version 1.4.3

using more robust check for windows os
disabling batch support for mysql to fix issue #503 - more testing needs to be done
2026-01-15 08:13:43 +01:00 · 2016-09-06 07:04:34 -04:00 · 2016-09-06 06:42:12 -04:00 · 2016-09-06 06:36:08 -04:00 · 2016-09-06 06:23:55 -04:00 · 2016-09-06 05:48:12 -04:00
693 changed files with 364558 additions and 45844 deletions
--- a/.github/issue_template.md
+++ b/.github/issue_template.md
@@ -0,0 +1,18 @@
 ### Reporting Bugs/Errors
 When reporting errors, 99% of the time log file output is required. Please post the log file as a [gist](https://gist.github.com/) and provide a link in the new issue.
 ### Reporting False Positives
 When reporting a false positive please include:
 - The location of the dependency (Maven GAV, URL to download the dependency, etc.)
 - The CPE that is believed to be false positive
  - Please report the CPE not the CVE
 #### Example
 False positive on library foo.jar - reported as cpe:/a:apache:tomcat:7.0
 ```xml
 <dependency>
   <groupId>org.sample</groupId>
   <artifactId>foo</artifactId>
   <version>1.0</version>
 </dependency>
 ```
--- a/.gitignore
+++ b/.gitignore
@@ -1,4 +1,6 @@
 */target/**
 # IntelliJ test run side-effects
 dependency-check-core/data/
 # Intellij project files
 *.iml
 *.ipr
@@ -7,6 +9,10 @@
 # Eclipse project files
 .classpath
 .project
 .settings
 maven-eclipse.xml
 .externalToolBuilders
 .pmd
 # Netbeans configuration
 nb-configuration.xml
 /target/
@@ -17,4 +23,8 @@ Gemfile
 Gemfile.lock
 _site/**
 #unknown as to why these are showing up... but need to be ignored.
-.LCKpom.xml~
+.LCKpom.xml~
 #coverity
 /cov-int/
 /dependency-check-core/nbproject/
 cov-scan.bat
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,2 @@
 language: java
 jdk: oraclejdk7
--- a/README.md
+++ b/README.md
@@ -1,3 +1,5 @@
 [![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck)
 Dependency-Check
 ================
@@ -9,27 +11,35 @@ Current Releases
 -------------
 ### Jenkins Plugin
-For instructions on the use of the Jenkins plugin please see the [Jenkins dependency-check page](http://wiki.jenkins-ci.org/x/CwDgAQ).
+For instructions on the use of the Jenkins plugin please see the [OWASP Dependency-Check Plugin page](https://wiki.jenkins-ci.org/display/JENKINS/OWASP+Dependency-Check+Plugin).
 ### Command Line
-More detailed instructions can be found on the [dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+More detailed instructions can be found on the
-The latest CLI can be downloaded from bintray's [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
+[dependency-check github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/).
 The latest CLI can be downloaded from bintray's
 [dependency-check page](https://bintray.com/jeremy-long/owasp/dependency-check).
 On *nix
 ```
 $ ./bin/dependency-check.sh -h
-$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+$ ./bin/dependency-check.sh --project Testing --out . --scan [path to jar files to be scanned]
 ```
 On Windows
 ```
 > bin/dependency-check.bat -h
-> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+> bin/dependency-check.bat --project Testing --out . --scan [path to jar files to be scanned]
 ```
 On Mac with [Homebrew](http://brew.sh)
 ```
 $ brew update && brew install dependency-check
 $ dependency-check -h
 $ dependency-check --project Testing --out . --scan [path to jar files to be scanned]
 ```
 ### Maven Plugin
-More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/usage.html).
+More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
 The plugin can be configured using the following:
 ```xml
@@ -40,7 +50,6 @@ The plugin can be configured using the following:
            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
              <version>1.0.2</version>
              <executions>
                  <execution>
                      <goals>
@@ -59,27 +68,31 @@ The plugin can be configured using the following:
 ### Ant Task
-For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant).
 Development Usage
 -------------
 The following instructions outline how to compile and use the current snapshot. While every intention is to maintain a stable snapshot it is recommended
 that the release versions listed above be used.
-Note, currently the install goal may take a long time to execute the integration tests. However, if this takes more then 30 minutes it is likely that the
+The repository has some large files due to test resources. The team has tried to cleanup the history as much as possible.
-download of data from the NVD is having an issue. This issue is still being researched and a solution should be published soon.
+However, it is recommended that you perform a shallow clone to save yourself time:
 ```bash
 git clone --depth 1 git@github.com:jeremylong/DependencyCheck.git
 ```
 On *nix
 ```
 $ mvn install
 $ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
-$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --project Testing --out . --scan ./src/test/resources
 ```
 On Windows
 ```
 > mvn install
 > dependency-check-cli/target/release/bin/dependency-check.bat -h
-> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+> dependency-check-cli/target/release/bin/dependency-check.bat --project Testing --out . --scan ./src/test/resources
 ```
 Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
@@ -96,9 +109,9 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
@@ -106,4 +119,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
  [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt
--- a/dependency-check-ant/NOTICE.txt
+++ b/dependency-check-ant/NOTICE.txt
@@ -1,9 +1,6 @@
-----------------------------
+OWASP dependency-check
 ---begin dependency-check----
 -----------------------------
 dependency-check
-Copyright (c) 2012-2013 Jeremy Long. All Rights Reserved.
+Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
 The licenses for the software listed below can be found in the META-INF/licenses/[dependency name].
@@ -19,11 +16,3 @@ An original copy of the license agreement can be found at: http://www.h2database
 This product includes data from the Common Weakness Enumeration (CWE): http://cwe.mitre.org/
 This product downloads and utilizes data from the National Vulnerability Database hosted by NIST: http://nvd.nist.gov/download.cfm
 -----------------------------
 ---end dependency-check------
 -----------------------------
 Notices below are from dependent libraries and have been included via maven-shade-plugin.
 -----------------------------
--- a/dependency-check-ant/README.md
+++ b/dependency-check-ant/README.md
@@ -6,7 +6,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
 Mailing List
 ------------
@@ -20,6 +20,6 @@ Copyright & License
 Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
-Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-ant/blob/master/NOTICES.txt) file for more information.
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.
--- a/dependency-check-ant/config/checkstyle-checks.xml
+++ b/dependency-check-ant/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE module PUBLIC
          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
 <module name="Checker">
  <!--
      If you set the basedir property below, then all reported file
      names will be relative to the specified directory. See
      http://checkstyle.sourceforge.net/5.x/config.html#Checker
      <property name="basedir" value="${basedir}"/>
  -->
  <property name="severity" value="error"/>
  <module name="SuppressionFilter">
    <property name="file" value="${checkstyle.suppressions.file}"/>
  </module>
  <module name="JavadocPackage">
    <property name="allowLegacy" value="false"/>
  </module>
  <module name="Translation">
    <property name="severity" value="warning"/>
  </module>
  <module name="FileTabCharacter">
    <property name="eachLine" value="false"/>
  </module>
  <module name="FileLength">
    <property name="fileExtensions" value="java"/>
  </module>
  <module name="NewlineAtEndOfFile">
  <property name="fileExtensions" value="java"/>
  <property name="lineSeparator" value="lf"/>
  </module>
  <module name="RegexpHeader">
    <property name="headerFile" value="${checkstyle.header.file}"/>
    <property name="fileExtensions" value="java"/>
    <property name="id" value="header"/>
  </module>
  <module name="RegexpSingleline">
    <property name="format" value="\s+$"/>
    <property name="minimum" value="0"/>
    <property name="maximum" value="0"/>
  </module>
  <module name="TreeWalker">
    <property name="tabWidth" value="4"/>
    <module name="AvoidStarImport"/>
    <module name="ConstantName"/>
    <module name="EmptyBlock"/>
    <module name="EmptyForIteratorPad"/>
    <module name="EqualsHashCode"/>
    <module name="OneStatementPerLine"/>
    <!-- module name="IllegalCatch"/ -->
    <!--module name="ImportControl">
      <property name="file" value="${checkstyle.importcontrol.file}"/>
    </module-->
    <module name="IllegalImport"/>
    <module name="IllegalInstantiation"/>
    <module name="IllegalThrows"/>
    <module name="InnerAssignment"/>
    <module name="JavadocType">
      <property name="authorFormat" value="\S"/>
    </module>
    <module name="JavadocMethod">
      <property name="allowUndeclaredRTE" value="true"/>
      <property name="allowThrowsTagsForSubclasses" value="true"/>
      <property name="allowMissingPropertyJavadoc" value="true"/>
    </module>
    <module name="JavadocVariable"/>
    <module name="JavadocStyle">
      <property name="scope" value="public"/>
    </module>
    <module name="LeftCurly">
      <property name="option" value="eol"/>
      <property name="tokens" value="CLASS_DEF"/>
      <property name="tokens" value="CTOR_DEF"/>
      <property name="tokens" value="INTERFACE_DEF"/>
      <property name="tokens" value="METHOD_DEF"/>
      <property name="tokens" value="LITERAL_CATCH"/>
      <property name="tokens" value="LITERAL_DO"/>
      <property name="tokens" value="LITERAL_ELSE"/>
      <property name="tokens" value="LITERAL_FINALLY"/>
      <property name="tokens" value="LITERAL_FOR"/>
      <property name="tokens" value="LITERAL_IF"/>
      <property name="tokens" value="LITERAL_SWITCH"/>
      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
      <property name="tokens" value="LITERAL_TRY"/>
      <property name="tokens" value="LITERAL_WHILE"/>
    </module>
    <module name="OuterTypeNumber"/>
    <module name="LineLength">
      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
    <property name="max" value="150"/>
    </module>
    <module name="MethodCount">
      <property name="maxTotal" value="40"/>
    </module>
    <module name="LocalFinalVariableName"/>
    <module name="LocalVariableName"/>
    <module name="MemberName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="MethodLength">
        <property name="max" value="160"/>
        <property name="countEmpty" value="false"/>
    </module>
    <module name="MethodName"/>
    <module name="MethodParamPad"/>
    <module name="ModifierOrder"/>
    <module name="NeedBraces"/>
    <module name="NoWhitespaceAfter">
      <property name="tokens" value="ARRAY_INIT"/>
      <property name="tokens" value="BNOT"/>
      <property name="tokens" value="DEC"/>
      <property name="tokens" value="DOT"/>
      <property name="tokens" value="INC"/>
      <property name="tokens" value="LNOT"/>
      <property name="tokens" value="UNARY_MINUS"/>
      <property name="tokens" value="UNARY_PLUS"/>
    </module>
    <module name="NoWhitespaceBefore"/>
    <module name="NoWhitespaceBefore">
      <property name="tokens" value="DOT"/>
      <property name="allowLineBreaks" value="true"/>
    </module>
    <module name="OperatorWrap"/>
    <module name="OperatorWrap">
      <property name="tokens" value="ASSIGN"/>
      <property name="tokens" value="DIV_ASSIGN"/>
      <property name="tokens" value="PLUS_ASSIGN"/>
      <property name="tokens" value="MINUS_ASSIGN"/>
      <property name="tokens" value="STAR_ASSIGN"/>
      <property name="tokens" value="MOD_ASSIGN"/>
      <property name="tokens" value="SR_ASSIGN"/>
      <property name="tokens" value="BSR_ASSIGN"/>
      <property name="tokens" value="SL_ASSIGN"/>
      <property name="tokens" value="BXOR_ASSIGN"/>
      <property name="tokens" value="BOR_ASSIGN"/>
      <property name="tokens" value="BAND_ASSIGN"/>
      <property name="option" value="eol"/>
    </module>
    <module name="PackageName"/>
    <module name="ParameterName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="ParameterNumber">
      <property name="id" value="paramNum"/>
    </module>
    <module name="ParenPad"/>
    <module name="TypecastParenPad"/>
    <module name="RedundantImport"/>
    <module name="RedundantModifier"/>
    <module name="RightCurly">
      <property name="option" value="same"/>
    </module>
    <module name="SimplifyBooleanExpression"/>
    <module name="SimplifyBooleanReturn"/>
    <module name="StaticVariableName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="TypeName"/>
    <module name="UnusedImports"/>
    <module name="UpperEll"/>
    <module name="VisibilityModifier"/>
    <module name="WhitespaceAfter"/>
    <module name="WhitespaceAround"/>
    <module name="GenericWhitespace"/>
    <module name="FinalClass"/>
    <module name="MissingSwitchDefault"/>
    <!--module name="MagicNumber"/-->
    <!--module name="Indentation">
      <property name="basicOffset" value="4"/>
      <property name="braceAdjustment" value="0"/>
      <property name="caseIndent" value="0"/>
    </module-->
    <module name="ArrayTrailingComma"/>
    <module name="FinalLocalVariable"/>
    <module name="EqualsAvoidNull"/>
    <module name="ParameterAssignment"/>
    <!-- Generates quite a few errors -->
    <module name="CyclomaticComplexity">
      <property name="severity" value="ignore"/>
    </module>
    <module name="NestedForDepth">
      <property name="max" value="2"/>
    </module>
    <module name="NestedIfDepth">
      <property name="max" value="4"/>
    </module>
    <module name="NestedTryDepth">
        <property name="max" value="2"/>
    </module>
    <!--module name="ExplicitInitialization"/-->
    <module name="AnnotationUseStyle"/>
    <module name="MissingDeprecated"/>
    <module name="MissingOverride">
      <property name="javaFiveCompatibility" value="true"/>
    </module>
    <module name="PackageAnnotation"/>
    <module name="SuppressWarnings"/>
    <module name="OuterTypeFilename"/>
    <module name="HideUtilityClassConstructor"/>
  </module>
 </module>
--- a/dependency-check-ant/config/checkstyle-header.txt
+++ b/dependency-check-ant/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-ant\.\s*$
 ^ \*\s*$
 ^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
 ^ \* you may not use this file except in compliance with the License.\s*$
 ^ \* You may obtain a copy of the License at\s*$
 ^ \*\s*$
 ^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
 ^ \*\s*$
 ^ \* Unless required by applicable law or agreed to in writing, software\s*$
 ^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
 ^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
 ^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
--- a/dependency-check-ant/config/checkstyle-suppressions.xml
+++ b/dependency-check-ant/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE suppressions PUBLIC
     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
 <suppressions>
    <suppress checks=".*" files=".*[\\/]package-info\.java" />
 </suppressions>
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.
 Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.4.3</version>
    </parent>
    <artifactId>dependency-check-ant</artifactId>
    <packaging>jar</packaging>
    <name>Dependency-Check Ant Task</name>
-    <description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -69,7 +68,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <escapeWindowsPaths>false</escapeWindowsPaths>
                </configuration>
@@ -194,54 +192,41 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-shade-plugin</artifactId>
+                <artifactId>maven-jar-plugin</artifactId>
                <version>2.1</version>
                <configuration>
-                    <transformers>
+                    <archive>
-                        <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
+                        <manifest>
-                        <transformer implementation="org.apache.maven.plugins.shade.resource.AppendingTransformer">
+                            <addClasspath>true</addClasspath>
-                            <resource>META-INF/NOTICE.txt</resource>
+                            <classpathPrefix>lib/</classpathPrefix>
-                        </transformer>
+                        </manifest>
-                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+                    </archive>
-                            <resource>META-INF/NOTICE</resource>
+                </configuration>
-                        </transformer>
+            </plugin>
-                        <transformer implementation="org.apache.maven.plugins.shade.resource.DontIncludeResourceTransformer">
+            <plugin>
-                            <resource>META-INF/LICENSE</resource>
+                <groupId>org.apache.maven.plugins</groupId>
-                        </transformer>
+                <artifactId>maven-assembly-plugin</artifactId>
-                    </transformers>
+                <configuration>
                    <attach>false</attach> <!-- don't install/deploy this archive -->
                </configuration>
                <executions>
                    <execution>
                        <id>create-distribution</id>
                        <phase>package</phase>
                        <goals>
-                            <goal>shade</goal>
+                            <goal>single</goal>
                        </goals>
                        <configuration>
                            <descriptors>
                                <descriptor>src/main/assembly/release.xml</descriptor>
                            </descriptors>
                        </configuration>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <version>2.4</version>
                <configuration>
                    <archive>
                        <manifest>
                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                        </manifest>
                    </archive>
                    <excludes>
                        <exclude>**/checkstyle*</exclude>
                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <instrumentation>
                        <ignoreTrivial>true</ignoreTrivial>
                    </instrumentation>
                    <check>
                        <branchRate>85</branchRate>
                        <lineRate>85</lineRate>
@@ -270,8 +255,8 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.16</version>
                <configuration>
                    <argLine>-Dfile.encoding=UTF-8</argLine>
                    <systemProperties>
                        <property>
                            <name>data.directory</name>
@@ -280,156 +265,55 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                    </systemProperties>
                </configuration>
            </plugin>
        </plugins>
    </build>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>3.1</version>
+                <version>${reporting.checkstyle-plugin.version}</version>
                <configuration>
-                    <showDeprecation>false</showDeprecation>
+                    <enableRulesSummary>false</enableRulesSummary>
-                    <source>1.6</source>
+                    <enableFilesSummary>false</enableFilesSummary>
-                    <target>1.6</target>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
+                <artifactId>maven-pmd-plugin</artifactId>
-                <version>3.3</version>
+                <version>${reporting.pmd-plugin.version}</version>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven.doxia</groupId>
                        <artifactId>doxia-module-markdown</artifactId>
                        <version>1.5</version>
                    </dependency>
                </dependencies>
                <configuration>
-                    <skipDeploy>true</skipDeploy>
+                    <targetJdk>1.6</targetJdk>
-                    <reportPlugins>
+                    <linkXref>true</linkXref>
-                        <plugin>
+                    <sourceEncoding>utf-8</sourceEncoding>
-                            <groupId>org.apache.maven.plugins</groupId>
+                    <excludes>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
+                        <exclude>**/generated/*.java</exclude>
-                            <version>2.7</version>
+                    </excludes>
-                            <reportSets>
+                    <rulesets>
-                                <reportSet>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <reports>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
-                                        <report>index</report>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
-                                        <report>summary</report>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                        <report>license</report>
+                    </rulesets>
                                        <report>help</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
                                    <reports>
                                        <report>javadoc</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>versions-maven-plugin</artifactId>
                            <version>2.1</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>dependency-updates-report</report>
                                        <report>plugin-updates-report</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-jxr-plugin</artifactId>
                            <version>2.4</version>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>cobertura-maven-plugin</artifactId>
                            <version>2.6</version>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-surefire-report-plugin</artifactId>
                            <version>2.16</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>report-only</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>taglist-maven-plugin</artifactId>
                            <version>2.4</version>
                            <configuration>
                                <tagListOptions>
                                    <tagClasses>
                                        <tagClass>
                                            <displayName>Todo Work</displayName>
                                            <tags>
                                                <tag>
                                                    <matchString>todo</matchString>
                                                    <matchType>ignoreCase</matchType>
                                                </tag>
                                                <tag>
                                                    <matchString>FIXME</matchString>
                                                    <matchType>exact</matchType>
                                                </tag>
                                            </tags>
                                        </tagClass>
                                    </tagClasses>
                                </tagListOptions>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-checkstyle-plugin</artifactId>
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
                            <version>3.0.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
                                <sourceEncoding>utf-8</sourceEncoding>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>findbugs-maven-plugin</artifactId>
                            <version>2.5.3</version>
                        </plugin>
                    </reportPlugins>
                </configuration>
            </plugin>
        </plugins>
-    </build>
+    </reporting>
    <dependencies>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-utils</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
@@ -440,12 +324,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant</artifactId>
-            <version>1.9.3</version>
+            <scope>provided</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant-testutil</artifactId>
            <version>1.9.3</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
--- a/dependency-check-ant/src/main/assembly/release.xml
+++ b/dependency-check-ant/src/main/assembly/release.xml
@@ -12,18 +12,25 @@
        <format>zip</format>
    </formats>
    <includeBaseDirectory>false</includeBaseDirectory>
-    <fileSets>
+    <!--fileSets>
        <fileSet>
-            <outputDirectory>/</outputDirectory>
+            <outputDirectory>dependency-check</outputDirectory>
            <directory>${project.build.directory}</directory>
            <includes>
                <include>dependency-check*.jar</include>
            </includes>
        </fileSet>
-    </fileSets>
+    </fileSets-->
    <files>
        <file>
            <source>${project.build.directory}/${project.artifactId}-${project.version}.jar</source>
            <outputDirectory>dependency-check-ant</outputDirectory>
            <destName>dependency-check-ant.jar</destName>
        </file>
    </files>
    <dependencySets>
        <dependencySet>
-            <outputDirectory>/lib</outputDirectory>
+            <outputDirectory>dependency-check-ant/lib</outputDirectory>
            <scope>runtime</scope>
        </dependencySet>
    </dependencySets>
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
@@ -0,0 +1,273 @@
 /*
 * This file is part of dependency-check-ant.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.ant.logging;
 import org.apache.tools.ant.Project;
 import org.apache.tools.ant.Task;
 import org.slf4j.helpers.FormattingTuple;
 import org.slf4j.helpers.MarkerIgnoringBase;
 import org.slf4j.helpers.MessageFormatter;
 /**
 * An instance of {@link org.slf4j.Logger} which simply calls the log method on the delegate Ant task.
