version 1.1.3

Former-commit-id: af8a66cf2ecda07b7005d20f9de9dbe14d61e187

.gitignore

@@ -16,3 +16,5 @@ dependency-reduced-pom.xml
 Gemfile
 Gemfile.lock
 _site/**
+#unknown as to why these are showing up... but need to be ignored.
+.LCKpom.xml~

dependency-check-ant/pom.xml

@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.2</version>
+        <version>1.1.3</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -753,6 +753,28 @@ public class DependencyCheckTask extends Task {
     public void setCveUrl20Base(String cveUrl20Base) {
         this.cveUrl20Base = cveUrl20Base;
     }
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * Get the value of pathToMono.
+     *
+     * @return the value of pathToMono
+     */
+    public String getPathToMono() {
+        return pathToMono;
+    }
+
+    /**
+     * Set the value of pathToMono.
+     *
+     * @param pathToMono new value of pathToMono
+     */
+    public void setPathToMono(String pathToMono) {
+        this.pathToMono = pathToMono;
+    }
 
     @Override
     public void execute() throws BuildException {
@@ -920,6 +942,9 @@ public class DependencyCheckTask extends Task {
         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
     }
 
     /**

dependency-check-ant/src/site/markdown/configuration.md

@@ -48,3 +48,4 @@ cveUrl12Modified      | URL for the modified CVE 1.2 | Optional | http://nvd.nis
 cveUrl20Modified      | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cveUrl12Base          | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
 cveUrl20Base          | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+pathToMono            | The path to Mono for .NET assembly analysis on non-windows systems | Optional |  

dependency-check-cli/pom.xml

@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.2</version>
+        <version>1.1.3</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -160,13 +160,13 @@ public class App {
         final String suppressionFile = cli.getSuppressionFile();
         final boolean nexusDisabled = cli.isNexusDisabled();
         final String nexusUrl = cli.getNexusUrl();
-        final boolean nexusUsesProxy = cli.isNexusUsesProxy();
         final String databaseDriverName = cli.getDatabaseDriverName();
         final String databaseDriverPath = cli.getDatabaseDriverPath();
         final String connectionString = cli.getConnectionString();
         final String databaseUser = cli.getDatabaseUser();
         final String databasePassword = cli.getDatabasePassword();
         final String additionalZipExtensions = cli.getAdditionalZipExtensions();
+        final String pathToMono = cli.getPathToMono();
 
         if (propertiesFile != null) {
             try {
@@ -181,6 +181,10 @@ public class App {
                 Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
             }
         }
+        // We have to wait until we've merged the properties before attempting to set whether we use
+        // the proxy for Nexus since it could be disabled in the properties, but not explicitly stated
+        // on the command line
+        final boolean nexusUsesProxy = cli.isNexusUsesProxy();
         if (dataDirectory != null) {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else if (System.getProperty("basedir") != null) {
@@ -235,5 +239,8 @@ public class App {
         if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
             Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
         }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.cli;
 
 import java.io.File;
 import java.io.FileNotFoundException;
+
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -29,6 +30,7 @@ import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.cli.PosixParser;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -84,8 +86,11 @@ public final class CliParser {
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
         if (isRunScan()) {
-            validatePathExists(getScanFiles(), "scan");
+            validatePathExists(getScanFiles(), ArgumentName.SCAN);
-            validatePathExists(getReportDirectory(), "out");
+            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            if (getPathToMono() != null) {
+                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+            }
             if (!line.hasOption(ArgumentName.APP_NAME)) {
                 throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
             }
@@ -121,14 +126,14 @@ public final class CliParser {
      * FileNotFoundException is thrown.
      *
      * @param path the paths to validate if they exists
-     * @param optType the option being validated (e.g. scan, out, etc.)
+     * @param argumentName the argument being validated (e.g. scan, out, etc.)
      * @throws FileNotFoundException is thrown if the path being validated does not exist.
      */
-    private void validatePathExists(String path, String optType) throws FileNotFoundException {
+    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
         final File f = new File(path);
         if (!f.exists()) {
             isValid = false;
-            final String msg = String.format("Invalid '%s' argument: '%s'", optType, path);
+            final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
             throw new FileNotFoundException(msg);
         }
     }
@@ -196,24 +201,6 @@ public final class CliParser {
                 .withDescription("The file path to the suppression XML file.")
                 .create();
 
