);
+
     }
 
     /**
-     * Retrieves the file command line parameter(s) specified for the 'scan'
-     * argument.
+     * Retrieves the file command line parameter(s) specified for the 'scan' argument.
      *
      * @return the file paths specified on the command line for scan
      */
@@ -291,8 +470,7 @@ public final class CliParser {
     }
 
     /**
-     * Returns the directory to write the reports to specified on the command
-     * line.
+     * Returns the directory to write the reports to specified on the command line.
      *
      * @return the path to the reports directory.
      */
@@ -301,8 +479,16 @@ public final class CliParser {
     }
 
     /**
-     * Returns the output format specified on the command line. Defaults to HTML
-     * if no format was specified.
+     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToMono() {
+        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+    }
+
+    /**
+     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
      *
      * @return the output format name.
      */
@@ -405,7 +591,8 @@ public final class CliParser {
     }
 
     /**
-     * <p>Prints the manifest information to standard output.</p>
+     * <p>
+     * Prints the manifest information to standard output.</p>
      * <ul><li>Implementation-Title: ${pom.name}</li>
      * <li>Implementation-Version: ${pom.version}</li></ul>
      */
@@ -417,8 +604,8 @@ public final class CliParser {
     }
 
     /**
-     * Checks if the auto update feature has been disabled. If it has been
-     * disabled via the command line this will return false.
+     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
+     * return false.
      *
      * @return if auto-update is allowed.
      */
@@ -427,8 +614,61 @@ public final class CliParser {
     }
 
     /**
-     * A collection of static final strings that represent the possible command
-     * line arguments.
+     * Returns the database driver name if specified; otherwise null is returned.
+     *
+     * @return the database driver name if specified; otherwise null is returned
+     */
+    public String getDatabaseDriverName() {
+        return line.getOptionValue(ArgumentName.DB_DRIVER);
+    }
+
+    /**
+     * Returns the database driver path if specified; otherwise null is returned.
+     *
+     * @return the database driver name if specified; otherwise null is returned
+     */
+    public String getDatabaseDriverPath() {
+        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
+    }
+
+    /**
+     * Returns the database connection string if specified; otherwise null is returned.
+     *
+     * @return the database connection string if specified; otherwise null is returned
+     */
+    public String getConnectionString() {
+        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
+    }
+
+    /**
+     * Returns the database database user name if specified; otherwise null is returned.
+     *
+     * @return the database database user name if specified; otherwise null is returned
+     */
+    public String getDatabaseUser() {
+        return line.getOptionValue(ArgumentName.DB_NAME);
+    }
+
+    /**
+     * Returns the database database password if specified; otherwise null is returned.
+     *
+     * @return the database database password if specified; otherwise null is returned
+     */
+    public String getDatabasePassword() {
+        return line.getOptionValue(ArgumentName.DB_PASSWORD);
+    }
+
+    /**
+     * Returns the additional Extensions if specified; otherwise null is returned.
+     *
+     * @return the additional Extensions; otherwise null is returned
+     */
+    public String getAdditionalZipExtensions() {
+        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
+    }
+
+    /**
+     * A collection of static final strings that represent the possible command line arguments.
      */
     public static class ArgumentName {
 
@@ -441,49 +681,45 @@ public final class CliParser {
          */
         public static final String SCAN_SHORT = "s";
         /**
-         * The long CLI argument name specifying that the CPE/CVE/etc. data
-         * should not be automatically updated.
+         * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
          */
         public static final String DISABLE_AUTO_UPDATE = "noupdate";
         /**
-         * The short CLI argument name specifying that the CPE/CVE/etc. data
-         * should not be automatically updated.
+         * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
          */
         public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
         /**
-         * The long CLI argument name specifying the directory to write the
-         * reports to.
+         * The long CLI argument name specifying the directory to write the reports to.
          */
         public static final String OUT = "out";
         /**
-         * The short CLI argument name specifying the directory to write the
-         * reports to.
+         * The short CLI argument name specifying the directory to write the reports to.
          */
         public static final String OUT_SHORT = "o";
         /**
-         * The long CLI argument name specifying the output format to write the
-         * reports to.
+         * The long CLI argument name specifying the output format to write the reports to.
          */
         public static final String OUTPUT_FORMAT = "format";
         /**
-         * The short CLI argument name specifying the output format to write the
-         * reports to.
+         * The short CLI argument name specifying the output format to write the reports to.
          */
         public static final String OUTPUT_FORMAT_SHORT = "f";
         /**
-         * The long CLI argument name specifying the name of the application to
-         * be scanned.
+         * The long CLI argument name specifying the name of the application to be scanned.
          */
         public static final String APP_NAME = "app";
         /**
-         * The short CLI argument name specifying the name of the application to
-         * be scanned.
+         * The short CLI argument name specifying the name of the application to be scanned.
          */
         public static final String APP_NAME_SHORT = "a";
         /**
          * The long CLI argument name asking for help.
          */
         public static final String HELP = "help";
+        /**
+         * The long CLI argument name asking for advanced help.
+         */
+        public static final String ADVANCED_HELP = "advancedHelp";
         /**
          * The short CLI argument name asking for help.
          */
@@ -512,18 +748,10 @@ public final class CliParser {
          * The CLI argument name indicating the proxy url.
          */
         public static final String PROXY_URL = "proxyurl";
-        /**
-         * The short CLI argument name indicating the proxy username.
-         */
-        public static final String PROXY_USERNAME_SHORT = "pu";
         /**
          * The CLI argument name indicating the proxy username.
          */
         public static final String PROXY_USERNAME = "proxyuser";
-        /**
-         * The short CLI argument name indicating the proxy password.
-         */
-        public static final String PROXY_PASSWORD_SHORT = "pp";
         /**
          * The CLI argument name indicating the proxy password.
          */
@@ -537,13 +765,11 @@ public final class CliParser {
          */
         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
         /**
-         * The short CLI argument name for setting the location of an additional
-         * properties file.
+         * The short CLI argument name for setting the location of an additional properties file.
          */
-        public static final String PROP_SHORT = "p";
+        public static final String PROP_SHORT = "P";
         /**
-         * The CLI argument name for setting the location of an additional
-         * properties file.
+         * The CLI argument name for setting the location of an additional properties file.
          */
         public static final String PROP = "propertyfile";
         /**
@@ -551,8 +777,7 @@ public final class CliParser {
          */
         public static final String DATA_DIRECTORY = "data";
         /**
-         * The short CLI argument name for setting the location of the data
-         * directory.
+         * The short CLI argument name for setting the location of the data directory.
          */
         public static final String DATA_DIRECTORY_SHORT = "d";
         /**
@@ -560,19 +785,68 @@ public final class CliParser {
          */
         public static final String VERBOSE_LOG = "log";
         /**
-         * The short CLI argument name for setting the location of the data
-         * directory.
+         * The short CLI argument name for setting the location of the data directory.
          */
         public static final String VERBOSE_LOG_SHORT = "l";
         /**
-         * The CLI argument name for setting the location of the suppression
-         * file.
+         * The CLI argument name for setting the location of the suppression file.
          */
         public static final String SUPPRESION_FILE = "suppression";
         /**
-         * The short CLI argument name for setting the location of the
-         * suppression file.
+         * Disables the Jar Analyzer.
          */
-        public static final String SUPPRESION_FILE_SHORT = "sf";
+        public static final String DISABLE_JAR = "disableJar";
+        /**
+         * Disables the Archive Analyzer.
+         */
+        public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Assembly Analyzer.
+         */
+        public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Nuspec Analyzer.
+         */
+        public static final String DISABLE_NUSPEC = "disableNuspec";
+        /**
+         * Disables the Nexus Analyzer.
+         */
+        public static final String DISABLE_NEXUS = "disableNexus";
+        /**
+         * The URL of the nexus server.
+         */
+        public static final String NEXUS_URL = "nexus";
+        /**
+         * Whether or not the defined proxy should be used when connecting to Nexus.
+         */
+        public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
+        /**
+         * The CLI argument name for setting the connection string.
+         */
+        public static final String CONNECTION_STRING = "connectionString";
+        /**
+         * The CLI argument name for setting the database user name.
+         */
+        public static final String DB_NAME = "dbUser";
+        /**
+         * The CLI argument name for setting the database password.
+         */
+        public static final String DB_PASSWORD = "dbPassword";
+        /**
+         * The CLI argument name for setting the database driver name.
+         */
+        public static final String DB_DRIVER = "dbDriverName";
+        /**
+         * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
+         */
+        public static final String DB_DRIVER_PATH = "dbDriverPath";
+        /**
+         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+         */
+        public static final String PATH_TO_MONO = "mono";
+        /**
+         * The CLI argument name for setting extra extensions.
+         */
+        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
     }
 }

dependency-check-cli/src/site/markdown/arguments.md

@@ -1,22 +1,43 @@
 Command Line Arguments
-====================
+======================
 
 The following table lists the command line arguments:
 
-Short  | Argument Name         | Parameter   | Description | Requirement
--------|-----------------------|-------------|-------------|------------
- \-a   | \-\-app               | \<name\>    | The name of the application being scanned. This is a required argument. |
- \-c   | \-\-connectiontimeout | \<timeout\> | The connection timeout (in milliseconds) to use when downloading resources. | Optional
- \-d   | \-\-data              | \<path\>    | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
- \-f   | \-\-format            | \<format\>  | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. |
- \-h   | \-\-help              |             | Print the help message. | Optional
- \-l   | \-\-log               | \<file\>    | The file path to write verbose logging information. | Optional
- \-n   | \-\-noupdate          |             | Disables the automatic updating of the CPE data. | Optional
- \-o   | \-\-out               | \<folder\>  | The folder to write reports to. This defaults to the current directory. | Optional
- \-p   | \-\-proxyport         | \<port\>    | The proxy port to use when downloading resources. | Optional
- \-pp  | \-\-proxypass         | \<pass\>    | The proxy password to use when downloading resources. | Optional
- \-pu  | \-\-proxyuser         | \<user\>    | The proxy username to use when downloading resources. | Optional
- \-s   | \-\-scan              | \<path\>    | The path to scan \- this option can be specified multiple times. |
- \-sf  | \-\-suppression       | \<file\>    | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
- \-u   | \-\-proxyurl          | \<url\>     | The proxy url to use when downloading resources. | Optional
- \-v   | \-\-version           |             | Print the version information. | Optional
+Short  | Argument Name         | Parameter       | Description | Requirement
+-------|-----------------------|-----------------|-------------|------------
+ \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
+ \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
+ \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
+ \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
+ \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
+       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
+ \-h   | \-\-help              |                 | Print the help message. | Optional
+       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
+ \-v   | \-\-version           |                 | Print the version information. | Optional
+
+Advanced Options
+================
+Short  | Argument Name         | Parameter       | Description | Default Value
+-------|-----------------------|-----------------|-------------|---------------
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                      | false
+       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+       | \-\-disableJar        |                 | Sets whether Jar Analyzer will be used.                              | false
+       | \-\-disableNexus      |                 | Sets whether Nexus Analyzer will be used.                            | false
+       | \-\-disableNexus      |                 | Disable the Nexus Analyzer.                                          | &nbsp;
+       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | https://repository.sonatype.org/service/local/
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.     | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.       | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.  | &nbsp;
+       | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | &nbsp;
+       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name. | &nbsp;
+       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | &nbsp;
+ \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;

dependency-check-cli/src/site/markdown/installation.md.vm

@@ -1,6 +1,6 @@
 Installation & Usage
---------------------
-Downlod the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
+====================
+Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
 Extract the zip file to a location on your computer and put the 'bin' directory into the
 path environment variable. On \*nix systems you will likely need to make the shell
 script executable:
@@ -8,16 +8,18 @@ script executable:
     $ chmod +777 dependency-check.sh
 
 To scan a folder on the system you can run:
+#set( $H = '#' )
 
-### Windows
+$H$H$H Windows
     dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
 
-### \*nix
+$H$H$H *nix
     dependency-check.sh --app "My App Name" --scan "/java/application/lib"
 
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
-### Windows
+
+$H$H$H Windows
     dependency-check.bat --help
 
-### \*nix
+$H$H$H *nix
     dependency-check.sh --help

dependency-check-cli/src/site/site.xml

@@ -2,18 +2,17 @@
 <!--
 This file is part of dependency-check-cli.
 
-Dependency-check-cli is free software: you can redistribute it and/or modify it
-under the terms of the GNU General Public License as published by the Free
-Software Foundation, either version 3 of the License, or (at your option) any
-later version.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-check-cli is distributed in the hope that it will be useful, but
-WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
-FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
-details.
+    http://www.apache.org/licenses/LICENSE-2.0
 
-You should have received a copy of the GNU General Public License along with
-dependency-check-cli. If not, see http://www.gnu.org/licenses/.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
 Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->

dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java

@@ -1,24 +1,22 @@
 /*
  * This file is part of Dependency-Check.
  *
- * Dependency-Check is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-Check is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * Dependency-Check. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.cli;
 
-import org.owasp.dependencycheck.cli.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;

dependency-check-core/LICENSE.txt

@@ -0,0 +1,202 @@
+
+                                 Apache License
+                           Version 2.0, January 2004
+                        http://www.apache.org/licenses/
+
+   TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+   1. Definitions.
+
+      "License" shall mean the terms and conditions for use, reproduction,
+      and distribution as defined by Sections 1 through 9 of this document.
+
+      "Licensor" shall mean the copyright owner or entity authorized by
+      the copyright owner that is granting the License.
+
+      "Legal Entity" shall mean the union of the acting entity and all
+      other entities that control, are controlled by, or are under common
+      control with that entity. For the purposes of this definition,
+      "control" means (i) the power, direct or indirect, to cause the
+      direction or management of such entity, whether by contract or
+      otherwise, or (ii) ownership of fifty percent (50%) or more of the
+      outstanding shares, or (iii) beneficial ownership of such entity.
+
+      "You" (or "Your") shall mean an individual or Legal Entity
+      exercising permissions granted by this License.
+
+      "Source" form shall mean the preferred form for making modifications,
+      including but not limited to software source code, documentation
+      source, and configuration files.
+
+      "Object" form shall mean any form resulting from mechanical
+      transformation or translation of a Source form, including but
+      not limited to compiled object code, generated documentation,
+      and conversions to other media types.
+
+      "Work" shall mean the work of authorship, whether in Source or
+      Object form, made available under the License, as indicated by a
+      copyright notice that is included in or attached to the work
+      (an example is provided in the Appendix below).
+
+      "Derivative Works" shall mean any work, whether in Source or Object
+      form, that is based on (or derived from) the Work and for which the
+      editorial revisions, annotations, elaborations, or other modifications
+      represent, as a whole, an original work of authorship. For the purposes
+      of this License, Derivative Works shall not include works that remain
+      separable from, or merely link (or bind by name) to the interfaces of,
+      the Work and Derivative Works thereof.
+
+      "Contribution" shall mean any work of authorship, including
+      the original version of the Work and any modifications or additions
+      to that Work or Derivative Works thereof, that is intentionally
+      submitted to Licensor for inclusion in the Work by the copyright owner
+      or by an individual or Legal Entity authorized to submit on behalf of
+      the copyright owner. For the purposes of this definition, "submitted"
+      means any form of electronic, verbal, or written communication sent
+      to the Licensor or its representatives, including but not limited to
+      communication on electronic mailing lists, source code control systems,
+      and issue tracking systems that are managed by, or on behalf of, the
+      Licensor for the purpose of discussing and improving the Work, but
+      excluding communication that is conspicuously marked or otherwise
+      designated in writing by the copyright owner as "Not a Contribution."
+
+      "Contributor" shall mean Licensor and any individual or Legal Entity
+      on behalf of whom a Contribution has been received by Licensor and
+      subsequently incorporated within the Work.
+
+   2. Grant of Copyright License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      copyright license to reproduce, prepare Derivative Works of,
+      publicly display, publicly perform, sublicense, and distribute the
+      Work and such Derivative Works in Source or Object form.
+
+   3. Grant of Patent License. Subject to the terms and conditions of
+      this License, each Contributor hereby grants to You a perpetual,
+      worldwide, non-exclusive, no-charge, royalty-free, irrevocable
+      (except as stated in this section) patent license to make, have made,
+      use, offer to sell, sell, import, and otherwise transfer the Work,
+      where such license applies only to those patent claims licensable
+      by such Contributor that are necessarily infringed by their
+      Contribution(s) alone or by combination of their Contribution(s)
+      with the Work to which such Contribution(s) was submitted. If You
+      institute patent litigation against any entity (including a
+      cross-claim or counterclaim in a lawsuit) alleging that the Work
+      or a Contribution incorporated within the Work constitutes direct
+      or contributory patent infringement, then any patent licenses
+      granted to You under this License for that Work shall terminate
+      as of the date such litigation is filed.
+
+   4. Redistribution. You may reproduce and distribute copies of the
+      Work or Derivative Works thereof in any medium, with or without
+      modifications, and in Source or Object form, provided that You
+      meet the following conditions:
+
+      (a) You must give any other recipients of the Work or
+          Derivative Works a copy of this License; and
+
+      (b) You must cause any modified files to carry prominent notices
+          stating that You changed the files; and
+
+      (c) You must retain, in the Source form of any Derivative Works
+          that You distribute, all copyright, patent, trademark, and
+          attribution notices from the Source form of the Work,
+          excluding those notices that do not pertain to any part of
+          the Derivative Works; and
+
+      (d) If the Work includes a "NOTICE" text file as part of its
+          distribution, then any Derivative Works that You distribute must
+          include a readable copy of the attribution notices contained
+          within such NOTICE file, excluding those notices that do not
+          pertain to any part of the Derivative Works, in at least one
+          of the following places: within a NOTICE text file distributed
+          as part of the Derivative Works; within the Source form or
+          documentation, if provided along with the Derivative Works; or,
+          within a display generated by the Derivative Works, if and
+          wherever such third-party notices normally appear. The contents
+          of the NOTICE file are for informational purposes only and
+          do not modify the License. You may add Your own attribution
+          notices within Derivative Works that You distribute, alongside
+          or as an addendum to the NOTICE text from the Work, provided
+          that such additional attribution notices cannot be construed
+          as modifying the License.
+
+      You may add Your own copyright statement to Your modifications and
+      may provide additional or different license terms and conditions
+      for use, reproduction, or distribution of Your modifications, or
+      for any such Derivative Works as a whole, provided Your use,
+      reproduction, and distribution of the Work otherwise complies with
+      the conditions stated in this License.
+
+   5. Submission of Contributions. Unless You explicitly state otherwise,
+      any Contribution intentionally submitted for inclusion in the Work
+      by You to the Licensor shall be under the terms and conditions of
+      this License, without any additional terms or conditions.
+      Notwithstanding the above, nothing herein shall supersede or modify
+      the terms of any separate license agreement you may have executed
+      with Licensor regarding such Contributions.
+
+   6. Trademarks. This License does not grant permission to use the trade
+      names, trademarks, service marks, or product names of the Licensor,
+      except as required for reasonable and customary use in describing the
+      origin of the Work and reproducing the content of the NOTICE file.
+
+   7. Disclaimer of Warranty. Unless required by applicable law or
+      agreed to in writing, Licensor provides the Work (and each
+      Contributor provides its Contributions) on an "AS IS" BASIS,
+      WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
+      implied, including, without limitation, any warranties or conditions
+      of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
+      PARTICULAR PURPOSE. You are solely responsible for determining the
+      appropriateness of using or redistributing the Work and assume any
+      risks associated with Your exercise of permissions under this License.
+
+   8. Limitation of Liability. In no event and under no legal theory,
+      whether in tort (including negligence), contract, or otherwise,
+      unless required by applicable law (such as deliberate and grossly
+      negligent acts) or agreed to in writing, shall any Contributor be
+      liable to You for damages, including any direct, indirect, special,
+      incidental, or consequential damages of any character arising as a
+      result of this License or out of the use or inability to use the
+      Work (including but not limited to damages for loss of goodwill,
+      work stoppage, computer failure or malfunction, or any and all
+      other commercial damages or losses), even if such Contributor
+      has been advised of the possibility of such damages.
+
+   9. Accepting Warranty or Additional Liability. While redistributing
+      the Work or Derivative Works thereof, You may choose to offer,
+      and charge a fee for, acceptance of support, warranty, indemnity,
+      or other liability obligations and/or rights consistent with this
+      License. However, in accepting such obligations, You may act only
+      on Your own behalf and on Your sole responsibility, not on behalf
+      of any other Contributor, and only if You agree to indemnify,
+      defend, and hold each Contributor harmless for any liability
+      incurred by, or claims asserted against, such Contributor by reason
+      of your accepting any such warranty or additional liability.
+
+   END OF TERMS AND CONDITIONS
+
+   APPENDIX: How to apply the Apache License to your work.
+
+      To apply the Apache License to your work, attach the following
+      boilerplate notice, with the fields enclosed by brackets "[]"
+      replaced with your own identifying information. (Don't include
+      the brackets!)  The text should be enclosed in the appropriate
+      comment syntax for the file format. We also recommend that a
+      file or class name and description of purpose be included on the
+      same "printed page" as the copyright notice for easier
+      identification within third-party archives.
+
+   Copyright [yyyy] [name of copyright owner]
+
+   Licensed under the Apache License, Version 2.0 (the "License");
+   you may not use this file except in compliance with the License.
+   You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+   Unless required by applicable law or agreed to in writing, software
+   distributed under the License is distributed on an "AS IS" BASIS,
+   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+   See the License for the specific language governing permissions and
+   limitations under the License.

dependency-check-core/NOTICE.txt

@@ -0,0 +1,18 @@
+dependency-check
+
+Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+
+The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
+
+This product includes software developed by The Apache Software Foundation (http://www.apache.org/).
+
+This product includes software developed by Jquery.com (http://jquery.com/).
+
+This product includes software developed by Jonathan Hedley (jsoup.org)
+
+This software contains unmodified binary redistributions for H2 database engine (http://www.h2database.com/), which is dual licensed and available under a modified version of the MPL 1.1 (Mozilla Public License) or under the (unmodified) EPL 1.0 (Eclipse Public License).
+An original copy of the license agreement can be found at: http://www.h2database.com/html/license.html
+
+This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
+
+This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm

dependency-check-core/README.md

@@ -0,0 +1,28 @@
+Dependency-Check-Core
+================
+
+Dependency-Check-Core is the main engine used by all of the other modules to do the analysis and reporting.
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com] [subscribe]
+
+Post: [dependency-check@googlegroups.com] [post]
+
+Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check)
+
+Copyright & License
+------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
+
+
+  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
+  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
+  [post]: mailto:dependency-check@googlegroups.com
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt

dependency-check-core/config/checkstyle-header.txt

@@ -1,18 +1,17 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-core\.\s*$
 ^ \*\s*$
-^ \* Dependency-check-core is free software\: you can redistribute it and/or modify it\s*$
-^ \* under the terms of the GNU General Public License as published by the Free\s*$
-^ \* Software Foundation, either version 3 of the License, or \(at your option\) any\s*$
-^ \* later version\.
+^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
+^ \* you may not use this file except in compliance with the License.\s*$
+^ \* You may obtain a copy of the License at\s*$
 ^ \*\s*$
-^ \* Dependency-check-core is distributed in the hope that it will be useful, but\s*$
-^ \* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or\s*$
-^ \* FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more\s*$
-^ \* details\.\s*$
+^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
 ^ \*\s*$
-^ \* You should have received a copy of the GNU General Public License along with\s*$
-^ \* dependency-check-core\. If not, see http://www.gnu.org/licenses/\.\s*$
+^ \* Unless required by applicable law or agreed to in writing, software\s*$
+^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
+^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
+^ \* See the License for the specific language governing permissions and\s*$
+^ \* limitations under the License\.\s*$
 ^ \*\s*$
 ^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$

dependency-check-core/pom.xml

@@ -1,20 +1,19 @@
 <!--
-Copyright (c) 2012 - Jeremy Long
+This file is part of dependency-check-core.
 