 *
 * @author colezlaw
 */
 public class AntLoggerAdapter extends MarkerIgnoringBase {
    /**
     * A reference to the Ant task used for logging.
     */
    private Task task;
    /**
     * Constructs an Ant Logger Adapter.
     *
     * @param task the Ant Task to use for logging
     */
    public AntLoggerAdapter(Task task) {
        super();
        this.task = task;
    }
    /**
     * Sets the current Ant task to use for logging.
     *
     * @param task the Ant task to use for logging
     */
    public void setTask(Task task) {
        this.task = task;
    }
    @Override
    public boolean isTraceEnabled() {
        // Might be a more efficient way to do this, but Ant doesn't enable or disable
        // various levels globally - it just fires things at registered Listeners.
        return true;
    }
    @Override
    public void trace(String msg) {
        if (task != null) {
            task.log(msg, Project.MSG_VERBOSE);
        }
    }
    @Override
    public void trace(String format, Object arg) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg);
            task.log(tp.getMessage(), Project.MSG_VERBOSE);
        }
    }
    @Override
    public void trace(String format, Object arg1, Object arg2) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
            task.log(tp.getMessage(), Project.MSG_VERBOSE);
        }
    }
    @Override
    public void trace(String format, Object... arguments) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arguments);
            task.log(tp.getMessage(), Project.MSG_VERBOSE);
        }
    }
    @Override
    public void trace(String msg, Throwable t) {
        if (task != null) {
            task.log(msg, t, Project.MSG_VERBOSE);
        }
    }
    @Override
    public boolean isDebugEnabled() {
        return true;
    }
    @Override
    public void debug(String msg) {
        if (task != null) {
            task.log(msg, Project.MSG_DEBUG);
        }
    }
    @Override
    public void debug(String format, Object arg) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg);
            task.log(tp.getMessage(), Project.MSG_DEBUG);
        }
    }
    @Override
    public void debug(String format, Object arg1, Object arg2) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
            task.log(tp.getMessage(), Project.MSG_DEBUG);
        }
    }
    @Override
    public void debug(String format, Object... arguments) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arguments);
            task.log(tp.getMessage(), Project.MSG_DEBUG);
        }
    }
    @Override
    public void debug(String msg, Throwable t) {
        if (task != null) {
            task.log(msg, t, Project.MSG_DEBUG);
        }
    }
    @Override
    public boolean isInfoEnabled() {
        return true;
    }
    @Override
    public void info(String msg) {
        if (task != null) {
            task.log(msg, Project.MSG_INFO);
        }
    }
    @Override
    public void info(String format, Object arg) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg);
            task.log(tp.getMessage(), Project.MSG_INFO);
        }
    }
    @Override
    public void info(String format, Object arg1, Object arg2) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
            task.log(tp.getMessage(), Project.MSG_INFO);
        }
    }
    @Override
    public void info(String format, Object... arguments) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arguments);
            task.log(tp.getMessage(), Project.MSG_INFO);
        }
    }
    @Override
    public void info(String msg, Throwable t) {
        if (task != null) {
            task.log(msg, t, Project.MSG_INFO);
        }
    }
    @Override
    public boolean isWarnEnabled() {
        return true;
    }
    @Override
    public void warn(String msg) {
        if (task != null) {
            task.log(msg, Project.MSG_WARN);
        }
    }
    @Override
    public void warn(String format, Object arg) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg);
            task.log(tp.getMessage(), Project.MSG_WARN);
        }
    }
    @Override
    public void warn(String format, Object... arguments) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arguments);
            task.log(tp.getMessage(), Project.MSG_WARN);
        }
    }
    @Override
    public void warn(String format, Object arg1, Object arg2) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
            task.log(tp.getMessage(), Project.MSG_WARN);
        }
    }
    @Override
    public void warn(String msg, Throwable t) {
        if (task != null) {
            task.log(msg, t, Project.MSG_WARN);
        }
    }
    @Override
    public boolean isErrorEnabled() {
        return true;
    }
    @Override
    public void error(String msg) {
        if (task != null) {
            task.log(msg, Project.MSG_ERR);
        }
    }
    @Override
    public void error(String format, Object arg) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg);
            task.log(tp.getMessage(), Project.MSG_ERR);
        }
    }
    @Override
    public void error(String format, Object arg1, Object arg2) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arg1, arg2);
            task.log(tp.getMessage(), Project.MSG_ERR);
        }
    }
    @Override
    public void error(String format, Object... arguments) {
        if (task != null) {
            final FormattingTuple tp = MessageFormatter.format(format, arguments);
            task.log(tp.getMessage(), Project.MSG_ERR);
        }
    }
    @Override
    public void error(String msg, Throwable t) {
        if (task != null) {
            task.log(msg, t, Project.MSG_ERR);
        }
    }
 }
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerFactory.java
@@ -0,0 +1,56 @@
 /*
 * This file is part of dependency-check-ant.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.ant.logging;
 import org.apache.tools.ant.Task;
 import org.slf4j.ILoggerFactory;
 import org.slf4j.Logger;
 /**
 * An implementation of {@link org.slf4j.ILoggerFactory} which always returns {@link AntLoggerAdapter} instances.
 *
 * @author colezlaw
 */
 public class AntLoggerFactory implements ILoggerFactory {
    /**
     * A reference to the Ant logger Adapter.
     */
    private final AntLoggerAdapter antLoggerAdapter;
    /**
     * Constructs a new Ant Logger Factory.
     *
     * @param task the Ant task to use for logging
     */
    public AntLoggerFactory(Task task) {
        super();
        this.antLoggerAdapter = new AntLoggerAdapter(task);
    }
    /**
     * Returns the Ant logger adapter.
     *
     * @param name ignored in this implementation
     * @return the Ant logger adapter
     */
    @Override
    public Logger getLogger(String name) {
        return antLoggerAdapter;
    }
 }
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/package-info.java
@@ -0,0 +1,4 @@
 /**
 * This package includes the Ant task definitions.
 */
 package org.owasp.dependencycheck.ant.logging;
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java
@@ -0,0 +1,170 @@
 /*
 * This file is part of dependency-check-ant.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.taskdefs;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 import org.apache.tools.ant.Task;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.impl.StaticLoggerBinder;
 /**
 * An Ant task definition to execute dependency-check during an Ant build.
 *
 * @author Jeremy Long
 */
 public class Purge extends Task {
    /**
     * The properties file location.
     */
    private static final String PROPERTIES_FILE = "task.properties";
    /**
     * Construct a new DependencyCheckTask.
     */
    public Purge() {
        super();
        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
        // core end up coming through this tasks logger
        StaticLoggerBinder.getSingleton().setTask(this);
    }
    /**
     * The location of the data directory that contains
     */
    private String dataDirectory = null;
    /**
     * Get the value of dataDirectory.
     *
     * @return the value of dataDirectory
     */
    public String getDataDirectory() {
        return dataDirectory;
    }
    /**
     * Set the value of dataDirectory.
     *
     * @param dataDirectory new value of dataDirectory
     */
    public void setDataDirectory(String dataDirectory) {
        this.dataDirectory = dataDirectory;
    }
    /**
     * Indicates if dependency-check should fail the build if an exception
     * occurs.
     */
    private boolean failOnError = true;
    /**
     * Get the value of failOnError.
     *
     * @return the value of failOnError
     */
    public boolean isFailOnError() {
        return failOnError;
    }
    /**
     * Set the value of failOnError.
     *
     * @param failOnError new value of failOnError
     */
    public void setFailOnError(boolean failOnError) {
        this.failOnError = failOnError;
    }
    @Override
    public void execute() throws BuildException {
        populateSettings();
        File db;
        try {
            db = new File(Settings.getDataDirectory(), "dc.h2.db");
            if (db.exists()) {
                if (db.delete()) {
                    log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
                } else {
                    final String msg = String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath());
                    if (this.failOnError) {
                        throw new BuildException(msg);
                    }
                    log(msg, Project.MSG_ERR);
                }
            } else {
                final String msg = String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath());
                if (this.failOnError) {
                    throw new BuildException(msg);
                }
                log(msg, Project.MSG_ERR);
            }
        } catch (IOException ex) {
            final String msg = "Unable to delete the database";
            if (this.failOnError) {
                throw new BuildException(msg);
            }
            log(msg, Project.MSG_ERR);
        } finally {
            Settings.cleanup(true);
        }
    }
    /**
     * Takes the properties supplied and updates the dependency-check settings.
     * Additionally, this sets the system properties required to change the
     * proxy server, port, and connection timeout.
     *
     * @throws BuildException thrown if the properties file cannot be read.
     */
    protected void populateSettings() throws BuildException {
        Settings.initialize();
        InputStream taskProperties = null;
        try {
            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
            Settings.mergeProperties(taskProperties);
        } catch (IOException ex) {
            final String msg = "Unable to load the dependency-check ant task.properties file.";
            if (this.failOnError) {
                throw new BuildException(msg, ex);
            }
            log(msg, ex, Project.MSG_WARN);
        } finally {
            if (taskProperties != null) {
                try {
                    taskProperties.close();
                } catch (IOException ex) {
                    log("", ex, Project.MSG_DEBUG);
                }
            }
        }
        if (dataDirectory != null) {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
        } else {
            final File jarPath = new File(Purge.class.getProtectionDomain().getCodeSource().getLocation().getPath());
            final File base = jarPath.getParentFile();
            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
            final File dataDir = new File(base, sub);
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
    }
 }
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -0,0 +1,453 @@
 /*
 * This file is part of dependency-check-ant.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.taskdefs;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.impl.StaticLoggerBinder;
 /**
 * An Ant task definition to execute dependency-check update. This will download
 * the latest data from the National Vulnerability Database (NVD) and store a
 * copy in the local database.
 *
 * @author Jeremy Long
 */
 public class Update extends Purge {
    /**
     * Construct a new UpdateTask.
     */
    public Update() {
        super();
        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
        // core end up coming through this tasks logger
        StaticLoggerBinder.getSingleton().setTask(this);
    }
    /**
     * The Proxy Server.
     */
    private String proxyServer;
    /**
     * Get the value of proxyServer.
     *
     * @return the value of proxyServer
     */
    public String getProxyServer() {
        return proxyServer;
    }
    /**
     * Set the value of proxyServer.
     *
     * @param server new value of proxyServer
     */
    public void setProxyServer(String server) {
        this.proxyServer = server;
    }
    /**
     * The Proxy Port.
     */
    private String proxyPort;
    /**
     * Get the value of proxyPort.
     *
     * @return the value of proxyPort
     */
    public String getProxyPort() {
        return proxyPort;
    }
    /**
     * Set the value of proxyPort.
     *
     * @param proxyPort new value of proxyPort
     */
    public void setProxyPort(String proxyPort) {
        this.proxyPort = proxyPort;
    }
    /**
     * The Proxy username.
     */
    private String proxyUsername;
    /**
     * Get the value of proxyUsername.
     *
     * @return the value of proxyUsername
     */
    public String getProxyUsername() {
        return proxyUsername;
    }
    /**
     * Set the value of proxyUsername.
     *
     * @param proxyUsername new value of proxyUsername
     */
    public void setProxyUsername(String proxyUsername) {
        this.proxyUsername = proxyUsername;
    }
    /**
     * The Proxy password.
     */
    private String proxyPassword;
    /**
     * Get the value of proxyPassword.
     *
     * @return the value of proxyPassword
     */
    public String getProxyPassword() {
        return proxyPassword;
    }
    /**
     * Set the value of proxyPassword.
     *
     * @param proxyPassword new value of proxyPassword
     */
    public void setProxyPassword(String proxyPassword) {
        this.proxyPassword = proxyPassword;
    }
    /**
     * The Connection Timeout.
     */
    private String connectionTimeout;
    /**
     * Get the value of connectionTimeout.
     *
     * @return the value of connectionTimeout
     */
    public String getConnectionTimeout() {
        return connectionTimeout;
    }
    /**
     * Set the value of connectionTimeout.
     *
     * @param connectionTimeout new value of connectionTimeout
     */
    public void setConnectionTimeout(String connectionTimeout) {
        this.connectionTimeout = connectionTimeout;
    }
    /**
     * The database driver name; such as org.h2.Driver.
     */
    private String databaseDriverName;
    /**
     * Get the value of databaseDriverName.
     *
     * @return the value of databaseDriverName
     */
    public String getDatabaseDriverName() {
        return databaseDriverName;
    }
    /**
     * Set the value of databaseDriverName.
     *
     * @param databaseDriverName new value of databaseDriverName
     */
    public void setDatabaseDriverName(String databaseDriverName) {
        this.databaseDriverName = databaseDriverName;
    }
    /**
     * The path to the database driver JAR file if it is not on the class path.
     */
    private String databaseDriverPath;
    /**
     * Get the value of databaseDriverPath.
     *
     * @return the value of databaseDriverPath
     */
    public String getDatabaseDriverPath() {
        return databaseDriverPath;
    }
    /**
     * Set the value of databaseDriverPath.
     *
     * @param databaseDriverPath new value of databaseDriverPath
     */
    public void setDatabaseDriverPath(String databaseDriverPath) {
        this.databaseDriverPath = databaseDriverPath;
    }
    /**
     * The database connection string.
     */
    private String connectionString;
    /**
     * Get the value of connectionString.
     *
     * @return the value of connectionString
     */
    public String getConnectionString() {
        return connectionString;
    }
    /**
     * Set the value of connectionString.
     *
     * @param connectionString new value of connectionString
     */
    public void setConnectionString(String connectionString) {
        this.connectionString = connectionString;
    }
    /**
     * The user name for connecting to the database.
     */
    private String databaseUser;
    /**
     * Get the value of databaseUser.
     *
     * @return the value of databaseUser
     */
    public String getDatabaseUser() {
        return databaseUser;
    }
    /**
     * Set the value of databaseUser.
     *
     * @param databaseUser new value of databaseUser
     */
    public void setDatabaseUser(String databaseUser) {
        this.databaseUser = databaseUser;
    }
    /**
     * The password to use when connecting to the database.
     */
    private String databasePassword;
    /**
     * Get the value of databasePassword.
     *
     * @return the value of databasePassword
     */
    public String getDatabasePassword() {
        return databasePassword;
    }
    /**
     * Set the value of databasePassword.
     *
     * @param databasePassword new value of databasePassword
     */
    public void setDatabasePassword(String databasePassword) {
        this.databasePassword = databasePassword;
    }
    /**
     * The url for the modified NVD CVE (1.2 schema).
     */
    private String cveUrl12Modified;
    /**
     * Get the value of cveUrl12Modified.
     *
     * @return the value of cveUrl12Modified
     */
    public String getCveUrl12Modified() {
        return cveUrl12Modified;
    }
    /**
     * Set the value of cveUrl12Modified.
     *
     * @param cveUrl12Modified new value of cveUrl12Modified
     */
    public void setCveUrl12Modified(String cveUrl12Modified) {
        this.cveUrl12Modified = cveUrl12Modified;
    }
    /**
     * The url for the modified NVD CVE (2.0 schema).
     */
    private String cveUrl20Modified;
    /**
     * Get the value of cveUrl20Modified.
     *
     * @return the value of cveUrl20Modified
     */
    public String getCveUrl20Modified() {
        return cveUrl20Modified;
    }
    /**
     * Set the value of cveUrl20Modified.
     *
     * @param cveUrl20Modified new value of cveUrl20Modified
     */
    public void setCveUrl20Modified(String cveUrl20Modified) {
        this.cveUrl20Modified = cveUrl20Modified;
    }
    /**
     * Base Data Mirror URL for CVE 1.2.
     */
    private String cveUrl12Base;
    /**
     * Get the value of cveUrl12Base.
     *
     * @return the value of cveUrl12Base
     */
    public String getCveUrl12Base() {
        return cveUrl12Base;
    }
    /**
     * Set the value of cveUrl12Base.
     *
     * @param cveUrl12Base new value of cveUrl12Base
     */
    public void setCveUrl12Base(String cveUrl12Base) {
        this.cveUrl12Base = cveUrl12Base;
    }
    /**
     * Data Mirror URL for CVE 2.0.
     */
    private String cveUrl20Base;
    /**
     * Get the value of cveUrl20Base.
     *
     * @return the value of cveUrl20Base
     */
    public String getCveUrl20Base() {
        return cveUrl20Base;
    }
    /**
     * Set the value of cveUrl20Base.
     *
     * @param cveUrl20Base new value of cveUrl20Base
     */
    public void setCveUrl20Base(String cveUrl20Base) {
        this.cveUrl20Base = cveUrl20Base;
    }
    /**
     * The number of hours to wait before re-checking for updates.
     */
    private Integer cveValidForHours;
    /**
     * Get the value of cveValidForHours.
     *
     * @return the value of cveValidForHours
     */
    public Integer getCveValidForHours() {
        return cveValidForHours;
    }
    /**
     * Set the value of cveValidForHours.
     *
     * @param cveValidForHours new value of cveValidForHours
     */
    public void setCveValidForHours(Integer cveValidForHours) {
        this.cveValidForHours = cveValidForHours;
    }
    /**
     * Executes the update by initializing the settings, downloads the NVD XML
     * data, and then processes the data storing it in the local database.
     *
     * @throws BuildException thrown if a connection to the local database
     * cannot be made.
     */
    @Override
    public void execute() throws BuildException {
        populateSettings();
        Engine engine = null;
        try {
            engine = new Engine(Update.class.getClassLoader());
            try {
                engine.doUpdates();
            } catch (UpdateException ex) {
                if (this.isFailOnError()) {
                    throw new BuildException(ex);
                }
                log(ex.getMessage(), Project.MSG_ERR);
            }
        } catch (DatabaseException ex) {
            final String msg = "Unable to connect to the dependency-check database; unable to update the NVD data";
            if (this.isFailOnError()) {
                throw new BuildException(msg, ex);
            }
            log(msg, Project.MSG_ERR);
        } finally {
            Settings.cleanup(true);
            if (engine != null) {
                engine.cleanup();
            }
        }
    }
    /**
     * Takes the properties supplied and updates the dependency-check settings.
     * Additionally, this sets the system properties required to change the
     * proxy server, port, and connection timeout.
     *
     * @throws BuildException thrown when an invalid setting is configured.
     */
    @Override
    protected void populateSettings() throws BuildException {
        super.populateSettings();
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        if (cveValidForHours != null) {
            if (cveValidForHours >= 0) {
                Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
            } else {
                throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
            }
        }
    }
 }
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/package-info.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/package-info.java
@@ -1,11 +1,4 @@
 /**
- * <html>
+ * This package includes the a slf4j logging implementation that wraps the Ant logger.
 * <head>
 * <title>org.owasp.dependencycheck.taskdefs</title>
 * </head>
 * <body>
 * This package includes the Ant task definitions.
 * </body>
 * </html>
 */
 package org.owasp.dependencycheck.taskdefs;
--- a/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
+++ b/dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java
@@ -0,0 +1,114 @@
 /*
 * This file is part of dependency-check-ant.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
 */
 package org.slf4j.impl;
 import org.apache.tools.ant.Task;
 import org.owasp.dependencycheck.ant.logging.AntLoggerFactory;
 import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 /**
 * The binding of org.slf4j.LoggerFactory class with an actual instance of
 * org.slf4j.ILoggerFactory is performed using information returned by this
 * class.
 *
 * @author colezlaw
 */
 //CSOFF: FinalClass
 public class StaticLoggerBinder implements LoggerFactoryBinder {
 //CSON: FinalClass
    /**
     * The unique instance of this class
     */
    private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
    /**
     * Return the singleton of this class.
     *
     * @return the StaticLoggerBinder singleton
     */
    public static final StaticLoggerBinder getSingleton() {
        return SINGLETON;
    }
    /**
     * Ant tasks have the log method we actually want to call. So we hang onto
     * the task as a delegate
     */
    private Task task = null;
    /**
     * Set the Task which will this is to log through.
     *
     * @param task the task through which to log
     */
    public void setTask(Task task) {
        this.task = task;
        loggerFactory = new AntLoggerFactory(task);
    }
    /**
     * Declare the version of the SLF4J API this implementation is compiled
     * against. The value of this filed is usually modified with each release.