-        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
-                .withDescription("Disable the Nexus Analyzer.")
-                .create();
-
-        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
-                .withDescription("The url to the Nexus Server.")
-                .create();
-
-        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
-                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
-                .create();
-
-        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
-                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
-                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
-                        + "(ZIP, EAR, WAR are already treated as zip files)")
-                .create();
-
         //This is an option group because it can be specified more then once.
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
@@ -228,11 +215,7 @@ public final class CliParser {
                 .addOption(noUpdate)
                 .addOption(props)
                 .addOption(verboseLog)
-                .addOption(suppressionFile)
+                .addOption(suppressionFile);
-                .addOption(disableNexusAnalyzer)
-                .addOption(nexusUrl)
-                .addOption(nexusUsesProxy)
-                .addOption(additionalZipExtensions);
     }
 
     /**
@@ -272,19 +255,45 @@ public final class CliParser {
         final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
                 .withDescription("The connection string to the database.")
                 .create();
+
         final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
                 .withDescription("The username used to connect to the database.")
                 .create();
+
         final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
                 .withDescription("The password for connecting to the database.")
                 .create();
+
         final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
                 .withDescription("The database driver name.")
                 .create();
+
         final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
                 .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
                 .create();
 
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+                .withDescription("Disable the Nexus Analyzer.")
+                .create();
+
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+                .withDescription("The url to the Nexus Server.")
+                .create();
+
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
+                .create();
+
+        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
+                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+                        + "(ZIP, EAR, WAR are already treated as zip files)")
+                .create();
+
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
+                .create();
+
         options.addOption(proxyPort)
                 .addOption(proxyUrl)
                 .addOption(proxyUsername)
@@ -295,7 +304,12 @@ public final class CliParser {
                 .addOption(data)
                 .addOption(dbPassword)
                 .addOption(dbDriver)
-                .addOption(dbDriverPath);
+                .addOption(dbDriverPath)
+                .addOption(disableNexusAnalyzer)
+                .addOption(nexusUrl)
+                .addOption(nexusUsesProxy)
+                .addOption(additionalZipExtensions)
+                .addOption(pathToMono);
     }
 
     /**
@@ -354,8 +368,14 @@ public final class CliParser {
      * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
      */
     public boolean isNexusUsesProxy() {
+        // If they didn't specify whether Nexus needs to use the proxy, we should
+        // still honor the property if it's set.
         if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
-            return true;
+            try {
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+            } catch (InvalidSettingException ise) {
+                return true;
+            }
         } else {
             return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
         }
@@ -403,6 +423,15 @@ public final class CliParser {
         return line.getOptionValue(ArgumentName.OUT, ".");
     }
 
+    /**
+     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToMono() {
+        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+    }
+
     /**
      * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
      *
@@ -683,7 +712,7 @@ public final class CliParser {
         /**
          * The short CLI argument name for setting the location of an additional properties file.
          */
-        public static final String PROP_SHORT = "p";
+        public static final String PROP_SHORT = "P";
         /**
          * The CLI argument name for setting the location of an additional properties file.
          */
@@ -740,6 +769,10 @@ public final class CliParser {
          * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
          */
         public static final String DB_DRIVER_PATH = "dbDriverPath";
+        /**
+         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+         */
+        public static final String PATH_TO_MONO = "mono";
         /**
          * The CLI argument name for setting extra extensions.
          */

dependency-check-cli/src/site/markdown/arguments.md

@@ -30,3 +30,4 @@ Short  | Argument Name         | Parameter       | Description | Requirement
        | \-\-nexus             | \<url\>         | The url to the Nexus Server. | Optional
        | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
        | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional

dependency-check-core/pom.xml

@@ -21,7 +21,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.2</version>
+        <version>1.1.3</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -18,13 +18,20 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.regex.Pattern;
 import org.owasp.dependencycheck.suppression.SuppressionParseException;
 import org.owasp.dependencycheck.suppression.SuppressionParser;
 import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -95,17 +102,55 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
      * @throws SuppressionParseException thrown if the XML cannot be parsed.
      */
     private void loadSuppressionData() throws SuppressionParseException {
-        final File file = Settings.getFile(Settings.KEYS.SUPPRESSION_FILE);
+        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
-        if (file != null) {
+        if (suppressionFilePath == null) {
-            final SuppressionParser parser = new SuppressionParser();
+            return;
-            try {
+        }
-                rules = parser.parseSuppressionRules(file);
+        File file = null;
-            } catch (SuppressionParseException ex) {
+        boolean deleteTempFile = false;
-                final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+        try {
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
+            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
+            if (uriRx.matcher(suppressionFilePath).matches()) {
-                Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                deleteTempFile = true;
-                throw ex;
+                file = FileUtils.getTempFile("suppression", "xml");
+                final URL url = new URL(suppressionFilePath);
+                try {
+                    Downloader.fetchFile(url, file, false);
+                } catch (DownloadFailedException ex) {
+                    Downloader.fetchFile(url, file, true);
+                }
+            }
+
+            if (file != null) {
+                final SuppressionParser parser = new SuppressionParser();
+                try {
+                    rules = parser.parseSuppressionRules(file);
+                } catch (SuppressionParseException ex) {
+                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
+                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                    throw ex;
+                }
+            }
+        } catch (DownloadFailedException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Unable to fetch the configured suppression file");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
+        } catch (MalformedURLException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Configured suppression file has an invalid URL");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
+        } catch (IOException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+                    "Unable to create temp file for suppressions");
+            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
+            throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
+        } finally {
+            if (deleteTempFile && file != null) {
+                FileUtils.delete(file);
             }
         }
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -158,7 +158,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     @Override
     public void initialize() throws Exception {
         super.initialize();
-        final File tempFile = File.createTempFile("GKA", ".exe");
+        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
         FileOutputStream fos = null;
         InputStream is = null;
         try {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java

@@ -29,6 +29,7 @@ import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  * A callable object to download two files.
@@ -53,8 +54,8 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
         final File file2;
 
         try {
-            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml");
+            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
-            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml");
+            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
         } catch (IOException ex) {
             return;
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -46,68 +46,101 @@ public final class Downloader {
     /**
      * Retrieves a file from a given URL and saves it to the outputPath.
      *
-     * @param url the URL of the file to download.
+     * @param url the URL of the file to download
-     * @param outputPath the path to the save the file to.
+     * @param outputPath the path to the save the file to
-     * @throws DownloadFailedException is thrown if there is an error downloading the file.
+     * @throws DownloadFailedException is thrown if there is an error downloading the file
      */
     public static void fetchFile(URL url, File outputPath) throws DownloadFailedException {
-        HttpURLConnection conn = null;
+        fetchFile(url, outputPath, true);
-        try {
+    }
-            conn = URLConnectionFactory.createHttpURLConnection(url);
-            conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
-            conn.connect();
-        } catch (IOException ex) {
-            try {
-                if (conn != null) {
-                    conn.disconnect();
-                }
-            } finally {
-                conn = null;
-            }
-            throw new DownloadFailedException("Error downloading file.", ex);
-        }
-        final String encoding = conn.getContentEncoding();
 