-This file is part of Dependency-Check.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
 
-Dependency-Check is free software: you can redistribute it and/or modify
-it under the terms of the GNU General Public License as published by
-the Free Software Foundation, either version 3 of the License, or
-(at your option) any later version.
+    http://www.apache.org/licenses/LICENSE-2.0
 
-Dependency-Check is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-GNU General Public License for more details.
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
 
-You should have received a copy of the GNU General Public License
-along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
+Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->
 
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
@@ -22,7 +21,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.0.8</version>
+        <version>1.1.4</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -71,6 +70,13 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
             </resource>
         </resources>
         <testResources>
+            <testResource>
+                <directory>src/test/resources</directory>
+                <includes>
+                    <include>**/*.properties</include>
+                </includes>
+                <filtering>true</filtering>
+            </testResource>
             <testResource>
                 <directory>${basedir}/../src/test/resources</directory>
                 <filtering>false</filtering>
@@ -138,6 +144,7 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
                 <version>2.6</version>
                 <configuration>
                     <instrumentation>
+                        <ignoreTrivial>true</ignoreTrivial>
                         <ignores>
                             <ignore>.*\$KEYS\.class</ignore>
                             <ignore>.*\$Element\.class</ignore>
@@ -365,6 +372,11 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
                             <artifactId>findbugs-maven-plugin</artifactId>
                             <version>2.5.3</version>
                         </plugin>
+                        <dependency>
+                            <groupId>org.codehaus.mojo</groupId>
+                            <artifactId>javancss-maven-plugin</artifactId>
+                            <version>2.0</version>
+                        </dependency>
                     </reportPlugins>
                 </configuration>
             </plugin>
@@ -569,6 +581,13 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
             <scope>provided</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>
@@ -624,5 +643,40 @@ along with Dependency-Check.  If not, see <http://www.gnu.org/licenses />.
                 </plugins>
             </build>
         </profile>
+        <profile>
+            <!-- The following profile adds additional
+            dependencies that are only used during testing.
+            Additionally, these are only added when using "allTests" to
+            make the build slightly faster in most cases. -->
+            <id>False Positive Tests</id>
+            <!--activation>
+                <property>
+                    <name>allTests</name>
+                </property>
+            </activation-->
+            <dependencies>
+                <dependency>
+                    <groupId>org.apache.xmlgraphics</groupId>
+                    <artifactId>batik-util</artifactId>
+                    <version>1.7</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.thoughtworks.xstream</groupId>
+                    <artifactId>xstream</artifactId>
+                    <version>1.4.2</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.apache.ws.security</groupId>
+                    <artifactId>wss4j</artifactId>
+                    <version>1.5.7</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+            </dependencies>
+        </profile>
     </profiles>
 </project>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,12 +26,14 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.owasp.dependencycheck.analyzer.AnalysisException;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.update.CachedWebDataSource;
@@ -56,21 +57,28 @@ public class Engine {
     /**
      * The list of dependencies.
      */
-    private final List<Dependency> dependencies = new ArrayList<Dependency>();
+    private List<Dependency> dependencies;
     /**
      * A Map of analyzers grouped by Analysis phase.
      */
-    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers
-            = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
     /**
-     * A set of extensions supported by the analyzers.
+     * A Map of analyzers grouped by Analysis phase.
      */
-    private final Set<String> extensions = new HashSet<String>();
+    private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
 
     /**
      * Creates a new Engine.
+     *
+     * @throws DatabaseException thrown if there is an error connecting to the database
      */
-    public Engine() {
+    public Engine() throws DatabaseException {
+        this.dependencies = new ArrayList<Dependency>();
+        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+        this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+
+        ConnectionFactory.initialize();
+
         boolean autoUpdate = true;
         try {
             autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
@@ -84,18 +92,10 @@ public class Engine {
     }
 
     /**
-     * Creates a new Engine.
-     *
-     * @param autoUpdate indicates whether or not data should be updated from the Internet
-     * @deprecated This function should no longer be used; the autoupdate flag should be set using:
-     * <code>Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, value);</code>
+     * Properly cleans up resources allocated during analysis.
      */
-    @Deprecated
-    public Engine(boolean autoUpdate) {
-        if (autoUpdate) {
-            doUpdates();
-        }
-        loadAnalyzers();
+    public void cleanup() {
+        ConnectionFactory.cleanup();
     }
 
     /**
@@ -112,8 +112,8 @@ public class Engine {
         while (iterator.hasNext()) {
             final Analyzer a = iterator.next();
             analyzers.get(a.getAnalysisPhase()).add(a);
-            if (a.getSupportedExtensions() != null) {
-                extensions.addAll(a.getSupportedExtensions());
+            if (a instanceof FileTypeAnalyzer) {
+                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
             }
         }
     }
@@ -137,6 +137,13 @@ public class Engine {
         return dependencies;
     }
 
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+        //for (Dependency dependency: dependencies) {
+        //    dependencies.add(dependency);
+        //}
+    }
+
     /**
      * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
      * dependencies identified are added to the dependency collection.
@@ -159,8 +166,21 @@ public class Engine {
      * @param path the path to a file or directory to be analyzed.
      */
     public void scan(String path) {
-        final File file = new File(path);
-        scan(file);
+        if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
+            final String[] parts = path.split("\\*\\.");
+            final String[] ext = new String[]{parts[parts.length - 1]};
+            final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
+            if (dir.isDirectory()) {
+                final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
+                scan(files);
+            } else {
+                final String msg = String.format("Invalid file path provided to scan '%s'", path);
+                Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            }
+        } else {
+            final File file = new File(path);
+            scan(file);
+        }
     }
 
     /**
@@ -255,7 +275,7 @@ public class Engine {
         final String fileName = file.getName();
         final String extension = FileUtils.getFileExtension(fileName);
         if (extension != null) {
-            if (extensions.contains(extension)) {
+            if (supportsExtension(extension)) {
                 final Dependency dependency = new Dependency(file);
                 dependencies.add(dependency);
             }
@@ -293,32 +313,13 @@ public class Engine {
         Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
         Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
 
-        //phase one initialize
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                try {
-                    final String msg = String.format("Initializing %s", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                    a.initialize();
-                } catch (Exception ex) {
-                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-                    Logger.getLogger(Engine.class.getName()).log(Level.INFO, null, ex);
-                    try {
-                        a.close();
-                    } catch (Exception ex1) {
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
-                    }
-                }
-            }
-        }
-
         // analysis phases
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
 
             for (Analyzer a : analyzerList) {
+                initializeAnalyzer(a);
+
                 /* need to create a copy of the collection because some of the
                  * analyzers may modify it. This prevents ConcurrentModificationExceptions.
                  * This is okay for adds/deletes because it happens per analyzer.
@@ -328,36 +329,35 @@ public class Engine {
                 final Set<Dependency> dependencySet = new HashSet<Dependency>();
                 dependencySet.addAll(dependencies);
                 for (Dependency d : dependencySet) {
-                    if (a.supportsExtension(d.getFileExtension())) {
+                    boolean shouldAnalyze = true;
+                    if (a instanceof FileTypeAnalyzer) {
+                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
+                        shouldAnalyze = fAnalyzer.supportsExtension(d.getFileExtension());
+                    }
+                    if (shouldAnalyze) {
                         final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
                         Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
                         try {
                             a.analyze(d, this);
                         } catch (AnalysisException ex) {
-                            d.addAnalysisException(ex);
+                            final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
+                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
+                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
                         } catch (Throwable ex) {
                             final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
-                            final AnalysisException ax = new AnalysisException(axMsg, ex);
-                            d.addAnalysisException(ax);
-                            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, axMsg);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, axMsg, ex);
+                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
+                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
+                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
                         }
                     }
                 }
             }
         }
-
-        //close/cleanup
         for (AnalysisPhase phase : AnalysisPhase.values()) {
             final List<Analyzer> analyzerList = analyzers.get(phase);
+
             for (Analyzer a : analyzerList) {
-                final String msg = String.format("Closing Analyzer '%s'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                try {
-                    a.close();
-                } catch (Exception ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
-                }
+                closeAnalyzer(a);
             }
         }
 
@@ -366,6 +366,44 @@ public class Engine {
                 + "END ANALYSIS%n"
                 + "----------------------------------------------------");
         Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
+        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
+    }
+
+    /**
+     * Initializes the given analyzer.
+     *
+     * @param analyzer the analyzer to initialize
+     */
+    private void initializeAnalyzer(Analyzer analyzer) {
+        try {
+            final String msg = String.format("Initializing %s", analyzer.getName());
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+            analyzer.initialize();
+        } catch (Throwable ex) {
+            final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
+            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            try {
+                analyzer.close();
+            } catch (Throwable ex1) {
+                Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
+            }
+        }
+    }
+
+    /**
+     * Closes the given analyzer.
+     *
+     * @param analyzer the analyzer to close
+     */
+    private void closeAnalyzer(Analyzer analyzer) {
+        final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
+        Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+        try {
+            analyzer.close();
+        } catch (Throwable ex) {
+            Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
+        }
     }
 
     /**
@@ -411,15 +449,13 @@ public class Engine {
         if (ext == null) {
             return false;
         }
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                if (a.getSupportedExtensions() != null && a.supportsExtension(ext)) {
-                    return true;
-                }
-            }
+        boolean scan = false;
+        for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
+            /* note, we can't break early on this loop as the analyzers need to know if
+             they have files to work on prior to initialization */
+            scan |= a.supportsExtension(ext);
         }
-        return false;
+        return scan;
     }
 
     /**
@@ -447,4 +483,5 @@ public class Engine {
             throw new NoDataException("No documents exist");
         }
     }
+
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -0,0 +1,973 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.agent;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ScanAgentException;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
+ * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
+ * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
+ * datasource and conduct a scan based on this pre-defined evidence.
+ *
+ * <h2>Example:</h2>
+ * <pre>
+ * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
+ * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
+ * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
+ * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
+ * dependencies.add(dependency);
+ *
+ * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
+ * scan.setDependencies(dependencies);
+ * scan.setReportFormat(ReportGenerator.Format.ALL);
+ * scan.setReportOutputDirectory(System.getProperty("user.home"));
+ * scan.execute();
+ * </pre>
+ *
+ * @author Steve Springett <steve.springett@owasp.org>
+ */
+@SuppressWarnings("unused")
+public class DependencyCheckScanAgent {
+
+    /**
+     * System specific new line character.
+     */
+    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+
+    /**
+     * The application name for the report.
+     */
+    private String applicationName = "Dependency-Check";
+
+    /**
+     * Get the value of applicationName.
+     *
+     * @return the value of applicationName
+     */
+    public String getApplicationName() {
+        return applicationName;
+    }
+
+    /**
+     * Set the value of applicationName.
+     *
+     * @param applicationName new value of applicationName
+     */
+    public void setApplicationName(String applicationName) {
+        this.applicationName = applicationName;
+    }
+
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+
+    /**
+     * Returns a list of pre-determined dependencies.
+     *
+     * @return returns a list of dependencies
+     */
+    public List<Dependency> getDependencies() {
+        return dependencies;
+    }
+
+    /**
+     * Sets the list of dependencies to scan.
+     *
+     * @param dependencies new value of dependencies
+     */
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+    }
+
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return dataDirectory;
+    }
+
+    /**
+     * Set the value of dataDirectory.
+     *
+     * @param dataDirectory new value of dataDirectory
+     */
+    public void setDataDirectory(String dataDirectory) {
+        this.dataDirectory = dataDirectory;
+    }
+
+    /**
+     * Specifies the destination directory for the generated Dependency-Check report.
+     */
+    private String reportOutputDirectory;
+
+    /**
+     * Get the value of reportOutputDirectory.
+     *
+     * @return the value of reportOutputDirectory
+     */
+    public String getReportOutputDirectory() {
+        return reportOutputDirectory;
+    }
+
+    /**
+     * Set the value of reportOutputDirectory.
+     *
+     * @param reportOutputDirectory new value of reportOutputDirectory
+     */
+    public void setReportOutputDirectory(String reportOutputDirectory) {
+        this.reportOutputDirectory = reportOutputDirectory;
+    }
+
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
+     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
+     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+
+    /**
+     * Get the value of failBuildOnCVSS.
+     *
+     * @return the value of failBuildOnCVSS
+     */
+    public float getFailBuildOnCVSS() {
+        return failBuildOnCVSS;
+    }
+
+    /**
+     * Set the value of failBuildOnCVSS.
+     *
+     * @param failBuildOnCVSS new value of failBuildOnCVSS
+     */
+    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
+        this.failBuildOnCVSS = failBuildOnCVSS;
+    }
+
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
+     * false. Default is true.
+     */
+    private boolean autoUpdate = true;
+
+    /**
+     * Get the value of autoUpdate.
+     *
+     * @return the value of autoUpdate
+     */
+    public boolean isAutoUpdate() {
+        return autoUpdate;
+    }
+
+    /**
+     * Set the value of autoUpdate.
+     *
+     * @param autoUpdate new value of autoUpdate
+     */
+    public void setAutoUpdate(boolean autoUpdate) {
+        this.autoUpdate = autoUpdate;
+    }
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
+     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+
+    /**
+     * Get the value of reportFormat.
+     *
+     * @return the value of reportFormat
+     */
+    public ReportGenerator.Format getReportFormat() {
+        return reportFormat;
+    }
+
+    /**
+     * Set the value of reportFormat.
+     *
+     * @param reportFormat new value of reportFormat
+     */
+    public void setReportFormat(ReportGenerator.Format reportFormat) {
+        this.reportFormat = reportFormat;
+    }
+
+    /**
+     * The Proxy URL.
+     */
+    private String proxyUrl;
+
+    /**
+     * Get the value of proxyUrl.
+     *
+     * @return the value of proxyUrl
+     */
+    public String getProxyUrl() {
+        return proxyUrl;
+    }
+
+    /**
+     * Set the value of proxyUrl.
+     *
+     * @param proxyUrl new value of proxyUrl
+     */
+    public void setProxyUrl(String proxyUrl) {
+        this.proxyUrl = proxyUrl;
+    }
+
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+
+    /**
+     * Get the value of proxyPort.
+     *
+     * @return the value of proxyPort
+     */
+    public String getProxyPort() {
+        return proxyPort;
+    }
+
+    /**
+     * Set the value of proxyPort.
+     *
+     * @param proxyPort new value of proxyPort
+     */
+    public void setProxyPort(String proxyPort) {
+        this.proxyPort = proxyPort;
+    }
+
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+
+    /**
+     * Get the value of proxyUsername.
+     *
+     * @return the value of proxyUsername
+     */
+    public String getProxyUsername() {
+        return proxyUsername;
+    }
+
+    /**
+     * Set the value of proxyUsername.
+     *
+     * @param proxyUsername new value of proxyUsername
+     */
+    public void setProxyUsername(String proxyUsername) {
+        this.proxyUsername = proxyUsername;
+    }
+
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+
+    /**
+     * Get the value of proxyPassword.
+     *
+     * @return the value of proxyPassword
+     */
+    public String getProxyPassword() {
+        return proxyPassword;
+    }
+
+    /**
+     * Set the value of proxyPassword.
+     *
+     * @param proxyPassword new value of proxyPassword
+     */
+    public void setProxyPassword(String proxyPassword) {
+        this.proxyPassword = proxyPassword;
+    }
+
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+
+    /**
+     * Get the value of connectionTimeout.
+     *
+     * @return the value of connectionTimeout
+     */
+    public String getConnectionTimeout() {
+        return connectionTimeout;
+    }
+
+    /**
+     * Set the value of connectionTimeout.
+     *
+     * @param connectionTimeout new value of connectionTimeout
+     */
+    public void setConnectionTimeout(String connectionTimeout) {
+        this.connectionTimeout = connectionTimeout;
+    }
+
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+
+    /**
+     * Get the value of logFile.
+     *
+     * @return the value of logFile
+     */
+    public String getLogFile() {
+        return logFile;
+    }
+
+    /**
+     * Set the value of logFile.
+     *
+     * @param logFile new value of logFile
+     */
+    public void setLogFile(String logFile) {
+        this.logFile = logFile;
+    }
+
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+
+    /**
+     * Get the value of suppressionFile.
+     *
+     * @return the value of suppressionFile
+     */
+    public String getSuppressionFile() {
+        return suppressionFile;
+    }
+
+    /**
+     * Set the value of suppressionFile.
+     *
+     * @param suppressionFile new value of suppressionFile
+     */
+    public void setSuppressionFile(String suppressionFile) {
+        this.suppressionFile = suppressionFile;
+    }
+
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+
+    /**
+     * Get the value of showSummary.
+     *
+     * @return the value of showSummary
+     */
+    public boolean isShowSummary() {
+        return showSummary;
+    }
+
+    /**
+     * Set the value of showSummary.
+     *
+     * @param showSummary new value of showSummary
+     */
+    public void setShowSummary(boolean showSummary) {
+        this.showSummary = showSummary;
+    }
+
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+
+    /**
+     * Get the value of nexusAnalyzerEnabled.
+     *
+     * @return the value of nexusAnalyzerEnabled
+     */
+    public boolean isNexusAnalyzerEnabled() {
+        return nexusAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of nexusAnalyzerEnabled.
+     *
+     * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
+     */
+    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
+    }
+
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+
+    /**
+     * Get the value of nexusUrl.
+     *
+     * @return the value of nexusUrl
+     */
+    public String getNexusUrl() {
+        return nexusUrl;
+    }
+
+    /**
+     * Set the value of nexusUrl.
+     *
+     * @param nexusUrl new value of nexusUrl
+     */
+    public void setNexusUrl(String nexusUrl) {
+        this.nexusUrl = nexusUrl;
+    }
+
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+
+    /**
+     * Get the value of nexusUsesProxy.
+     *
+     * @return the value of nexusUsesProxy
+     */
+    public boolean isNexusUsesProxy() {
+        return nexusUsesProxy;
+    }
+
+    /**
+     * Set the value of nexusUsesProxy.
+     *
+     * @param nexusUsesProxy new value of nexusUsesProxy
+     */
+    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+        this.nexusUsesProxy = nexusUsesProxy;
+    }
+
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+
+    /**
+     * Get the value of databaseDriverName.
+     *
+     * @return the value of databaseDriverName
+     */
+    public String getDatabaseDriverName() {
+        return databaseDriverName;
+    }
+
+    /**
+     * Set the value of databaseDriverName.
+     *
+     * @param databaseDriverName new value of databaseDriverName
+     */
+    public void setDatabaseDriverName(String databaseDriverName) {
+        this.databaseDriverName = databaseDriverName;
+    }
+
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+
+    /**
+     * Get the value of databaseDriverPath.
+     *
+     * @return the value of databaseDriverPath
+     */
+    public String getDatabaseDriverPath() {
+        return databaseDriverPath;
+    }
+
+    /**
+     * Set the value of databaseDriverPath.
+     *
+     * @param databaseDriverPath new value of databaseDriverPath
+     */
+    public void setDatabaseDriverPath(String databaseDriverPath) {
+        this.databaseDriverPath = databaseDriverPath;
+    }
+
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+
+    /**
+     * Get the value of connectionString.
+     *
+     * @return the value of connectionString
+     */
+    public String getConnectionString() {
+        return connectionString;
+    }
+
+    /**
+     * Set the value of connectionString.
+     *
+     * @param connectionString new value of connectionString
+     */
+    public void setConnectionString(String connectionString) {
+        this.connectionString = connectionString;
+    }
+
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+
+    /**
+     * Get the value of databaseUser.
+     *
+     * @return the value of databaseUser
+     */
+    public String getDatabaseUser() {
+        return databaseUser;
+    }
+
+    /**
+     * Set the value of databaseUser.
+     *
+     * @param databaseUser new value of databaseUser
+     */
+    public void setDatabaseUser(String databaseUser) {
+        this.databaseUser = databaseUser;
+    }
+
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+
+    /**
+     * Get the value of databasePassword.
+     *
+     * @return the value of databasePassword
+     */
+    public String getDatabasePassword() {
+        return databasePassword;
+    }
+
+    /**
+     * Set the value of databasePassword.
+     *
+     * @param databasePassword new value of databasePassword
+     */
+    public void setDatabasePassword(String databasePassword) {
+        this.databasePassword = databasePassword;
+    }
+
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * like ZIP files.
+     */
+    private String zipExtensions;
+
+    /**
+     * Get the value of zipExtensions.
+     *
+     * @return the value of zipExtensions
+     */
+    public String getZipExtensions() {
+        return zipExtensions;
+    }
+
+    /**
+     * Set the value of zipExtensions.
+     *
+     * @param zipExtensions new value of zipExtensions
+     */
+    public void setZipExtensions(String zipExtensions) {
+        this.zipExtensions = zipExtensions;
+    }
+
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+
+    /**
+     * Get the value of cveUrl12Modified.
+     *
+     * @return the value of cveUrl12Modified
+     */
+    public String getCveUrl12Modified() {
+        return cveUrl12Modified;
+    }
+
+    /**
+     * Set the value of cveUrl12Modified.
+     *
+     * @param cveUrl12Modified new value of cveUrl12Modified
+     */
+    public void setCveUrl12Modified(String cveUrl12Modified) {
+        this.cveUrl12Modified = cveUrl12Modified;
+    }
+
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
+    /**
+     * Get the value of cveUrl20Modified.
+     *
+     * @return the value of cveUrl20Modified
+     */
+    public String getCveUrl20Modified() {
+        return cveUrl20Modified;
+    }
+
+    /**
+     * Set the value of cveUrl20Modified.
+     *
+     * @param cveUrl20Modified new value of cveUrl20Modified
+     */
+    public void setCveUrl20Modified(String cveUrl20Modified) {
+        this.cveUrl20Modified = cveUrl20Modified;
+    }
+
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+
+    /**
+     * Get the value of cveUrl12Base.
+     *
+     * @return the value of cveUrl12Base
+     */
+    public String getCveUrl12Base() {
+        return cveUrl12Base;
+    }
+
+    /**
+     * Set the value of cveUrl12Base.
+     *
+     * @param cveUrl12Base new value of cveUrl12Base
+     */
+    public void setCveUrl12Base(String cveUrl12Base) {
+        this.cveUrl12Base = cveUrl12Base;
+    }
+
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+
+    /**
+     * Get the value of cveUrl20Base.
+     *
+     * @return the value of cveUrl20Base
+     */
+    public String getCveUrl20Base() {
+        return cveUrl20Base;
+    }
+
+    /**
+     * Set the value of cveUrl20Base.
+     *
+     * @param cveUrl20Base new value of cveUrl20Base
+     */
+    public void setCveUrl20Base(String cveUrl20Base) {
+        this.cveUrl20Base = cveUrl20Base;
+    }
+
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * Get the value of pathToMono.
+     *
+     * @return the value of pathToMono
+     */
+    public String getPathToMono() {
+        return pathToMono;
+    }
+
+    /**
+     * Set the value of pathToMono.
+     *
+     * @param pathToMono new value of pathToMono
+     */
+    public void setPathToMono(String pathToMono) {
+        this.pathToMono = pathToMono;
+    }
+
+    /**
+     * Executes the Dependency-Check on the dependent libraries.
+     *
+     * @return the Engine used to scan the dependencies.
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
+     * database
+     */
+    private Engine executeDependencyCheck() throws DatabaseException {
+        populateSettings();
+        Engine engine = null;
+        try {
+            engine = new Engine();
+            engine.setDependencies(this.dependencies);
+            engine.analyzeDependencies();
+
+        } finally {
+            if (engine != null) {
+                engine.cleanup();
+            }
+        }
+        return engine;
+    }
+
+    /**
+     * Generates the reports for a given dependency-check engine.
+     *
+     * @param engine a dependency-check engine
+     * @param outDirectory the directory to write the reports to
+     */
+    private void generateExternalReports(Engine engine, File outDirectory) {
+        DatabaseProperties prop = null;
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            prop = cve.getDatabaseProperties();
+        } catch (DatabaseException ex) {
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+        final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+        try {
+            r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
+        } catch (IOException ex) {
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
+        } catch (Throwable ex) {
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, null, ex);
+        }
+    }
+
+    /**
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
+     * properties required to change the proxy url, port, and connection timeout.
+     */
+    private void populateSettings() {
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else {
+            final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+
+        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        }
+        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        }
+        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        }
+        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+    }
+
+    /**
+     * Executes the dependency-check and generates the report.
+     *
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    public void execute() throws ScanAgentException {
+        Engine engine = null;
+        try {
+            engine = executeDependencyCheck();
+            generateExternalReports(engine, new File(this.reportOutputDirectory));
+            if (this.showSummary) {
+                showSummary(engine.getDependencies());
+            }
+            if (this.failBuildOnCVSS <= 10) {
+                checkForFailure(engine.getDependencies());
+            }
+        } catch (DatabaseException ex) {
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.SEVERE,
+                    "Unable to connect to the dependency-check database; analysis has stopped");
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.FINE, "", ex);
+        } finally {
+            if (engine != null) {
+                engine.cleanup();
+            }
+        }
+    }
+
+    /**
+     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * configuration.
+     *
+     * @param dependencies the list of dependency objects
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
+        final StringBuilder ids = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean addName = true;
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (v.getCvssScore() >= failBuildOnCVSS) {
+                    if (addName) {
+                        addName = false;
+                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                        ids.append(v.getName());
+                    } else {
+                        ids.append(", ").append(v.getName());
+                    }
+                }
+            }
+        }
+        if (ids.length() > 0) {
+            final String msg = String.format("%n%nDependency-Check Failure:%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+
+            throw new ScanAgentException(msg);
+        }
+    }
+
+    /**
+     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     *
+     * @param dependencies a list of dependency objects
+     */
+    private void showSummary(List<Dependency> dependencies) {
+        final StringBuilder summary = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean firstEntry = true;
+            final StringBuilder ids = new StringBuilder();
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (firstEntry) {
+                    firstEntry = false;
+                } else {
+                    ids.append(", ");
+                }
+                ids.append(v.getName());
+            }
+            if (ids.length() > 0) {
+                summary.append(d.getFileName()).append(" (");
+                firstEntry = true;
+                for (Identifier id : d.getIdentifiers()) {
+                    if (firstEntry) {
+                        firstEntry = false;
+                    } else {
+                        summary.append(", ");
+                    }
+                    summary.append(id.getValue());
+                }
+                summary.append(") : ").append(ids).append(NEW_LINE);
+            }
+        }
+        if (summary.length() > 0) {
+            final String msg = String.format("%n%n"
+                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+            Logger.getLogger(DependencyCheckScanAgent.class.getName()).log(Level.WARNING, msg);
+        }
+    }
+
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java