     */
    // to avoid constant folding by the compiler, this field must *not* be final
    //CSOFF: StaticVariableName
    //CSOFF: VisibilityModifier
    public static String REQUESTED_API_VERSION = "1.7.12"; // final
    //CSON: VisibilityModifier
    //CSON: StaticVariableName
    /**
     * The logger factory class string.
     */
    private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
    /**
     * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
     * method should always be the smae object
     */
    private ILoggerFactory loggerFactory;
    /**
     * Constructs a new static logger binder.
     */
    private StaticLoggerBinder() {
        loggerFactory = new AntLoggerFactory(task);
    }
    /**
     * Returns the logger factory.
     *
     * @return the logger factory
     */
    @Override
    public ILoggerFactory getLoggerFactory() {
        return loggerFactory;
    }
    /**
     * Returns the logger factory class string.
     *
     * @return the logger factory class string
     */
    @Override
    public String getLoggerFactoryClassStr() {
        return LOGGER_FACTORY_CLASS;
    }
 }
--- a/dependency-check-ant/src/main/java/org/slf4j/impl/package-info.java
+++ b/dependency-check-ant/src/main/java/org/slf4j/impl/package-info.java
@@ -0,0 +1,4 @@
 /**
 * This package contains the static binder for the slf4j-ant logger.
 */
 package org.slf4j.impl;
--- a/dependency-check-ant/src/main/resources/dependency-check-taskdefs.properties
+++ b/dependency-check-ant/src/main/resources/dependency-check-taskdefs.properties
@@ -0,0 +1,3 @@
 dependency-check=org.owasp.dependencycheck.taskdefs.Check
 dependency-check-purge=org.owasp.dependencycheck.taskdefs.Purge
 dependency-check-update=org.owasp.dependencycheck.taskdefs.Update
--- a/dependency-check-ant/src/main/resources/log.properties
+++ b/dependency-check-ant/src/main/resources/log.properties
@@ -1,23 +0,0 @@
 handlers=java.util.logging.ConsoleHandler, java.util.logging.FileHandler
 # logging levels
 # FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
 # Configure the ConsoleHandler.
 java.util.logging.ConsoleHandler.level=INFO
 #org.owasp.dependencycheck.data.nvdcve.xml
 # Configure the FileHandler.
 #java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
 #java.util.logging.FileHandler.level=FINEST
 # The following special tokens can be used in the pattern property
 # which specifies the location and name of the log file.
 #   / - standard path separator
 #   %t - system temporary directory
 #   %h - value of the user.home system property
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
 #java.util.logging.FileHandler.pattern=./target/dependency-check.log
--- a/dependency-check-ant/src/main/resources/task.properties
+++ b/dependency-check-ant/src/main/resources/task.properties
@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=dependency-check-data
+data.directory=data/3.0
--- a/dependency-check-ant/src/main/resources/taskdefs.properties
+++ b/dependency-check-ant/src/main/resources/taskdefs.properties
@@ -1,3 +0,0 @@
 # define custom tasks here
 dependencycheck=org.owasp.dependencycheck.taskdefs.DependencyCheckTask
--- a/dependency-check-ant/src/site/markdown/config-purge.md
+++ b/dependency-check-ant/src/site/markdown/config-purge.md
@@ -0,0 +1,20 @@
 Configuration
 ====================
 The dependency-check-purge task deletes the local copy of the NVD. This task
 should rarely be used, if ever. This is included as a convenience method in
 the rare circumstance that the local H2 database because corrupt.
 ```xml
 <target name="dependency-check-purge" description="Dependency-Check purge">
    <dependency-check-purge />
 </target>
 ```
 Configuration: dependency-check-purge Task
 --------------------
 The following properties can be set on the dependency-check-purge task.
 Property              | Description                                                            | Default Value
 ----------------------|------------------------------------------------------------------------|------------------
 dataDirectory         | Data directory that is used to store the local copy of the NVD         | data
 failOnError           | Whether the build should fail if there is an error executing the purge | true
--- a/dependency-check-ant/src/site/markdown/config-update.md
+++ b/dependency-check-ant/src/site/markdown/config-update.md
@@ -0,0 +1,45 @@
 Configuration
 ====================
 The dependency-check-update task downloads and updates the local copy of the NVD.
 There are several reasons that one may want to use this task; primarily, creating
 an update that will be run only once a day or once every few days (but not greater
 then 7 days) and then use the `autoUpdate="false"` setting on individual
 dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
 for more information on why this task would be used.
 ```xml
 <target name="dependency-check-update" description="Dependency-Check Update">
    <dependency-check-update />
 </target>
 ```
 Configuration: dependency-check-update Task
 --------------------
 The following properties can be set on the dependency-check task.
 Property              | Description                        | Default Value
 ----------------------|------------------------------------|------------------
 proxyServer           | The Proxy Server.                  | &nbsp;
 proxyPort             | The Proxy Port.                    | &nbsp;
 proxyUsername         | Defines the proxy user name.       | &nbsp;
 proxyPassword         | Defines the proxy password.        | &nbsp;
 connectionTimeout     | The URL Connection Timeout.        | &nbsp;
 failOnError           | Whether the build should fail if there is an error executing the update | true
 Advanced Configuration
 ====================
 The following properties can be configured in the plugin. However, they are less frequently changed. One exception
 may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
 Property             | Description                                                                                           | Default Value
 ---------------------|-------------------------------------------------------------------------------------------------------|------------------
 cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                              | &nbsp;
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.           | &nbsp;
 connectionString     | The connection string used to connect to the database.                                                | &nbsp;
 databaseUser         | The username used when connecting to the database.                                                    | &nbsp;
 databasePassword     | The password used when connecting to the database.                                                    | &nbsp;
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -1,5 +1,11 @@
 Configuration
 ====================
 Once dependency-check-ant has been [installed](index.html) the defined tasks can be used.
 * dependency-check - the primary task used to check the project dependencies. Configuration options are below.
 * dependency-check-purge - deletes the local copy of the NVD; this should rarely be used (if ever). See the [purge configuration](config-purge.html) for more information.
 * dependency-check-update - downloads and updates the local copy of the NVD. See the [update configuration](config-update.html) for more information.
 To configure the dependency-check task you can add it to a target and include a
 file based [resource collection](http://ant.apache.org/manual/Types/resources.html#collection)
 such as a [FileSet](http://ant.apache.org/manual/Types/fileset.html), [DirSet](http://ant.apache.org/manual/Types/dirset.html),
@@ -8,7 +14,7 @@ the project's dependencies.
 ```xml
 <target name="dependency-check" description="Dependency-Check Analysis">
-    <dependency-check applicationname="Hello World"
+    <dependency-check projectname="Hello World"
                      reportoutputdirectory="${basedir}"
                      reportformat="ALL">
@@ -18,34 +24,71 @@ the project's dependencies.
    </dependency-check>
 </target>
 ```
 The following table lists the configurable properties:
-Property              | Description | Requirement | Default Value
+Configuration: dependency-check Task
----------------------|-------------|-------------|------------
+--------------------
-applicationName       | The name of the application to use in the generated report. | Required | &nbsp;
+The following properties can be set on the dependency-check task.
-reportFormat          | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
+
-reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp;
+Property              | Description                                                                                                                                                                                        | Default Value
-failBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11
+----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
-autoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true
+autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
-dataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp;
+cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
-logFile               | The file path to write verbose logging information. | Optional | &nbsp;
+failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
-suppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp;
+failOnError           | Whether the build should fail if there is an error executing the dependency-check analysis                                                                                                         | true
-proxyUrl              | Defines the proxy used to connect to the Internet. | Optional | &nbsp;
+projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
-proxyPort             | Defines the port for the proxy. | Optional | &nbsp;
+reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
-proxyUsername         | Defines the proxy user name. | Optional | &nbsp;
+reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
-proxyPassword         | Defines the proxy password. | Optional | &nbsp;
+suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       | &nbsp;
-connectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
+proxyServer           | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                                        | &nbsp;
-nexusAnalyzerEnabled  | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
+proxyPort             | The Proxy Port.                                                                                                                                                                                    | &nbsp;
-nexusUrl              | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
+proxyUsername         | Defines the proxy user name.                                                                                                                                                                       | &nbsp;
-nexusUsesProxy        | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true
+proxyPassword         | Defines the proxy password.                                                                                                                                                                        | &nbsp;
-databaseDriverName    | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
+connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        | &nbsp;
-databaseDriverPath    | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp;
+enableExperimental    | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used.                                                                             | false
-connectionString      | The connection string used to connect to the database. | Optional | &nbsp;
+
-databaseUser          | The username used when connecting to the database. | Optional | dcuser
+Analyzer Configuration
-databasePassword      | The password used when connecting to the database. | Optional | &nbsp;
+====================
-zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp;
+The following properties are used to configure the various file type analyzers.
-cveUrl12Modified      | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml
+These properties can be used to turn off specific analyzers if it is not needed.
-cveUrl20Modified      | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+Note, that specific analyzers will automatically disable themselves if no file
-cveUrl12Base          | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
+types that they support are detected - so specifically disabling them may not
-cveUrl20Base          | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+be needed.
-pathToMono            | The path to Mono for .NET assembly analysis on non-windows systems | Optional | &nbsp;
+
 Property                      | Description                                                                       | Default Value
 ------------------------------|-----------------------------------------------------------------------------------|------------------
 archiveAnalyzerEnabled        | Sets whether the Archive Analyzer will be used.                                   | true
 zipExtensions                 | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
 jarAnalyzer                   | Sets whether the Jar Analyzer will be used.                                       | true
 centralAnalyzerEnabled        | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
 nexusAnalyzerEnabled          | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
 nexusUrl                      | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
 nexusUsesProxy                | Whether or not the defined proxy should be used when connecting to Nexus.         | true
 pyDistributionAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.        | true
 pyPackageAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.             | true
 rubygemsAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.               | true
 opensslAnalyzerEnabled        | Sets whether the openssl Analyzer should be used.                                 | true
 cmakeAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used.                    | true
 autoconfAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used.                 | true
 composerAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
 nodeAnalyzerEnabled           | Sets whether the [experimental](../analyzers/index.html) Node.js Analyzer should be used.                  | true
 nuspecAnalyzerEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                         | true
 assemblyAnalyzerEnabled       | Sets whether the .NET Assembly Analyzer should be used.                           | true
 pathToMono                    | The path to Mono for .NET assembly analysis on non-windows systems.               | &nbsp;
 Advanced Configuration
 ====================
 The following properties can be configured in the plugin. However, they are less frequently changed. One exception
 may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
 Property             | Description                                                              | Default Value
 ---------------------|--------------------------------------------------------------------------|------------------
 cveUrl12Modified     | URL for the modified CVE 1.2.                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
 cveUrl20Modified     | URL for the modified CVE 2.0.                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
 cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
 connectionString     | The connection string used to connect to the database.                                      | &nbsp;
 databaseUser         | The username used when connecting to the database.                                          | &nbsp;
 databasePassword     | The password used when connecting to the database.                                          | &nbsp;
--- a/dependency-check-ant/src/site/markdown/index.md.vm
+++ b/dependency-check-ant/src/site/markdown/index.md.vm
@@ -0,0 +1,38 @@
 About
 ====================
 OWASP dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly
 disclosed vulnerabilities associated with the project's dependencies. The task will
 generate a report listing the dependency, any identified Common Platform Enumeration (CPE)
 identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
 Installation
 ====================
 1. Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}-release.zip).
 2. Unzip the archive
 3. Add the taskdef to your build.xml:
    ```xml
    <!-- Set the value to the installation directory's path -->
    <property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
    <path id="dependency-check.path">
       <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
        <fileset dir="${dependency-check.home}/lib">
            <include name="*.jar"/>
        </fileset>
    </path>
    <taskdef resource="dependency-check-taskdefs.properties">
       <classpath refid="dependency-check.path" />
    </taskdef>
    ```
 4. Use the defined taskdefs:
    * [dependency-check](configuration.html) - the primary task used to check the project dependencies.
    * [dependency-check-purge](config-purge.html) - deletes the local copy of the NVD; this should rarely be used (if ever).
    * [dependency-check-update](config-update.html) - downloads and updates the local copy of the NVD.
 It is important to understand that the first time this task is executed it may
 take 10 minutes or more as it downloads and processes the data from the National
 Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
 After the first batch download, as long as the task is executed at least once every
 seven days the update will only take a few seconds.
--- a/dependency-check-ant/src/site/markdown/installation.md.vm
+++ b/dependency-check-ant/src/site/markdown/installation.md.vm
@@ -1,13 +0,0 @@
 Installation
 ====================
 Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
 To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
 the lib directory of your Ant instalation directory. Once installed you can add
 the taskdef to you build.xml and add the task to a new or existing target.
 It is important to understand that the first time this task is executed it may
 take 20 minutes or more as it downloads and processes the data from the National
 Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
 After the first batch download, as long as the task is executed at least once every
 seven days the update will only take a few seconds.
--- a/dependency-check-ant/src/site/markdown/usage.md
+++ b/dependency-check-ant/src/site/markdown/usage.md
@@ -1,25 +0,0 @@
 Usage
 ====================
 First, add the dependency-check-ant taskdef to your build.xml:
 ```xml
 <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
 ```
 Next, add the task to a target of your choosing:
 ```xml
 <target name="dependency-check" description="Dependency-Check Analysis">
    <dependency-check applicationname="Hello World"
                      autoupdate="true"
                      reportoutputdirectory="${basedir}"
                      reportformat="HTML">
        <fileset dir="lib">
            <include name="**/*.jar"/>
        </fileset>
    </dependency-check>
 </target>
 ```
 See the [configuration guide](configuration.html) for more information.
--- a/dependency-check-ant/src/site/resources/images/dc-ant.svg
+++ b/dependency-check-ant/src/site/resources/images/dc-ant.svg
--- a/dependency-check-ant/src/site/site.xml
+++ b/dependency-check-ant/src/site/site.xml
@@ -18,18 +18,18 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->
 <project name="dependency-check-ant">
    <bannerLeft>
-        <name>dependency-check-ant</name>
+        <name>OWASP dependency-check-ant</name>
        <alt>OWASP dependency-check-ant</alt>
        <src>./images/dc-ant.svg</src>
    </bannerLeft>
    <body>
        <breadcrumbs>
            <item name="dependency-check" href="../index.html"/>
        </breadcrumbs>
        <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
            <item name="Usage" href="usage.html"/>
            <item name="Configuration" href="configuration.html"/>
        </menu>
        <menu ref="Project Documentation" />
        <menu ref="reports" />
    </body>
 </project>
--- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
+++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
@@ -18,45 +18,45 @@
 package org.owasp.dependencycheck.taskdefs;
 import java.io.File;
-import static junit.framework.TestCase.assertTrue;
+
-import org.apache.tools.ant.BuildFileTest;
+import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.BuildFileRule;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
-import org.junit.BeforeClass;
+import org.junit.Rule;
 import org.junit.Test;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.junit.rules.ExpectedException;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 import static org.junit.Assert.assertTrue;
 /**
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
-public class DependencyCheckTaskTest extends BuildFileTest {
+public class DependencyCheckTaskTest {
-    public DependencyCheckTaskTest() {
+    @Rule
-    }
+    public BuildFileRule buildFileRule = new BuildFileRule();
-    @BeforeClass
+    @Rule
-    public static void setUpClass() {
+    public ExpectedException expectedException = ExpectedException.none();
    }
    @AfterClass
    public static void tearDownClass() {
    }
    @Before
    @Override
    public void setUp() throws Exception {
        Settings.initialize();
        BaseDBTestCase.ensureDBExists();
        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
-        configureProject(buildFile);
+        buildFileRule.configureProject(buildFile);
    }
    @After
    @Override
    public void tearDown() {
        //no cleanup...
        //executeTarget("cleanup");
        Settings.cleanup(true);
    }
    /**
@@ -64,13 +64,13 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileSet() throws Exception {
-        File report = new File("target/DependencyCheck-Report.html");
+        File report = new File("target/dependency-check-report.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
            }
        }
-        executeTarget("test.fileset");
+        buildFileRule.executeTarget("test.fileset");
        assertTrue("DependencyCheck report was not generated", report.exists());
@@ -83,13 +83,13 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileList() throws Exception {
-        File report = new File("target/DependencyCheck-Report.xml");
+        File report = new File("target/dependency-check-report.xml");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
            }
        }
-        executeTarget("test.filelist");
+        buildFileRule.executeTarget("test.filelist");
        assertTrue("DependencyCheck report was not generated", report.exists());
    }
@@ -101,13 +101,13 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddDirSet() throws Exception {
-        File report = new File("target/DependencyCheck-Vulnerability.html");
+        File report = new File("target/dependency-check-vulnerability.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
            }
        }
-        executeTarget("test.dirset");
+        buildFileRule.executeTarget("test.dirset");
        assertTrue("DependencyCheck report was not generated", report.exists());
    }
@@ -116,7 +116,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testGetFailBuildOnCVSS() {
-        expectBuildException("failCVSS", "asdfasdfscore");
+        expectedException.expect(BuildException.class);
-        System.out.println(this.getOutput());
+        buildFileRule.executeTarget("failCVSS");
    }
 }
--- a/dependency-check-ant/src/test/resources/build.xml
+++ b/dependency-check-ant/src/test/resources/build.xml
@@ -1,7 +1,7 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <project name="Dependency-Check Test Build" default="test.fileset" basedir=".">
-    <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask" />
+    <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.Check" />
    <target name="test.fileset">
        <dependency-check
--- a/dependency-check-cli/README.md
+++ b/dependency-check-cli/README.md
@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
 Mailing List
 ------------
@@ -19,6 +19,6 @@ Copyright & License
 Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
-Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/NOTICES.txt) file for more information.
+Dependency-Check Command Line makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-cli/NOTICE.txt) file for more information.