-        BufferedOutputStream writer = null;
+    /**
-        InputStream reader = null;
+     * Retrieves a file from a given URL and saves it to the outputPath.
-        try {
+     *
-            if (encoding != null && "gzip".equalsIgnoreCase(encoding)) {
+     * @param url the URL of the file to download
-                reader = new GZIPInputStream(conn.getInputStream());
+     * @param outputPath the path to the save the file to
-            } else if (encoding != null && "deflate".equalsIgnoreCase(encoding)) {
+     * @param useProxy whether to use the configured proxy when downloading files
-                reader = new InflaterInputStream(conn.getInputStream());
+     * @throws DownloadFailedException is thrown if there is an error downloading the file
+     */
+    public static void fetchFile(URL url, File outputPath, boolean useProxy) throws DownloadFailedException {
+        if ("file".equalsIgnoreCase(url.getProtocol())) {
+            File file;
+            try {
+                file = new File(url.toURI());
+            } catch (URISyntaxException ex) {
+                final String msg = String.format("Download failed, unable to locate '%s'", url.toString());
+                throw new DownloadFailedException(msg);
+            }
+            if (file.exists()) {
+                try {
+                    org.apache.commons.io.FileUtils.copyFile(file, outputPath);
+                } catch (IOException ex) {
+                    final String msg = String.format("Download failed, unable to copy '%s'", url.toString());
+                    throw new DownloadFailedException(msg);
+                }
             } else {
-                reader = conn.getInputStream();
+                final String msg = String.format("Download failed, file does not exist '%s'", url.toString());
-            }
+                throw new DownloadFailedException(msg);
-
-            writer = new BufferedOutputStream(new FileOutputStream(outputPath));
-            final byte[] buffer = new byte[4096];
-            int bytesRead;
-            while ((bytesRead = reader.read(buffer)) > 0) {
-                writer.write(buffer, 0, bytesRead);
-            }
-        } catch (Throwable ex) {
-            throw new DownloadFailedException("Error saving downloaded file.", ex);
-        } finally {
-            if (writer != null) {
-                try {
-                    writer.close();
-                } catch (Throwable ex) {
-                    Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
-                            "Error closing the writer in Downloader.", ex);
-                }
-            }
-            if (reader != null) {
-                try {
-                    reader.close();
-                } catch (Throwable ex) {
-                    Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
-                            "Error closing the reader in Downloader.", ex);
-                }
             }
+        } else {
+            HttpURLConnection conn = null;
             try {
-                conn.disconnect();
+                conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+                conn.setRequestProperty("Accept-Encoding", "gzip, deflate");
+                conn.connect();
+            } catch (IOException ex) {
+                try {
+                    if (conn != null) {
+                        conn.disconnect();
+                    }
+                } finally {
+                    conn = null;
+                }
+                throw new DownloadFailedException("Error downloading file.", ex);
+            }
+            final String encoding = conn.getContentEncoding();
+
+            BufferedOutputStream writer = null;
+            InputStream reader = null;
+            try {
+                if (encoding != null && "gzip".equalsIgnoreCase(encoding)) {
+                    reader = new GZIPInputStream(conn.getInputStream());
+                } else if (encoding != null && "deflate".equalsIgnoreCase(encoding)) {
+                    reader = new InflaterInputStream(conn.getInputStream());
+                } else {
+                    reader = conn.getInputStream();
+                }
+
+                writer = new BufferedOutputStream(new FileOutputStream(outputPath));
+                final byte[] buffer = new byte[4096];
+                int bytesRead;
+                while ((bytesRead = reader.read(buffer)) > 0) {
+                    writer.write(buffer, 0, bytesRead);
+                }
+            } catch (Throwable ex) {
+                throw new DownloadFailedException("Error saving downloaded file.", ex);
             } finally {
-                conn = null;
+                if (writer != null) {
+                    try {
+                        writer.close();
+                    } catch (Throwable ex) {
+                        Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
+                                "Error closing the writer in Downloader.", ex);
+                    }
+                }
+                if (reader != null) {
+                    try {
+                        reader.close();
+                    } catch (Throwable ex) {
+                        Logger.getLogger(Downloader.class.getName()).log(Level.FINEST,
+                                "Error closing the reader in Downloader.", ex);
+                    }
+                }
+                try {
+                    conn.disconnect();
+                } finally {
+                    conn = null;
+                }
             }
         }
     }
@@ -122,20 +155,11 @@ public final class Downloader {
      */
     public static long getLastModified(URL url) throws DownloadFailedException {
         long timestamp = 0;
-        //TODO add the FPR protocol?
+        //TODO add the FTP protocol?
         if ("file".equalsIgnoreCase(url.getProtocol())) {
             File lastModifiedFile;
             try {
-//                if (System.getProperty("os.name").toLowerCase().startsWith("windows")) {
-//                    String filePath = url.toString();
-//                    if (filePath.matches("file://[a-zA-Z]:.*")) {
-//                        f = new File(filePath.substring(7));
-//                    } else {
-//                        f = new File(url.toURI());
-//                    }
-//                } else {
                 lastModifiedFile = new File(url.toURI());
-//                }
             } catch (URISyntaxException ex) {
                 final String msg = String.format("Unable to locate '%s'; is the cve.url-2.0.modified property set correctly?", url.toString());
                 throw new DownloadFailedException(msg);