@@ -0,0 +1,13 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.agent</title>
+ * </head>
+ * <body>
+ * The agent package holds an agent API that can be used by other applications that have information about dependencies;
+ * but would rather implement something in their code directly rather then spawn a process to run the entire
+ * dependency-check engine. This basically provides programmatic access to running a scan.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.agent;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -1,51 +1,28 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
 /**
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 
-    /**
-     * Utility method to help in the creation of the extensions set. This
-     * constructs a new Set that can be used in a final static
-     * declaration.<br/><br/>
-     *
-     * This implementation was copied from
-     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
-     *
-     * @param strings a list of strings to add to the set.
-     * @return a Set of strings.
-     */
-    protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
-
-        Collections.addAll(set, strings);
-        return set;
-    }
-
     /**
      * The initialize method does nothing for this Analyzer.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -0,0 +1,229 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constructor">
+    /**
+     * Base constructor that all children must call. This checks the configuration to determine if the analyzer is
+     * enabled.
+     */
+    public AbstractFileTypeAnalyzer() {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            enabled = Settings.getBoolean(key, true);
+        } catch (InvalidSettingException ex) {
+            String msg = String.format("Invalid settting for property '%s'", key);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            msg = String.format("%s has been disabled", getName());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Field defentitions">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractFileTypeAnalyzer.class.getName());
+    /**
+     * Whether the file type analyzer detected any files it needs to analyze.
+     */
+    private boolean filesMatched = false;
+
+    /**
+     * Get the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @return the value of filesMatched
+     */
+    protected boolean isFilesMatched() {
+        return filesMatched;
+    }
+
+    /**
+     * Set the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @param filesMatched new value of filesMatched
+     */
+    protected void setFilesMatched(boolean filesMatched) {
+        this.filesMatched = filesMatched;
+    }
+
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private boolean enabled = true;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
+    /**
+     * <p>
+     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
+     * getSupportedExtensions function would return a set with a single element "jar".</p>
+     *
+     * <p>
+     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
+     *
+     * @return The file extensions supported by this analyzer.
+     *
+     * <p>
+     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
+     * file loaded</p>
+     */
+    protected abstract Set<String> getSupportedExtensions();
+
+    /**
+     * Initializes the file type analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    protected abstract void initializeFileTypeAnalyzer() throws Exception;
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+//</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
+    /**
+     * Initializes the analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    @Override
+    public final void initialize() throws Exception {
+        if (filesMatched) {
+            initializeFileTypeAnalyzer();
+        } else {
+            enabled = false;
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (enabled) {
+            analyzeFileType(dependency, engine);
+        }
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    @Override
+    public final boolean supportsExtension(String extension) {
+        if (!enabled) {
+            return false;
+        }
+        final Set<String> ext = getSupportedExtensions();
+        if (ext == null) {
+            final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+                    + " it will be disabled", getName());
+            Logger.getLogger(AbstractFileTypeAnalyzer.class.getName()).log(Level.SEVERE, msg);
+            return false;
+        } else {
+            final boolean match = ext.contains(extension);
+            if (match) {
+                filesMatched = match;
+            }
+            return match;
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
+    /**
+     * <p>
+     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
+     * final static declaration.</p>
+     *
+     * <p>
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
+     *
+     * @param strings a list of strings to add to the set.
+     * @return a Set of strings.
+     */
+    protected static Set<String> newHashSet(String... strings) {
+        final Set<String> set = new HashSet<String>();
+
+        Collections.addAll(set, strings);
+        return set;
+    }
+//</editor-fold>
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -1,36 +1,41 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 import org.owasp.dependencycheck.suppression.SuppressionParseException;
 import org.owasp.dependencycheck.suppression.SuppressionParser;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Abstract base suppression analyzer that contains methods for parsing the
- * suppression xml file.
+ * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -46,18 +51,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
         return null;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     //</editor-fold>
     /**
      * The initialize method loads the suppression XML file.
@@ -98,17 +91,58 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
      * @throws SuppressionParseException thrown if the XML cannot be parsed.
      */
     private void loadSuppressionData() throws SuppressionParseException {
-        final File file = Settings.getFile(Settings.KEYS.SUPPRESSION_FILE);
-        if (file != null) {
-            final SuppressionParser parser = new SuppressionParser();
-            try {
-                rules = parser.parseSuppressionRules(file);
-            } catch (SuppressionParseException ex) {
-                final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
-                throw ex;
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
+        if (suppressionFilePath == null) {
+            return;
+        }
+        File file = null;
+        boolean deleteTempFile = false;
+        try {
+            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
+            if (uriRx.matcher(suppressionFilePath).matches()) {
+                deleteTempFile = true;
+                file = FileUtils.getTempFile("suppression", "xml");
+                final URL url = new URL(suppressionFilePath);
+                try {
+                    Downloader.fetchFile(url, file, false);
+                } catch (DownloadFailedException ex) {
+                    Downloader.fetchFile(url, file, true);
+                }
+            } else {
+                file = new File(suppressionFilePath);
+            }
+
+            if (file != null) {
+                final SuppressionParser parser = new SuppressionParser();
+                try {
+                    rules = parser.parseSuppressionRules(file);
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, rules.size() + " suppression rules were loaded.");
+                } catch (SuppressionParseException ex) {
+                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+                    throw ex;
+                }
+            }
+        } catch (DownloadFailedException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Unable to fetch the configured suppression file");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
+        } catch (MalformedURLException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Configured suppression file has an invalid URL");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
+        } catch (IOException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Unable to create temp file for suppressions");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
+        } finally {
+            if (deleteTempFile && file != null) {
+                FileUtils.delete(file);
             }
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -1,65 +1,46 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 
 /**
- * An interface that defines an Analyzer that is used to identify Dependencies.
- * An analyzer will collect information about the dependency in the form of
- * Evidence.
+ * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
+ * about the dependency in the form of Evidence.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public interface Analyzer {
 
     /**
-     * Analyzes the given dependency. The analysis could be anything from
-     * identifying an Identifier for the dependency, to finding vulnerabilities,
-     * etc. Additionally, if the analyzer collects enough information to add a
-     * description or license information for the dependency it should be added.
+     * Analyzes the given dependency. The analysis could be anything from identifying an Identifier for the dependency,
+     * to finding vulnerabilities, etc. Additionally, if the analyzer collects enough information to add a description
+     * or license information for the dependency it should be added.
      *
      * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies - this is
-     * useful if we need to check other dependencies
-     * @throws AnalysisException is thrown if there is an error analyzing the
-     * dependency file
+     * @param engine the engine that is scanning the dependencies - this is useful if we need to check other
+     * dependencies
+     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
      */
     void analyze(Dependency dependency, Engine engine) throws AnalysisException;
 
-    /**
-     * <p>Returns a list of supported file extensions. An example would be an
-     * analyzer that inspected java jar files. The getSupportedExtensions
-     * function would return a set with a single element "jar".</p>
-     *
-     * <p><b>Note:</b> when implementing this the extensions returned MUST be
-     * lowercase.</p>
-     *
-     * @return The file extensions supported by this analyzer.
-     *
-     * <p>If the analyzer returns null it will not cause additional files to be
-     * analyzed but will be executed against every file loaded</p>
-     */
-    Set<String> getSupportedExtensions();
-
     /**
      * Returns the name of the analyzer.
      *
@@ -67,15 +48,6 @@ public interface Analyzer {
      */
     String getName();
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    boolean supportsExtension(String extension);
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
@@ -84,17 +56,14 @@ public interface Analyzer {
     AnalysisPhase getAnalysisPhase();
 
     /**
-     * The initialize method is called (once) prior to the analyze method being
-     * called on all of the dependencies.
+     * The initialize method is called (once) prior to the analyze method being called on all of the dependencies.
      *
-     * @throws Exception is thrown if an exception occurs initializing the
-     * analyzer.
+     * @throws Exception is thrown if an exception occurs initializing the analyzer.
      */
     void initialize() throws Exception;
 
     /**
-     * The close method is called after all of the dependencies have been
-     * analyzed.
+     * The close method is called after all of the dependencies have been analyzed.
      *
      * @throws Exception is thrown if an exception occurs closing the analyzer.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -26,6 +25,7 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.List;
@@ -39,26 +39,32 @@ import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
-import org.h2.store.fs.FileUtils;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * <p>An analyzer that extracts files from archives and ensures any supported
- * files contained within the archive are added to the dependency list.</p>
+ * <p>
+ * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
+ * to the dependency list.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
-public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ArchiveAnalyzer.class.getName());
     /**
      * The buffer size to use when extracting files from the archive.
      */
     private static final int BUFFER_SIZE = 4096;
     /**
-     * The count of directories created during analysis. This is used for
-     * creating temporary directories.
+     * The count of directories created during analysis. This is used for creating temporary directories.
      */
     private static int dirCount = 0;
     /**
@@ -66,14 +72,14 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private File tempFileLocation = null;
     /**
-     * The max scan depth that the analyzer will recursively extract nested
-     * archives.
+     * The max scan depth that the analyzer will recursively extract nested archives.
      */
     private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
     /**
      * Tracks the current scan/extraction depth for nested archives.
      */
     private int scanDepth = 0;
+
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
      * The name of the analyzer.
@@ -84,15 +90,30 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
     /**
-     * The set of file extensions supported by this analyzer.
+     * The set of things we can handle with Zip methods
      */
-    private static final Set<String> EXTENSIONS = newHashSet("zip", "ear", "war", "tar", "gz", "tgz");
+    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
+    /**
+     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
+     * to be explicitly handled in extractFiles().
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
+
+    static {
+        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
+        if (additionalZipExt != null) {
+            final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            ZIPPABLES.addAll(ext);
+        }
+        EXTENSIONS.addAll(ZIPPABLES);
+    }
 
     /**
      * Returns a list of file EXTENSIONS supported by this analyzer.
      *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
+    @Override
     public Set<String> getSupportedExtensions() {
         return EXTENSIONS;
     }
@@ -102,39 +123,39 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @return the name of the analyzer.
      */
+    @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
 
     /**
-     * The initialize method does nothing for this Analyzer.
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
      *
-     * @throws Exception is thrown if there is an exception deleting or creating
-     * temporary files
+     * @return the analyzer's enabled property setting key
      */
     @Override
-    public void initialize() throws Exception {
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ARCHIVE_ENABLED;
+    }
+
+    /**
+     * The initialize method does nothing for this Analyzer.
+     *
+     * @throws Exception is thrown if there is an exception deleting or creating temporary files
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
         final File baseDir = Settings.getTempDirectory();
         if (!baseDir.exists()) {
             if (!baseDir.mkdirs()) {
@@ -154,29 +175,31 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
 
     /**
-     * The close method does nothing for this Analyzer.
+     * The close method deletes any temporary files and directories created during analysis.
      *
-     * @throws Exception thrown if there is an exception deleting temporary
-     * files
+     * @throws Exception thrown if there is an exception deleting temporary files
      */
     @Override
     public void close() throws Exception {
         if (tempFileLocation != null && tempFileLocation.exists()) {
-            FileUtils.deleteRecursive(tempFileLocation.getAbsolutePath(), true);
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
+            final boolean success = FileUtils.delete(tempFileLocation);
+            if (!success) {
+                LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
+            }
         }
     }
 
     /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a
-     * WAR or EAR, the contents are extracted, scanned, and added to the list of
-     * dependencies within the engine.
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine scanning
      * @throws AnalysisException thrown if there is an analysis exception
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         final File f = new File(dependency.getActualFilePath());
         final File tmpDir = getNextTempDirectory();
         extractFiles(f, tmpDir, engine);
@@ -204,7 +227,6 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                 d.setFileName(displayName);
 