--- a/dependency-check-cli/config/checkstyle-checks.xml
+++ b/dependency-check-cli/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE module PUBLIC
          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
 <module name="Checker">
  <!--
      If you set the basedir property below, then all reported file
      names will be relative to the specified directory. See
      http://checkstyle.sourceforge.net/5.x/config.html#Checker
      <property name="basedir" value="${basedir}"/>
  -->
  <property name="severity" value="error"/>
  <module name="SuppressionFilter">
    <property name="file" value="${checkstyle.suppressions.file}"/>
  </module>
  <module name="JavadocPackage">
    <property name="allowLegacy" value="false"/>
  </module>
  <module name="Translation">
    <property name="severity" value="warning"/>
  </module>
  <module name="FileTabCharacter">
    <property name="eachLine" value="false"/>
  </module>
  <module name="FileLength">
    <property name="fileExtensions" value="java"/>
  </module>
  <module name="NewlineAtEndOfFile">
  <property name="fileExtensions" value="java"/>
  <property name="lineSeparator" value="lf"/>
  </module>
  <module name="RegexpHeader">
    <property name="headerFile" value="${checkstyle.header.file}"/>
    <property name="fileExtensions" value="java"/>
    <property name="id" value="header"/>
  </module>
  <module name="RegexpSingleline">
    <property name="format" value="\s+$"/>
    <property name="minimum" value="0"/>
    <property name="maximum" value="0"/>
  </module>
  <module name="TreeWalker">
    <property name="tabWidth" value="4"/>
    <module name="AvoidStarImport"/>
    <module name="ConstantName"/>
    <module name="EmptyBlock"/>
    <module name="EmptyForIteratorPad"/>
    <module name="EqualsHashCode"/>
    <module name="OneStatementPerLine"/>
    <!-- module name="IllegalCatch"/ -->
    <!--module name="ImportControl">
      <property name="file" value="${checkstyle.importcontrol.file}"/>
    </module-->
    <module name="IllegalImport"/>
    <module name="IllegalInstantiation"/>
    <module name="IllegalThrows"/>
    <module name="InnerAssignment"/>
    <module name="JavadocType">
      <property name="authorFormat" value="\S"/>
    </module>
    <module name="JavadocMethod">
      <property name="allowUndeclaredRTE" value="true"/>
      <property name="allowThrowsTagsForSubclasses" value="true"/>
      <property name="allowMissingPropertyJavadoc" value="true"/>
    </module>
    <module name="JavadocVariable"/>
    <module name="JavadocStyle">
      <property name="scope" value="public"/>
    </module>
    <module name="LeftCurly">
      <property name="option" value="eol"/>
      <property name="tokens" value="CLASS_DEF"/>
      <property name="tokens" value="CTOR_DEF"/>
      <property name="tokens" value="INTERFACE_DEF"/>
      <property name="tokens" value="METHOD_DEF"/>
      <property name="tokens" value="LITERAL_CATCH"/>
      <property name="tokens" value="LITERAL_DO"/>
      <property name="tokens" value="LITERAL_ELSE"/>
      <property name="tokens" value="LITERAL_FINALLY"/>
      <property name="tokens" value="LITERAL_FOR"/>
      <property name="tokens" value="LITERAL_IF"/>
      <property name="tokens" value="LITERAL_SWITCH"/>
      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
      <property name="tokens" value="LITERAL_TRY"/>
      <property name="tokens" value="LITERAL_WHILE"/>
    </module>
    <module name="OuterTypeNumber"/>
    <module name="LineLength">
      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
    <property name="max" value="150"/>
    </module>
    <module name="MethodCount">
      <property name="maxTotal" value="40"/>
    </module>
    <module name="LocalFinalVariableName"/>
    <module name="LocalVariableName"/>
    <module name="MemberName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="MethodLength">
        <property name="max" value="160"/>
        <property name="countEmpty" value="false"/>
    </module>
    <module name="MethodName"/>
    <module name="MethodParamPad"/>
    <module name="ModifierOrder"/>
    <module name="NeedBraces"/>
    <module name="NoWhitespaceAfter">
      <property name="tokens" value="ARRAY_INIT"/>
      <property name="tokens" value="BNOT"/>
      <property name="tokens" value="DEC"/>
      <property name="tokens" value="DOT"/>
      <property name="tokens" value="INC"/>
      <property name="tokens" value="LNOT"/>
      <property name="tokens" value="UNARY_MINUS"/>
      <property name="tokens" value="UNARY_PLUS"/>
    </module>
    <module name="NoWhitespaceBefore"/>
    <module name="NoWhitespaceBefore">
      <property name="tokens" value="DOT"/>
      <property name="allowLineBreaks" value="true"/>
    </module>
    <module name="OperatorWrap"/>
    <module name="OperatorWrap">
      <property name="tokens" value="ASSIGN"/>
      <property name="tokens" value="DIV_ASSIGN"/>
      <property name="tokens" value="PLUS_ASSIGN"/>
      <property name="tokens" value="MINUS_ASSIGN"/>
      <property name="tokens" value="STAR_ASSIGN"/>
      <property name="tokens" value="MOD_ASSIGN"/>
      <property name="tokens" value="SR_ASSIGN"/>
      <property name="tokens" value="BSR_ASSIGN"/>
      <property name="tokens" value="SL_ASSIGN"/>
      <property name="tokens" value="BXOR_ASSIGN"/>
      <property name="tokens" value="BOR_ASSIGN"/>
      <property name="tokens" value="BAND_ASSIGN"/>
      <property name="option" value="eol"/>
    </module>
    <module name="PackageName"/>
    <module name="ParameterName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="ParameterNumber">
      <property name="id" value="paramNum"/>
    </module>
    <module name="ParenPad"/>
    <module name="TypecastParenPad"/>
    <module name="RedundantImport"/>
    <module name="RedundantModifier"/>
    <module name="RightCurly">
      <property name="option" value="same"/>
    </module>
    <module name="SimplifyBooleanExpression"/>
    <module name="SimplifyBooleanReturn"/>
    <module name="StaticVariableName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="TypeName"/>
    <module name="UnusedImports"/>
    <module name="UpperEll"/>
    <module name="VisibilityModifier"/>
    <module name="WhitespaceAfter"/>
    <module name="WhitespaceAround"/>
    <module name="GenericWhitespace"/>
    <module name="FinalClass"/>
    <module name="MissingSwitchDefault"/>
    <!--module name="MagicNumber"/-->
    <!--module name="Indentation">
      <property name="basicOffset" value="4"/>
      <property name="braceAdjustment" value="0"/>
      <property name="caseIndent" value="0"/>
    </module-->
    <module name="ArrayTrailingComma"/>
    <module name="FinalLocalVariable"/>
    <module name="EqualsAvoidNull"/>
    <module name="ParameterAssignment"/>
    <!-- Generates quite a few errors -->
    <module name="CyclomaticComplexity">
      <property name="severity" value="ignore"/>
    </module>
    <module name="NestedForDepth">
      <property name="max" value="2"/>
    </module>
    <module name="NestedIfDepth">
      <property name="max" value="4"/>
    </module>
    <module name="NestedTryDepth">
        <property name="max" value="2"/>
    </module>
    <!--module name="ExplicitInitialization"/-->
    <module name="AnnotationUseStyle"/>
    <module name="MissingDeprecated"/>
    <module name="MissingOverride">
      <property name="javaFiveCompatibility" value="true"/>
    </module>
    <module name="PackageAnnotation"/>
    <module name="SuppressWarnings"/>
    <module name="OuterTypeFilename"/>
    <module name="HideUtilityClassConstructor"/>
  </module>
 </module>
--- a/dependency-check-cli/config/checkstyle-suppressions.xml
+++ b/dependency-check-cli/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE suppressions PUBLIC
     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
 <suppressions>
    <suppress checks=".*" files=".*[\\/]package-info\.java" />
 </suppressions>
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.
 Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.4.3</version>
    </parent>
    <artifactId>dependency-check-cli</artifactId>
    <packaging>jar</packaging>
    <name>Dependency-Check Command Line</name>
-    <description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -45,6 +44,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                <directory>src/main/resources</directory>
                <includes>
                    <include>**/*.properties</include>
                    <include>logback.xml</include>
                </includes>
                <filtering>true</filtering>
            </resource>
@@ -61,27 +61,21 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <version>2.4</version>
                <configuration>
                    <archive>
                        <manifest>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                        </manifest>
                    </archive>
                    <excludes>
                        <exclude>**/checkstyle*</exclude>
                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
                <version>2.6</version>
                <configuration>
-                    <instrumentation>
+                    <!--instrumentation>
                        <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation>
+                    </instrumentation-->
                    <check>
                        <branchRate>85</branchRate>
                        <lineRate>85</lineRate>
@@ -115,8 +109,8 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.16</version>
                <configuration>
                    <argLine>-Dfile.encoding=UTF-8</argLine>
                    <systemProperties>
                        <property>
                            <name>cpe</name>
@@ -131,159 +125,14 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                    </systemProperties>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.1</version>
                <configuration>
                    <showDeprecation>false</showDeprecation>
                    <source>1.6</source>
                    <target>1.6</target>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.3</version>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven.doxia</groupId>
                        <artifactId>doxia-module-markdown</artifactId>
                        <version>1.5</version>
                    </dependency>
                </dependencies>
                <configuration>
                    <skipDeploy>true</skipDeploy>
                    <reportPlugins>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-project-info-reports-plugin</artifactId>
                            <version>2.7</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>index</report>
                                        <report>summary</report>
                                        <report>license</report>
                                        <report>help</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
                                    <reports>
                                        <report>javadoc</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>versions-maven-plugin</artifactId>
                            <version>2.1</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>dependency-updates-report</report>
                                        <report>plugin-updates-report</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-jxr-plugin</artifactId>
                            <version>2.4</version>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>cobertura-maven-plugin</artifactId>
                            <version>2.6</version>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-surefire-report-plugin</artifactId>
                            <version>2.16</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>report-only</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>taglist-maven-plugin</artifactId>
                            <version>2.4</version>
                            <configuration>
                                <tagListOptions>
                                    <tagClasses>
                                        <tagClass>
                                            <displayName>Todo Work</displayName>
                                            <tags>
                                                <tag>
                                                    <matchString>todo</matchString>
                                                    <matchType>ignoreCase</matchType>
                                                </tag>
                                                <tag>
                                                    <matchString>FIXME</matchString>
                                                    <matchType>exact</matchType>
                                                </tag>
                                            </tags>
                                        </tagClass>
                                    </tagClasses>
                                </tagListOptions>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-checkstyle-plugin</artifactId>
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
                            <version>3.0.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
                                <sourceEncoding>utf-8</sourceEncoding>
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>findbugs-maven-plugin</artifactId>
                            <version>2.5.3</version>
                        </plugin>
                    </reportPlugins>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>appassembler-maven-plugin</artifactId>
                <version>1.7</version>
                <configuration>
                    <programs>
                        <program>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <name>dependency-check</name>
+                            <id>dependency-check</id>
                        </program>
                    </programs>
                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
@@ -324,16 +173,78 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            </plugin>
        </plugins>
    </build>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <version>${reporting.checkstyle-plugin.version}</version>
                <configuration>
                    <enableRulesSummary>false</enableRulesSummary>
                    <enableFilesSummary>false</enableFilesSummary>
                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-pmd-plugin</artifactId>
                <version>${reporting.pmd-plugin.version}</version>
                <configuration>
                    <targetJdk>1.6</targetJdk>
                    <linkXref>true</linkXref>
                    <sourceEncoding>utf-8</sourceEncoding>
                    <excludes>
                        <exclude>**/generated/*.java</exclude>
                    </excludes>
                    <rulesets>
                        <ruleset>../src/main/config/dcrules.xml</ruleset>
                        <ruleset>/rulesets/java/basic.xml</ruleset>
                        <ruleset>/rulesets/java/imports.xml</ruleset>
                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
                    </rulesets>
                </configuration>
            </plugin>
        </plugins>
    </reporting>
    <dependencies>
        <dependency>
            <groupId>commons-cli</groupId>
            <artifactId>commons-cli</artifactId>
            <version>1.2</version>
        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-utils</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>org.slf4j</groupId>
            <artifactId>slf4j-api</artifactId>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-core</artifactId>
        </dependency>
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant</artifactId>
            <exclusions>
                <exclusion>
                    <groupId>org.apache.ant</groupId>
                    <artifactId>ant-launcher</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
    </dependencies>
 </project>
--- a/dependency-check-cli/src/main/assembly/release.xml
+++ b/dependency-check-cli/src/main/assembly/release.xml
@@ -2,11 +2,8 @@
 <assembly
    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd">
      http://maven.apache.org/xsd/assembly-1.1.2.xsd
  "
 >
    <id>release</id>
    <formats>
        <format>zip</format>
@@ -14,25 +11,41 @@
    <includeBaseDirectory>false</includeBaseDirectory>
    <fileSets>
        <fileSet>
-            <outputDirectory>/</outputDirectory>
+            <outputDirectory>dependency-check/bin</outputDirectory>
-            <directory>${project.build.directory}/release</directory>
+            <directory>${project.build.directory}/release/bin</directory>
            <includes>
                <include>*.sh</include>
            </includes>
            <fileMode>0755</fileMode>
        </fileSet>
        <fileSet>
            <outputDirectory>dependency-check/bin</outputDirectory>
            <directory>${project.build.directory}/release/bin</directory>
            <includes>
                <include>*.bat</include>
            </includes>
        </fileSet>
        <fileSet>
            <outputDirectory>dependency-check/repo</outputDirectory>
            <directory>${project.build.directory}/release/repo</directory>
        </fileSet>
        <fileSet>
            <outputDirectory>dependency-check</outputDirectory>
            <includes>
                <include>LICENSE*</include>
                <include>NOTICE*</include>
            </includes>
        </fileSet>
        <fileSet>
-            <outputDirectory>licenses</outputDirectory>
+            <outputDirectory>dependency-check/licenses</outputDirectory>
            <directory>${basedir}/src/main/resources/META-INF/licenses</directory>
        </fileSet>
        <fileSet>
-            <outputDirectory>licenses</outputDirectory>
+            <outputDirectory>dependency-check/licenses</outputDirectory>
            <directory>${basedir}/../dependency-check-core/src/main/resources/META-INF/licenses</directory>
        </fileSet>
        <fileSet>
-            <outputDirectory>/</outputDirectory>
+            <outputDirectory>dependency-check</outputDirectory>
            <directory>${basedir}</directory>
            <includes>
                <include>README.md</include>
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -17,34 +17,43 @@
 */
 package org.owasp.dependencycheck;
 import ch.qos.logback.classic.LoggerContext;
 import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
-import java.io.InputStream;
+import java.util.ArrayList;
 import java.util.HashSet;
 import java.util.List;
-import java.util.logging.Level;
+import java.util.Set;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
 import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.apache.tools.ant.DirectoryScanner;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import ch.qos.logback.core.FileAppender;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.slf4j.impl.StaticLoggerBinder;
 /**
 * The command line interface for the DependencyCheck application.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class App {
    /**
-     * The location of the log properties configuration file.
+     * The logger.
     */
-    private static final String LOG_PROPERTIES_FILE = "log.properties";
+    private static final Logger LOGGER = LoggerFactory.getLogger(App.class);
    /**
     * The main method for the application.
@@ -52,91 +61,269 @@ public class App {
     * @param args the command line arguments
     */
    public static void main(String[] args) {
-        final App app = new App();
+        int exitCode = 0;
-        app.run(args);
+        try {
            Settings.initialize();
            final App app = new App();
            exitCode = app.run(args);
            LOGGER.debug("Exit code: " + exitCode);
        } finally {
            Settings.cleanup(true);
        }
        System.exit(exitCode);
    }
    /**
     * Main CLI entry-point into the application.
     *
     * @param args the command line arguments
     * @return the exit code to return
     */
-    public void run(String[] args) {
+    public int run(String[] args) {
-
+        int exitCode = 0;
        final CliParser cli = new CliParser();
        try {
            cli.parse(args);
        } catch (FileNotFoundException ex) {
            System.err.println(ex.getMessage());
            cli.printHelp();
-            return;
+            return -1;
        } catch (ParseException ex) {
            System.err.println(ex.getMessage());
            cli.printHelp();
-            return;
+            return -2;
        }
-        final InputStream in = App.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+        if (cli.getVerboseLog() != null) {
-        LogUtils.prepareLogger(in, cli.getVerboseLog());
+            prepareLogger(cli.getVerboseLog());
        }
-        if (cli.isGetVersion()) {
+        if (cli.isPurge()) {
            if (cli.getConnectionString() != null) {
                LOGGER.error("Unable to purge the database when using a non-default connection string");
                exitCode = -3;
            } else {
                try {
                    populateSettings(cli);
                } catch (InvalidSettingException ex) {
                    LOGGER.error(ex.getMessage());
                    LOGGER.debug("Error loading properties file", ex);
                    exitCode = -4;
                }
                File db;
                try {
                    db = new File(Settings.getDataDirectory(), "dc.h2.db");
                    if (db.exists()) {
                        if (db.delete()) {
                            LOGGER.info("Database file purged; local copy of the NVD has been removed");
                        } else {
                            LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
                            exitCode = -5;
                        }
                    } else {
                        LOGGER.error("Unable to purge database; the database file does not exists: {}", db.getAbsolutePath());
                        exitCode = -6;
                    }
                } catch (IOException ex) {
                    LOGGER.error("Unable to delete the database");
                    exitCode = -7;
                }
            }
        } else if (cli.isGetVersion()) {
            cli.printVersionInfo();
        } else if (cli.isUpdateOnly()) {
            try {
                populateSettings(cli);
            } catch (InvalidSettingException ex) {
                LOGGER.error(ex.getMessage());
                LOGGER.debug("Error loading properties file", ex);
                exitCode = -4;
            }
            try {
                runUpdateOnly();
            } catch (UpdateException ex) {
                LOGGER.error(ex.getMessage());
                exitCode = -8;
            } catch (DatabaseException ex) {
                LOGGER.error(ex.getMessage());
                exitCode = -9;
            }
        } else if (cli.isRunScan()) {
-            updateSettings(cli);
+            try {
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
+                populateSettings(cli);
            } catch (InvalidSettingException ex) {
                LOGGER.error(ex.getMessage());
                LOGGER.debug("Error loading properties file", ex);
                exitCode = -4;
            }
            try {
                final String[] scanFiles = cli.getScanFiles();
                if (scanFiles != null) {
                    runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
                            cli.getExcludeList(), cli.getSymLinkDepth());
                } else {
                    LOGGER.error("No scan files configured");
                }
            } catch (InvalidScanPathException ex) {
                LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");
                exitCode = -10;
            } catch (DatabaseException ex) {
                LOGGER.error(ex.getMessage());
                exitCode = -11;
            } catch (ReportException ex) {
                LOGGER.error(ex.getMessage());
                exitCode = -12;
            } catch (ExceptionCollection ex) {
                if (ex.isFatal()) {
                    exitCode = -13;
                    LOGGER.error("One or more fatal errors occured");
                } else {
                    exitCode = -14;
                }
                for (Throwable e : ex.getExceptions()) {
                    LOGGER.error(e.getMessage());
                }
            }
        } else {
            cli.printHelp();
        }
        return exitCode;
    }
    /**
-     * Scans the specified directories and writes the dependency reports to the reportDirectory.
+     * Scans the specified directories and writes the dependency reports to the
     * reportDirectory.
     *
-     * @param reportDirectory the path to the directory where the reports will be written
+     * @param reportDirectory the path to the directory where the reports will
     * be written
     * @param outputFormat the output format of the report
     * @param applicationName the application name for the report
     * @param files the files/directories to scan
     * @param excludes the patterns for files/directories to exclude
     * @param symLinkDepth the depth that symbolic links will be followed
     *
     * @throws InvalidScanPathException thrown if the path to scan starts with
     * "//"
     * @throws ReportException thrown when the report cannot be generated
     * @throws DatabaseException thrown when there is an error connecting to the
     * database
     * @throws ExceptionCollection thrown when an exception occurs during
     * analysis; there may be multiple exceptions contained within the
     * collection.
     */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
-        Engine scanner = null;
+            String[] excludes, int symLinkDepth) throws InvalidScanPathException, DatabaseException, ExceptionCollection, ReportException {
        Engine engine = null;
        try {
-            scanner = new Engine();
+            engine = new Engine();
-
+            final List<String> antStylePaths = new ArrayList<String>();
            for (String file : files) {
-                scanner.scan(file);
+                final String antPath = ensureCanonicalPath(file);
                antStylePaths.add(antPath);
            }
-            scanner.analyzeDependencies();
+            final Set<File> paths = new HashSet<File>();
-            final List<Dependency> dependencies = scanner.getDependencies();
+            for (String file : antStylePaths) {
                LOGGER.debug("Scanning {}", file);
                final DirectoryScanner scanner = new DirectoryScanner();
                String include = file.replace('\\', '/');
                File baseDir;
                if (include.startsWith("//")) {
                    throw new InvalidScanPathException("Unable to scan paths specified by //");
                } else {
                    final int pos = getLastFileSeparator(include);
                    final String tmpBase = include.substring(0, pos);
                    final String tmpInclude = include.substring(pos + 1);
                    if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
                            || (new File(include)).isFile()) {
                        baseDir = new File(tmpBase);
                        include = tmpInclude;
                    } else {
                        baseDir = new File(tmpBase, tmpInclude);
                        include = "**/*";
                    }
                }
                scanner.setBasedir(baseDir);
                final String[] includes = {include};
                scanner.setIncludes(includes);
                scanner.setMaxLevelsOfSymlinks(symLinkDepth);
                if (symLinkDepth <= 0) {
                    scanner.setFollowSymlinks(false);
                }
                if (excludes != null && excludes.length > 0) {
                    scanner.addExcludes(excludes);
                }
                scanner.scan();
                if (scanner.getIncludedFilesCount() > 0) {
                    for (String s : scanner.getIncludedFiles()) {
                        final File f = new File(baseDir, s);
                        LOGGER.debug("Found file {}", f.toString());
                        paths.add(f);
                    }
                }
            }
            engine.scan(paths);
            ExceptionCollection exCol = null;
            try {
                engine.analyzeDependencies();
            } catch (ExceptionCollection ex) {
                if (ex.isFatal()) {
                    throw ex;
                }
                exCol = ex;
            }
            final List<Dependency> dependencies = engine.getDependencies();
            DatabaseProperties prop = null;
            CveDB cve = null;
            try {
                cve = new CveDB();
                cve.open();
                prop = cve.getDatabaseProperties();
            } catch (DatabaseException ex) {
                Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
            } finally {
                if (cve != null) {
                    cve.close();
                }
            }
-            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
+            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
            try {
                report.generateReports(reportDirectory, outputFormat);
-            } catch (IOException ex) {
+            } catch (ReportException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+                if (exCol != null) {
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                    exCol.addException(ex);
-            } catch (Throwable ex) {
+                    throw exCol;
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
+                } else {
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                    throw ex;
                }
            }
            if (exCol != null && exCol.getExceptions().size() > 0) {
                throw exCol;
            }
        } catch (DatabaseException ex) {
            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
            Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
        } finally {
-            if (scanner != null) {
+            if (engine != null) {
-                scanner.cleanup();
+                engine.cleanup();
            }
        }
    }
    /**
     * Only executes the update phase of dependency-check.
     *
     * @throws UpdateException thrown if there is an error updating
     * @throws DatabaseException thrown if a fatal error occurred and a
     * connection to the database could not be established
     */
    private void runUpdateOnly() throws UpdateException, DatabaseException {
        Engine engine = null;
        try {
            engine = new Engine();
            engine.doUpdates();
        } finally {
            if (engine != null) {
                engine.cleanup();
            }
        }
    }
@@ -144,21 +331,22 @@ public class App {
    /**
     * Updates the global Settings.