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileUtils.java

@@ -26,6 +26,7 @@ import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLDecoder;
+import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.zip.ZipEntry;
@@ -86,6 +87,26 @@ public final class FileUtils {
         return success;
     }
 
+    /**
+     * Generates a new temporary file name that is guaranteed to be unique.
+     *
+     * @param prefix the prefix for the file name to generate
+     * @param extension the extension of the generated file name
+     * @return a temporary File
+     */
+    public static File getTempFile(String prefix, String extension) {
+        final File dir = Settings.getTempDirectory();
+        if (!dir.exists()) {
+            dir.mkdirs();
+        }
+        final String tempFileName = String.format("%s%s.%s", prefix, UUID.randomUUID().toString(), extension);
+        final File tempFile = new File(dir, tempFileName);
+        if (tempFile.exists()) {
+            return getTempFile(prefix, extension);
+        }
+        return tempFile;
+    }
+
     /**
      * Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the
      * Settings object, and the path exists, that path will be returned as a File object. If it does not exist, then a

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java

@@ -0,0 +1,133 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.net.MalformedURLException;
+import java.net.URISyntaxException;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.junit.After;
+import org.junit.AfterClass;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertNull;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class AbstractSuppressionAnalyzerTest {
+
+    public AbstractSuppressionAnalyzerTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+        try {
+            final String uri = this.getClass().getClassLoader().getResource("suppressions.xml").toURI().toURL().toString();
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, uri);
+        } catch (URISyntaxException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (MalformedURLException ex) {
+            Logger.getLogger(AbstractSuppressionAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        }
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
+     */
+    @Test
+    public void testGetSupportedExtensions() {
+        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
+        Set<String> result = instance.getSupportedExtensions();
+        assertNull(result);
+    }
+
+    /**
+     * Test of supportsExtension method, of class AbstractSuppressionAnalyzer.
+     */
+    @Test
+    public void testSupportsExtension() {
+        String extension = "jar";
+        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
+        boolean expResult = true;
+        boolean result = instance.supportsExtension(extension);
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of initialize method, of class AbstractSuppressionAnalyzer.
+     */
+    @Test
+    public void testInitialize() throws Exception {
+        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
+        instance.initialize();
+    }
+
+    /**
+     * Test of getRules method, of class AbstractSuppressionAnalyzer.
+     */
+    @Test
+    public void testGetRules() throws Exception {
+        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
+        instance.initialize();
+        int expCount = 5;
+        List<SuppressionRule> result = instance.getRules();
+        assertEquals(expCount, result.size());
+    }
+
+    public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {
+
+        @Override
+        public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+            throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        }
+
+        @Override
+        public String getName() {
+            throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        }
+
+        @Override
+        public AnalysisPhase getAnalysisPhase() {
+            throw new UnsupportedOperationException("Not supported yet."); //To change body of generated methods, choose Tools | Templates.
+        }
+    }
+
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java

@@ -74,7 +74,7 @@ public class AssemblyAnalyzerTest {
         File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
         Dependency d = new Dependency(f);
         analyzer.analyze(d, null);
-        assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5140.29700", Confidence.HIGHEST)));
+        assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5176.23901", Confidence.HIGHEST)));
     }
 