                 //TODO - can we get more evidence from the parent? EAR contains module name, etc.
-
                 //analyze the dependency (i.e. extract files) if it is a supported type.
                 if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
                     scanDepth += 1;
@@ -253,35 +275,35 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
         try {
             fis = new FileInputStream(archive);
         } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.INFO, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
             throw new AnalysisException("Archive file was not found.", ex);
         }
-        final String archiveExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(archive.getName()).toLowerCase();
+        final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
         try {
-            if ("zip".equals(archiveExt) || "war".equals(archiveExt) || "ear".equals(archiveExt)) {
+            if (ZIPPABLES.contains(archiveExt)) {
                 extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
             } else if ("tar".equals(archiveExt)) {
                 extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
             } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                 final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
-                final String uncompressedExt = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(uncompressedName).toLowerCase();
+                final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
                 if (engine.supportsExtension(uncompressedExt)) {
                     decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
                 }
             }
         } catch (ArchiveExtractionException ex) {
             final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
         } catch (IOException ex) {
             final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
         } finally {
             try {
                 fis.close();
             } catch (IOException ex) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
             }
         }
     }
@@ -292,8 +314,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      * @param input the archive to extract files from
      * @param destination the location to write the files too
      * @param engine the dependency-check engine
-     * @throws ArchiveExtractionException thrown if there is an exception
-     * extracting files from the archive
+     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
      */
     private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
         ArchiveEntry entry;
@@ -303,17 +324,24 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                     final File d = new File(destination, entry.getName());
                     if (!d.exists()) {
                         if (!d.mkdirs()) {
-                            final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
+                            final String msg = String.format("Unable to create directory '%s'.", d.getAbsolutePath());
                             throw new AnalysisException(msg);
                         }
                     }
                 } else {
                     final File file = new File(destination, entry.getName());
-                    final String ext = org.owasp.dependencycheck.utils.FileUtils.getFileExtension(file.getName());
+                    final String ext = FileUtils.getFileExtension(file.getName());
                     if (engine.supportsExtension(ext)) {
                         BufferedOutputStream bos = null;
                         FileOutputStream fos;
                         try {
+                            final File parent = file.getParentFile();
+                            if (!parent.isDirectory()) {
+                                if (!parent.mkdirs()) {
+                                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+                                    throw new AnalysisException(msg);
+                                }
+                            }
                             fos = new FileOutputStream(file);
                             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                             int count;
@@ -354,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                 try {
                     input.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                 }
             }
         }
@@ -365,8 +393,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @param inputStream the compressed file
      * @param outputFile the location to write the decompressed file
-     * @throws ArchiveExtractionException thrown if there is an exception
-     * decompressing the file
+     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
      */
     private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
         FileOutputStream out = null;
@@ -378,17 +405,17 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                 out.write(buffer, 0, n);
             }
         } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
             throw new ArchiveExtractionException(ex);
         } catch (IOException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
             throw new ArchiveExtractionException(ex);
         } finally {
             if (out != null) {
                 try {
                     out.close();
                 } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                 }
             }
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -0,0 +1,315 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InputStreamReader;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathExpressionException;
+import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
+import org.w3c.dom.Document;
+import org.xml.sax.SAXException;
+
+/**
+ * Analyzer for getting company, product, and version information from a .NET assembly.
+ *
+ * @author colezlaw
+ *
+ */
+public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The analyzer name
+     */
+    private static final String ANALYZER_NAME = "Assembly Analyzer";
+    /**
+     * The analysis phase
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+    /**
+     * The list of supported extensions
+     */
+    private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
+    /**
+     * The temp value for GrokAssembly.exe
+     */
+    private File grokAssemblyExe = null;
+    /**
+     * The DocumentBuilder for parsing the XML
+     */
+    private DocumentBuilder builder;
+    /**
+     * Logger
+     */
+    private static final Logger LOG = Logger.getLogger(AssemblyAnalyzer.class.getName());
+
+    /**
+     * Builds the beginnings of a List for ProcessBuilder
+     *
+     * @return the list of arguments to begin populating the ProcessBuilder
+     */
+    private List<String> buildArgumentList() {
+        // Use file.separator as a wild guess as to whether this is Windows
+        final List<String> args = new ArrayList<String>();
+        if (!"\\".equals(System.getProperty("file.separator"))) {
+            if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
+                args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
+            } else {
+                args.add("mono");
+            }
+        }
+        args.add(grokAssemblyExe.getPath());
+
+        return args;
+    }
+
+    /**
+     * Performs the analysis on a single Dependency.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine to perform the analysis under
+     * @throws AnalysisException if anything goes sideways
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        if (grokAssemblyExe == null) {
+            LOG.warning("GrokAssembly didn't get deployed");
+            return;
+        }
+
+        final List<String> args = buildArgumentList();
+        args.add(dependency.getActualFilePath());
+        final ProcessBuilder pb = new ProcessBuilder(args);
+        BufferedReader rdr = null;
+        try {
+            final Process proc = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream()));
+            String line = null;
+            while (rdr.ready() && (line = rdr.readLine()) != null) {
+                LOG.log(Level.WARNING, "Error from GrokAssembly: {0}", line);
+            }
+            int rc = 0;
+            final Document doc = builder.parse(proc.getInputStream());
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+
+            // First, see if there was an error
+            final String error = xpath.evaluate("/assembly/error", doc);
+            if (error != null && !"".equals(error)) {
+                throw new AnalysisException(error);
+            }
+
+            final String version = xpath.evaluate("/assembly/version", doc);
+            if (version != null) {
+                dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version",
+                        version, Confidence.HIGHEST));
+            }
+
+            final String vendor = xpath.evaluate("/assembly/company", doc);
+            if (vendor != null) {
+                dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor",
+                        vendor, Confidence.HIGH));
+            }
+
+            final String product = xpath.evaluate("/assembly/product", doc);
+            if (product != null) {
+                dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product",
+                        product, Confidence.HIGH));
+            }
+
+            try {
+                rc = proc.waitFor();
+            } catch (InterruptedException ie) {
+                return;
+            }
+            if (rc == 3) {
+                LOG.log(Level.INFO, "{0} is not a valid assembly", dependency.getActualFilePath());
+                return;
+            } else if (rc != 0) {
+                LOG.log(Level.WARNING, "Return code {0} from GrokAssembly", rc);
+            }
+
+        } catch (IOException ioe) {
+            throw new AnalysisException(ioe);
+        } catch (SAXException saxe) {
+            throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
+        } catch (XPathExpressionException xpe) {
+            // This shouldn't happen
+            throw new AnalysisException(xpe);
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     *
+     * @throws Exception if anything goes wrong
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
+        FileOutputStream fos = null;
+        InputStream is = null;
+        try {
+            fos = new FileOutputStream(tempFile);
+            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+            final byte[] buff = new byte[4096];
+            int bread = -1;
+            while ((bread = is.read(buff)) >= 0) {
+                fos.write(buff, 0, bread);
+            }
+            grokAssemblyExe = tempFile;
+            // Set the temp file to get deleted when we're done
+            grokAssemblyExe.deleteOnExit();
+            LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
+        } catch (IOException ioe) {
+            LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
+            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
+        } finally {
+            if (fos != null) {
+                try {
+                    fos.close();
+                } catch (Throwable e) {
+                    LOG.fine("Error closing output stream");
+                }
+            }
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (Throwable e) {
+                    LOG.fine("Error closing input stream");
+                }
+            }
+        }
+
+        // Now, need to see if GrokAssembly actually runs from this location.
+        final List<String> args = buildArgumentList();
+        BufferedReader rdr = null;
+        try {
+            final ProcessBuilder pb = new ProcessBuilder(args);
+            final Process p = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream()));
+            String line;
+            while (rdr.ready() && (line = rdr.readLine()) != null) {
+                // We expect this to complain
+            }
+            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+            final String error = xpath.evaluate("/assembly/error", doc);
+            if (p.waitFor() != 1 || error == null || "".equals(error)) {
+                LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
+                LOG.fine("GrokAssembly.exe is not working properly");
+                grokAssemblyExe = null;
+                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
+            }
+        } catch (Throwable e) {
+            LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
+                    + "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
+            LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
+            throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    Logger.getLogger(AssemblyAnalyzer.class.getName()).log(Level.FINEST, "ignore", ex);
+                }
+            }
+        }
+
+        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+    }
+
+    @Override
+    public void close() throws Exception {
+        super.close();
+        try {
+            if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                grokAssemblyExe.deleteOnExit();
+            }
+        } catch (SecurityException se) {
+            LOG.fine("Can't delete temporary GrokAssembly.exe");
+        }
+    }
+
+    /**
+     * Gets the set of extensions supported by this analyzer.
+     *
+     * @return the list of supported extensions
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Gets this analyzer's name.
+     *
+     * @return the analyzer name
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase this analyzer runs under.
+     *
+     * @return the phase this runs under
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -34,26 +33,26 @@ import org.apache.lucene.queryparser.classic.ParseException;
 import org.apache.lucene.search.ScoreDoc;
 import org.apache.lucene.search.TopDocs;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.lucene.LuceneUtils;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.Evidence.Confidence;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.Fields;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.data.cpe.IndexException;
+import org.owasp.dependencycheck.data.lucene.LuceneUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts
- * to discern if there is an associated CPE. It uses the evidence contained
- * within the dependency to search the Lucene index.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
+ * It uses the evidence contained within the dependency to search the Lucene index.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -68,18 +67,15 @@ public class CPEAnalyzer implements Analyzer {
      */
     static final String WEIGHTING_BOOST = "^5";
     /**
-     * A string representation of a regular expression defining characters
-     * utilized within the CPE Names.
+     * A string representation of a regular expression defining characters utilized within the CPE Names.
      */
     static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
     /**
-     * A string representation of a regular expression used to remove all but
-     * alpha characters.
+     * A string representation of a regular expression used to remove all but alpha characters.
      */
     static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
     /**
-     * The additional size to add to a new StringBuilder to account for extra
-     * data that will be written into the string.
+     * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
      */
     static final int STRING_BUILDER_BUFFER = 20;
     /**
@@ -91,13 +87,42 @@ public class CPEAnalyzer implements Analyzer {
      */
     private CveDB cve;
 
+    /**
+     * Returns the name of this analyzer.
+     *
+     * @return the name of this analyzer.
+     */
+    @Override
+    public String getName() {
+        return "CPE Analyzer";
+    }
+
+    /**
+     * Returns the analysis phase that this analyzer should run in.
+     *
+     * @return the analysis phase that this analyzer should run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.IDENTIFIER_ANALYSIS;
+    }
+
+    /**
+     * Creates the CPE Lucene Index.
+     *
+     * @throws Exception is thrown if there is an issue opening the index.
+     */
+    @Override
+    public void initialize() throws Exception {
+        this.open();
+    }
+
     /**
      * Opens the data source.
      *
-     * @throws IOException when the Lucene directory to be queried does not
-     * exist or is corrupt.
-     * @throws DatabaseException when the database throws an exception. This
-     * usually occurs when the database is in use by another process.
+     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
+     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
+     * by another process.
      */
     public void open() throws IOException, DatabaseException {
         Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
@@ -127,9 +152,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Searches the data store of CPE entries, trying to identify the CPE for
-     * the given dependency based on the evidence contained within. The
-     * dependency passed in is updated with any identified CPE values.
+     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
+     * contained within. The dependency passed in is updated with any identified CPE values.
      *
      * @param dependency the dependency to search for CPE entries on.
      * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -175,10 +199,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Returns the text created by concatenating the text and the values from
-     * the EvidenceCollection (filtered for a specific confidence). This
-     * attempts to prevent duplicate terms from being added.<br/<br/> Note, if
-     * the evidence is longer then 200 characters it will be truncated.
+     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
+     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
+     * is longer then 200 characters it will be truncated.
      *
      * @param text the base text.
      * @param ec an EvidenceCollection
@@ -208,8 +231,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Reduces the given confidence by one level. This returns LOW if the
-     * confidence passed in is not HIGH.
+     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
      *
      * @param c the confidence to reduce.
      * @return One less then the confidence passed in.
@@ -225,18 +247,18 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>Searches the Lucene CPE index to identify possible CPE entries
-     * associated with the supplied vendor, product, and version.</p>
+     * <p>
+     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
+     * version.</p>
      *
-     * <p>If either the vendorWeightings or productWeightings lists have been
-     * populated this data is used to add weighting factors to the search.</p>
+     * <p>
+     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
+     * factors to the search.</p>
      *
      * @param vendor the text used to search the vendor field
      * @param product the text used to search the product field
-     * @param vendorWeightings a list of strings to use to add weighting factors
-     * to the vendor field
-     * @param productWeightings Adds a list of strings that will be used to add
-     * weighting factors to the product search
+     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
+     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
      * @return a list of possible CPE values
      * @throws CorruptIndexException when the Lucene index is corrupt
      * @throws IOException when the Lucene index is not found
@@ -276,19 +298,17 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * <p>Builds a Lucene search string by properly escaping data and
-     * constructing a valid search query.</p>
+     * <p>
+     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
      *
-     * <p>If either the possibleVendor or possibleProducts lists have been
-     * populated this data is used to add weighting factors to the search string
-     * generated.</p>
+     * <p>
+     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
+     * factors to the search string generated.</p>
      *
      * @param vendor text to search the vendor field
      * @param product text to search the product field
-     * @param vendorWeighting a list of strings to apply to the vendor to boost
-     * the terms weight
-     * @param productWeightings a list of strings to apply to the product to
-     * boost the terms weight
+     * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
+     * @param productWeightings a list of strings to apply to the product to boost the terms weight
      * @return the Lucene query
      */
     protected String buildSearch(String vendor, String product,
@@ -309,17 +329,14 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * This method constructs a Lucene query for a given field. The searchText
-     * is split into separate words and if the word is within the list of
-     * weighted words then an additional weighting is applied to the term as it
-     * is appended into the query.
+     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
+     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
+     * into the query.
      *
      * @param sb a StringBuilder that the query text will be appended to.
-     * @param field the field within the Lucene index that the query is
-     * searching.
+     * @param field the field within the Lucene index that the query is searching.
      * @param searchText text used to construct the query.
-     * @param weightedText a list of terms that will be considered higher
-     * importance when searching.
+     * @param weightedText a list of terms that will be considered higher importance when searching.
      * @return if the append was successful.
      */
     private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
@@ -358,8 +375,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Removes characters from the input text that are not used within the CPE
-     * index.
+     * Removes characters from the input text that are not used within the CPE index.
      *
      * @param text is the text to remove the characters from.
      * @return the text having removed some characters.
@@ -369,8 +385,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Compares two strings after lower casing them and removing the non-alpha
-     * characters.
+     * Compares two strings after lower casing them and removing the non-alpha characters.
      *
      * @param l string one to compare.
      * @param r string two to compare.
@@ -387,9 +402,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Ensures that the CPE Identified matches the dependency. This validates
-     * that the product, vendor, and version information for the CPE are
-     * contained within the dependencies evidence.
+     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
+     * information for the CPE are contained within the dependencies evidence.
      *
      * @param entry a CPE entry.
      * @param dependency the dependency that the CPE entries could be for.
@@ -425,7 +439,6 @@ public class CPEAnalyzer implements Analyzer {
         //            }
         //        }
         //</editor-fold>
-
         //TODO - likely need to change the split... not sure if this will work for CPE with special chars
         if (text == null) {
             return false;
@@ -435,9 +448,9 @@ public class CPEAnalyzer implements Analyzer {
         String tempWord = null;
         for (String word : words) {
             /*
-            single letter words should be concatenated with the next word.
-            so { "m", "core", "sample" } -> { "mcore", "sample" }
-            */
+             single letter words should be concatenated with the next word.
+             so { "m", "core", "sample" } -> { "mcore", "sample" }
+             */
             if (tempWord != null) {
                 list.add(tempWord + word);
                 tempWord = null;
@@ -459,13 +472,11 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE
-     * identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze.
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the
-     * dependency.
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -481,62 +492,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    @Override
-    public Set<String> getSupportedExtensions() {
-        return null;
-    }
-
-    /**
-     * Returns the name of this analyzer.
-     *
-     * @return the name of this analyzer.
-     */
-    @Override
-    public String getName() {
-        return "CPE Analyzer";
-    }
-
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
-    /**
-     * Returns the analysis phase that this analyzer should run in.
-     *
-     * @return the analysis phase that this analyzer should run in.
-     */
-    @Override
-    public AnalysisPhase getAnalysisPhase() {
-        return AnalysisPhase.IDENTIFIER_ANALYSIS;
-    }
-
-    /**
-     * Opens the CPE Lucene Index.
-     *
-     * @throws Exception is thrown if there is an issue opening the index.
-     */
-    @Override
-    public void initialize() throws Exception {
-        this.open();
-    }
-
-    /**
-     * Retrieves a list of CPE values from the CveDB based on the vendor and
-     * product passed in. The list is then validated to find only CPEs that are
-     * valid for the given dependency. It is possible that the CPE identified is
-     * a best effort "guess" based on the vendor, product, and version
-     * information.
+     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
+     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
+     * best effort "guess" based on the vendor, product, and version information.
      *
      * @param dependency the Dependency being analyzed
      * @param vendor the vendor for the CPE being analyzed
@@ -601,7 +559,13 @@ public class CPEAnalyzer implements Analyzer {
         for (IdentifierMatch m : collected) {
             if (bestIdentifierQuality.equals(m.getConfidence())
                     && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
-                dependency.addIdentifier(m.getIdentifier());
+                final Identifier i = m.getIdentifier();
+                if (bestIdentifierQuality == IdentifierConfidence.BEST_GUESS) {
+                    i.setConfidence(Confidence.LOW);
+                } else {
+                    i.setConfidence(bestEvidenceQuality);
+                }
+                dependency.addIdentifier(i);
             }
         }
     }
@@ -622,8 +586,7 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * A simple object to hold an identifier and carry information about the
-     * confidence in the identifier.
+     * A simple object to hold an identifier and carry information about the confidence in the identifier.
      */
     private static class IdentifierMatch implements Comparable<IdentifierMatch> {
 
@@ -633,10 +596,8 @@ public class CPEAnalyzer implements Analyzer {
          * @param type the type of identifier (such as CPE)
          * @param value the value of the identifier
          * @param url the URL of the identifier
-         * @param identifierConfidence the confidence in the identifier: best
-         * guess or exact match
-         * @param evidenceConfidence the confidence of the evidence used to find
-         * the identifier
+         * @param identifierConfidence the confidence in the identifier: best guess or exact match
+         * @param evidenceConfidence the confidence of the evidence used to find the identifier
          */
         IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
             this.identifier = new Identifier(type, value, url);
@@ -767,8 +728,8 @@ public class CPEAnalyzer implements Analyzer {
         //</editor-fold>
 
         /**
-         * Standard implementation of compareTo that compares identifier
-         * confidence, evidence confidence, and then the identifier.
+         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
+         * identifier.
          *
          * @param o the IdentifierMatch to compare to
          * @return the natural ordering of IdentifierMatch

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -1,31 +1,30 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
 
 /**
- * The suppression analyzer processes an externally defined XML document that
- * complies with the suppressions.xsd schema. Any identified CPE entries within
- * the dependencies that match will be removed.
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
+ * Any identified CPE entries within the dependencies that match will be removed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,19 +27,20 @@ import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
- * <p>This analyzer ensures dependencies that should be grouped together, to
- * remove excess noise from the report, are grouped. An example would be Spring,
- * Spring Beans, Spring MVC, etc. If they are all for the same version and have
- * the same relative path then these should be grouped into a single dependency
- * under the core/main library.</p>
- * <p>Note, this grouping only works on dependencies with identified CVE
- * entries</p>
+ * <p>
+ * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
+ * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
+ * same relative path then these should be grouped into a single dependency under the core/main library.</p>
+ * <p>
+ * Note, this grouping only works on dependencies with identified CVE entries</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -57,10 +57,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     private boolean analyzed = false;
     //</editor-fold>
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
     /**
      * The name of the analyzer.
      */
@@ -70,15 +66,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
 
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
     /**
      * Returns the name of the analyzer.
      *
@@ -88,17 +75,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
@@ -110,14 +86,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     //</editor-fold>
 
     /**
-     * Analyzes a set of dependencies. If they have been found to have the same
-     * base path and the same set of identifiers they are likely related. The
-     * related dependencies are bundled into a single reportable item.
+     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
+     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
      *
      * @param ignore this analyzer ignores the dependency being analyzed
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
      */
     @Override
     public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
@@ -132,29 +106,26 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                     final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                     while (subIterator.hasNext()) {
                         final Dependency nextDependency = subIterator.next();
-
-                        if (identifiersMatch(dependency, nextDependency)
+                        if (isShadedJar(dependency, nextDependency)) {
+                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
+                                dependenciesToRemove.add(dependency);
+                            } else {
+                                dependenciesToRemove.add(nextDependency);
+                            }
+                        } else if (hashesMatch(dependency, nextDependency)) {
+                            if (isCore(dependency, nextDependency)) {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                            } else {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                            }
+                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                 && hasSameBasePath(dependency, nextDependency)
                                 && fileNameMatch(dependency, nextDependency)) {
 
                             if (isCore(dependency, nextDependency)) {
-                                dependency.addRelatedDependency(nextDependency);
-                                //move any "related dependencies" to the new "parent" dependency
-                                final Iterator<Dependency> i = nextDependency.getRelatedDependencies().iterator();
-                                while (i.hasNext()) {
-                                    dependency.addRelatedDependency(i.next());
-                                    i.remove();
-                                }
-                                dependenciesToRemove.add(nextDependency);
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
-                                nextDependency.addRelatedDependency(dependency);
-                                //move any "related dependencies" to the new "parent" dependency
-                                final Iterator<Dependency> i = dependency.getRelatedDependencies().iterator();
-                                while (i.hasNext()) {
-                                    nextDependency.addRelatedDependency(i.next());
-                                    i.remove();
-                                }
-                                dependenciesToRemove.add(dependency);
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                             }
                         }
                     }
@@ -168,6 +139,25 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
     }
 
+    /**
+     * Adds the relatedDependency to the dependency's related dependencies.
+     *
+     * @param dependency the main dependency
+     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
+     * source of dependencies to remove
+     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
+     * function adds to this collection
+     */
+    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
+        dependency.addRelatedDependency(relatedDependency);
+        final Iterator<Dependency> i = relatedDependency.getRelatedDependencies().iterator();
+        while (i.hasNext()) {
+            dependency.addRelatedDependency(i.next());
+            i.remove();
+        }
+        dependenciesToRemove.add(relatedDependency);
+    }
+
     /**
      * Attempts to trim a maven repo to a common base path. This is typically
      * [drive]\[repo_location]\repository\[path1]\[path2].
@@ -195,13 +185,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Returns true if the file names (and version if it exists) of the two
-     * dependencies are sufficiently similar.
+     * Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are
-     * equal
+     * @return true if the identifiers in the two supplied dependencies are equal
      */
     private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getFileName() == null
@@ -248,21 +236,38 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Returns true if the identifiers in the two supplied dependencies are
-     * equal.
+     * Returns true if the CPE identifiers in the two supplied dependencies are equal.
      *
      * @param dependency1 a dependency2 to compare
      * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are
-     * equal
+     * @return true if the identifiers in the two supplied dependencies are equal
      */
-    private boolean identifiersMatch(Dependency dependency1, Dependency dependency2) {
+    private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
         if (dependency1 == null || dependency1.getIdentifiers() == null
                 || dependency2 == null || dependency2.getIdentifiers() == null) {
             return false;
         }
-        final boolean matches = dependency1.getIdentifiers().size() > 0
-                && dependency2.getIdentifiers().equals(dependency1.getIdentifiers());
+        boolean matches = false;
+        int cpeCount1 = 0;
+        int cpeCount2 = 0;
+        for (Identifier i : dependency1.getIdentifiers()) {
+            if ("cpe".equals(i.getType())) {
+                cpeCount1 += 1;
+            }
+        }
+        for (Identifier i : dependency2.getIdentifiers()) {
+            if ("cpe".equals(i.getType())) {
+                cpeCount2 += 1;
+            }
+        }
+        if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
+            for (Identifier i : dependency1.getIdentifiers()) {
+                matches |= dependency2.getIdentifiers().contains(i);
+                if (!matches) {
+                    break;
+                }
+            }
+        }
         if (LogUtils.isVerboseLoggingEnabled()) {
             final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
             Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
@@ -295,25 +300,38 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             left = getBaseRepoPath(left);
             right = getBaseRepoPath(right);
         }
-        return left.equalsIgnoreCase(right);
+        if (left.equalsIgnoreCase(right)) {
+            return true;
+        }
+        //new code
+        for (Dependency child : dependency2.getRelatedDependencies()) {
+            if (hasSameBasePath(dependency1, child)) {
+                return true;
+            }
+        }
+        return false;
     }
 