     *
-     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
+     * @param cli a reference to the CLI Parser that contains the command line
-     * settings in the core engine.
+     * arguments used to set the corresponding settings in the core engine.
     *
     * @throws InvalidSettingException thrown when a user defined properties
     * file is unable to be loaded.
     */
-    private void updateSettings(CliParser cli) {
+    private void populateSettings(CliParser cli) throws InvalidSettingException {
        final boolean autoUpdate = cli.isAutoUpdate();
        final String connectionTimeout = cli.getConnectionTimeout();
-        final String proxyUrl = cli.getProxyUrl();
+        final String proxyServer = cli.getProxyServer();
        final String proxyPort = cli.getProxyPort();
        final String proxyUser = cli.getProxyUsername();
        final String proxyPass = cli.getProxyPassword();
        final String dataDirectory = cli.getDataDirectory();
        final File propertiesFile = cli.getPropertiesFile();
        final String suppressionFile = cli.getSuppressionFile();
        final boolean nexusDisabled = cli.isNexusDisabled();
        final String nexusUrl = cli.getNexusUrl();
        final String databaseDriverName = cli.getDatabaseDriverName();
        final String databaseDriverPath = cli.getDatabaseDriverPath();
@@ -167,18 +355,20 @@ public class App {
        final String databasePassword = cli.getDatabasePassword();
        final String additionalZipExtensions = cli.getAdditionalZipExtensions();
        final String pathToMono = cli.getPathToMono();
        final String cveMod12 = cli.getModifiedCve12Url();
        final String cveMod20 = cli.getModifiedCve20Url();
        final String cveBase12 = cli.getBaseCve12Url();
        final String cveBase20 = cli.getBaseCve20Url();
        final Integer cveValidForHours = cli.getCveValidForHours();
        final boolean experimentalEnabled = cli.isExperimentalEnabled();
        if (propertiesFile != null) {
            try {
                Settings.mergeProperties(propertiesFile);
            } catch (FileNotFoundException ex) {
-                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
+                throw new InvalidSettingException("Unable to find properties file '" + propertiesFile.getPath() + "'", ex);
                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
            } catch (IOException ex) {
-                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
+                throw new InvalidSettingException("Error reading properties file '" + propertiesFile.getPath() + "'", ex);
                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
            }
        }
        // We have to wait until we've merged the properties before attempting to set whether we use
@@ -198,49 +388,136 @@ public class App {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
        //File Type Analyzer Settings
        Settings.setBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        if (cveBase12 != null && !cveBase12.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveMod12);
            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveMod20);
        }
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+    }
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+
    /**
     * Creates a file appender and adds it to logback.
     *
     * @param verboseLog the path to the verbose log file
     */
    private void prepareLogger(String verboseLog) {
        final StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton();
        final LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory();
        final PatternLayoutEncoder encoder = new PatternLayoutEncoder();
        encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
        encoder.setContext(context);
        encoder.start();
        final FileAppender fa = new FileAppender();
        fa.setAppend(true);
        fa.setEncoder(encoder);
        fa.setContext(context);
        fa.setFile(verboseLog);
        final File f = new File(verboseLog);
        String name = f.getName();
        final int i = name.lastIndexOf('.');
        if (i > 1) {
            name = name.substring(0, i);
        }
-        if (proxyUser != null && !proxyUser.isEmpty()) {
+        fa.setName(name);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
+        fa.start();
        final ch.qos.logback.classic.Logger rootLogger = context.getLogger(ch.qos.logback.classic.Logger.ROOT_LOGGER_NAME);
        rootLogger.addAppender(fa);
    }
    /**
     * Takes a path and resolves it to be a canonical &amp; absolute path. The
     * caveats are that this method will take an Ant style file selector path
     * (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at
     * least to the left of the first * or ?).
     *
     * @param path the path to canonicalize
     * @return the canonical path
     */
    protected String ensureCanonicalPath(String path) {
        String basePath;
        String wildCards = null;
        final String file = path.replace('\\', '/');
        if (file.contains("*") || file.contains("?")) {
            int pos = getLastFileSeparator(file);
            if (pos < 0) {
                return file;
            }
            pos += 1;
            basePath = file.substring(0, pos);
            wildCards = file.substring(pos);
        } else {
            basePath = file;
        }
-        if (proxyPass != null && !proxyPass.isEmpty()) {
+
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
+        File f = new File(basePath);
        try {
            f = f.getCanonicalFile();
            if (wildCards != null) {
                f = new File(f, wildCards);
            }
        } catch (IOException ex) {
            LOGGER.warn("Invalid path '{}' was provided.", path);
            LOGGER.debug("Invalid path provided", ex);
        }
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+        return f.getAbsolutePath().replace('\\', '/');
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+    }
-        }
+
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+    /**
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+     * Returns the position of the last file separator.
-        }
+     *
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
+     * @param file a file path
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+     * @return the position of the last file separator
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+     */
-        }
+    private int getLastFileSeparator(String file) {
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (file.contains("*") || file.contains("?")) {
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            int p1 = file.indexOf('*');
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+            int p2 = file.indexOf('?');
-        }
+            p1 = p1 > 0 ? p1 : file.length();
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            p2 = p2 > 0 ? p2 : file.length();
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+            int pos = p1 < p2 ? p1 : p2;
-        }
+            pos = file.lastIndexOf('/', pos);
-        if (connectionString != null && !connectionString.isEmpty()) {
+            return pos;
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        } else {
-        }
+            return file.lastIndexOf('/');
        if (databaseUser != null && !databaseUser.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
        }
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
        }
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
@@ -0,0 +1,66 @@
 /*
 * This file is part of dependency-check-cli.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck;
 /**
 * Thrown if an invalid path is encountered.
 *
 * @author Jeremy Long
 */
 public class InvalidScanPathException extends Exception {
    /**
     * The serial version UID for serialization.
     */
    private static final long serialVersionUID = 1L;
    /**
     * Creates a new InvalidScanPathException.
     */
    public InvalidScanPathException() {
        super();
    }
    /**
     * Creates a new InvalidScanPathException.
     *
     * @param msg a message for the exception
     */
    public InvalidScanPathException(String msg) {
        super(msg);
    }
    /**
     * Creates a new InvalidScanPathException.
     *
     * @param ex the cause of the exception
     */
    public InvalidScanPathException(Throwable ex) {
        super(ex);
    }
    /**
     * Creates a new InvalidScanPathException.
     *
     * @param msg a message for the exception
     * @param ex the cause of the exception
     */
    public InvalidScanPathException(String msg, Throwable ex) {
        super(msg, ex);
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -1,781 +0,0 @@
 /*
 * This file is part of dependency-check-cli.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.cli;
 import java.io.File;
 import java.io.FileNotFoundException;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
 import org.apache.commons.cli.Option;
 import org.apache.commons.cli.OptionBuilder;
 import org.apache.commons.cli.OptionGroup;
 import org.apache.commons.cli.Options;
 import org.apache.commons.cli.ParseException;
 import org.apache.commons.cli.PosixParser;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 * A utility to parse command line arguments for the DependencyCheck.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CliParser {
    /**
     * The command line.
     */
    private CommandLine line;
    /**
     * Indicates whether the arguments are valid.
     */
    private boolean isValid = true;
    /**
     * Parses the arguments passed in and captures the results for later use.
     *
     * @param args the command line arguments
     * @throws FileNotFoundException is thrown when a 'file' argument does not point to a file that exists.
     * @throws ParseException is thrown when a Parse Exception occurs.
     */
    public void parse(String[] args) throws FileNotFoundException, ParseException {
        line = parseArgs(args);
        if (line != null) {
            validateArgs();
        }
    }
    /**
     * Parses the command line arguments.
     *
     * @param args the command line arguments
     * @return the results of parsing the command line arguments
     * @throws ParseException if the arguments are invalid
     */
    private CommandLine parseArgs(String[] args) throws ParseException {
        final CommandLineParser parser = new PosixParser();
        final Options options = createCommandLineOptions();
        return parser.parse(options, args);
    }
    /**
     * Validates that the command line arguments are valid.
     *
     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
     * does not exist.
     * @throws ParseException is thrown if there is an exception parsing the command line.
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isRunScan()) {
            validatePathExists(getScanFiles(), ArgumentName.SCAN);
            validatePathExists(getReportDirectory(), ArgumentName.OUT);
            if (getPathToMono() != null) {
                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
            }
            if (!line.hasOption(ArgumentName.APP_NAME)) {
                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
            }
            if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
                final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
                try {
                    Format.valueOf(format);
                } catch (IllegalArgumentException ex) {
                    final String msg = String.format("An invalid 'format' of '%s' was specified. "
                            + "Supported output formats are XML, HTML, VULN, or ALL", format);
                    throw new ParseException(msg);
                }
            }
        }
    }
    /**
     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
     * file a FileNotFoundException is thrown.
     *
     * @param paths the paths to validate if they exists
     * @param optType the option being validated (e.g. scan, out, etc.)
     * @throws FileNotFoundException is thrown if one of the paths being validated does not exist.
     */
    private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
        for (String path : paths) {
            validatePathExists(path, optType);
        }
    }
    /**
     * Validates whether or not the path points at a file that exists; if the path does not point to an existing file a
     * FileNotFoundException is thrown.
     *
     * @param path the paths to validate if they exists
     * @param argumentName the argument being validated (e.g. scan, out, etc.)
     * @throws FileNotFoundException is thrown if the path being validated does not exist.
     */
    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
        final File f = new File(path);
        if (!f.exists()) {
            isValid = false;
            final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
            throw new FileNotFoundException(msg);
        }
    }
    /**
     * Generates an Options collection that is used to parse the command line and to display the help message.
     *
     * @return the command line options used for parsing the command line
     */
    @SuppressWarnings("static-access")
    private Options createCommandLineOptions() {
        final Options options = new Options();
        addStandardOptions(options);
        addAdvancedOptions(options);
        return options;
    }
    /**
     * Adds the standard command line options to the given options collection.
     *
     * @param options a collection of command line arguments
     * @throws IllegalArgumentException thrown if there is an exception
     */
    @SuppressWarnings("static-access")
    private void addStandardOptions(final Options options) throws IllegalArgumentException {
        final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
                "Print this message.");
        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
                .withDescription("Print the advanced help message.").create();
        final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
                false, "Print the version information.");
        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
                false, "Disables the automatic updating of the CPE data.");
        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
                .withDescription("The name of the application being scanned. This is a required argument.")
                .create(ArgumentName.APP_NAME_SHORT);
        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
                .withDescription("The path to scan - this option can be specified multiple times.")
                .create(ArgumentName.SCAN_SHORT);
        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
                .withDescription("A property file to load.")
                .create(ArgumentName.PROP_SHORT);
        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
                .withDescription("The folder to write reports to. This defaults to the current directory.")
                .create(ArgumentName.OUT_SHORT);
        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
                .create(ArgumentName.OUTPUT_FORMAT_SHORT);
        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
                .withDescription("The file path to write verbose logging information.")
                .create(ArgumentName.VERBOSE_LOG_SHORT);
        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
                .withDescription("The file path to the suppression XML file.")
                .create();
        //This is an option group because it can be specified more then once.
        final OptionGroup og = new OptionGroup();
        og.addOption(path);
        options.addOptionGroup(og)
                .addOption(out)
                .addOption(outputFormat)
                .addOption(appName)
                .addOption(version)
                .addOption(help)
                .addOption(advancedHelp)
                .addOption(noUpdate)
                .addOption(props)
                .addOption(verboseLog)
                .addOption(suppressionFile);
    }
    /**
     * Adds the advanced command line options to the given options collection. These are split out for purposes of being
     * able to display two different help messages.
     *
     * @param options a collection of command line arguments
     * @throws IllegalArgumentException thrown if there is an exception
     */
    @SuppressWarnings("static-access")
    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
                .withDescription("The location of the H2 Database file. This option should generally not be set.")
                .create(ArgumentName.DATA_DIRECTORY_SHORT);
        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
                .withDescription("The proxy url to use when downloading resources.")
                .create(ArgumentName.PROXY_URL_SHORT);
        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
                .withDescription("The proxy port to use when downloading resources.")
                .create(ArgumentName.PROXY_PORT_SHORT);
        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
                .withDescription("The proxy username to use when downloading resources.")
                .create();
        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
                .withDescription("The proxy password to use when downloading resources.")
                .create();
        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
                .withDescription("The connection string to the database.")
                .create();
        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
                .withDescription("The username used to connect to the database.")
                .create();
        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
                .withDescription("The password for connecting to the database.")
                .create();
        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
                .withDescription("The database driver name.")
                .create();
        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
                .create();
        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
                .withDescription("Disable the Nexus Analyzer.")
                .create();
        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
                .withDescription("The url to the Nexus Server.")
                .create();
        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
                .create();
        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
                        + "(ZIP, EAR, WAR are already treated as zip files)")
                .create();
        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .create();
        options.addOption(proxyPort)
                .addOption(proxyUrl)
                .addOption(proxyUsername)
                .addOption(proxyPassword)
                .addOption(connectionTimeout)
                .addOption(connectionString)
                .addOption(dbUser)
                .addOption(data)
                .addOption(dbPassword)
                .addOption(dbDriver)
                .addOption(dbDriverPath)
                .addOption(disableNexusAnalyzer)
                .addOption(nexusUrl)
                .addOption(nexusUsesProxy)
                .addOption(additionalZipExtensions)
                .addOption(pathToMono);
    }
    /**
     * Determines if the 'version' command line argument was passed in.
     *
     * @return whether or not the 'version' command line argument was passed in
     */
    public boolean isGetVersion() {
        return (line != null) && line.hasOption(ArgumentName.VERSION);
    }
    /**
     * Determines if the 'help' command line argument was passed in.
     *
     * @return whether or not the 'help' command line argument was passed in
     */
    public boolean isGetHelp() {
        return (line != null) && line.hasOption(ArgumentName.HELP);
    }
    /**
     * Determines if the 'scan' command line argument was passed in.
     *
     * @return whether or not the 'scan' command line argument was passed in
     */
    public boolean isRunScan() {
        return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
    }
    /**
     * Returns true if the disableNexus command line argument was specified.
     *
     * @return true if the disableNexus command line argument was specified; otherwise false
     */
    public boolean isNexusDisabled() {
        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
    }
    /**
     * Returns the url to the nexus server if one was specified.
     *
     * @return the url to the nexus server; if none was specified this will return null;
     */
    public String getNexusUrl() {
        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
            return null;
        } else {
            return line.getOptionValue(ArgumentName.NEXUS_URL);
        }
    }
    /**
     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
     * returned.
     *
     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
     */
    public boolean isNexusUsesProxy() {
        // If they didn't specify whether Nexus needs to use the proxy, we should
        // still honor the property if it's set.
        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
            try {
                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
            } catch (InvalidSettingException ise) {
                return true;
            }
        } else {
            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
        }
    }
    /**
     * Displays the command line help message to the standard output.
     */
    public void printHelp() {
        final HelpFormatter formatter = new HelpFormatter();
        final Options options = new Options();
        addStandardOptions(options);
        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
            addAdvancedOptions(options);
        }
        final String helpMsg = String.format("%n%s"
                + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
                + "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
                Settings.getString("application.name", "DependencyCheck"),
                Settings.getString("application.name", "DependencyCheck"));
        formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
                helpMsg,
                options,
                "",
                true);
    }
    /**
     * Retrieves the file command line parameter(s) specified for the 'scan' argument.
     *
     * @return the file paths specified on the command line for scan
     */
    public String[] getScanFiles() {
        return line.getOptionValues(ArgumentName.SCAN);
    }
    /**
     * Returns the directory to write the reports to specified on the command line.
     *
     * @return the path to the reports directory.
     */
    public String getReportDirectory() {
        return line.getOptionValue(ArgumentName.OUT, ".");
    }
    /**
     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
     *
     * @return the path to Mono
     */
    public String getPathToMono() {
        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
    }
    /**
     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
     *
     * @return the output format name.
     */
    public String getReportFormat() {
        return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
    }
    /**
     * Returns the application name specified on the command line.
     *
     * @return the application name.
     */
    public String getApplicationName() {
        return line.getOptionValue(ArgumentName.APP_NAME);
    }
    /**
     * Returns the connection timeout.
     *
     * @return the connection timeout
     */
    public String getConnectionTimeout() {
        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
    }
    /**
     * Returns the proxy url.
     *
     * @return the proxy url
     */
    public String getProxyUrl() {
        return line.getOptionValue(ArgumentName.PROXY_URL);
    }
    /**
     * Returns the proxy port.
     *
     * @return the proxy port
     */
    public String getProxyPort() {
        return line.getOptionValue(ArgumentName.PROXY_PORT);
    }
    /**
     * Returns the proxy username.
     *
     * @return the proxy username
     */
    public String getProxyUsername() {
        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
    }
    /**
     * Returns the proxy password.
     *
     * @return the proxy password
     */
    public String getProxyPassword() {
        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
    }
    /**
     * Get the value of dataDirectory.
     *
     * @return the value of dataDirectory
     */
    public String getDataDirectory() {
        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
    }
    /**
     * Returns the properties file specified on the command line.
     *
     * @return the properties file specified on the command line
     */
    public File getPropertiesFile() {
        final String path = line.getOptionValue(ArgumentName.PROP);
        if (path != null) {
            return new File(path);
        }
        return null;
    }
    /**
     * Returns the path to the verbose log file.
     *
     * @return the path to the verbose log file
     */
    public String getVerboseLog() {
        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
    }
    /**
     * Returns the path to the suppression file.
     *
     * @return the path to the suppression file
     */
    public String getSuppressionFile() {
        return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
    }
    /**
     * <p>
     * Prints the manifest information to standard output.</p>
     * <ul><li>Implementation-Title: ${pom.name}</li>
     * <li>Implementation-Version: ${pom.version}</li></ul>
     */
    public void printVersionInfo() {
        final String version = String.format("%s version %s",
                Settings.getString("application.name", "DependencyCheck"),
                Settings.getString("application.version", "Unknown"));
        System.out.println(version);
    }
    /**
     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
     * return false.
     *
     * @return if auto-update is allowed.
     */
    public boolean isAutoUpdate() {
        return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
    }
    /**
     * Returns the database driver name if specified; otherwise null is returned.
     *
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverName() {
        return line.getOptionValue(ArgumentName.DB_DRIVER);
    }
    /**
     * Returns the database driver path if specified; otherwise null is returned.
     *
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverPath() {
        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
    }
    /**
     * Returns the database connection string if specified; otherwise null is returned.
     *
     * @return the database connection string if specified; otherwise null is returned
     */
    public String getConnectionString() {
        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
    }
    /**
     * Returns the database database user name if specified; otherwise null is returned.
     *
     * @return the database database user name if specified; otherwise null is returned
     */
    public String getDatabaseUser() {
        return line.getOptionValue(ArgumentName.DB_NAME);
    }
    /**
     * Returns the database database password if specified; otherwise null is returned.
     *
     * @return the database database password if specified; otherwise null is returned
     */
    public String getDatabasePassword() {
        return line.getOptionValue(ArgumentName.DB_PASSWORD);
    }
    /**
     * Returns the additional Extensions if specified; otherwise null is returned.
     *
     * @return the additional Extensions; otherwise null is returned
     */
    public String getAdditionalZipExtensions() {
        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
    }
    /**
     * A collection of static final strings that represent the possible command line arguments.
     */
    public static class ArgumentName {
        /**
         * The long CLI argument name specifying the directory/file to scan.
         */
        public static final String SCAN = "scan";
        /**
         * The short CLI argument name specifying the directory/file to scan.
         */
        public static final String SCAN_SHORT = "s";
        /**
         * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
         */
        public static final String DISABLE_AUTO_UPDATE = "noupdate";
        /**
         * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
         */
        public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
        /**
         * The long CLI argument name specifying the directory to write the reports to.
         */
        public static final String OUT = "out";
        /**
         * The short CLI argument name specifying the directory to write the reports to.
         */
        public static final String OUT_SHORT = "o";
        /**
         * The long CLI argument name specifying the output format to write the reports to.
         */
        public static final String OUTPUT_FORMAT = "format";
        /**
         * The short CLI argument name specifying the output format to write the reports to.
         */
        public static final String OUTPUT_FORMAT_SHORT = "f";
        /**
         * The long CLI argument name specifying the name of the application to be scanned.
         */
        public static final String APP_NAME = "app";
        /**
         * The short CLI argument name specifying the name of the application to be scanned.