     @Test

dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/FileUtilsTest.java

@@ -73,7 +73,7 @@ public class FileUtilsTest {
     @Test
     public void testDelete() throws Exception {
 
-        File file = File.createTempFile("tmp", "deleteme");
+        File file = File.createTempFile("tmp", "deleteme", Settings.getTempDirectory());
         if (!file.exists()) {
             fail("Unable to create a temporary file.");
         }

dependency-check-jenkins/pom.xml

@@ -6,7 +6,7 @@
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.2</version>
+        <version>1.1.3</version>
     </parent>
 
     <groupId>org.owasp</groupId>

dependency-check-maven/pom.xml

@@ -23,7 +23,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.2</version>
+        <version>1.1.3</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/DependencyCheckMojo.java

@@ -92,17 +92,17 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     @Parameter(property = "report-name", defaultValue = "dependency-check-report")
     private String reportName;
     /**
-     * The path to the verbose log
+     * The path to the verbose log.
      */
     @Parameter(property = "logfile", defaultValue = "")
     private String logFile;
     /**
-     * The name of the report to be displayed in the Maven Generated Reports page
+     * The name of the report to be displayed in the Maven Generated Reports page.
      */
     @Parameter(property = "name", defaultValue = "Dependency-Check")
     private String name;
     /**
-     * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page
+     * The description of the Dependency-Check report to be displayed in the Maven Generated Reports page.
      */
     @Parameter(property = "description", defaultValue = "A report providing details on any published "
             + "vulnerabilities within project dependencies. This report is a best effort but may contain "
@@ -117,6 +117,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
      * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
      * which means since the CVSS scores are 0-10, by default the build will never fail.
      */
+    @SuppressWarnings("CanBeFinal")
     @Parameter(property = "failBuildOnCVSS", defaultValue = "11", required = true)
     private float failBuildOnCVSS = 11;
     /**
@@ -128,7 +129,7 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
      * false. Default is true.
      */
-    @SuppressWarnings({"CanBeFinal", "FieldCanBeLocal"})
+    @SuppressWarnings("CanBeFinal")
     @Parameter(property = "autoupdate", defaultValue = "true", required = true)
     private boolean autoUpdate = true;
     /**
@@ -240,18 +241,21 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     @Parameter(property = "zipExtensions", required = false)
     private String zipExtensions;
     /**
-     * Skip Analisys for Test Scope Dependencies
+     * Skip Analisys for Test Scope Dependencies.
      */
+    @SuppressWarnings("CanBeFinal")
     @Parameter(property = "skipTestScope", defaultValue = "true", required = false)
     private boolean skipTestScope = true;
     /**
-     * Skip Analisys for Runtime Scope Dependencies
+     * Skip Analisys for Runtime Scope Dependencies.
      */
+    @SuppressWarnings("CanBeFinal")
     @Parameter(property = "skipRuntimeScope", defaultValue = "false", required = false)
     private boolean skipRuntimeScope = false;
     /**
-     * Skip Analisys for Provided Scope Dependencies
+     * Skip Analisys for Provided Scope Dependencies.
      */
+    @SuppressWarnings("CanBeFinal")
     @Parameter(property = "skipProvidedScope", defaultValue = "false", required = false)
     private boolean skipProvidedScope = false;
     /**
@@ -260,26 +264,32 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
     @Parameter(property = "dataDirectory", defaultValue = "", required = false)
     private String dataDirectory;
     /**
-     * Data Mirror URL for CVE 1.2
+     * Data Mirror URL for CVE 1.2.
      */
     @Parameter(property = "cveUrl12Modified", defaultValue = "", required = false)
     private String cveUrl12Modified;
     /**
-     * Data Mirror URL for CVE 2.0
+     * Data Mirror URL for CVE 2.0.
      */
     @Parameter(property = "cveUrl20Modified", defaultValue = "", required = false)
     private String cveUrl20Modified;
     /**
-     * Base Data Mirror URL for CVE 1.2
+     * Base Data Mirror URL for CVE 1.2.
      */
     @Parameter(property = "cveUrl12Base", defaultValue = "", required = false)
     private String cveUrl12Base;
     /**
-     * Data Mirror URL for CVE 2.0
+     * Data Mirror URL for CVE 2.0.
      */
     @Parameter(property = "cveUrl20Base", defaultValue = "", required = false)
     private String cveUrl20Base;
 