     /**
-     * This is likely a very broken attempt at determining if the 'left'
-     * dependency is the 'core' library in comparison to the 'right' library.
+     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
+     * to the 'right' library.
      *
      * @param left the dependency to test
      * @param right the dependency to test against
-     * @return a boolean indicating whether or not the left dependency should be
-     * considered the "core" version.
+     * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
      */
-    private boolean isCore(Dependency left, Dependency right) {
+    boolean isCore(Dependency left, Dependency right) {
         final String leftName = left.getFileName().toLowerCase();
         final String rightName = right.getFileName().toLowerCase();
+
         final boolean returnVal;
-        if (rightName.contains("core") && !leftName.contains("core")) {
+        if (!rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || rightName.contains("core") && !leftName.contains("core")
+                || rightName.contains("kernel") && !leftName.contains("kernel")) {
             returnVal = false;
-        } else if (!rightName.contains("core") && leftName.contains("core")) {
+        } else if (rightName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+") && !leftName.matches(".*\\.(tar|tgz|gz|zip|ear|war).+")
+                || !rightName.contains("core") && leftName.contains("core")
+                || !rightName.contains("kernel") && leftName.contains("kernel")) {
             returnVal = true;
         } else {
             /*
@@ -333,4 +351,38 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         }
         return returnVal;
     }
+
+    /**
+     * Compares the SHA1 hashes of two dependencies to determine if they are equal.
+     *
+     * @param dependency1 a dependency object to compare
+     * @param dependency2 a dependency object to compare
+     * @return true if the sha1 hashes of the two dependencies match; otherwise false
+     */
+    private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
+        if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
+            return false;
+        }
+        return dependency1.getSha1sum().equals(dependency2.getSha1sum());
+    }
+
+    /**
+     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
+     * dependency should be removed.
+     *
+     * @param dependency a dependency to check
+     * @param nextDependency another dependency to check
+     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
+     * otherwise false
+     */
+    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
+        final String mainName = dependency.getFileName().toLowerCase();
+        final String nextName = nextDependency.getFileName().toLowerCase();
+        if (mainName.endsWith(".jar") && nextName.endsWith("pom.xml")) {
+            return dependency.getIdentifiers().containsAll(nextDependency.getIdentifiers());
+        } else if (nextName.endsWith(".jar") && mainName.endsWith("pom.xml")) {
+            return nextDependency.getIdentifiers().containsAll(dependency.getIdentifiers());
+        }
+        return false;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -31,23 +30,19 @@ import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 
 /**
- * This analyzer attempts to remove some well known false positives -
- * specifically regarding the java runtime.
+ * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 
     //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
     /**
      * The name of the analyzer.
      */
@@ -57,15 +52,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
 
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
     /**
      * Returns the name of the analyzer.
      *
@@ -75,17 +61,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
@@ -97,13 +72,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     //</editor-fold>
 
     /**
-     * Analyzes the dependencies and removes bad/incorrect CPE associations
-     * based on various heuristics.
+     * Analyzes the dependencies and removes bad/incorrect CPE associations based on various heuristics.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -115,15 +88,17 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * <p>Intended to remove spurious CPE entries. By spurious we mean
-     * duplicate, less specific CPE entries.</p>
-     * <p>Example:</p>
+     * <p>
+     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
+     * <p>
+     * Example:</p>
      * <code>
      * cpe:/a:some-vendor:some-product
      * cpe:/a:some-vendor:some-product:1.5
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
-     * <p>Should be trimmed to:</p>
+     * <p>
+     * Should be trimmed to:</p>
      * <code>
      * cpe:/a:some-vendor:some-product:1.5.2
      * </code>
@@ -178,8 +153,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         }
     }
     /**
-     * Regex to identify core java libraries and a few other commonly
-     * misidentified ones.
+     * Regex to identify core java libraries and a few other commonly misidentified ones.
      */
     public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
             + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
@@ -190,8 +164,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
 
     /**
-     * Removes any CPE entries for the JDK/JRE unless the filename ends with
-     * rt.jar
+     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
      *
      * @param dependency the dependency to remove JRE CPEs from
      */
@@ -251,9 +224,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * Removes bad CPE matches for a dependency. Unfortunately, right now these
-     * are hard-coded patches for specific problems identified when testing this
-     * on a LARGE volume of jar files.
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
+     * problems identified when testing this on a LARGE volume of jar files.
      *
      * @param dependency the dependency to analyze
      */
@@ -266,10 +238,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
          * found based on LOW confidence evidence should have a different CPE type? (this
          * might be a better solution then just removing the URL for "best-guess" matches).
          */
-
         //Set<Evidence> groupId = dependency.getVendorEvidence().getEvidence("pom", "groupid");
         //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
-
         while (itr.hasNext()) {
             final Identifier i = itr.next();
             //TODO move this startswith expression to a configuration file?
@@ -283,19 +253,25 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                         || i.getValue().startsWith("cpe:/a:cvs:cvs")
                         || i.getValue().startsWith("cpe:/a:ftp:ftp")
                         || i.getValue().startsWith("cpe:/a:ssh:ssh"))
-                        && dependency.getFileName().toLowerCase().endsWith(".jar")) {
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
                     itr.remove();
                 } else if (i.getValue().startsWith("cpe:/a:apache:maven")
                         && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
                     itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:m-core:m-core")
+                        && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
+                    itr.remove();
+                } else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
+                        && !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
+                    itr.remove();
                 }
             }
         }
     }
 
     /**
-     * Removes CPE matches for the wrong version of a dependency. Currently,
-     * this only covers Axis 1 & 2.
+     * Removes CPE matches for the wrong version of a dependency. Currently, this only covers Axis 1 & 2.
      *
      * @param dependency the dependency to analyze
      */
@@ -328,9 +304,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     }
 
     /**
-     * There are some known CPE entries, specifically regarding sun and oracle
-     * products due to the acquisition and changes in product names, that based
-     * on given evidence we can add the related CPE entries to ensure a complete
+     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
+     * changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
      * list of CVE entries.
      *
      * @param dependency the dependency being analyzed

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -1,28 +1,27 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
@@ -43,19 +42,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
 
     /**
      * Returns the name of the analyzer.
@@ -66,17 +52,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
@@ -92,8 +67,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR file.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
@@ -111,23 +85,31 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
         //add version evidence
         final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
         if (version != null) {
+            // If the version number is just a number like 2 or 23, reduce the confidence
+            // a shade. This should hopefully correct for cases like log4j.jar or
+            // struts2-core.jar
+            if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
+                dependency.getVersionEvidence().addEvidence("file", "name",
+                        version.toString(), Confidence.MEDIUM);
+            } else {
+                dependency.getVersionEvidence().addEvidence("file", "name",
+                        version.toString(), Confidence.HIGHEST);
+            }
             dependency.getVersionEvidence().addEvidence("file", "name",
-                    version.toString(), Evidence.Confidence.HIGHEST);
-            dependency.getVersionEvidence().addEvidence("file", "name",
-                    fileName, Evidence.Confidence.MEDIUM);
+                    fileName, Confidence.MEDIUM);
         }
 
         //add as vendor and product evidence
         if (fileName.contains("-")) {
             dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Evidence.Confidence.HIGHEST);
+                    fileName, Confidence.HIGHEST);
             dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Evidence.Confidence.HIGHEST);
+                    fileName, Confidence.HIGHEST);
         } else {
             dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Evidence.Confidence.HIGH);
+                    fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Evidence.Confidence.HIGH);
+                    fileName, Confidence.HIGH);
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java

@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An Analyzer that scans specific file types.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public interface FileTypeAnalyzer extends Analyzer {
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    boolean supportsExtension(String extension);
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -22,6 +21,8 @@ import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
@@ -40,88 +41,64 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
 
     /**
      * Returns the name of the analyzer.
      *
      * @return the name of the analyzer.
      */
+    @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
 
     /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional
-     * information to help in identification of identifiers or vulnerabilities.
+     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
+     * identifiers or vulnerabilities.
      *
      * @param dependency The dependency being analyzed
      * @param engine The scanning engine
-     * @throws AnalysisException is thrown if there is an exception analyzing
-     * the dependency.
+     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
      */
     @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         final Evidence springTest1 = new Evidence("Manifest",
                 "Implementation-Title",
                 "Spring Framework",
-                Evidence.Confidence.HIGH);
+                Confidence.HIGH);
 
         final Evidence springTest2 = new Evidence("Manifest",
                 "Implementation-Title",
                 "org.springframework.core",
-                Evidence.Confidence.HIGH);
+                Confidence.HIGH);
 
         final Evidence springTest3 = new Evidence("Manifest",
                 "Bundle-Vendor",
                 "SpringSource",
-                Evidence.Confidence.HIGH);
-
+                Confidence.HIGH);
 
         Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
         if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
 
         evidence = dependency.getVendorEvidence().getEvidence();
         if (evidence.contains(springTest3)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Evidence.Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Evidence.Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
         final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
@@ -139,6 +116,5 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
             dependency.getVendorEvidence().addEvidence(e);
         }
 
-
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -1,36 +1,48 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
+import java.io.BufferedReader;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.FileReader;
+import java.io.IOException;
 import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * Used to load a JAR file and collect information that can be used to determine
- * the associated CPE.
+ * Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
-public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
 
     //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
     /**
@@ -51,6 +63,7 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @return a list of file EXTENSIONS supported by this analyzer.
      */
+    @Override
     public Set<String> getSupportedExtensions() {
         return EXTENSIONS;
     }
@@ -60,63 +73,69 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
      *
      * @return the name of the analyzer.
      */
+    @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this
-     * analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
     /**
      * Returns the phase that the analyzer is intended to run in.
      *
      * @return the phase that the analyzer is intended to run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
     //</editor-fold>
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAVASCRIPT_ENABLED;
+    }
 
     /**
-     * Loads a specified JAR file and collects information from the manifest and
-     * checksums to identify the correct CPE information.
+     * Loads a specified JavaScript file and collects information from the copyright information contained within.
      *
      * @param dependency the dependency to analyze.
      * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR
-     * file.
+     * @throws AnalysisException is thrown if there is an error reading the JavaScript file.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)");
-
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        BufferedReader fin = null;;
+        try {
+            //  /\*([^\*][^/]|[\r\n\f])+?\*/
+            final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
+            File file = dependency.getActualFile();
+            fin = new BufferedReader(new FileReader(file));
+            StringBuilder sb = new StringBuilder(2000);
+            String text;
+            while ((text = fin.readLine()) != null) {
+                sb.append(text);
+            }
+        } catch (FileNotFoundException ex) {
+            final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
+            throw new AnalysisException(msg, ex);
+        } catch (IOException ex) {
+            LOGGER.log(Level.SEVERE, null, ex);
+        } finally {
+            if (fin != null) {
+                try {
+                    fin.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+        }
     }
 
-    /**
-     * The initialize method does nothing for this Analyzer.
-     *
-     * @throws Exception thrown if there is an exception
-     */
     @Override
-    public void initialize() throws Exception {
-        //do nothing
-    }
+    protected void initializeFileTypeAnalyzer() throws Exception {
 
-    /**
-     * The close method does nothing for this Analyzer.
-     *
-     * @throws Exception thrown if there is an exception
-     */
-    @Override
-    public void close() throws Exception {
-        //do nothing
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -1,20 +1,19 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
@@ -23,45 +22,44 @@ import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
+import java.util.logging.Level;
 import java.util.logging.Logger;
-
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency on a Nexus service
- * by SHA-1 digest of the dependency.
+ * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
  *
  * There are two settings which govern this behavior:
  *
  * <ul>
- *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
- * determines whether this analyzer is even enabled. This can be overridden by
- * setting the system property.</li>
- *   <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
- * the URL to a Nexus service to search by SHA-1. There is an expected <code>%s</code>
- * in this where the SHA-1 will get entered.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
+ * even enabled. This can be overridden by setting the system property.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
+ * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
  */
-public class NexusAnalyzer extends AbstractAnalyzer {
+public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
+
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
 
     /**
-     * The name of the analyzer
+     * The name of the analyzer.
      */
     private static final String ANALYZER_NAME = "Nexus Analyzer";
 
     /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
@@ -70,11 +68,6 @@ public class NexusAnalyzer extends AbstractAnalyzer {
      */
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
-    /**
-     * Whether this is actually enabled. Will get set during initialization
-     */
-    private boolean enabled = false;
-
     /**
      * The Nexus Search to be set up for this analyzer.
      */
@@ -83,21 +76,26 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
-     * @throws Exception if there's an error during initialization.
+     * @throws Exception if there's an error during initialization
      */
-    public void initialize() throws Exception {
-        enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
-
-        final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
-
-        if (enabled) {
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        LOGGER.fine("Initializing Nexus Analyzer");
+        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
+            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
+            LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
             try {
                 searcher = new NexusSearch(new URL(searchUrl));
+                if (!searcher.preflightRequest()) {
+                    LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
+                    setEnabled(false);
+                }
             } catch (MalformedURLException mue) {
                 // I know that initialize can throw an exception, but we'll
                 // just disable the analyzer if the URL isn't valid
-                LOGGER.warning(String.format("Property %s not a valid URL. Nexus searching disabled",
-                            searchUrl));
+                LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
+                setEnabled(false);
             }
         }
     }
@@ -107,15 +105,27 @@ public class NexusAnalyzer extends AbstractAnalyzer {
      *
      * @return the name of the analyzer
      */
+    @Override
     public String getName() {
         return ANALYZER_NAME;
     }
 
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
+    }
+
     /**
      * Returns the analysis phase under which the analyzer runs.
      *
      * @return the phase under which this analyzer runs
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
@@ -125,20 +135,11 @@ public class NexusAnalyzer extends AbstractAnalyzer {
      *
      * @return the extensions for which this Analyzer runs
      */
+    @Override
     public Set<String> getSupportedExtensions() {
         return SUPPORTED_EXTENSIONS;
     }
 
-    /**
-     * Determines whether the incoming extension is supported.
-     *
-     * @param extension the extension to check for support
-     * @return whether the extension is supported
-     */
-    public boolean supportsExtension(String extension) {
-        return SUPPORTED_EXTENSIONS.contains(extension);
-    }
-
     /**
      * Performs the analysis.
      *
@@ -146,37 +147,32 @@ public class NexusAnalyzer extends AbstractAnalyzer {
      * @param engine the engine
      * @throws AnalysisException when there's an exception during analysis
      */
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        // Make a quick exit if this analyzer is disabled
-        if (!enabled) {
-            return;
-        }
-
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(),
-                        Evidence.Confidence.HIGH);
+                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
             }
             if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(),
-                        Evidence.Confidence.HIGH);
+                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
             }
             if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(),
-                        Evidence.Confidence.HIGH);
+                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
             }
             if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl());
+                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
             }
         } catch (IllegalArgumentException iae) {
-            dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
+            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
+            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
         } catch (FileNotFoundException fnfe) {
-            dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
+            //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
+            LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
+            LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
         } catch (IOException ioe) {
-            dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
+            //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
+            LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
         }
     }
 }
-
-// vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -0,0 +1,156 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nuget.NugetPackage;
+import org.owasp.dependencycheck.data.nuget.NuspecParseException;
+import org.owasp.dependencycheck.data.nuget.NuspecParser;
+import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will parse a Nuspec file to gather module information.
+ *
+ * @author colezlaw
+ */
+public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Nuspec Analyzer";
+
+    /**
+     * The phase in which the analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("nuspec");
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which this analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.log(Level.FINE, "Checking Nuspec file {0}", dependency.toString());
+        try {
+            final NuspecParser parser = new XPathNuspecParser();
+            NugetPackage np = null;
+            FileInputStream fis = null;
+            try {
+                fis = new FileInputStream(dependency.getActualFilePath());
+                np = parser.parse(fis);
+            } catch (NuspecParseException ex) {
+                throw new AnalysisException(ex);
+            } catch (FileNotFoundException ex) {
+                throw new AnalysisException(ex);
+            } finally {
+                if (fis != null) {
+                    try {
+                        fis.close();
+                    } catch (IOException e) {
+                        LOGGER.fine("Error closing input stream");
+                    }
+                }
+            }
+
+            if (np.getOwners() != null) {
+                dependency.getVendorEvidence().addEvidence("nuspec", "owners", np.getOwners(), Confidence.HIGHEST);
+            }
+            dependency.getVendorEvidence().addEvidence("nuspec", "authors", np.getAuthors(), Confidence.HIGH);
+            dependency.getVersionEvidence().addEvidence("nuspec", "version", np.getVersion(), Confidence.HIGHEST);
+            dependency.getProductEvidence().addEvidence("nuspec", "id", np.getId(), Confidence.HIGHEST);
+            if (np.getTitle() != null) {
+                dependency.getProductEvidence().addEvidence("nuspec", "title", np.getTitle(), Confidence.MEDIUM);
+            }
+        } catch (Throwable e) {
+            throw new AnalysisException(e);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,18 +20,17 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Vulnerability;
-import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 
 /**
- * NvdCveAnalyzer is a utility class that takes a project dependency and
- * attempts to discern if there is an associated CVEs. It uses the the
- * identifiers found by other analyzers to lookup the CVE data.
+ * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
+ * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -53,8 +51,7 @@ public class NvdCveAnalyzer implements Analyzer {
      * @throws SQLException thrown when there is a SQL Exception
      * @throws IOException thrown when there is an IO Exception
      * @throws DatabaseException thrown when there is a database exceptions
-     * @throws ClassNotFoundException thrown if the h2 database driver cannot be
-     * loaded
+     * @throws ClassNotFoundException thrown if the h2 database driver cannot be loaded
      */
     public void open() throws SQLException, IOException, DatabaseException, ClassNotFoundException {
         cveDB = new CveDB();
@@ -64,6 +61,7 @@ public class NvdCveAnalyzer implements Analyzer {
     /**
      * Closes the data source.
      */
+    @Override
     public void close() {
         cveDB.close();
         cveDB = null;
@@ -92,14 +90,13 @@ public class NvdCveAnalyzer implements Analyzer {
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE
-     * identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the
-     * dependency
+     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
      */
+    @Override
     public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         for (Identifier id : dependency.getIdentifiers()) {
             if ("cpe".equals(id.getType())) {
@@ -114,48 +111,32 @@ public class NvdCveAnalyzer implements Analyzer {
         }
     }
 
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    public Set<String> getSupportedExtensions() {
-        return null;
-    }
-
     /**
      * Returns the name of this analyzer.
      *
      * @return the name of this analyzer.
      */
+    @Override
     public String getName() {
         return "NVD CVE Analyzer";
     }
 
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
     /**
      * Returns the analysis phase that this analyzer should run in.
      *
      * @return the analysis phase that this analyzer should run in.
      */
+    @Override
     public AnalysisPhase getAnalysisPhase() {
         return AnalysisPhase.FINDING_ANALYSIS;
     }
 
     /**
-     * Opens the NVD CVE Lucene Index.
+     * Opens the database used to gather NVD CVE data.
      *
      * @throws Exception is thrown if there is an issue opening the index.
      */
+    @Override
     public void initialize() throws Exception {
         this.open();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -1,31 +1,30 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.analyzer;
 
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
 
 /**
- * The suppression analyzer processes an externally defined XML document that
- * complies with the suppressions.xsd schema. Any identified Vulnerability
- * entries within the dependencies that match will be removed.
+ * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
+ * Any identified Vulnerability entries within the dependencies that match will be removed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java

@@ -1,22 +1,21 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.analyzer;
+package org.owasp.dependencycheck.analyzer.exception;
 
 /**
  * An exception thrown when the analysis of a dependency fails.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java

@@ -1,22 +1,21 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.analyzer;
+package org.owasp.dependencycheck.analyzer.exception;
 
 /**
  * An exception thrown when files in an archive cannot be extracted.