         */
        public static final String APP_NAME_SHORT = "a";
        /**
         * The long CLI argument name asking for help.
         */
        public static final String HELP = "help";
        /**
         * The long CLI argument name asking for advanced help.
         */
        public static final String ADVANCED_HELP = "advancedHelp";
        /**
         * The short CLI argument name asking for help.
         */
        public static final String HELP_SHORT = "h";
        /**
         * The long CLI argument name asking for the version.
         */
        public static final String VERSION_SHORT = "v";
        /**
         * The short CLI argument name asking for the version.
         */
        public static final String VERSION = "version";
        /**
         * The short CLI argument name indicating the proxy port.
         */
        public static final String PROXY_PORT_SHORT = "p";
        /**
         * The CLI argument name indicating the proxy port.
         */
        public static final String PROXY_PORT = "proxyport";
        /**
         * The short CLI argument name indicating the proxy url.
         */
        public static final String PROXY_URL_SHORT = "u";
        /**
         * The CLI argument name indicating the proxy url.
         */
        public static final String PROXY_URL = "proxyurl";
        /**
         * The CLI argument name indicating the proxy username.
         */
        public static final String PROXY_USERNAME = "proxyuser";
        /**
         * The CLI argument name indicating the proxy password.
         */
        public static final String PROXY_PASSWORD = "proxypass";
        /**
         * The short CLI argument name indicating the connection timeout.
         */
        public static final String CONNECTION_TIMEOUT_SHORT = "c";
        /**
         * The CLI argument name indicating the connection timeout.
         */
        public static final String CONNECTION_TIMEOUT = "connectiontimeout";
        /**
         * The short CLI argument name for setting the location of an additional properties file.
         */
        public static final String PROP_SHORT = "P";
        /**
         * The CLI argument name for setting the location of an additional properties file.
         */
        public static final String PROP = "propertyfile";
        /**
         * The CLI argument name for setting the location of the data directory.
         */
        public static final String DATA_DIRECTORY = "data";
        /**
         * The short CLI argument name for setting the location of the data directory.
         */
        public static final String DATA_DIRECTORY_SHORT = "d";
        /**
         * The CLI argument name for setting the location of the data directory.
         */
        public static final String VERBOSE_LOG = "log";
        /**
         * The short CLI argument name for setting the location of the data directory.
         */
        public static final String VERBOSE_LOG_SHORT = "l";
        /**
         * The CLI argument name for setting the location of the suppression file.
         */
        public static final String SUPPRESION_FILE = "suppression";
        /**
         * Disables the Nexus Analyzer.
         */
        public static final String DISABLE_NEXUS = "disableNexus";
        /**
         * The URL of the nexus server.
         */
        public static final String NEXUS_URL = "nexus";
        /**
         * Whether or not the defined proxy should be used when connecting to Nexus.
         */
        public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
        /**
         * The CLI argument name for setting the connection string.
         */
        public static final String CONNECTION_STRING = "connectionString";
        /**
         * The CLI argument name for setting the database user name.
         */
        public static final String DB_NAME = "dbUser";
        /**
         * The CLI argument name for setting the database password.
         */
        public static final String DB_PASSWORD = "dbPassword";
        /**
         * The CLI argument name for setting the database driver name.
         */
        public static final String DB_DRIVER = "dbDriverName";
        /**
         * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
         */
        public static final String DB_DRIVER_PATH = "dbDriverPath";
        /**
         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
         */
        public static final String PATH_TO_MONO = "mono";
        /**
         * The CLI argument name for setting extra extensions.
         */
        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
@@ -1,12 +0,0 @@
 /**
 * <html>
 * <head>
 * <title>org.owasp.dependencycheck.cli</title>
 * </head>
 * <body>
 * Includes utility classes such as the CLI Parser,
 * </body>
 * </html>
 */
 package org.owasp.dependencycheck.cli;
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/package-info.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/package-info.java
@@ -1,12 +1,4 @@
 /**
 * <html>
 * <head>
 * <title>org.owasp.dependencycheck</title>
 * </head>
 * <body>
 * Includes the main entry point for the DependencyChecker.
- * </body>
+ */
 * </html>
 */
 package org.owasp.dependencycheck;
--- a/dependency-check-cli/src/main/resources/log.properties
+++ b/dependency-check-cli/src/main/resources/log.properties
@@ -1,22 +0,0 @@
 handlers=java.util.logging.ConsoleHandler
 #, java.util.logging.FileHandler
 # logging levels
 # FINEST, FINER, FINE, CONFIG, INFO, WARNING and SEVERE.
 # Configure the ConsoleHandler.
 java.util.logging.ConsoleHandler.level=INFO
 # Configure the FileHandler.
 java.util.logging.FileHandler.formatter=java.util.logging.SimpleFormatter
 java.util.logging.FileHandler.level=FINE
 # The following special tokens can be used in the pattern property
 # which specifies the location and name of the log file.
 #   / - standard path separator
 #   %t - system temporary directory
 #   %h - value of the user.home system property
 #   %g - generation number for rotating logs
 #   %u - unique number to avoid conflicts
 # FileHandler writes to %h/demo0.log by default.
 java.util.logging.FileHandler.pattern=./dependency-check.log
--- a/dependency-check-cli/src/main/resources/logback.xml
+++ b/dependency-check-cli/src/main/resources/logback.xml
@@ -0,0 +1,16 @@
 <configuration>
    <contextName>dependency-check</contextName>
    <!-- Logging configuration -->
    <appender name="console" class="ch.qos.logback.core.ConsoleAppender">
        <Target>System.out</Target>
        <filter class="ch.qos.logback.classic.filter.ThresholdFilter">
            <level>INFO</level>
        </filter>
        <encoder>
            <pattern>[%level] %msg%n</pattern>
        </encoder>
    </appender>
    <root level="DEBUG">
        <appender-ref ref="console"/>
    </root>
 </configuration>
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -1,33 +1,64 @@
 Command Line Arguments
-====================
+======================
 The following table lists the command line arguments:
-Short  | Argument Name         | Parameter       | Description | Requirement
+Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
- \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
+       | \-\-project           | \<name\>        | The name of the project being scanned. | Required
- \-c   | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | Optional
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
- \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
+       | \-\-exclude           | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional
       | \-\-symLink           | \<depth\>       | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
 \-o   | \-\-out               | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
 \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
 \-h   | \-\-help              |                 | Print the help message. | Optional
 \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
 \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
- \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
+       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../general/suppression.html). | Optional
- \-p   | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | Optional
+ \-h   | \-\-help              |                 | Print the help message. | Optional
       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | Optional
       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | Optional
 \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. | Required
       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
 \-u   | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | Optional
 \-v   | \-\-version           |                 | Print the version information. | Optional
       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
-       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | Optional
+ \-v   | \-\-version           |                 | Print the version information. | Optional
-       | \-\-dbDriverName      | \<driver\>      | The database driver name. | Optional
+       | \-\-cveValidForHours  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
-       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
+       | \-\-experimental      |                 | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional
-       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | Optional
+
-       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | Optional
+Advanced Options
-       | \-\-disableNexus      |                 | Disable the Nexus Analyzer. | Optional
+================
-       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | Optional
+Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                     | Default&nbsp;Value
-       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
+-------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
-       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
+       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional
+       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
       | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
       | \-\-disablePyDist     |                 | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.                      | false
       | \-\-disablePyPkg      |                 | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.                           | false
       | \-\-disableNodeJS     |                 | Sets whether the [experimental](../analyzers/index.html) Node.js Package Analyzer will be used.                          | false
       | \-\-disableRubygems   |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                             | false
       | \-\-disableBundleAudit |               | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                             | false
       | \-\-disableAutoconf   |                 | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                 | false
       | \-\-disableOpenSSL    |                 | Sets whether the OpenSSL Analyzer will be used.                                  | false
       | \-\-disableCmake      |                 | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled.                                | false
       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be disabled.                              | false
       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
       | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be disabled.                                  | false
       | \-\-disableComposer   |                 | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled.               | false
       | \-\-disableCentral    |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
       | \-\-disableNexus      |                 | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
       | \-\-nexus             | \<url\>         | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.        | true
       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
       | \-\-mono              | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
       | \-\-bundleAudit       |                 | The path to the bundle-audit executable. | &nbsp;
       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;
       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources.                            | &nbsp;
       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources.                            | &nbsp;
       | \-\-connectionString  | \<connStr\>     | The connection string to the database.                                           | &nbsp;
       | \-\-dbDriverName      | \<driver\>      | The database driver name.                                                        | &nbsp;
       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
       | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                     | &nbsp;
       | \-\-dbUser            | \<user\>        | The username used to connect to the database.                                    | &nbsp;
 \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
       | \-\-purge             |                 | Delete the local copy of the NVD. This is used to force a refresh of the data.   | &nbsp;
--- a/dependency-check-cli/src/site/markdown/index.md.vm
+++ b/dependency-check-cli/src/site/markdown/index.md.vm
@@ -0,0 +1,39 @@
 About
 ====================
 OWASP dependency-check-cli is an command line tool that uses dependency-check-core to detect
 publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool
 will generate a report listing the dependency, any identified Common Platform Enumeration (CPE)
 identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
 Installation & Usage
 ====================
 Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
 Extract the zip file to a location on your computer and put the 'bin' directory into the
 path environment variable. On \*nix systems you will likely need to make the shell
 script executable:
    $ chmod +777 dependency-check.sh
 #set( $H = '#' )
 $H$H$H Homebrew
    $ brew install dependency-check
 This puts an executable `dependency-check` script in the `/bin` directory of
 your homebrew installation.
 To scan a folder on the system you can run:
 $H$H$H Windows
    dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
 $H$H$H *nix
    dependency-check.sh --project "My App Name" --scan "/java/application/lib"
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
 $H$H$H Windows
    dependency-check.bat --help
 $H$H$H *nix
    dependency-check.sh --help
--- a/dependency-check-cli/src/site/markdown/installation.md.vm
+++ b/dependency-check-cli/src/site/markdown/installation.md.vm
@@ -1,27 +0,0 @@
 Installation & Usage
 ====================
 Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
 Extract the zip file to a location on your computer and put the 'bin' directory into the
 path environment variable. On \*nix systems you will likely need to make the shell
 script executable:
    $ chmod +777 dependency-check.sh
 To scan a folder on the system you can run:
 Windows
 -------
    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
 \*nix
 -------
    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
 Windows
 -------
    dependency-check.bat --help
 \*nix
 -------
    dependency-check.sh --help
--- a/dependency-check-cli/src/site/resources/images/dc-cli.svg
+++ b/dependency-check-cli/src/site/resources/images/dc-cli.svg
--- a/dependency-check-cli/src/site/site.xml
+++ b/dependency-check-cli/src/site/site.xml
@@ -18,17 +18,18 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->
 <project name="dependency-check-cli">
    <bannerLeft>
-        <name>dependency-check-cli</name>
+        <name>OWASP dependency-check-cli</name>
        <alt>OWASP dependency-check-cli</alt>
        <src>./images/dc-cli.svg</src>
    </bannerLeft>
    <body>
        <breadcrumbs>
            <item name="dependency-check" href="../index.html"/>
        </breadcrumbs>
        <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
            <item name="Configuration" href="arguments.html"/>
        </menu>
        <menu ref="Project Documentation" />
        <menu ref="reports" />
    </body>
 </project>
--- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/AppTest.java
@@ -0,0 +1,75 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 The OWASP Foundatio. All Rights Reserved.
 */
 package org.owasp.dependencycheck;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import static org.junit.Assert.*;
 /**
 *
 * @author jeremy
 */
 public class AppTest {
    public AppTest() {
    }
    @BeforeClass
    public static void setUpClass() {
    }
    @AfterClass
    public static void tearDownClass() {
    }
    @Before
    public void setUp() {
    }
    @After
    public void tearDown() {
    }
    /**
     * Test of ensureCanonicalPath method, of class App.
     */
    @Test
    public void testEnsureCanonicalPath() {
        String file = "../*.jar";
        App instance = new App();
        String result = instance.ensureCanonicalPath(file);
        assertFalse(result.contains(".."));
        assertTrue(result.endsWith("*.jar"));
    }
    /**
     * Test of ensureCanonicalPath method, of class App.
     */
    @Test
    public void testEnsureCanonicalPath2() {
        String file = "../some/skip/../path/file.txt";
        App instance = new App();
        String expResult = "/some/path/file.txt";
        String result = instance.ensureCanonicalPath(file);
        assertTrue("result=" + result, result.endsWith(expResult));
    }
 }
--- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
@@ -15,8 +15,9 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.cli;
+package org.owasp.dependencycheck;
 import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -29,19 +30,22 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class CliParserTest {
    @BeforeClass
    public static void setUpClass() throws Exception {
        Settings.initialize();
    }
    @AfterClass
    public static void tearDownClass() throws Exception {
        Settings.cleanup(true);
    }
    @Before
--- a/dependency-check-core/README.md
+++ b/dependency-check-core/README.md
@@ -17,7 +17,7 @@ Copyright & License
 Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://github.com/jeremylong/DependencyCheck/dependency-check-cli/blob/master/LICENSE.txt) file for the full license.
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
@@ -25,4 +25,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
  [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/NOTICE.txt
--- a/dependency-check-core/config/checkstyle-checks.xml
+++ b/dependency-check-core/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE module PUBLIC
          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
 <module name="Checker">
  <!--
      If you set the basedir property below, then all reported file
      names will be relative to the specified directory. See
      http://checkstyle.sourceforge.net/5.x/config.html#Checker
      <property name="basedir" value="${basedir}"/>
  -->
  <property name="severity" value="error"/>
  <module name="SuppressionFilter">
    <property name="file" value="${checkstyle.suppressions.file}"/>
  </module>
  <module name="JavadocPackage">
    <property name="allowLegacy" value="false"/>
  </module>
  <module name="Translation">
    <property name="severity" value="warning"/>
  </module>
  <module name="FileTabCharacter">
    <property name="eachLine" value="false"/>
  </module>
  <module name="FileLength">
    <property name="fileExtensions" value="java"/>
  </module>
  <module name="NewlineAtEndOfFile">
  <property name="fileExtensions" value="java"/>
  <property name="lineSeparator" value="lf"/>
  </module>
  <module name="RegexpHeader">
    <property name="headerFile" value="${checkstyle.header.file}"/>
    <property name="fileExtensions" value="java"/>
    <property name="id" value="header"/>
  </module>
  <module name="RegexpSingleline">
    <property name="format" value="\s+$"/>
    <property name="minimum" value="0"/>
    <property name="maximum" value="0"/>
  </module>
  <module name="TreeWalker">
    <property name="tabWidth" value="4"/>
    <module name="AvoidStarImport"/>
    <module name="ConstantName"/>
    <module name="EmptyBlock"/>
    <module name="EmptyForIteratorPad"/>
    <module name="EqualsHashCode"/>
    <module name="OneStatementPerLine"/>
    <!-- module name="IllegalCatch"/ -->
    <!--module name="ImportControl">
      <property name="file" value="${checkstyle.importcontrol.file}"/>
    </module-->
    <module name="IllegalImport"/>
    <module name="IllegalInstantiation"/>
    <module name="IllegalThrows"/>
    <module name="InnerAssignment"/>
    <module name="JavadocType">
      <property name="authorFormat" value="\S"/>
    </module>
    <module name="JavadocMethod">
      <property name="allowUndeclaredRTE" value="true"/>
      <property name="allowThrowsTagsForSubclasses" value="true"/>
      <property name="allowMissingPropertyJavadoc" value="true"/>
    </module>
    <module name="JavadocVariable"/>
    <module name="JavadocStyle">
      <property name="scope" value="public"/>
    </module>
    <module name="LeftCurly">
      <property name="option" value="eol"/>
      <property name="tokens" value="CLASS_DEF"/>
      <property name="tokens" value="CTOR_DEF"/>
      <property name="tokens" value="INTERFACE_DEF"/>
      <property name="tokens" value="METHOD_DEF"/>
      <property name="tokens" value="LITERAL_CATCH"/>
      <property name="tokens" value="LITERAL_DO"/>
      <property name="tokens" value="LITERAL_ELSE"/>
      <property name="tokens" value="LITERAL_FINALLY"/>
      <property name="tokens" value="LITERAL_FOR"/>
      <property name="tokens" value="LITERAL_IF"/>
      <property name="tokens" value="LITERAL_SWITCH"/>
      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
      <property name="tokens" value="LITERAL_TRY"/>
      <property name="tokens" value="LITERAL_WHILE"/>
    </module>
    <module name="OuterTypeNumber"/>
    <module name="LineLength">
      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
    <property name="max" value="150"/>
    </module>
    <module name="MethodCount">
      <property name="maxTotal" value="40"/>
    </module>
    <module name="LocalFinalVariableName"/>
    <module name="LocalVariableName"/>
    <module name="MemberName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="MethodLength">
        <property name="max" value="160"/>
        <property name="countEmpty" value="false"/>
    </module>
    <module name="MethodName"/>
    <module name="MethodParamPad"/>
    <module name="ModifierOrder"/>
    <module name="NeedBraces"/>
    <module name="NoWhitespaceAfter">
      <property name="tokens" value="ARRAY_INIT"/>
      <property name="tokens" value="BNOT"/>
      <property name="tokens" value="DEC"/>
      <property name="tokens" value="DOT"/>
      <property name="tokens" value="INC"/>
      <property name="tokens" value="LNOT"/>
      <property name="tokens" value="UNARY_MINUS"/>
      <property name="tokens" value="UNARY_PLUS"/>
    </module>
    <module name="NoWhitespaceBefore"/>
    <module name="NoWhitespaceBefore">
      <property name="tokens" value="DOT"/>
      <property name="allowLineBreaks" value="true"/>
    </module>
    <module name="OperatorWrap"/>
    <module name="OperatorWrap">
      <property name="tokens" value="ASSIGN"/>
      <property name="tokens" value="DIV_ASSIGN"/>
      <property name="tokens" value="PLUS_ASSIGN"/>
      <property name="tokens" value="MINUS_ASSIGN"/>
      <property name="tokens" value="STAR_ASSIGN"/>
      <property name="tokens" value="MOD_ASSIGN"/>
      <property name="tokens" value="SR_ASSIGN"/>
      <property name="tokens" value="BSR_ASSIGN"/>
      <property name="tokens" value="SL_ASSIGN"/>
      <property name="tokens" value="BXOR_ASSIGN"/>
      <property name="tokens" value="BOR_ASSIGN"/>
      <property name="tokens" value="BAND_ASSIGN"/>
      <property name="option" value="eol"/>
    </module>
    <module name="PackageName"/>
    <module name="ParameterName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="ParameterNumber">
      <property name="id" value="paramNum"/>
    </module>
    <module name="ParenPad"/>
    <module name="TypecastParenPad"/>
    <module name="RedundantImport"/>
    <module name="RedundantModifier"/>
    <module name="RightCurly">
      <property name="option" value="same"/>
    </module>
    <module name="SimplifyBooleanExpression"/>
    <module name="SimplifyBooleanReturn"/>
    <module name="StaticVariableName">
      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
    </module>
    <module name="TypeName"/>
    <module name="UnusedImports"/>
    <module name="UpperEll"/>
    <module name="VisibilityModifier"/>
    <module name="WhitespaceAfter"/>
    <module name="WhitespaceAround"/>
    <module name="GenericWhitespace"/>
    <module name="FinalClass"/>
    <module name="MissingSwitchDefault"/>
    <!--module name="MagicNumber"/-->
    <!--module name="Indentation">
      <property name="basicOffset" value="4"/>
      <property name="braceAdjustment" value="0"/>
      <property name="caseIndent" value="0"/>
    </module-->
    <module name="ArrayTrailingComma"/>
    <module name="FinalLocalVariable"/>
    <module name="EqualsAvoidNull"/>
    <module name="ParameterAssignment"/>
    <!-- Generates quite a few errors -->
    <module name="CyclomaticComplexity">
      <property name="severity" value="ignore"/>
    </module>
    <module name="NestedForDepth">
      <property name="max" value="2"/>
    </module>
    <module name="NestedIfDepth">
      <property name="max" value="4"/>
    </module>
    <module name="NestedTryDepth">
        <property name="max" value="2"/>
    </module>
    <!--module name="ExplicitInitialization"/-->
    <module name="AnnotationUseStyle"/>
    <module name="MissingDeprecated"/>
    <module name="MissingOverride">
      <property name="javaFiveCompatibility" value="true"/>
    </module>
    <module name="PackageAnnotation"/>
    <module name="SuppressWarnings"/>
    <module name="OuterTypeFilename"/>
    <module name="HideUtilityClassConstructor"/>
  </module>
 </module>
--- a/dependency-check-core/config/checkstyle-header.txt
+++ b/dependency-check-core/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
 ^/\*\s*$
 ^ \* This file is part of dependency-check-core\.\s*$
 ^ \*\s*$
 ^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
 ^ \* you may not use this file except in compliance with the License.\s*$
 ^ \* You may obtain a copy of the License at\s*$
 ^ \*\s*$
 ^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
 ^ \*\s*$
 ^ \* Unless required by applicable law or agreed to in writing, software\s*$
 ^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
 ^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
 ^ \* See the License for the specific language governing permissions and\s*$
 ^ \* limitations under the License\.\s*$
 ^ \*\s*$
 ^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
 ^ \*/\s*$
 ^package
--- a/dependency-check-core/config/checkstyle-suppressions.xml
+++ b/dependency-check-core/config/checkstyle-suppressions.xml
@@ -1,12 +0,0 @@
 <?xml version="1.0"?>
 <!DOCTYPE suppressions PUBLIC
     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
 <suppressions>
    <suppress checks=".*" files=".*[\\/]package-info\.java" />
    <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
    <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" />
    <suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
 </suppressions>
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -15,19 +15,19 @@ limitations under the License.