+    /**
+     * The path to mono for .NET Assembly analysis on non-windows systems.
+     */
+    @Parameter(property = "pathToMono", defaultValue = "", required = false)
+    private String pathToMono;
+
     // </editor-fold>
     /**
      * Executes the Dependency-Check on the dependent libraries.
@@ -800,6 +810,9 @@ public class DependencyCheckMojo extends AbstractMojo implements MavenMultiPageR
         if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
     }
 
     /**

dependency-check-maven/src/site/markdown/configuration.md

@@ -8,27 +8,28 @@ autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is ena
 externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
 failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
 format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
-logFile              | The file path to write verbose logging information. |
+logFile              | The file path to write verbose logging information. |  
-suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) |  
-connectionTimeout    | The Connection Timeout.            |
+connectionTimeout    | The Connection Timeout.            |  
-proxyUrl             | The Proxy URL.                     |
+proxyUrl             | The Proxy URL.                     |  
-proxyPort            | The Proxy Port.                    |
+proxyPort            | The Proxy Port.                    |  
-proxyUsername        | Defines the proxy user name.       |
+proxyUsername        | Defines the proxy user name.       |  
-proxyPassword        | Defines the proxy password.        |
+proxyPassword        | Defines the proxy password.        |  
-nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. |
+nexusAnalyzerEnabled | Sets whether Nexus Analyzer will be used. |  
-nexusUrl             | Defines the Nexus URL. |
+nexusUrl             | Defines the Nexus URL. |  
 nexusUsesProxy       | Whether or not the defined proxy should be used when connecting to Nexus. | true
-databaseDriverName   | The name of the database driver. Example: org.h2.Driver. |
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver. |  
-databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  
-connectionString     | The connection string used to connect to the database. |
+connectionString     | The connection string used to connect to the database. |  
-databaseUser         | The username used when connecting to the database. |
+databaseUser         | The username used when connecting to the database. |  
-databasePassword     | The password used when connecting to the database. |
+databasePassword     | The password used when connecting to the database. |  
-zipExtensions        | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |
+zipExtensions        | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |  
-skipTestScope | Should be skip analysis for artifacts with Test Scope | true
+skipTestScope        | Should be skip analysis for artifacts with Test Scope | true
-skipProvidedScope | Should be skip analysis for artifacts with Provided Scope | false
+skipProvidedScope    | Should be skip analysis for artifacts with Provided Scope | false
-skipRuntimeScope | Should be skip analysis for artifacts with Runtime Scope | false
+skipRuntimeScope     | Should be skip analysis for artifacts with Runtime Scope | false
-dataDirectory | Data directory to hold SQL CVEs contents. This should generally not be changed. |
+dataDirectory        | Data directory to hold SQL CVEs contents. This should generally not be changed. |  
-cveUrl12Modified | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl12Modified     | URL for the modified CVE 1.2 | http://nvd.nist.gov/download/nvdcve-modified.xml
-cveUrl20Modified | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0 | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cveUrl12Base | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
-cveUrl20Base | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+pathToMono           | The path to Mono for .NET assembly analysis on non-windows systems |  

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.1.2</version>
+    <version>1.1.3</version>
     <packaging>pom</packaging>
 
     <modules>

src/site/site.xml

@@ -50,7 +50,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
               title="built with maven"
               alt="built with maven"
               img="http://jeremylong.github.io/DependencyCheck/images/logos/maven-feather.png"/>
-        <logo name="IntelliJ" href="http://maven.apache.org/"
+        <logo name="IntelliJ" href="http://www.jetbrains.com/idea/"
               title="developed using" width="170px"
               alt="developed using"
               img="http://jeremylong.github.io/DependencyCheck/images/logos/logo_intellij_idea.png"/>