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java

@@ -0,0 +1,12 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.analyzer.exception</title>
+ * </head>
+ * <body>
+ * <p>
+ * A collection of exception classes used within the analyzers.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.analyzer.exception;

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectoryLockException.java

@@ -1,67 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.concurrency;
-
-/**
- * If thrown, indicates that a problem occurred when locking a directory.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- */
-public class DirectoryLockException extends Exception {
-
-    /**
-     * Default serial version UID.
-     */
-    private static final long serialVersionUID = 1L;
-
-    /**
-     * Constructs a new Directory Lock Exception.
-     */
-    public DirectoryLockException() {
-        super();
-    }
-
-    /**
-     * Constructs a new Directory Lock Exception.
-     *
-     * @param msg the message describing the exception
-     */
-    public DirectoryLockException(String msg) {
-        super(msg);
-    }
-
-    /**
-     * Constructs a new Directory Lock Exception.
-     *
-     * @param ex the cause of the exception
-     */
-    public DirectoryLockException(Throwable ex) {
-        super(ex);
-    }
-
-    /**
-     * Constructs a new Directory Lock Exception.
-     *
-     * @param msg the message describing the exception
-     * @param ex the cause of the exception
-     */
-    public DirectoryLockException(String msg, Throwable ex) {
-        super(msg, ex);
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/DirectorySpinLock.java

@@ -1,267 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.concurrency;
-
-import java.io.Closeable;
-import java.io.File;
-import java.io.FileNotFoundException;
-import java.io.IOException;
-import java.io.RandomAccessFile;
-import java.nio.channels.AsynchronousCloseException;
-import java.nio.channels.ClosedChannelException;
-import java.nio.channels.FileChannel;
-import java.nio.channels.FileLock;
-import java.nio.channels.FileLockInterruptionException;
-import java.nio.channels.NonWritableChannelException;
-import java.nio.channels.OverlappingFileLockException;
-import java.util.logging.Level;
-import java.util.logging.Logger;
-
-/**
- * Implements a spin lock on a given directory. If the lock cannot be obtained,
- * the process will "spin" waiting for an opportunity to obtain the lock
- * requested.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- */
-public class DirectorySpinLock implements Closeable /*, AutoCloseable*/ {
-
-    /**
-     * The name of the lock file.
-     */
-    public static final String LOCK_NAME = "data.lock";
-    /**
-     * The maximum wait period used when attempting to obtain a lock.
-     */
-    public static final int MAX_SPIN = 100;
-    /**
-     * The file channel used to perform the lock.
-     */
-    private FileChannel channel = null;
-    /**
-     * The file used to perform the lock.
-     */
-    private File lockFile = null;
-    /**
-     * The lock object.
-     */
-    private FileLock lock = null;
-    /**
-     * The maximum number of seconds that the spin lock will wait while trying
-     * to obtain a lock.
-     */
-    private long maxWait = MAX_SPIN;
-
-    /**
-     * Get the maximum wait time, in seconds, that the spin lock will wait while
-     * trying to obtain a lock.
-     *
-     * @return the number of seconds the spin lock will wait
-     */
-    public long getMaxWait() {
-        return maxWait / 2; //sleep is for 500, so / 2
-    }
-
-    /**
-     * Set the maximum wait time, in seconds, that the spin lock will wait while
-     * trying to obtain a lock.
-     *
-     * @param maxWait the number of seconds the spin lock will wait
-     */
-    public void setMaxWait(long maxWait) {
-        this.maxWait = maxWait * 2; //sleep is for 500, so * 2
-    }
-
-    /**
-     * Constructs a new spin lock on the given directory.
-     *
-     * @param directory the directory to monitor/lock
-     * @throws InvalidDirectoryException thrown if there is an issue with the
-     * directory provided
-     * @throws DirectoryLockException thrown there is an issue obtaining a
-     * handle to the lock file
-     */
-    public DirectorySpinLock(File directory) throws InvalidDirectoryException, DirectoryLockException {
-        checkDirectory(directory);
-        lockFile = new File(directory, LOCK_NAME);
-        RandomAccessFile file = null;
-        try {
-            file = new RandomAccessFile(lockFile, "rw");
-        } catch (FileNotFoundException ex) {
-            throw new DirectoryLockException("Lock file not found", ex);
-        }
-        channel = file.getChannel();
-    }
-
-    /**
-     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
-     * could not be obtained. This method may block for a few seconds if a lock
-     * cannot be obtained.
-     *
-     * @throws DirectoryLockException thrown if there is an exception obtaining
-     * the lock
-     */
-    public void obtainSharedLock() throws DirectoryLockException {
-        obtainLock(true);
-    }
-
-    /**
-     * Attempts to obtain an exclusive lock; an exception is thrown if the lock
-     * could not be obtained. This method may block for a few seconds if a lock
-     * cannot be obtained.
-     *
-     * @throws DirectoryLockException thrown if there is an exception obtaining
-     * the lock
-     */
-    public void obtainExclusiveLock() throws DirectoryLockException {
-        obtainLock(false);
-    }
-
-    /**
-     * Attempts to obtain a lock; an exception is thrown if the lock could not
-     * be obtained. This method may block for a few seconds if a lock cannot be
-     * obtained.
-     *
-     * @param shared true if the lock is shared, otherwise false
-     * @param maxWait the maximum time to wait, in seconds, while trying to
-     * obtain the lock
-     * @throws DirectoryLockException thrown if there is an exception obtaining
-     * the lock
-     */
-    protected void obtainLock(boolean shared, long maxWait) throws DirectoryLockException {
-        setMaxWait(maxWait);
-        obtainLock(shared);
-    }
-
-    /**
-     * Attempts to obtain a lock; an exception is thrown if the lock could not
-     * be obtained. This method may block for a few seconds if a lock cannot be
-     * obtained.
-     *
-     * @param shared true if the lock is shared, otherwise false
-     * @throws DirectoryLockException thrown if there is an exception obtaining
-     * the lock
-     */
-    protected void obtainLock(boolean shared) throws DirectoryLockException {
-        if (lock != null) {
-            release();
-        }
-        if (channel == null) {
-            throw new DirectoryLockException("Unable to create lock, no file channel exists");
-        }
-        int count = 0;
-        Exception lastException = null;
-        while (lock == null && count++ < maxWait) {
-            try {
-                lock = channel.lock(0, Long.MAX_VALUE, shared);
-            } catch (AsynchronousCloseException ex) {
-                lastException = ex;
-            } catch (ClosedChannelException ex) {
-                lastException = ex;
-            } catch (FileLockInterruptionException ex) {
-                lastException = ex;
-            } catch (OverlappingFileLockException ex) {
-                lastException = ex;
-            } catch (NonWritableChannelException ex) {
-                lastException = ex;
-            } catch (IOException ex) {
-                lastException = ex;
-            }
-            try {
-                Thread.sleep(500);
-            } catch (InterruptedException ex) {
-                Thread.currentThread().interrupt();
-            }
-        }
-        if (lock == null) {
-            if (lastException == null) {
-                throw new DirectoryLockException("Unable to obtain lock");
-            } else {
-                throw new DirectoryLockException("Unable to obtain lock", lastException);
-            }
-        }
-    }
-
-    /**
-     * Performs a few simple rudimentary checks on the specified directory.
-     * Specifically, does the file exist and is it a directory.
-     *
-     * @param directory the File object to inspect
-     * @throws InvalidDirectoryException thrown if the directory is null or is
-     * not a directory
-     */
-    private void checkDirectory(File directory) throws InvalidDirectoryException {
-        if (directory == null) {
-            throw new InvalidDirectoryException("Unable to obtain lock on a null File");
-        }
-        if (!directory.isDirectory()) {
-            final String msg = String.format("File, '%s', does not exist or is not a directory", directory.getAbsolutePath());
-            throw new InvalidDirectoryException(msg);
-        }
-    }
-
-    /**
-     * Releases any locks and closes the underlying channel.
-     *
-     * @throws IOException if an IO Exception occurs
-     */
-    @Override
-    public void close() throws IOException {
-        release();
-// TODO uncomment this once support for 1.6 is dropped.
-//        if (lock != null) {
-//            try {
-//                lock.close();
-//            } catch (IOException ex) {
-//                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to close file lock due to IO Exception", ex);
-//            }
-//        }
-        if (channel != null) {
-            try {
-                channel.close();
-            } catch (IOException ex) {
-                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to close the channel for the file lock", ex);
-            }
-        }
-        if (lockFile != null) {
-            if (lockFile.exists()) {
-                /* yes, this delete could fail which is totally fine. The other
-                 * thread holding the lock while delete it.
-                 */
-                lockFile.delete();
-            }
-        }
-    }
-
-    /**
-     * Releases the lock. Any exceptions that are thrown by the underlying lock
-     * during the release are ignored.
-     */
-    public void release() {
-        if (lock != null) {
-            try {
-                lock.release();
-            } catch (ClosedChannelException ex) {
-                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to release file lock", ex);
-            } catch (IOException ex) {
-                Logger.getLogger(DirectorySpinLock.class.getName()).log(Level.FINEST, "Unable to release file lock due to IO Exception", ex);
-            }
-        }
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/InvalidDirectoryException.java

@@ -1,67 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
- *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
- *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
- *
- * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.concurrency;
-
-/**
- * If thrown, indicates that there is a problem with a directory.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- */
-public class InvalidDirectoryException extends Exception {
-
-    /**
-     * Default serial version UID.
-     */
-    private static final long serialVersionUID = 1L;
-
-    /**
-     * Constructs a new Invalid Directory Exception.
-     */
-    public InvalidDirectoryException() {
-        super();
-    }
-
-    /**
-     * Constructs a new Invalid Directory Exception.
-     *
-     * @param msg the message describing the exception
-     */
-    public InvalidDirectoryException(String msg) {
-        super(msg);
-    }
-
-    /**
-     * Constructs a new Invalid Directory Exception.
-     *
-     * @param ex the cause of the exception
-     */
-    public InvalidDirectoryException(Throwable ex) {
-        super(ex);
-    }
-
-    /**
-     * Constructs a new Invalid Directory Exception.
-     *
-     * @param msg the message describing the exception
-     * @param ex the cause of the exception
-     */
-    public InvalidDirectoryException(String msg, Throwable ex) {
-        super(msg, ex);
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/concurrency/package-info.java

@@ -1,11 +0,0 @@
-/**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.concurrency</title>
- * </head>
- * <body>
- * Contains classes used to create shared and exclusive locks on directories.
- * </body>
- * </html>
- */
-package org.owasp.dependencycheck.concurrency;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -1,28 +1,26 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.cpe;
 
 import java.io.IOException;
-import java.sql.ResultSet;
-import java.sql.SQLException;
 import java.util.HashMap;
 import java.util.Map;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.lucene.analysis.Analyzer;
@@ -41,15 +39,17 @@ import org.apache.lucene.queryparser.classic.QueryParser;
 import org.apache.lucene.search.IndexSearcher;
 import org.apache.lucene.search.Query;
 import org.apache.lucene.search.TopDocs;
-import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.apache.lucene.store.RAMDirectory;
+import org.owasp.dependencycheck.data.lucene.FieldAnalyzer;
 import org.owasp.dependencycheck.data.lucene.LuceneUtils;
 import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.utils.Pair;
 
 /**
- * An in memory lucene index that contains the vendor/product combinations from
- * the CPE (application) identifiers within the NVD CVE data.
+ * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
+ * the NVD CVE data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -211,7 +211,7 @@ public final class CpeMemoryIndex {
     }
 
     /**
-     * Builds the lucene index based off of the data within the CveDB.
+     * Builds the CPE Lucene Index based off of the data within the CveDB.
      *
      * @param cve the data base containing the CPE data
      * @throws IndexException thrown if there is an issue creating the index
@@ -223,15 +223,12 @@ public final class CpeMemoryIndex {
             analyzer = createIndexingAnalyzer();
             final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
             indexWriter = new IndexWriter(index, conf);
-            final ResultSet rs = cve.getVendorProductList();
-            if (rs == null) {
-                throw new IndexException("No data exists");
-            }
             try {
-                while (rs.next()) {
-                    saveEntry(rs.getString(1), rs.getString(2), indexWriter);
+                final Set<Pair<String, String>> data = cve.getVendorProductList();
+                for (Pair<String, String> pair : data) {
+                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
                 }
-            } catch (SQLException ex) {
+            } catch (DatabaseException ex) {
                 Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
                 throw new IndexException("Error reading CPE data", ex);
             }
@@ -278,8 +275,7 @@ public final class CpeMemoryIndex {
      * @param maxQueryResults the maximum number of documents to return
      * @return the TopDocs found by the search
      * @throws ParseException thrown when the searchString is invalid
-     * @throws IOException is thrown if there is an issue with the underlying
-     * Index
+     * @throws IOException is thrown if there is an issue with the underlying Index
      */
     public TopDocs search(String searchString, int maxQueryResults) throws ParseException, IOException {
         if (searchString == null || searchString.trim().isEmpty()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -1,26 +1,24 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.cpe;
 
 /**
- * Fields is a collection of field names used within the Lucene index for CPE
- * entries.
+ * Fields is a collection of field names used within the Lucene index for CPE entries.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -126,16 +125,18 @@ public class IndexEntry implements Serializable {
     }
 
     /**
-     * <p>Parses a name attribute value, from the cpe.xml, into its
-     * corresponding parts: vendor, product.</p>
-     * <p>Example:</p>
+     * <p>
+     * Parses a name attribute value, from the cpe.xml, into its corresponding parts: vendor, product.</p>
+     * <p>
+     * Example:</p>
      * <code>nbsp;nbsp;nbsp;cpe:/a:apache:struts:1.1:rc2</code>
      *
-     * <p>Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
+     * <p>
+     * Results in:</p> <ul> <li>Vendor: apache</li> <li>Product: struts</li>
      * </ul>
-     * <p>If it is necessary to parse the CPE into more parts (i.e. to include
-     * version and revision) then you should use the
-     * {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
+     * <p>
+     * If it is necessary to parse the CPE into more parts (i.e. to include version and revision) then you should use
+     * the {@link org.owasp.dependencycheck.dependency.VulnerableSoftware#parseName VulnerableSoftware.parseName()}.
      *
      * @param cpeName the cpe name
      * @throws UnsupportedEncodingException should never be thrown...

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -73,7 +72,8 @@ public final class CweDB {
     }
 
     /**
-     * <p>Returns the full CWE name from the CWE ID.</p>
+     * <p>
+     * Returns the full CWE name from the CWE ID.</p>
      *
      * @param cweId the CWE ID
      * @return the full name of the CWE

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -24,8 +23,7 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * An abstract tokenizing filter that can be used as the base for a tokenizing
- * filter.
+ * An abstract tokenizing filter that can be used as the base for a tokenizing filter.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AlphaNumericTokenizer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -23,8 +22,7 @@ import org.apache.lucene.analysis.util.CharTokenizer;
 import org.apache.lucene.util.Version;
 
 /**
- * Tokenizes the input breaking it into tokens when non-alpha/numeric characters
- * are found.
+ * Tokenizes the input breaking it into tokens when non-alpha/numeric characters are found.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -32,12 +31,10 @@ public class DependencySimilarity extends DefaultSimilarity {
     private static final long serialVersionUID = 1L;
 
     /**
-     * <p>Override the default idf implementation so that frequency within all
-     * document is ignored.</p>
+     * <p>
+     * Override the default idf implementation so that frequency within all document is ignored.</p>
      *
-     * See <a
-     * href="http://www.lucenetutorial.com/advanced-topics/scoring.html">this
-     * article</a> for more details.
+     * See <a href="http://www.lucenetutorial.com/advanced-topics/scoring.html">this article</a> for more details.
      *
      * @param docFreq - the number of documents which contain the term
      * @param numDocs - the total number of documents in the collection

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -29,9 +28,9 @@ import org.apache.lucene.analysis.miscellaneous.WordDelimiterFilter;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>A Lucene Analyzer that utilizes the WhitespaceTokenizer,
- * WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended purpose of
- * this Analyzer is to index the CPE fields vendor and product.</p>
+ * <p>
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
+ * intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,16 +20,16 @@ package org.owasp.dependencycheck.data.lucene;
 import org.apache.lucene.util.Version;
 
 /**
- * <p>Lucene utils is a set of utilize written to make constructing Lucene
- * queries simpler.</p>
+ * <p>
+ * Lucene utils is a set of utilize written to make constructing Lucene queries simpler.</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public final class LuceneUtils {
 
     /**
-     * The current version of Lucene being used. Declaring this one place so an
-     * upgrade doesn't require hunting through the code base.
+     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
+     * the code base.
      */
     public static final Version CURRENT_VERSION = Version.LUCENE_45;
 
@@ -41,8 +40,7 @@ public final class LuceneUtils {
     }
 
     /**
-     * Appends the text to the supplied StringBuilder escaping Lucene control
-     * characters in the process.
+     * Appends the text to the supplied StringBuilder escaping Lucene control characters in the process.
      *
      * @param buf a StringBuilder to append the escaped text to
      * @param text the data to be escaped
@@ -88,8 +86,7 @@ public final class LuceneUtils {
     }
 
     /**
-     * Escapes the text passed in so that it is treated as data instead of
-     * control characters.
+     * Escapes the text passed in so that it is treated as data instead of control characters.
      *
      * @param text data to be escaped
      * @return the escaped text.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -40,8 +39,8 @@ public class SearchFieldAnalyzer extends Analyzer {
      */
     private final Version version;
     /**
-     * A local reference to the TokenPairConcatenatingFilter so that we can
-     * clear any left over state if this analyzer is re-used.
+     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
+     * is re-used.
      */
     private TokenPairConcatenatingFilter concatenatingFilter;
 
@@ -85,10 +84,11 @@ public class SearchFieldAnalyzer extends Analyzer {
     }
 
     /**
-     * <p>Resets the analyzer and clears any internal state data that may have
-     * been left-over from previous uses of the analyzer.</p>
-     * <p><b>If this analyzer is re-used this method must be called between
-     * uses.</b></p>
+     * <p>
+     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
+     * analyzer.</p>
+     * <p>
+     * <b>If this analyzer is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
         if (concatenatingFilter != null) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -27,8 +26,7 @@ import org.apache.lucene.analysis.core.WhitespaceTokenizer;
 import org.apache.lucene.util.Version;
 
 /**
- * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version
- * information.
+ * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  * @deprecated version information is no longer stored in lucene

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -25,10 +24,10 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * <p>Takes a TokenStream and adds additional tokens by concatenating pairs of
- * words.</p>
- * <p><b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework
- * Framework FrameworkCore Core".</p>
+ * <p>
+ * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
+ * <p>
+ * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -76,9 +75,8 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
-     * construct an expanded set of tokens by concatenating tokens with the
-     * previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -113,10 +111,11 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
     }
 
     /**
-     * <p>Resets the Filter and clears any internal state data that may have
-     * been left-over from previous uses of the Filter.</p>
-     * <p><b>If this Filter is re-used this method must be called between
-     * uses.</b></p>
+     * <p>
+     * Resets the Filter and clears any internal state data that may have been left-over from previous uses of the
+     * Filter.</p>
+     * <p>
+     * <b>If this Filter is re-used this method must be called between uses.</b></p>
      */
     public void clear() {
         previousWord = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -29,10 +28,10 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 
 /**
- * <p>Takes a TokenStream and splits or adds tokens to correctly index version
- * numbers.</p>
- * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
- * 3.0.0.RELEASE".</p>
+ * <p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
+ * <p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -48,9 +47,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
-     * construct an expanded set of tokens by concatenating tokens with the
-     * previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -69,7 +67,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
                             final List<String> data = UrlStringUtils.extractImportantUrlData(part);
                             tokens.addAll(data);
                         } catch (MalformedURLException ex) {
-                            Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.INFO, "error parsing " + part, ex);
+                            Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
                             tokens.add(part);
                         }
                     } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -24,10 +23,10 @@ import org.apache.lucene.analysis.TokenStream;
 import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 
 /**
- * <p>Takes a TokenStream and splits or adds tokens to correctly index version
- * numbers.</p>
- * <p><b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE
- * 3.0.0.RELEASE".</p>
+ * <p>
+ * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
+ * <p>
+ * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  * @deprecated version information is no longer stored in lucene
@@ -45,9 +44,8 @@ public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to
-     * construct an expanded set of tokens by concatenating tokens with the
-     * previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * concatenating tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs
@@ -69,13 +67,13 @@ public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * <p>Analyzes the version and adds several copies of the version as
-     * different tokens. For example, the version 1.2.7 would create the tokens
-     * 1 1.2 1.2.7. This is useful in discovering the correct version -
-     * sometimes a maintenance or build number will throw off the version
-     * identification.</p>
+     * <p>
+     * Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
+     * would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
+     * or build number will throw off the version identification.</p>
      *
-     * <p>expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
+     * <p>
+     * expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
      *
      * @param version the version to analyze
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -1,20 +1,19 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nexus;
 
@@ -24,6 +23,7 @@ package org.owasp.dependencycheck.data.nexus;
  * @author colezlaw
  */
 public class MavenArtifact {
+
     /**
      * The groupId
      */
@@ -40,12 +40,10 @@ public class MavenArtifact {
     private String version;
 
     /**
-     * The artifact url. This may change depending on which Nexus
-     * server the search took place.
+     * The artifact url. This may change depending on which Nexus server the search took place.
      */
     private String artifactUrl;
 
-
     /**
      * Creates an empty MavenArtifact.
      */
@@ -95,42 +93,54 @@ public class MavenArtifact {
      *
      * @param groupId the groupId
      */
-    public void setGroupId(String groupId) { this.groupId = groupId; }
+    public void setGroupId(String groupId) {
+        this.groupId = groupId;
+    }
 
     /**
      * Gets the groupId.
      *
      * @return the groupId
      */
-    public String getGroupId() { return groupId; }
+    public String getGroupId() {
+        return groupId;
+    }
 
     /**
      * Sets the artifactId.
      *
      * @param artifactId the artifactId
      */
-    public void setArtifactId(String artifactId) { this.artifactId = artifactId; }
+    public void setArtifactId(String artifactId) {
+        this.artifactId = artifactId;
+    }
 
     /**
      * Gets the artifactId.
      *
      * @return the artifactId
      */
-    public String getArtifactId() { return artifactId; }
+    public String getArtifactId() {
+        return artifactId;
+    }
 
     /**
      * Sets the version.
      *
      * @param version the version
      */
-    public void setVersion(String version) { this.version = version; }
+    public void setVersion(String version) {
+        this.version = version;
+    }
 
     /**
      * Gets the version.
      *
      * @return the version
      */
-    public String getVersion() { return version; }
+    public String getVersion() {
+        return version;
+    }
 
     /**
      * Sets the artifactUrl.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -1,32 +1,36 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nexus;
 
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.HttpURLConnection;
 import java.net.URL;
 import java.net.URLConnection;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.w3c.dom.Document;
 
 /**
@@ -35,46 +39,72 @@ import org.w3c.dom.Document;
  * @author colezlaw
  */
 public class NexusSearch {
+
     /**
      * The root URL for the Nexus repository service
      */
     private final URL rootURL;
 
+    /**
+     * Whether to use the Proxy when making requests
+     */
+    private boolean useProxy;
+
     /**
      * Used for logging.
      */
-    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class
+            .getName());
 
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the root URL of the repository on which searches should execute.
-     *        full URL's are calculated relative to this URL, so it should end with a /
+     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
+     * relative to this URL, so it should end with a /
      */
     public NexusSearch(URL rootURL) {
         this.rootURL = rootURL;
+        try {
+            if (null != Settings.getString(Settings.KEYS.PROXY_URL)
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
+                useProxy = true;
+                LOGGER.fine("Using proxy");
+            } else {
+                useProxy = false;
+                LOGGER.fine("Not using proxy");
+            }
+        } catch (InvalidSettingException ise) {
+            useProxy = false;
+        }
     }
 