 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.4.3</version>
    </parent>
    <artifactId>dependency-check-core</artifactId>
    <packaging>jar</packaging>
    <name>Dependency-Check Core</name>
    <description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -83,9 +83,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            </testResource>
            <testResource>
                <directory>${basedir}/src/test/resources</directory>
                <excludes>
                    <exclude>**/mysql-connector-java-5.1.27-bin.jar</exclude>
                </excludes>
                <filtering>false</filtering>
            </testResource>
        </testResources>
@@ -93,7 +90,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
                <version>2.8</version>
                <executions>
                    <execution>
                        <phase>generate-resources</phase>
@@ -102,7 +98,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                        </goals>
                        <configuration>
                            <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
-                            <includeScope>provided</includeScope>
+                            <includeScope>test</includeScope>
                        </configuration>
                    </execution>
                </executions>
@@ -110,41 +106,27 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
                <version>2.4</version>
                <executions>
                    <execution>
                        <id>jar</id>
                        <phase>package</phase>
                        <goals>
                            <goal>jar</goal>
                        </goals>
                    </execution>
                    <execution>
                        <id>test-jar</id>
                        <phase>package</phase>
                        <goals>
                            <goal>test-jar</goal>
                        </goals>
                        <configuration>
                            <includes>
                                <include>**/*.class</include>
                            </includes>
                        </configuration>
                    </execution>
                </executions>
                <configuration>
                    <archive>
                        <manifest>
                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                        </manifest>
                    </archive>
                    <excludes>
                        <exclude>**/checkstyle*</exclude>
                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
                <version>2.6</version>
                <configuration>
                    <instrumentation>
-                        <ignoreTrivial>true</ignoreTrivial>
+                        <!--ignoreTrivial>true</ignoreTrivial-->
                        <ignores>
                            <ignore>.*\$KEYS\.class</ignore>
                            <ignore>.*\$Element\.class</ignore>
@@ -192,8 +174,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
                <version>2.16</version>
                <configuration>
                    <argLine>-Dfile.encoding=UTF-8</argLine>
                    <systemProperties>
                        <property>
                            <name>data.directory</name>
@@ -213,348 +195,209 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
                <version>2.16</version>
                <configuration>
                    <systemProperties>
                        <property>
                            <name>data.directory</name>
                            <value>${project.build.directory}/data</value>
                        </property>
                        <property>
                            <name>temp.directory</name>
                            <value>${project.build.directory}/temp</value>
                        </property>
                    </systemProperties>
                    <includes>
                        <include>**/*IntegrationTest.java</include>
                    </includes>
                </configuration>
                <executions>
                    <execution>
                        <goals>
                            <goal>integration-test</goal>
                            <goal>verify</goal>
                        </goals>
                    </execution>
                </executions>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-site-plugin</artifactId>
                <version>3.3</version>
                <dependencies>
                    <dependency>
                        <groupId>org.apache.maven.doxia</groupId>
                        <artifactId>doxia-module-markdown</artifactId>
                        <version>1.5</version>
                    </dependency>
                </dependencies>
                <configuration>
                    <skipDeploy>true</skipDeploy>
                    <reportPlugins>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-project-info-reports-plugin</artifactId>
                            <version>2.7</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>index</report>
                                        <report>summary</report>
                                        <report>license</report>
                                        <report>help</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
                                    <reports>
                                        <report>javadoc</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>versions-maven-plugin</artifactId>
                            <version>2.1</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>dependency-updates-report</report>
                                        <report>plugin-updates-report</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-jxr-plugin</artifactId>
                            <version>2.4</version>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>cobertura-maven-plugin</artifactId>
                            <version>2.6</version>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-surefire-report-plugin</artifactId>
                            <version>2.16</version>
                            <reportSets>
                                <reportSet>
                                    <reports>
                                        <report>report-only</report>
                                    </reports>
                                </reportSet>
                                <reportSet>
                                    <id>integration-tests</id>
                                    <reports>
                                        <report>report-only</report>
                                        <report>failsafe-report-only</report>
                                    </reports>
                                </reportSet>
                            </reportSets>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>taglist-maven-plugin</artifactId>
                            <version>2.4</version>
                            <configuration>
                                <tagListOptions>
                                    <tagClasses>
                                        <tagClass>
                                            <displayName>Todo Work</displayName>
                                            <tags>
                                                <tag>
                                                    <matchString>todo</matchString>
                                                    <matchType>ignoreCase</matchType>
                                                </tag>
                                                <tag>
                                                    <matchString>FIXME</matchString>
                                                    <matchType>exact</matchType>
                                                </tag>
                                            </tags>
                                        </tagClass>
                                    </tagClasses>
                                </tagListOptions>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-checkstyle-plugin</artifactId>
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
                            <version>3.0.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
                                <sourceEncoding>utf-8</sourceEncoding>
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>findbugs-maven-plugin</artifactId>
                            <version>2.5.3</version>
                        </plugin>
                        <dependency>
                            <groupId>org.codehaus.mojo</groupId>
                            <artifactId>javancss-maven-plugin</artifactId>
                            <version>2.0</version>
                        </dependency>
                    </reportPlugins>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
                <version>3.1</version>
                <configuration>
                    <showDeprecation>false</showDeprecation>
                    <source>1.6</source>
                    <target>1.6</target>
                </configuration>
            </plugin>
        </plugins>
    </build>
    <reporting>
        <plugins>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-report-plugin</artifactId>
                <reportSets>
                    <reportSet>
                        <id>integration-tests</id>
                        <reports>
                            <report>report-only</report>
                            <report>failsafe-report-only</report>
                        </reports>
                    </reportSet>
                </reportSets>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-checkstyle-plugin</artifactId>
                <version>${reporting.checkstyle-plugin.version}</version>
                <configuration>
                    <enableRulesSummary>false</enableRulesSummary>
                    <enableFilesSummary>false</enableFilesSummary>
                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-pmd-plugin</artifactId>
                <version>${reporting.pmd-plugin.version}</version>
                <configuration>
                    <targetJdk>1.6</targetJdk>
                    <linkXref>true</linkXref>
                    <sourceEncoding>utf-8</sourceEncoding>
                    <excludes>
                        <exclude>**/generated/*.java</exclude>
                    </excludes>
                    <rulesets>
                        <ruleset>../src/main/config/dcrules.xml</ruleset>
                        <ruleset>/rulesets/java/basic.xml</ruleset>
                        <ruleset>/rulesets/java/imports.xml</ruleset>
                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
                    </rulesets>
                </configuration>
            </plugin>
        </plugins>
    </reporting>
    <dependencies>
-        <dependency>
+        <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-test-framework</artifactId>
            <version>4.3.1</version>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>annotations</artifactId>
            <version>2.0.1</version>
            <optional>true</optional>
        </dependency>
        <dependency>
-            <groupId>commons-cli</groupId>
+            <groupId>org.slf4j</groupId>
-            <artifactId>commons-cli</artifactId>
+            <artifactId>slf4j-api</artifactId>
-            <version>1.2</version>
+        </dependency>
        <!-- Set this to test so that each project that uses this has to have its own implementation of SLF4J -->
        <dependency>
            <groupId>ch.qos.logback</groupId>
            <artifactId>logback-classic</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
-            <groupId>commons-io</groupId>
+            <groupId>org.owasp</groupId>
-            <artifactId>commons-io</artifactId>
+            <artifactId>dependency-check-utils</artifactId>
-            <version>2.4</version>
+            <version>${project.parent.version}</version>
        </dependency>
        <dependency>
            <groupId>commons-lang</groupId>
            <artifactId>commons-lang</artifactId>
            <version>2.5</version>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
-            <artifactId>lucene-core</artifactId>
+            <artifactId>lucene-test-framework</artifactId>
-            <version>4.5.1</version>
+            <scope>test</scope>
        </dependency>
        <dependency>
-            <groupId>org.apache.lucene</groupId>
+            <groupId>org.jmockit</groupId>
-            <artifactId>lucene-analyzers-common</artifactId>
+            <artifactId>jmockit</artifactId>
-            <version>4.5.1</version>
+            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-queryparser</artifactId>
            <version>4.5.1</version>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
            <version>1.7</version>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity-tools</artifactId>
            <version>2.0</version>
            <!-- very limited use of the velocity-tools, not all of the dependencies are needed-->
            <exclusions>
                <exclusion>
                    <groupId>commons-chain</groupId>
                    <artifactId>commons-chain</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>javax.servlet</groupId>
                    <artifactId>servlet-api</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>commons-validator</groupId>
                    <artifactId>commons-validator</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>dom4j</groupId>
                    <artifactId>dom4j</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>sslext</groupId>
                    <artifactId>sslext</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.struts</groupId>
                    <artifactId>struts-core</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>antlr</groupId>
                    <artifactId>antlr</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.struts</groupId>
                    <artifactId>struts-taglib</artifactId>
                </exclusion>
                <exclusion>
                    <groupId>org.apache.struts</groupId>
                    <artifactId>struts-tiles</artifactId>
                </exclusion>
            </exclusions>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <version>1.3.172</version>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
            <version>1.7.2</version>
            <type>jar</type>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
-            <version>1.5</version>
+        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-lang3</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-core</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-analyzers-common</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-queryparser</artifactId>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
            <scope>runtime</scope>
        </dependency>
        <dependency>
            <groupId>org.glassfish</groupId>
            <artifactId>javax.json</artifactId>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
            <artifactId>jsoup</artifactId>
        </dependency>
        <dependency>
            <groupId>com.sun.mail</groupId>
            <artifactId>mailapi</artifactId>
        </dependency>
        <!-- The following dependencies are only used during testing -->
        <dependency>
            <groupId>org.apache.maven.scm</groupId>
            <artifactId>maven-scm-provider-cvsexe</artifactId>
            <version>1.8.1</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework</groupId>
            <artifactId>spring-webmvc</artifactId>
            <version>2.5.5</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.security</groupId>
            <artifactId>spring-security-web</artifactId>
            <version>3.0.0.RELEASE</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast</artifactId>
            <version>2.5</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>net.sf.ehcache</groupId>
            <artifactId>ehcache-core</artifactId>
            <version>2.2.0</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.apache.struts</groupId>
            <artifactId>struts2-core</artifactId>
            <version>2.1.2</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.mortbay.jetty</groupId>
            <artifactId>jetty</artifactId>
            <version>6.1.0</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.apache.axis2</groupId>
            <artifactId>axis2-spring</artifactId>
            <version>1.4.1</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.apache.axis2</groupId>
            <artifactId>axis2-adb</artifactId>
            <version>1.4.1</version>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
@@ -562,7 +405,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>daytrader-ear</artifactId>
            <version>2.1.7</version>
            <type>ear</type>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
@@ -570,7 +413,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>war</artifactId>
            <version>4.0</version>
            <type>war</type>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
@@ -578,7 +421,49 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>dojo-war</artifactId>
            <version>1.3.0</version>
            <type>war</type>
-            <scope>provided</scope>
+            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.apache.openjpa</groupId>
            <artifactId>openjpa</artifactId>
            <version>2.0.1</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.google.inject</groupId>
            <artifactId>guice</artifactId>
            <version>3.0</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>org.springframework.retry</groupId>
            <artifactId>spring-retry</artifactId>
            <version>1.1.0.RELEASE</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>uk.ltd.getahead</groupId>
            <artifactId>dwr</artifactId>
            <version>1.1.1</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>xalan</groupId>
            <artifactId>xalan</artifactId>
            <version>2.7.0</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
        <dependency>
            <groupId>com.thoughtworks.xstream</groupId>
            <artifactId>xstream</artifactId>
            <version>1.4.8</version>
            <scope>test</scope>
            <optional>true</optional>
        </dependency>
    </dependencies>
@@ -588,7 +473,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <activation>
                <property>
                    <name>mysql</name>
                    <!--value>test</value-->
                </property>
            </activation>
            <build>
@@ -596,7 +480,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>2.16</version>
                        <configuration>
                            <skip>true</skip>
                        </configuration>
@@ -604,12 +487,68 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
                        <version>2.16</version>
                        <configuration>
                            <systemProperties>
                                <property>
                                    <name>data.driver_path</name>
-                                    <value>${basedir}/${driver_path}</value>
+                                    <value>${driver_path}</value>
                                </property>
                                <property>
                                    <name>data.driver_name</name>
                                    <value>${driver_name}</value>
                                </property>
                                <property>
                                    <name>data.connection_string</name>
                                    <value>${connection_string}</value>
                                </property>
                            </systemProperties>
                            <includes>
                                <include>**/*MySQLTest.java</include>
                            </includes>
                        </configuration>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>integration-test</goal>
                                    <goal>verify</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
        <profile>
            <id>Postgresql-IntegrationTest</id>
            <activation>
                <property>
                    <name>postgresql</name>
                </property>
            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.postgresql</groupId>
                    <artifactId>postgresql</artifactId>
                    <version>9.4-1204-jdbc42</version>
                </dependency>
            </dependencies>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <configuration>
                            <skip>true</skip>
                        </configuration>
                    </plugin>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
                        <configuration>
                            <systemProperties>
                                <property>
                                    <name>data.driver_path</name>
                                    <value>${driver_path}</value>
                                </property>
                                <property>
                                    <name>data.driver_name</name>
@@ -642,31 +581,150 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            Additionally, these are only added when using "allTests" to
            make the build slightly faster in most cases. -->
            <id>False Positive Tests</id>
-            <!--activation>
+            <activation>
                <property>
                    <name>allTests</name>
                </property>
-            </activation-->
+            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.apache.xmlgraphics</groupId>
                    <artifactId>batik-util</artifactId>
                    <version>1.7</version>
-                    <scope>provided</scope>
+                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.thoughtworks.xstream</groupId>
                    <artifactId>xstream</artifactId>
                    <version>1.4.2</version>
                    <scope>provided</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.apache.ws.security</groupId>
                    <artifactId>wss4j</artifactId>
                    <version>1.5.7</version>
-                    <scope>provided</scope>
+                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.ganyo</groupId>
                    <artifactId>gcm-server</artifactId>
                    <version>1.0.2</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.python</groupId>
                    <artifactId>jython-standalone</artifactId>
                    <version>2.7-b1</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.jruby</groupId>
                    <artifactId>jruby-complete</artifactId>
                    <version>1.7.4</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.jruby</groupId>
                    <artifactId>jruby</artifactId>
                    <version>1.6.3</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.glassfish.jersey.core</groupId>
                    <artifactId>jersey-client</artifactId>
                    <version>2.12</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.sun.jersey</groupId>
                    <artifactId>jersey-client</artifactId>
                    <version>1.11.1</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.sun.faces</groupId>
                    <artifactId>jsf-impl</artifactId>
                    <version>2.2.8-02</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.google.inject</groupId>
                    <artifactId>guice</artifactId>
                    <version>3.0</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.opensaml</groupId>
                    <artifactId>xmltooling</artifactId>
                    <version>1.4.1</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.springframework</groupId>
                    <artifactId>spring-webmvc</artifactId>
                    <version>3.2.12.RELEASE</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.google.code.gson</groupId>
                    <artifactId>gson</artifactId>
                    <version>2.3.1</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.google.gerrit</groupId>
                    <artifactId>gerrit-extension-api</artifactId>
                    <version>2.11</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.google.apis</groupId>
                    <artifactId>google-api-services-sqladmin</artifactId>
                    <version>v1beta4-rev5-1.20.0</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.google.gwt.google-apis</groupId>
                    <artifactId>gwt-gears</artifactId>
                    <version>1.2.1</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>org.mozilla</groupId>
                    <artifactId>rhino</artifactId>
                    <version>1.7.6</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.microsoft.windowsazure</groupId>
                    <artifactId>microsoft-azure-api-media</artifactId>
                    <version>0.5.0</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.microsoft.windowsazure</groupId>
                    <artifactId>microsoft-azure-api-management-sql</artifactId>
                    <version>0.5.0</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
                <dependency>
                    <groupId>com.microsoft.bingads</groupId>
                    <artifactId>microsoft.bingads</artifactId>
                    <version>9.3.4</version>
                    <scope>test</scope>
                    <optional>true</optional>
                </dependency>
            </dependencies>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -17,21 +17,11 @@
 */
 package org.owasp.dependencycheck;
 import java.io.File;
 import java.util.ArrayList;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
 import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.IndexException;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -40,52 +30,89 @@ import org.owasp.dependencycheck.data.update.UpdateService;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.NoDataException;
-import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Set;
 /**
- * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the
+ * Scans files, directories, etc. for Dependencies. Analyzers are loaded and
- * scan, if a file is encountered and an Analyzer is associated with the file type then the file is turned into a
+ * used to process the files found by the scan, if a file is encountered and an
 * Analyzer is associated with the file type then the file is turned into a
 * dependency.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
-public class Engine {
+public class Engine implements FileFilter {
    /**
     * The list of dependencies.
     */
-    private final List<Dependency> dependencies;
+    private List<Dependency> dependencies = new ArrayList<Dependency>();
    /**
     * A Map of analyzers grouped by Analysis phase.
     */
-    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
+    private final Map<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
    /**
-     * A set of extensions supported by the analyzers.
+     * A Map of analyzers grouped by Analysis phase.
     */
-    private final Set<String> extensions;
+    private final Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
    /**
     * The ClassLoader to use when dynamically loading Analyzer and Update
     * services.
     */
    private ClassLoader serviceClassLoader = Thread.currentThread().getContextClassLoader();
    /**
     * The Logger for use throughout the class.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(Engine.class);
    /**
     * Creates a new Engine.
     *
-     * @throws DatabaseException thrown if there is an error connecting to the database
+     * @throws DatabaseException thrown if there is an error connecting to the
     * database
     */
    public Engine() throws DatabaseException {
-        this.extensions = new HashSet<String>();
+        initializeEngine();
-        this.dependencies = new ArrayList<Dependency>();
+    }
        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
        ConnectionFactory.initialize();
-        boolean autoUpdate = true;
+    /**
-        try {
+     * Creates a new Engine.
-            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+     *
-        } catch (InvalidSettingException ex) {
+     * @param serviceClassLoader a reference the class loader being used
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
+     * @throws DatabaseException thrown if there is an error connecting to the
-        }
+     * database
-        if (autoUpdate) {
+     */
-            doUpdates();
+    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
-        }
+        this.serviceClassLoader = serviceClassLoader;
        initializeEngine();
    }
    /**
     * Creates a new Engine using the specified classloader to dynamically load
     * Analyzer and Update services.
     *
     * @throws DatabaseException thrown if there is an error connecting to the
     * database
     */
    protected final void initializeEngine() throws DatabaseException {
        ConnectionFactory.initialize();
        loadAnalyzers();
    }
@@ -97,21 +124,23 @@ public class Engine {
    }
    /**
-     * Loads the analyzers specified in the configuration file (or system properties).
+     * Loads the analyzers specified in the configuration file (or system
     * properties).
     */
    private void loadAnalyzers() {
-
+        if (!analyzers.isEmpty()) {
            return;
        }
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            analyzers.put(phase, new ArrayList<Analyzer>());
        }
-        final AnalyzerService service = AnalyzerService.getInstance();
+        final AnalyzerService service = new AnalyzerService(serviceClassLoader);
-        final Iterator<Analyzer> iterator = service.getAnalyzers();
+        final List<Analyzer> iterator = service.getAnalyzers();
-        while (iterator.hasNext()) {
+        for (Analyzer a : iterator) {
            final Analyzer a = iterator.next();
            analyzers.get(a.getAnalysisPhase()).add(a);
-            if (a.getSupportedExtensions() != null) {
+            if (a instanceof FileTypeAnalyzer) {
-                extensions.addAll(a.getSupportedExtensions());
+                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
            }
        }
    }
@@ -136,259 +165,338 @@ public class Engine {
    }
    /**
-     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
+     * Sets the dependencies.