     /**
-     * Searches the configured Nexus repository for the given sha1
-     * hash. If the artifact is found, a <code>MavenArtifact</code> is populated
-     * with the coordinate information.
+     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
+     * <code>MavenArtifact</code> is populated with the coordinate information.
      *
      * @param sha1 The SHA-1 hash string for which to search
      * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repositor or
-     *         if the specified artifact is not found.
+     * @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
+     * found.
      */
     public MavenArtifact searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
             throw new IllegalArgumentException("Invalid SHA1 format");
         }
 
-        final URL url = new URL(rootURL, String.format("identify/sha1/%s", sha1.toLowerCase()));
+        final URL url = new URL(rootURL, String.format("identify/sha1/%s",
+                sha1.toLowerCase()));
 
         LOGGER.fine(String.format("Searching Nexus url %s", url.toString()));
 
-        final URLConnection conn = url.openConnection();
+        // Determine if we need to use a proxy. The rules:
+        // 1) If the proxy is set, AND the setting is set to true, use the proxy
+        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
+        // or proxy is specifically
+        // set to false
+        URLConnection conn = null;
+        conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+
         conn.setDoOutput(true);
 
         // JSON would be more elegant, but there's not currently a dependency
@@ -83,23 +113,64 @@ public class NexusSearch {
         conn.connect();
 
         try {
-            final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            final DocumentBuilder builder = DocumentBuilderFactory
+                    .newInstance().newDocumentBuilder();
             final Document doc = builder.parse(conn.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
-            final String groupId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/groupId", doc);
-            final String artifactId = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactId", doc);
-            final String version = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/version", doc);
-            final String link = xpath.evaluate("/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink", doc);
+            final String groupId = xpath
+                    .evaluate(
+                            "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
+                            doc);
+            final String artifactId = xpath.evaluate(
+                    "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
+                    doc);
+            final String version = xpath
+                    .evaluate(
+                            "/org.sonatype.nexus.rest.model.NexusArtifact/version",
+                            doc);
+            final String link = xpath
+                    .evaluate(
+                            "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
+                            doc);
             return new MavenArtifact(groupId, artifactId, version, link);
         } catch (FileNotFoundException fnfe) {
-            // This is what we get when the SHA1 they sent doesn't exist in Nexus. This
-            // is useful upstream for recovery, so we just re-throw it
+            /* This is what we get when the SHA1 they sent doesn't exist in
+             * Nexus. This is useful upstream for recovery, so we just re-throw it
+             */
             throw fnfe;
-        } catch (Exception e) {
-            // Anything else is jacked-up XML stuff that we really can't recover from well
+        } catch (Throwable e) {
+            // Anything else is jacked-up XML stuff that we really can't recover
+            // from well
             throw new IOException(e.getMessage(), e);
         }
     }
+
+    /**
+     * Do a preflight request to see if the repository is actually working.
+     *
+     * @return whether the repository is listening and returns the /status URL correctly
+     */
+    public boolean preflightRequest() {
+        try {
+            final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
+            conn.addRequestProperty("Accept", "application/xml");
+            conn.connect();
+            if (conn.getResponseCode() != 200) {
+                LOGGER.log(Level.WARNING, "Expected 200 result from Nexus, got {0}", conn.getResponseCode());
+                return false;
+            }
+            final DocumentBuilder builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
+            final Document doc = builder.parse(conn.getInputStream());
+            if (!"status".equals(doc.getDocumentElement().getNodeName())) {
+                LOGGER.log(Level.WARNING, "Expected root node name of status, got {0}", doc.getDocumentElement().getNodeName());
+                return false;
+            }
+        } catch (Throwable e) {
+            return false;
+        }
+
+        return true;
+    }
 }
 
 // vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -4,9 +4,11 @@
  * <title>org.owasp.dependencycheck.data.nexus</title>
  * </head>
  * <body>
- * <p>Contains classes related to searching a Nexus repository.</p>
- * <p>These are used to abstract Nexus searching away from
- * OWASP Dependency Check so they can be reused elsewhere.</p>
+ * <p>
+ * Contains classes related to searching a Nexus repository.</p>
+ * <p>
+ * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
  * </body>
  * </html>
  */
+package org.owasp.dependencycheck.data.nexus;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NugetPackage.java

@@ -0,0 +1,186 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+/**
+ * Represents the contents of a Nuspec manifest.
+ *
+ * @author colezlaw
+ */
+public class NugetPackage {
+    /**
+     * The id.
+     */
+    private String id;
+
+    /**
+     * The version.
+     */
+    private String version;
+
+    /**
+     * The title.
+     */
+    private String title;
+
+    /**
+     * The authors.
+     */
+    private String authors;
+
+    /**
+     * The owners.
+     */
+    private String owners;
+
+    /**
+     * The licenseUrl.
+     */
+    private String licenseUrl;
+
+    /**
+     * Creates an empty NugetPackage.
+     */
+    public NugetPackage() {
+    }
+
+    /**
+     * Sets the id.
+     * @param id the id
+     */
+    public void setId(String id) {
+        this.id = id;
+    }
+
+    /**
+     * Gets the id.
+     * @return the id
+     */
+    public String getId() {
+        return id;
+    }
+
+    /**
+     * Sets the version.
+     * @param version the version
+     */
+    public void setVersion(String version) {
+        this.version = version;
+    }
+
+    /**
+     * Gets the version.
+     * @return the version
+     */
+    public String getVersion() {
+        return version;
+    }
+
+    /**
+     * Sets the title.
+     * @param title the title
+     */
+    public void setTitle(String title) {
+        this.title = title;
+    }
+
+    /**
+     * Gets the title.
+     * @return the title
+     */
+    public String getTitle() {
+        return title;
+    }
+
+    /**
+     * Sets the authors.
+     * @param authors the authors
+     */
+    public void setAuthors(String authors) {
+        this.authors = authors;
+    }
+
+    /**
+     * Gets the authors.
+     * @return the authors
+     */
+    public String getAuthors() {
+        return authors;
+    }
+
+    /**
+     * Sets the owners.
+     * @param owners the owners
+     */
+    public void setOwners(String owners) {
+        this.owners = owners;
+    }
+
+    /**
+     * Gets the owners.
+     * @return the owners
+     */
+    public String getOwners() {
+        return owners;
+    }
+
+    /**
+     * Sets the licenseUrl.
+     * @param licenseUrl the licenseUrl
+     */
+    public void setLicenseUrl(String licenseUrl) {
+        this.licenseUrl = licenseUrl;
+    }
+
+    /**
+     * Gets the licenseUrl.
+     * @return the licenseUrl
+     */
+    public String getLicenseUrl() {
+        return licenseUrl;
+    }
+
+    @Override
+    public boolean equals(Object other) {
+        if (this == other) {
+            return true;
+        }
+        if (other == null || other.getClass() != this.getClass()) {
+            return false;
+        }
+        final NugetPackage o = (NugetPackage) other;
+        return o.getId().equals(id)
+                && o.getVersion().equals(version)
+                && o.getTitle().equals(title)
+                && o.getAuthors().equals(authors)
+                && o.getOwners().equals(owners)
+                && o.getLicenseUrl().equals(licenseUrl);
+    }
+
+    @Override
+    public int hashCode() {
+        int hash = 7;
+        hash = 31 * hash + (null == id ? 0 : id.hashCode());
+        hash = 31 * hash + (null == version ? 0 : version.hashCode());
+        hash = 31 * hash + (null == title ? 0 : title.hashCode());
+        hash = 31 * hash + (null == authors ? 0 : authors.hashCode());
+        hash = 31 * hash + (null == owners ? 0 : owners.hashCode());
+        hash = 31 * hash + (null == licenseUrl ? 0 : licenseUrl.hashCode());
+        return hash;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java

@@ -0,0 +1,67 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+/**
+ * Exception during the parsing of a Nuspec file.
+ *
+ * @author colezlaw
+ */
+public class NuspecParseException extends Exception {
+
+    /**
+     * The serialVersionUID
+     */
+    private static final long serialVersionUID = 1;
+
+    /**
+     * Constructs a new exception with <code>null</code> as its detail message.
+     *
+     * The cause is not initialized, and may subsequently be initialized by a call to
+     * {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
+     */
+    public NuspecParseException() {
+        super();
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message. The cause is not initialized, and may subsequently
+     * be initialized by a call to {@link java.lang.Throwable#initCause(java.lang.Throwable)}.
+     *
+     * @param message the detail message. The detail message is saved for later retrieval by the
+     * {@link java.lang.Throwable#getMessage()} method.
+     */
+    public NuspecParseException(String message) {
+        super(message);
+    }
+
+    /**
+     * Constructs a new exception with the specified detail message and cause.
+     *
+     * Note that the detail message associated with <code>cause</code> is <em>not</em>
+     * automatically incorporated in this exception's detail message.
+     *
+     * @param message the detail message (whcih is saved for later retrieval by the
+     * {@link java.lang.Throwable#getMessage()} method.
+     * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
+     * (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
+     */
+    public NuspecParseException(String message, Throwable cause) {
+        super(message, cause);
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParser.java

@@ -0,0 +1,37 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+import java.io.InputStream;
+
+/**
+ * Interface defining methods for parsing a Nuspec file.
+ *
+ * @author colezlaw
+ *
+ */
+public interface NuspecParser {
+    /**
+     * Parse an input stream and return the resulting {@link NugetPackage}.
+     *
+     * @param stream the input stream to parse
+     * @return the populated bean
+     * @throws NuspecParseException when an exception occurs
+     */
+    NugetPackage parse(InputStream stream) throws NuspecParseException;
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/XPathNuspecParser.java

@@ -0,0 +1,81 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.nuget;
+
+import java.io.InputStream;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.Node;
+
+/**
+ * Parse a Nuspec file using XPath.
+ *
+ * @author colezlaw
+ */
+public class XPathNuspecParser implements NuspecParser {
+
+    /**
+     * Gets the string value of a node or null if it's not present
+     *
+     * @param n the node to test
+     * @return the string content of the node, or null if the node itself is null
+     */
+    private String getOrNull(Node n) {
+        if (n != null) {
+            return n.getTextContent();
+        } else {
+            return null;
+        }
+    }
+
+    /**
+     * Parse an input stream and return the resulting {@link NugetPackage}.
+     *
+     * @param stream the input stream to parse
+     * @return the populated bean
+     * @throws NuspecParseException when an exception occurs
+     */
+    @Override
+    public NugetPackage parse(InputStream stream) throws NuspecParseException {
+        try {
+            final Document d = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(stream);
+            final XPath xpath = XPathFactory.newInstance().newXPath();
+            final NugetPackage nuspec = new NugetPackage();
+
+            if (xpath.evaluate("/package/metadata/id", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/version", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/authors", d, XPathConstants.NODE) == null
+                    || xpath.evaluate("/package/metadata/description", d, XPathConstants.NODE) == null) {
+                throw new NuspecParseException("Invalid Nuspec format");
+            }
+
+            nuspec.setId(xpath.evaluate("/package/metadata/id", d));
+            nuspec.setVersion(xpath.evaluate("/package/metadata/version", d));
+            nuspec.setAuthors(xpath.evaluate("/package/metadata/authors", d));
+            nuspec.setOwners(getOrNull((Node) xpath.evaluate("/package/metadata/owners", d, XPathConstants.NODE)));
+            nuspec.setLicenseUrl(getOrNull((Node) xpath.evaluate("/package/metadata/licenseUrl", d, XPathConstants.NODE)));
+            nuspec.setTitle(getOrNull((Node) xpath.evaluate("/package/metadata/title", d, XPathConstants.NODE)));
+            return nuspec;
+        } catch (Throwable e) {
+            throw new NuspecParseException("Unable to parse nuspec", e);
+        }
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -0,0 +1,15 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.nuget</title>
+ * </head>
+ * <body>
+ * <p>
+ * Contains classes related to parsing Nuget related files</p>
+ * <p>
+ * These are used to abstract away Nuget-related handling from Dependency Check
+ * so they can be used elsewhere.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
@@ -25,6 +24,7 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.sql.CallableStatement;
 import java.sql.Connection;
+import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.SQLException;
@@ -46,11 +46,27 @@ public final class ConnectionFactory {
     /**
      * The version of the current DB Schema.
      */
-    public static final String DB_SCHEMA_VERSION = "2.8";
+    public static final String DB_SCHEMA_VERSION = "2.9";
     /**
      * Resource location for SQL file used to create the database schema.
      */
     public static final String DB_STRUCTURE_RESOURCE = "data/initialize.sql";
+    /**
+     * The database driver used to connect to the database.
+     */
+    private static Driver driver = null;
+    /**
+     * The database connection string.
+     */
+    private static String connectionString = null;
+    /**
+     * The username to connect to the database.
+     */
+    private static String userName = null;
+    /**
+     * The password for the database.
+     */
+    private static String password = null;
 
     /**
      * Private constructor for this factory class; no instance is ever needed.
@@ -59,60 +75,138 @@ public final class ConnectionFactory {
     }
 
     /**
-     * Constructs a new database connection object per the database configuration. This will load the appropriate
-     * database driver, via the DriverManager, if configured.
+     * Initializes the connection factory. Ensuring that the appropriate drivers are loaded and that a connection can be
+     * made successfully.
+     *
+     * @throws DatabaseException thrown if we are unable to connect to the database
+     */
+    public static synchronized void initialize() throws DatabaseException {
+        //this only needs to be called once.
+        if (connectionString != null) {
+            return;
+        }
+        Connection conn = null;
+        try {
+            //load the driver if necessary
+            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
+            if (!driverName.isEmpty()) { //likely need to load the correct driver
+                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
+                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
+                try {
+                    if (!driverPath.isEmpty()) {
+                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
+                        driver = DriverLoader.load(driverName, driverPath);
+                    } else {
+                        driver = DriverLoader.load(driverName);
+                    }
+                } catch (DriverLoadException ex) {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
+                    throw new DatabaseException("Unable to load database driver");
+                }
+            }
+            userName = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
+            //yes, yes - hard-coded password - only if there isn't one in the properties file.
+            password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
+            try {
+                connectionString = getConnectionString();
+            } catch (IOException ex) {
+                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                        "Unable to retrieve the database connection string", ex);
+                throw new DatabaseException("Unable to retrieve the database connection string");
+            }
+            boolean shouldCreateSchema = false;
+            try {
+                if (connectionString.startsWith("jdbc:h2:file:")) { //H2
+                    shouldCreateSchema = !dbSchemaExists();
+                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
+                }
+            } catch (IOException ioex) {
+                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
+                throw new DatabaseException("Unable to verify database exists");
+            }
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
+            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
+
+            try {
+                conn = DriverManager.getConnection(connectionString, userName, password);
+            } catch (SQLException ex) {
+                if (ex.getMessage().contains("java.net.UnknownHostException") && connectionString.contains("AUTO_SERVER=TRUE;")) {
+                    connectionString = connectionString.replace("AUTO_SERVER=TRUE;", "");
+                    try {
+                        conn = DriverManager.getConnection(connectionString, userName, password);
+                        Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                                "Unable to start the database in server mode; reverting to single user mode");
+                    } catch (SQLException sqlex) {
+                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                        throw new DatabaseException("Unable to connect to the database");
+                    }
+                } else {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                    throw new DatabaseException("Unable to connect to the database");
+                }
+            }
+
+            if (shouldCreateSchema) {
+                try {
+                    createTables(conn);
+                } catch (DatabaseException dex) {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    throw new DatabaseException("Unable to create the database structure");
+                }
+            } else {
+                try {
+                    ensureSchemaVersion(conn);
+                } catch (DatabaseException dex) {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    throw new DatabaseException("Database schema does not match this version of dependency-check");
+                }
+            }
+        } finally {
+            if (conn != null) {
+                try {
+                    conn.close();
+                } catch (SQLException ex) {
+                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Cleans up resources and unloads any registered database drivers. This needs to be called to ensure the driver is
+     * unregistered prior to the finalize method being called as during shutdown the class loader used to load the
+     * driver may be unloaded prior to the driver being de-registered.
+     */
+    public static synchronized void cleanup() {
+        if (driver != null) {
+            try {
+                DriverManager.deregisterDriver(driver);
+            } catch (SQLException ex) {
+                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
+            }
+            driver = null;
+        }
+        connectionString = null;
+        userName = null;
+        password = null;
+    }
+
+    /**
+     * Constructs a new database connection object per the database configuration.
      *
      * @return a database connection object
      * @throws DatabaseException thrown if there is an exception loading the database connection
      */
     public static Connection getConnection() throws DatabaseException {
+        initialize();
         Connection conn = null;
         try {
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
-
-            final String connStr = getConnectionString();
-            final String user = Settings.getString(Settings.KEYS.DB_USER, "dcuser");
-            //yes, yes - hard-coded password - only if there isn't one in the properties file.
-            final String pass = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connStr);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", user);
-            boolean createTables = false;
-            if (connStr.startsWith("jdbc:h2:file:")) { //H2
-                createTables = needToCreateDatabaseStructure();
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", createTables);
-            }
-            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
-            if (!driverName.isEmpty()) { //likely need to load the correct driver
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
-                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
-                if (!driverPath.isEmpty()) { //ugh, driver is not on classpath?
-                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
-                    DriverLoader.load(driverName, driverPath);
-                } else {
-                    DriverLoader.load(driverName);
-                }
-            }
-
-            //JDBC4 drivers don't need this call.
-            //Class.forName("org.h2.Driver");
-            conn = DriverManager.getConnection(connStr, user, pass);
-            if (createTables) {
-                createTables(conn);
-            } else {
-                ensureSchemaVersion(conn);
-            }
-        } catch (IOException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
-            throw new DatabaseException("Unable to load database");
-        } catch (DriverLoadException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
-            throw new DatabaseException("Unable to load database driver");
+            conn = DriverManager.getConnection(connectionString, userName, password);
         } catch (SQLException ex) {
             Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
             throw new DatabaseException("Unable to connect to the database");
-        } catch (DatabaseException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
-            throw new DatabaseException("Unable to create the database structure");
         }
         return conn;
     }
@@ -127,9 +221,10 @@ public final class ConnectionFactory {
     private static String getConnectionString() throws IOException {
         final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
         if (connStr.contains("%s")) {
-            final String fileName = getDataDirectory().getCanonicalPath();
-            final File file = new File(fileName, "cve." + DB_SCHEMA_VERSION);
-            return String.format(connStr, file.getAbsolutePath());
+            final String directory = getDataDirectory().getCanonicalPath();
+            final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
+            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
+            return String.format(connStr, dataFile.getAbsolutePath());
         }
         return connStr;
     }
@@ -157,11 +252,11 @@ public final class ConnectionFactory {
      * @return true if the H2 database file does not exist; otherwise false
      * @throws IOException thrown if the data directory does not exist and cannot be created
      */
-    private static boolean needToCreateDatabaseStructure() throws IOException {
+    private static boolean dbSchemaExists() throws IOException {
         final File dir = getDataDirectory();
         final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
         final File file = new File(dir, name);
-        return !file.exists();
+        return file.exists();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -1,26 +1,25 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due
- * to invalid data or a complete failure of the db.
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
+ * of the db.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -39,6 +38,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.DBUtils;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.Pair;
 
 /**
  * The database holding information about the NVD CVE data.
@@ -97,6 +97,10 @@ public class CveDB {
                 final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
                 Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
                 Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+            } catch (Throwable ex) {
+                final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
+                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
+                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
             }
             conn = null;
         }
@@ -117,10 +121,10 @@ public class CveDB {
      * @throws SQLException thrown if a SQL Exception occurs
      */
     public void commit() throws SQLException {
-        if (conn != null) {
-            //temporary remove this as autocommit is on.
-            //conn.commit();
-        }
+        //temporary remove this as autocommit is on.
+        //if (conn != null) {
+        //    conn.commit();
+        //}
     }
 
     /**
@@ -129,7 +133,9 @@ public class CveDB {
      * @throws Throwable thrown if there is a problem
      */
     @Override
+    @SuppressWarnings("FinalizeDeclaration")
     protected void finalize() throws Throwable {
+        Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
         close();
         super.finalize();
     }
@@ -290,19 +296,27 @@ public class CveDB {
     /**
      * Returns the entire list of vendor/product combinations.
      *
-     * @return the entire list of vendor/product combinations.
+     * @return the entire list of vendor/product combinations
+     * @throws DatabaseException thrown when there is an error retrieving the data from the DB
      */
-    public ResultSet getVendorProductList() {
+    public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
+        final HashSet data = new HashSet<Pair<String, String>>();
         ResultSet rs = null;
+        PreparedStatement ps = null;
         try {
-            final PreparedStatement ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
+            ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
             rs = ps.executeQuery();
+            while (rs.next()) {
+                data.add(new Pair(rs.getString(1), rs.getString(2)));
+            }
         } catch (SQLException ex) {
             final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
-        } // can't close the statement in the PS as the resultset is returned, closing PS would close the resultset
-        return rs;
+            throw new DatabaseException(msg, ex);
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(ps);
+        }
+        return data;
     }
 
     /**
@@ -444,14 +458,17 @@ public class CveDB {
                 final String previous = rs.getString(3);
                 if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
                     cveEntries.add(cveId);
+                    final Vulnerability v = getVulnerability(cveId);
+                    v.setMatchedCPE(cpeId, previous);
+                    vulnerabilities.add(v);
                 }
             }
             DBUtils.closeResultSet(rs);
             DBUtils.closeStatement(ps);
-            for (String cve : cveEntries) {
-                final Vulnerability v = getVulnerability(cve);
-                vulnerabilities.add(v);
-            }
+//            for (String cve : cveEntries) {
+//                final Vulnerability v = getVulnerability(cve);
+//                vulnerabilities.add(v);
+//            }
 
         } catch (SQLException ex) {
             throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -1,26 +1,33 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import com.hazelcast.logging.Logger;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
+import java.util.Map;
+import java.util.Map.Entry;
 import java.util.Properties;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import java.util.TreeMap;
+import java.util.logging.Level;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 
 /**
  * This is a wrapper around a set of properties that are stored in the database.
@@ -30,21 +37,20 @@ import org.owasp.dependencycheck.data.update.NvdCveInfo;
 public class DatabaseProperties {
 
     /**
-     * Modified key word, used as a key to store information about the modified
-     * file (i.e. the containing the last 8 days of updates)..
+     * Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
+     * days of updates)..
      */
-    public static final String MODIFIED = "modified";
+    public static final String MODIFIED = "Modified";
     /**
-     * The properties file key for the last updated field - used to store the
-     * last updated time of the Modified NVD CVE xml file.
+     * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE
+     * xml file.
      */
-    public static final String LAST_UPDATED = "lastupdated.modified";
+    public static final String LAST_UPDATED = "NVD CVE Modified";
     /**
-     * Stores the last updated time for each of the NVD CVE files. These
-     * timestamps should be updated if we process the modified file within 7
-     * days of the last update.
+     * Stores the last updated time for each of the NVD CVE files. These timestamps should be updated if we process the
+     * modified file within 7 days of the last update.
      */
-    public static final String LAST_UPDATED_BASE = "lastupdated.";
+    public static final String LAST_UPDATED_BASE = "NVD CVE ";
     /**
      * A collection of properties about the data.
      */
@@ -81,8 +87,7 @@ public class DatabaseProperties {
     }
 
     /**
-     * Writes a properties file containing the last updated date to the
-     * VULNERABLE_CPE directory.
+     * Writes a properties file containing the last updated date to the VULNERABLE_CPE directory.
      *
      * @param updatedValue the updated NVD CVE entry
      * @throws UpdateException is thrown if there is an update exception
@@ -96,8 +101,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained
-     * in the underlying properties null is returned.
+     * Returns the property value for the given key. If the key is not contained in the underlying properties null is
+     * returned.
      *
      * @param key the property key
      * @return the value of the property
@@ -107,8 +112,8 @@ public class DatabaseProperties {
     }
 
     /**
-     * Returns the property value for the given key. If the key is not contained
-     * in the underlying properties the default value is returned.
+     * Returns the property value for the given key. If the key is not contained in the underlying properties the
+     * default value is returned.
      *
      * @param key the property key
      * @param defaultValue the default value
@@ -117,4 +122,43 @@ public class DatabaseProperties {
     public String getProperty(String key, String defaultValue) {
         return properties.getProperty(key, defaultValue);
     }
+
+    /**
+     * Returns the collection of Database Properties as a properties collection.
+     *
+     * @return the collection of Database Properties
+     */
+    public Properties getProperties() {
+        return properties;
+    }
+
+    /**
+     * Returns a map of the meta data from the database properties. This primarily contains timestamps of when the NVD
+     * CVE information was last updated.
+     *
+     * @return a map of the database meta data
+     */
+    public Map getMetaData() {
+        final TreeMap map = new TreeMap();
+        for (Entry<Object, Object> entry : properties.entrySet()) {
+            final String key = (String) entry.getKey();
+            if (!"version".equals(key)) {
+                if (key.startsWith("NVD CVE ")) {
+                    try {
+                        final long epoch = Long.parseLong((String) entry.getValue());
+                        final Date date = new Date(epoch);
+                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
+                        final String formatted = format.format(date);
+                        map.put(key, formatted);
+                    } catch (Throwable ex) { //deliberatly being broad in this catch clause
+                        Logger.getLogger(DatabaseProperties.class.getName()).log(Level.FINE, "Unable to parse timestamp from DB", ex);
+                        map.put(key, entry.getValue());
+                    }
+                } else {
+                    map.put(key, entry.getValue());
+                }
+            }
+        }
+        return map;
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoadException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
@@ -48,11 +47,12 @@ public final class DriverLoader {
      * Loads the specified class using the system class loader and registers the driver with the driver manager.
      *
      * @param className the fully qualified name of the desired class
+     * @return the loaded Driver
      * @throws DriverLoadException thrown if the driver cannot be loaded
      */
-    public static void load(String className) throws DriverLoadException {
-        final ClassLoader loader = ClassLoader.getSystemClassLoader();
-        load(className, loader);
+    public static Driver load(String className) throws DriverLoadException {
+        final ClassLoader loader = DriverLoader.class.getClassLoader(); //ClassLoader.getSystemClassLoader();
+        return load(className, loader);
     }
 
     /**
@@ -65,9 +65,10 @@ public final class DriverLoader {
      * @param className the fully qualified name of the desired class
      * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
      * of paths
+     * @return the loaded Driver
      * @throws DriverLoadException thrown if the driver cannot be loaded
      */
-    public static void load(String className, String pathToDriver) throws DriverLoadException {
+    public static Driver load(String className, String pathToDriver) throws DriverLoadException {
         final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
         final ArrayList<URL> urls = new ArrayList<URL>();
         final String[] paths = pathToDriver.split(File.pathSeparator);
@@ -104,7 +105,7 @@ public final class DriverLoader {
             }
         });
 
-        load(className, loader);
+        return load(className, loader);
     }
 
     /**
@@ -112,14 +113,18 @@ public final class DriverLoader {
      *
      * @param className the fully qualified name of the desired class
      * @param loader the class loader to use when loading the driver
+     * @return the loaded Driver
      * @throws DriverLoadException thrown if the driver cannot be loaded
      */
-    private static void load(String className, ClassLoader loader) throws DriverLoadException {
+    private static Driver load(String className, ClassLoader loader) throws DriverLoadException {
         try {
-            final Class c = loader.loadClass(className);
+            final Class c = Class.forName(className, true, loader);
+            //final Class c = loader.loadClass(className);
             final Driver driver = (Driver) c.newInstance();
+            final Driver shim = new DriverShim(driver);
             //using the DriverShim to get around the fact that the DriverManager won't register a driver not in the base class path
-            DriverManager.registerDriver(new DriverShim(driver));
+            DriverManager.registerDriver(shim);
+            return shim;
         } catch (ClassNotFoundException ex) {
             final String msg = String.format("Unable to load database driver '%s'", className);
             Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java

@@ -1,29 +1,31 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
 import java.sql.Connection;
 import java.sql.Driver;
 import java.sql.DriverPropertyInfo;
 import java.sql.SQLException;
 import java.sql.SQLFeatureNotSupportedException;
 import java.util.Properties;
+import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
@@ -65,6 +67,20 @@ class DriverShim implements Driver {
         return this.driver.acceptsURL(url);
     }
 
+    /**
+     * Wraps the call to the underlying driver's connect method.
+     *
+     * @param url the URL of the database
+     * @param info a collection of string/value pairs
+     * @return a Connection object
+     * @throws SQLException thrown if there is an error connecting to the database
+     * @see java.sql.Driver#connect(java.lang.String, java.util.Properties)
+     */
+    @Override
+    public Connection connect(String url, Properties info) throws SQLException {
+        return this.driver.connect(url, info);
+    }
+
     /**
      * Returns the wrapped driver's major version number.
      *
@@ -88,28 +104,33 @@ class DriverShim implements Driver {
     }
 
     /**
-     * Returns whether or not the wrapped driver is jdbcCompliant.
+     * Wraps the call to the underlying driver's getParentLogger method.
      *
-     * @return true if the wrapped driver is JDBC compliant; otherwise false
-     * @see java.sql.Driver#jdbcCompliant()
+     * @return the parent's Logger
+     * @throws SQLFeatureNotSupportedException thrown if the feature is not supported
+     * @see java.sql.Driver#getParentLogger()
      */
-    @Override
-    public boolean jdbcCompliant() {
-        return this.driver.jdbcCompliant();
-    }
-
-    /**
-     * Wraps the call to the underlying driver's connect method.
-     *
-     * @param url the URL of the database
-     * @param info a collection of string/value pairs
-     * @return a Connection object
-     * @throws SQLException thrown if there is an error connecting to the database
-     * @see java.sql.Driver#connect(java.lang.String, java.util.Properties)
-     */
-    @Override
-    public Connection connect(String url, Properties info) throws SQLException {
-        return this.driver.connect(url, info);
+    //@Override
+    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
+        //return driver.getParentLogger();
+        Method m = null;
+        try {
+            m = driver.getClass().getMethod("getParentLogger");
+        } catch (Throwable e) {
+            throw new SQLFeatureNotSupportedException();
+        }
+        if (m != null) {
+            try {
+                return (Logger) m.invoke(m);
+            } catch (IllegalAccessException ex) {
+                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+            } catch (IllegalArgumentException ex) {
+                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+            } catch (InvocationTargetException ex) {
+                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+            }
+        }
+        throw new SQLFeatureNotSupportedException();
     }
 
     /**
@@ -127,15 +148,14 @@ class DriverShim implements Driver {
     }
 
     /**
-     * Wraps the call to the underlying driver's getParentLogger method.
+     * Returns whether or not the wrapped driver is jdbcCompliant.
      *
-     * @return the parent's Logger
-     * @throws SQLFeatureNotSupportedException thrown if the feature is not supported
-     * @see java.sql.Driver#getParentLogger()
+     * @return true if the wrapped driver is JDBC compliant; otherwise false
+     * @see java.sql.Driver#jdbcCompliant()
      */
     @Override
-    public Logger getParentLogger() throws SQLFeatureNotSupportedException {
-        return this.driver.getParentLogger();
+    public boolean jdbcCompliant() {
+        return this.driver.jdbcCompliant();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CachedWebDataSource.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -21,20 +20,18 @@ package org.owasp.dependencycheck.data.update;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 
 /**
- * Defines a data source who's data is retrieved from the Internet. This data
- * can be downloaded and the local cache updated.
+ * Defines a data source who's data is retrieved from the Internet. This data can be downloaded and the local cache
+ * updated.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
 public interface CachedWebDataSource {
 
     /**
-     * Determines if an update to the current data store is needed, if it is the
-     * new data is downloaded from the Internet and imported into the current
-     * cached data store.
+     * Determines if an update to the current data store is needed, if it is the new data is downloaded from the
+     * Internet and imported into the current cached data store.
      *
-     * @throws UpdateException is thrown if there is an exception downloading
-     * the data or updating the data store.
+     * @throws UpdateException is thrown if there is an exception downloading the data or updating the data store.
      */
     void update() throws UpdateException;
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveInfo.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -1,27 +1,26 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
 
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import java.net.MalformedURLException;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 
 /**
@@ -32,11 +31,10 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 public class NvdCveUpdater implements CachedWebDataSource {
 
     /**
-     * <p>Downloads the latest NVD CVE XML file from the web and imports it into
-     * the current CVE Database.</p>
+     * <p>
+     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
      *
-     * @throws UpdateException is thrown if there is an error updating the
-     * database
+     * @throws UpdateException is thrown if there is an error updating the database
      */
     @Override
     public void update() throws UpdateException {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java

@@ -1,28 +1,22 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update;
 
-import org.owasp.dependencycheck.data.update.task.ProcessTask;
-import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
-import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import java.net.MalformedURLException;
 import java.util.Calendar;
 import java.util.Date;
@@ -35,11 +29,16 @@ import java.util.concurrent.Future;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.utils.DownloadFailedException;
-import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
+import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
+import org.owasp.dependencycheck.data.update.task.ProcessTask;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * Class responsible for updating the NVDCVE data store.
@@ -53,8 +52,7 @@ public class StandardUpdate {
      */
     public static final int MAX_THREAD_POOL_SIZE = Settings.getInt(Settings.KEYS.MAX_DOWNLOAD_THREAD_POOL_SIZE, 3);
     /**
-     * Information about the timestamps and URLs for data that needs to be
-     * updated.
+     * Information about the timestamps and URLs for data that needs to be updated.
      */
     private DatabaseProperties properties;
     /**
@@ -79,10 +77,8 @@ public class StandardUpdate {
      * Constructs a new Standard Update Task.
      *
      * @throws MalformedURLException thrown if a configured URL is malformed
-     * @throws DownloadFailedException thrown if a timestamp cannot be checked
-     * on a configured URL
-     * @throws UpdateException thrown if there is an exception generating the
-     * update task
+     * @throws DownloadFailedException thrown if a timestamp cannot be checked on a configured URL
+     * @throws UpdateException thrown if there is an exception generating the update task
      */
     public StandardUpdate() throws MalformedURLException, DownloadFailedException, UpdateException {
         openDataStores();
@@ -91,11 +87,10 @@ public class StandardUpdate {
     }
 
     /**
-     * <p>Downloads the latest NVD CVE XML file from the web and imports it into
-     * the current CVE Database.</p>
+     * <p>
+     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
      *
-     * @throws UpdateException is thrown if there is an error updating the
-     * database
+     * @throws UpdateException is thrown if there is an error updating the database
      */
     public void update() throws UpdateException {
         int maxUpdates = 0;
@@ -139,20 +134,20 @@ public class StandardUpdate {
                     downloadExecutors.shutdownNow();
                     processExecutor.shutdownNow();
 
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download", ex);
-                    throw new UpdateException("The download was interupted", ex);
+                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
+                    throw new UpdateException("The download was interrupted", ex);
                 } catch (ExecutionException ex) {
                     downloadExecutors.shutdownNow();
                     processExecutor.shutdownNow();
 
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download execution", ex);
-                    throw new UpdateException("The execution of the download was interupted", ex);
+                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
+                    throw new UpdateException("The execution of the download was interrupted", ex);
                 }
                 if (task == null) {
                     downloadExecutors.shutdownNow();
                     processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during download");
-                    throw new UpdateException("The download was interupted; unable to complete the update");
+                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
+                    throw new UpdateException("The download was interrupted; unable to complete the update");
                 } else {
                     processFutures.add(task);
                 }
@@ -166,7 +161,7 @@ public class StandardUpdate {
                     }
                 } catch (InterruptedException ex) {
                     processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interupted during processing", ex);
+                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
                     throw new UpdateException(ex);
                 } catch (ExecutionException ex) {
                     processExecutor.shutdownNow();
@@ -187,18 +182,14 @@ public class StandardUpdate {
     }
 
     /**
-     * Determines if the index needs to be updated. This is done by fetching the
-     * NVD CVE meta data and checking the last update date. If the data needs to
-     * be refreshed this method will return the NvdCveUrl for the files that
-     * need to be updated.
+     * Determines if the index needs to be updated. This is done by fetching the NVD CVE meta data and checking the last
+     * update date. If the data needs to be refreshed this method will return the NvdCveUrl for the files that need to
+     * be updated.
      *
      * @return the collection of files that need to be updated
-     * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta
-     * data is incorrect
-     * @throws DownloadFailedException is thrown if there is an error.
-     * downloading the NVD CVE download data file
-     * @throws UpdateException Is thrown if there is an issue with the last
-     * updated properties file
+     * @throws MalformedURLException is thrown if the URL for the NVD CVE Meta data is incorrect
+     * @throws DownloadFailedException is thrown if there is an error. downloading the NVD CVE download data file
+     * @throws UpdateException Is thrown if there is an issue with the last updated properties file
      */
     protected final UpdateableNvdCve updatesNeeded() throws MalformedURLException, DownloadFailedException, UpdateException {
         UpdateableNvdCve updates = null;
@@ -244,7 +235,7 @@ public class StandardUpdate {
                                         DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
                                 Logger
                                         .getLogger(StandardUpdate.class
-                                        .getName()).log(Level.FINE, msg, ex);
+                                                .getName()).log(Level.FINE, msg, ex);
                             }
                             if (currentTimestamp == entry.getTimestamp()) {
                                 entry.setNeedsUpdate(false);
@@ -254,11 +245,8 @@ public class StandardUpdate {
                 }
             } catch (NumberFormatException ex) {
                 final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
-                Logger
-                        .getLogger(StandardUpdate.class
-                        .getName()).log(Level.WARNING, msg);
-                Logger.getLogger(StandardUpdate.class
-                        .getName()).log(Level.FINE, null, ex);
+                Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
+                Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
             }
         }
         return updates;
@@ -268,12 +256,9 @@ public class StandardUpdate {
      * Retrieves the timestamps from the NVD CVE meta data file.
      *
      * @return the timestamp from the currently published nvdcve downloads page
-     * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data
-     * is incorrect.
-     * @throws DownloadFailedException thrown if there is an error downloading
-     * the nvd cve meta data file
-     * @throws InvalidDataException thrown if there is an exception parsing the
-     * timestamps
+     * @throws MalformedURLException thrown if the URL for the NVD CCE Meta data is incorrect.
+     * @throws DownloadFailedException thrown if there is an error downloading the nvd cve meta data file
+     * @throws InvalidDataException thrown if there is an exception parsing the timestamps
      * @throws InvalidSettingException thrown if the settings are invalid
      */
     private UpdateableNvdCve retrieveCurrentTimestampsFromWeb()
@@ -304,7 +289,7 @@ public class StandardUpdate {
         if (cveDB != null) {
             try {
                 cveDB.close();
-            } catch (Exception ignore) {
+            } catch (Throwable ignore) {
                 Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
             }
         }
@@ -330,10 +315,9 @@ public class StandardUpdate {
     }
 
     /**
-     * Determines if the epoch date is within the range specified of the
-     * compareTo epoch time. This takes the (compareTo-date)/1000/60/60/24 to
-     * get the number of days. If the calculated days is less then the range the
-     * date is considered valid.
+     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
+     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
+     * is considered valid.
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -56,8 +55,7 @@ public final class UpdateService {
     }
 
     /**
-     * Returns an Iterator for all instances of the CachedWebDataSource
-     * interface.
+     * Returns an Iterator for all instances of the CachedWebDataSource interface.
      *
      * @return an iterator of CachedWebDataSource.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateableNvdCve.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
@@ -28,8 +27,8 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 
 /**
- * Contains a collection of updateable NvdCveInfo objects. This is used to
- * determine which files need to be downloaded and processed.
+ * Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded
+ * and processed.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */
@@ -41,8 +40,7 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
-     * Returns the collection of NvdCveInfo objects. This method is mainly used
-     * for testing.
+     * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.
      *
      * @return the collection of NvdCveInfo objects
      */
@@ -69,8 +67,8 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
      *
      * @param id the key for the item to be added
      * @param url the URL to download the item
-     * @param oldUrl the URL for the old version of the item (the NVD CVE old
-     * schema still contains useful data we need).
+     * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
+     * need).
      * @throws MalformedURLException thrown if the URL provided is invalid
      * @throws DownloadFailedException thrown if the download fails.
      */
@@ -83,8 +81,8 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
      *
      * @param id the key for the item to be added
      * @param url the URL to download the item
-     * @param oldUrl the URL for the old version of the item (the NVD CVE old
-     * schema still contains useful data we need).
+     * @param oldUrl the URL for the old version of the item (the NVD CVE old schema still contains useful data we
+     * need).
      * @param needsUpdate whether or not the data needs to be updated
      * @throws MalformedURLException thrown if the URL provided is invalid
      * @throws DownloadFailedException thrown if the download fails.
@@ -121,8 +119,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     private Iterator<Entry<String, NvdCveInfo>> iterableContent = null;
 
     /**
-     * <p>Returns an iterator for the NvdCveInfo contained.</p>
-     * <p><b>This method is not thread safe.</b></p>
+     * <p>
+     * Returns an iterator for the NvdCveInfo contained.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
      * @return an NvdCveInfo Iterator
      */
@@ -133,11 +133,12 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Returns whether or not there is another item in the collection.</p>
-     * <p><b>This method is not thread safe.</b></p>
+     * <p>
+     * Returns whether or not there is another item in the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
-     * @return true or false depending on whether or not another item exists in
-     * the collection
+     * @return true or false depending on whether or not another item exists in the collection
      */
     @Override
     public boolean hasNext() {
@@ -145,8 +146,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Returns the next item in the collection.</p>
-     * <p><b>This method is not thread safe.</b></p>
+     * <p>
+     * Returns the next item in the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      *
      * @return the next NvdCveInfo item in the collection
      */
@@ -156,8 +159,10 @@ public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterato
     }
 
     /**
-     * <p>Removes the current NvdCveInfo object from the collection.</p>
-     * <p><b>This method is not thread safe.</b></p>
+     * <p>
+     * Removes the current NvdCveInfo object from the collection.</p>
+     * <p>
+     * <b>This method is not thread safe.</b></p>
      */
     @Override
     public void remove() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/InvalidDataException.java

@@ -1,26 +1,24 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
 package org.owasp.dependencycheck.data.update.exception;
 
 /**
- * An InvalidDataDataException is a generic exception used when trying to load
- * the NVD CVE meta data.
+ * An InvalidDataDataException is a generic exception used when trying to load the NVD CVE meta data.
  *
  * @author Jeremy Long <jeremy.long@owasp.org>
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/UpdateException.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java

@@ -1,18 +1,17 @@
 /*
  * This file is part of dependency-check-core.
  *
- * Dependency-check-core is free software: you can redistribute it and/or modify it
- * under the terms of the GNU General Public License as published by the Free
- * Software Foundation, either version 3 of the License, or (at your option) any
- * later version.
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
  *
- * Dependency-check-core is distributed in the hope that it will be useful, but
- * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
- * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more
- * details.
+ *     http://www.apache.org/licenses/LICENSE-2.0
  *
- * You should have received a copy of the GNU General Public License along with
- * dependency-check-core. If not, see http://www.gnu.org/licenses/.
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
  *
  * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
  */
@@ -30,6 +29,7 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * A callable object to download two files.
@@ -53,10 +53,9 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
         final File file1;
         final File file2;
 
-
         try {
-            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml");
-            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml");
+            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
         } catch (IOException ex) {
             return;
         }