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param dependencies the dependencies
     *
     * @param paths an array of paths to files or directories to be analyzed.
     */
-    public void scan(String[] paths) {
+    public void setDependencies(List<Dependency> dependencies) {
        this.dependencies = dependencies;
    }
    /**
     * Scans an array of files or directories. If a directory is specified, it
     * will be scanned recursively. Any dependencies identified are added to the
     * dependency collection.
     *
     * @param paths an array of paths to files or directories to be analyzed
     * @return the list of dependencies scanned
     * @since v0.3.2.5
     */
    public List<Dependency> scan(String[] paths) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (String path : paths) {
-            final File file = new File(path);
+            final List<Dependency> d = scan(path);
-            scan(file);
+            if (d != null) {
-        }
+                deps.addAll(d);
    }
    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
     * @param path the path to a file or directory to be analyzed.
     */
    public void scan(String path) {
        final File file = new File(path);
        scan(file);
    }
    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
     * @since v0.3.2.5
     *
     * @param files an array of paths to files or directories to be analyzed.
     */
    public void scan(File[] files) {
        for (File file : files) {
            scan(file);
        }
    }
    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
     * @since v0.3.2.5
     *
     * @param files a set of paths to files or directories to be analyzed.
     */
    public void scan(Set<File> files) {
        for (File file : files) {
            scan(file);
        }
    }
    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
     * @since v0.3.2.5
     *
     * @param files a set of paths to files or directories to be analyzed.
     */
    public void scan(List<File> files) {
        for (File file : files) {
            scan(file);
        }
    }
    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
     * @since v0.3.2.4
     *
     * @param file the path to a file or directory to be analyzed.
     */
    public void scan(File file) {
        if (file.exists()) {
            if (file.isDirectory()) {
                scanDirectory(file);
            } else {
                scanFile(file);
            }
        }
        return deps;
    }
    /**
-     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be
     * scanned recursively. Any dependencies identified are added to the
     * dependency collection.
     *
-     * @param dir the directory to scan.
+     * @param path the path to a file or directory to be analyzed
     * @return the list of dependencies scanned
     */
-    protected void scanDirectory(File dir) {
+    public List<Dependency> scan(String path) {
-        final File[] files = dir.listFiles();
+        final File file = new File(path);
-        if (files != null) {
+        return scan(file);
-            for (File f : files) {
+    }
-                if (f.isDirectory()) {
+
-                    scanDirectory(f);
+    /**
-                } else {
+     * Scans an array of files or directories. If a directory is specified, it
-                    scanFile(f);
+     * will be scanned recursively. Any dependencies identified are added to the
     * dependency collection.
     *
     * @param files an array of paths to files or directories to be analyzed.
     * @return the list of dependencies
     * @since v0.3.2.5
     */
    public List<Dependency> scan(File[] files) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
            final List<Dependency> d = scan(file);
            if (d != null) {
                deps.addAll(d);
            }
        }
        return deps;
    }
    /**
     * Scans a collection of files or directories. If a directory is specified,
     * it will be scanned recursively. Any dependencies identified are added to
     * the dependency collection.
     *
     * @param files a set of paths to files or directories to be analyzed
     * @return the list of dependencies scanned
     * @since v0.3.2.5
     */
    public List<Dependency> scan(Collection<File> files) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
            final List<Dependency> d = scan(file);
            if (d != null) {
                deps.addAll(d);
            }
        }
        return deps;
    }
    /**
     * Scans a given file or directory. If a directory is specified, it will be
     * scanned recursively. Any dependencies identified are added to the
     * dependency collection.
     *
     * @param file the path to a file or directory to be analyzed
     * @return the list of dependencies scanned
     * @since v0.3.2.4
     */
    public List<Dependency> scan(File file) {
        if (file.exists()) {
            if (file.isDirectory()) {
                return scanDirectory(file);
            } else {
                final Dependency d = scanFile(file);
                if (d != null) {
                    final List<Dependency> deps = new ArrayList<Dependency>();
                    deps.add(d);
                    return deps;
                }
            }
        }
        return null;
    }
    /**
-     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
+     * Recursively scans files and directories. Any dependencies identified are
     * added to the dependency collection.
     *
-     * @param file The file to scan.
+     * @param dir the directory to scan
     * @return the list of Dependency objects scanned
     */
-    protected void scanFile(File file) {
+    protected List<Dependency> scanDirectory(File dir) {
-        if (!file.isFile()) {
+        final File[] files = dir.listFiles();
-            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
+        final List<Dependency> deps = new ArrayList<Dependency>();
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+        if (files != null) {
-            return;
+            for (File f : files) {
                if (f.isDirectory()) {
                    final List<Dependency> d = scanDirectory(f);
                    if (d != null) {
                        deps.addAll(d);
                    }
                } else {
                    final Dependency d = scanFile(f);
                    deps.add(d);
                }
            }
        }
-        final String fileName = file.getName();
+        return deps;
-        final String extension = FileUtils.getFileExtension(fileName);
+    }
-        if (extension != null) {
+
-            if (extensions.contains(extension)) {
+    /**
-                final Dependency dependency = new Dependency(file);
+     * Scans a specified file. If a dependency is identified it is added to the
     * dependency collection.
     *
     * @param file The file to scan
     * @return the scanned dependency
     */
    protected Dependency scanFile(File file) {
        Dependency dependency = null;
        if (file.isFile()) {
            if (accept(file)) {
                dependency = new Dependency(file);
                dependencies.add(dependency);
            }
        } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
+            LOGGER.debug("Path passed to scanFile(File) is not a file: {}. Skipping the file.", file);
                    file.toString());
            Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
        }
        return dependency;
    }
    /**
-     * Runs the analyzers against all of the dependencies.
+     * Runs the analyzers against all of the dependencies. Since the mutable
     * dependencies list is exposed via {@link #getDependencies()}, this method
     * iterates over a copy of the dependencies list. Thus, the potential for
     * {@link java.util.ConcurrentModificationException}s is avoided, and
     * analyzers may safely add or remove entries from the dependencies list.
     *
     * Every effort is made to complete analysis on the dependencies. In some
     * cases an exception will occur with part of the analysis being performed
     * which may not affect the entire analysis. If an exception occurs it will
     * be included in the thrown exception collection.
     *
     * @throws ExceptionCollection a collections of any exceptions that occurred
     * during analysis
     */
-    public void analyzeDependencies() {
+    public void analyzeDependencies() throws ExceptionCollection {
        final List<Throwable> exceptions = new ArrayList<Throwable>();
        boolean autoUpdate = true;
        try {
            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
        } catch (InvalidSettingException ex) {
            LOGGER.debug("Invalid setting for auto-update; using true.");
            exceptions.add(ex);
        }
        if (autoUpdate) {
            try {
                doUpdates();
            } catch (UpdateException ex) {
                exceptions.add(ex);
                LOGGER.warn("Unable to update Cached Web DataSource, using local "
                        + "data instead. Results may not include recent vulnerabilities.");
                LOGGER.debug("Update Error", ex);
            }
        }
        //need to ensure that data exists
        try {
            ensureDataExists();
        } catch (NoDataException ex) {
-            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            LOGGER.error("{}\n\nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            LOGGER.debug("", ex);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            exceptions.add(ex);
-            return;
+            throw new ExceptionCollection("Unable to continue dependency-check analysis.", exceptions, true);
        } catch (DatabaseException ex) {
-            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
+            LOGGER.error("{}\n\nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
+            LOGGER.debug("", ex);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            exceptions.add(ex);
-            return;
+            throw new ExceptionCollection("Unable to connect to the dependency-check database", exceptions, true);
        }
-        final String logHeader = String.format("%n"
+        LOGGER.debug("\n----------------------------------------------------\nBEGIN ANALYSIS\n----------------------------------------------------");
-                + "----------------------------------------------------%n"
+        LOGGER.info("Analysis Started");
-                + "BEGIN ANALYSIS%n"
+        final long analysisStart = System.currentTimeMillis();
                + "----------------------------------------------------");
        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
        //phase one initialize
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);
            for (Analyzer a : analyzerList) {
                try {
                    final String msg = String.format("Initializing %s", a.getName());
                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
                    a.initialize();
                } catch (Throwable ex) {
                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
                    try {
                        a.close();
                    } catch (Throwable ex1) {
                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
                    }
                }
            }
        }
        // analysis phases
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);
            for (Analyzer a : analyzerList) {
                try {
                    a = initializeAnalyzer(a);
                } catch (InitializationException ex) {
                    exceptions.add(ex);
                    continue;
                }
                /* need to create a copy of the collection because some of the
                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
                 * This is okay for adds/deletes because it happens per analyzer.
                 */
-                final String msg = String.format("Begin Analyzer '%s'", a.getName());
+                LOGGER.debug("Begin Analyzer '{}'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                final Set<Dependency> dependencySet = new HashSet<Dependency>(dependencies);
                final Set<Dependency> dependencySet = new HashSet<Dependency>();
                dependencySet.addAll(dependencies);
                for (Dependency d : dependencySet) {
-                    if (a.supportsExtension(d.getFileExtension())) {
+                    boolean shouldAnalyze = true;
-                        final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
+                    if (a instanceof FileTypeAnalyzer) {
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
+                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
                        shouldAnalyze = fAnalyzer.accept(d.getActualFile());
                    }
                    if (shouldAnalyze) {
                        LOGGER.debug("Begin Analysis of '{}'", d.getActualFilePath());
                        try {
                            a.analyze(d, this);
                        } catch (AnalysisException ex) {
-                            final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
+                            LOGGER.warn("An error occurred while analyzing '{}'.", d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
+                            LOGGER.debug("", ex);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            exceptions.add(ex);
                        } catch (Throwable ex) {
                            final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
+                            LOGGER.warn("An unexpected error occurred during analysis of '{}'", d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            LOGGER.debug("", ex);
                            exceptions.add(ex);
                        }
                    }
                }
            }
        }
        //close/cleanup
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);
            for (Analyzer a : analyzerList) {
-                final String msg = String.format("Closing Analyzer '%s'", a.getName());
+                closeAnalyzer(a);
                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
                try {
                    a.close();
                } catch (Throwable ex) {
                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
                }
            }
        }
-        final String logFooter = String.format("%n"
+        LOGGER.debug("\n----------------------------------------------------\nEND ANALYSIS\n----------------------------------------------------");
-                + "----------------------------------------------------%n"
+        LOGGER.info("Analysis Complete ({} ms)", System.currentTimeMillis() - analysisStart);
-                + "END ANALYSIS%n"
+        if (exceptions.size() > 0) {
-                + "----------------------------------------------------");
+            throw new ExceptionCollection("One or more exceptions occured during dependency-check analysis", exceptions);
-        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
+        }
        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
    }
    /**
-     * Cycles through the cached web data sources and calls update on all of them.
+     * Initializes the given analyzer.
     *
     * @param analyzer the analyzer to initialize
     * @return the initialized analyzer
     * @throws InitializationException thrown when there is a problem
     * initializing the analyzer
     */
-    private void doUpdates() {
+    protected Analyzer initializeAnalyzer(Analyzer analyzer) throws InitializationException {
-        final UpdateService service = UpdateService.getInstance();
+        try {
            LOGGER.debug("Initializing {}", analyzer.getName());
            analyzer.initialize();
        } catch (InitializationException ex) {
            LOGGER.error("Exception occurred initializing {}.", analyzer.getName());
            LOGGER.debug("", ex);
            try {
                analyzer.close();
            } catch (Throwable ex1) {
                LOGGER.trace("", ex1);
            }
            throw ex;
        } catch (Throwable ex) {
            LOGGER.error("Unexpected exception occurred initializing {}.", analyzer.getName());
            LOGGER.debug("", ex);
            try {
                analyzer.close();
            } catch (Throwable ex1) {
                LOGGER.trace("", ex1);
            }
            throw new InitializationException("Unexpected Exception", ex);
        }
        return analyzer;
    }
    /**
     * Closes the given analyzer.
     *
     * @param analyzer the analyzer to close
     */
    protected void closeAnalyzer(Analyzer analyzer) {
        LOGGER.debug("Closing Analyzer '{}'", analyzer.getName());
        try {
            analyzer.close();
        } catch (Throwable ex) {
            LOGGER.trace("", ex);
        }
    }
    /**
     * Cycles through the cached web data sources and calls update on all of
     * them.
     *
     * @throws UpdateException thrown if the operation fails
     */
    public void doUpdates() throws UpdateException {
        LOGGER.info("Checking for updates");
        final long updateStart = System.currentTimeMillis();
        final UpdateService service = new UpdateService(serviceClassLoader);
        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
        while (iterator.hasNext()) {
            final CachedWebDataSource source = iterator.next();
-            try {
+            source.update();
                source.update();
            } catch (UpdateException ex) {
                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
                Logger.getLogger(Engine.class.getName()).log(Level.FINE,
                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
            }
        }
        LOGGER.info("Check for updates complete ({} ms)", System.currentTimeMillis() - updateStart);
    }
    /**
-     * Returns a full list of all of the analyzers. This is useful for reporting which analyzers where used.
+     * Returns a full list of all of the analyzers. This is useful for reporting
     * which analyzers where used.
     *
     * @return a list of Analyzers
     */
@@ -404,47 +512,52 @@ public class Engine {
    /**
     * Checks all analyzers to see if an extension is supported.
     *
-     * @param ext a file extension
+     * @param file a file extension
-     * @return true or false depending on whether or not the file extension is supported
+     * @return true or false depending on whether or not the file extension is
     * supported
     */
-    public boolean supportsExtension(String ext) {
+    @Override
-        if (ext == null) {
+    public boolean accept(File file) {
        if (file == null) {
            return false;
        }
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
+        boolean scan = false;
-            final List<Analyzer> analyzerList = analyzers.get(phase);
+        for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
-            for (Analyzer a : analyzerList) {
+            /* note, we can't break early on this loop as the analyzers need to know if
-                if (a.getSupportedExtensions() != null && a.supportsExtension(ext)) {
+             they have files to work on prior to initialization */
-                    return true;
+            scan |= a.accept(file);
                }
            }
        }
-        return false;
+        return scan;
    }
    /**
-     * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
+     * Returns the set of file type analyzers.
     *
     * @return the set of file type analyzers
     */
    public Set<FileTypeAnalyzer> getFileTypeAnalyzers() {
        return this.fileTypeAnalyzers;
    }
    /**
     * Checks the CPE Index to ensure documents exists. If none exist a
     * NoDataException is thrown.
     *
     * @throws NoDataException thrown if no data exists in the CPE Index
-     * @throws DatabaseException thrown if there is an exception opening the database
+     * @throws DatabaseException thrown if there is an exception opening the
     * database
     */
    private void ensureDataExists() throws NoDataException, DatabaseException {
        final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
        final CveDB cve = new CveDB();
        try {
            cve.open();
-            cpe.open(cve);
+            if (!cve.dataExists()) {
-        } catch (IndexException ex) {
+                throw new NoDataException("No documents exist");
-            throw new NoDataException(ex.getMessage(), ex);
+            }
        } catch (DatabaseException ex) {
            throw new NoDataException(ex.getMessage(), ex);
        } finally {
            cve.close();
        }
        if (cpe.numDocs() <= 0) {
            cpe.close();
            throw new NoDataException("No documents exist");
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -1,5 +1,5 @@
 /*
- * This file is part of dependency-check-ant.
+ * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
@@ -13,24 +13,13 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
- * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Steve Springett. All Rights Reserved.
 */
-package org.owasp.dependencycheck.taskdefs;
+package org.owasp.dependencycheck.agent;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Task;
 import org.apache.tools.ant.types.EnumeratedAttribute;
 import org.apache.tools.ant.types.Reference;
 import org.apache.tools.ant.types.Resource;
 import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -38,112 +27,50 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.ExceptionCollection;
 import org.owasp.dependencycheck.exception.ScanAgentException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
- * An Ant task definition to execute dependency-check during an Ant build.
+ * This class provides a way to easily conduct a scan solely based on existing
 * evidence metadata rather than collecting evidence from the files themselves.
 * This class is based on the Ant task and Maven plugin with the exception that
 * it takes a list of dependencies that can be programmatically added from data
 * in a spreadsheet, database or some other datasource and conduct a scan based
 * on this pre-defined evidence.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * <h2>Example:</h2>
 * <pre>
 * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
 * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
 * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
 * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
 * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
 * dependencies.add(dependency);
 *
 * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
 * scan.setDependencies(dependencies);
 * scan.setReportFormat(ReportGenerator.Format.ALL);
 * scan.setReportOutputDirectory(System.getProperty("user.home"));
 * scan.execute();
 * </pre>
 *
 * @author Steve Springett
 */
-public class DependencyCheckTask extends Task {
+@SuppressWarnings("unused")
 public class DependencyCheckScanAgent {
    /**
     * The properties file location.
     */
    private static final String PROPERTIES_FILE = "task.properties";
    /**
     * Name of the logging properties file.
     */
    private static final String LOG_PROPERTIES_FILE = "log.properties";
    /**
     * System specific new line character.
     */
    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
    /**
-     * Construct a new DependencyCheckTask.
+     * Logger for use throughout the class.
     */
-    public DependencyCheckTask() {
+    private static final Logger LOGGER = LoggerFactory.getLogger(DependencyCheckScanAgent.class);
        super();
    }
    //The following code was copied Apache Ant PathConvert
    //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
    /**
     * Path to be converted
     */
    private Resources path = null;
    /**
     * Reference to path/fileset to convert
     */
    private Reference refid = null;
    /**
     * Add an arbitrary ResourceCollection.
     *
     * @param rc the ResourceCollection to add.
     * @since Ant 1.7
     */
    public void add(ResourceCollection rc) {
        if (isReference()) {
            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
        }
        getPath().add(rc);
    }
    /**
     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
     * path object.
     *
     * @return the path
     */
    private synchronized Resources getPath() {
        if (path == null) {
            path = new Resources(getProject());
            path.setCache(true);
        }
        return path;
    }
    /**
     * Learn whether the refid attribute of this element been set.
     *
     * @return true if refid is valid.
     */
    public boolean isReference() {
        return refid != null;
    }
    /**
     * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
     *
     * @param r the reference to a path, fileset, dirset or filelist.
     */
    public void setRefid(Reference r) {
        if (path != null) {
            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
        }
        refid = r;
    }
    /**
     * If this is a reference, this method will add the referenced resource collection to the collection of paths.
     *
     * @throws BuildException if the reference is not to a resource collection
     */
    private void dealWithReferences() throws BuildException {
        if (isReference()) {
            final Object o = refid.getReferencedObject(getProject());
            if (!(o instanceof ResourceCollection)) {
                throw new BuildException("refid '" + refid.getRefId()
                        + "' does not refer to a resource collection.");
            }
            getPath().add((ResourceCollection) o);
        }
    }
    // END COPY from org.apache.tools.ant.taskdefs
    /**
     * The application name for the report.
     */
@@ -166,6 +93,30 @@ public class DependencyCheckTask extends Task {
    public void setApplicationName(String applicationName) {
        this.applicationName = applicationName;
    }
    /**
     * The pre-determined dependencies to scan
     */
    private List<Dependency> dependencies;
    /**
     * Returns a list of pre-determined dependencies.
     *
     * @return returns a list of dependencies
     */
    public List<Dependency> getDependencies() {
        return dependencies;
    }
    /**
     * Sets the list of dependencies to scan.
     *
     * @param dependencies new value of dependencies
     */
    public void setDependencies(List<Dependency> dependencies) {
        this.dependencies = dependencies;
    }
    /**
     * The location of the data directory that contains
     */
@@ -188,10 +139,12 @@ public class DependencyCheckTask extends Task {
    public void setDataDirectory(String dataDirectory) {
        this.dataDirectory = dataDirectory;
    }
    /**
-     * Specifies the destination directory for the generated Dependency-Check report.
+     * Specifies the destination directory for the generated Dependency-Check
     * report.
     */
-    private String reportOutputDirectory = ".";
+    private String reportOutputDirectory;
    /**
     * Get the value of reportOutputDirectory.
@@ -210,10 +163,13 @@ public class DependencyCheckTask extends Task {
    public void setReportOutputDirectory(String reportOutputDirectory) {
        this.reportOutputDirectory = reportOutputDirectory;
    }
    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
+     * Specifies if the build should be failed if a CVSS score above a specified
-     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
+     * level is identified. The default is 11 which means since the CVSS scores
-     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     * are 0-10, by default the build will never fail and the CVSS score is set
     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
     * anything above 10 will not cause the build to fail.
     */
    private float failBuildOnCVSS = 11;
@@ -234,9 +190,10 @@ public class DependencyCheckTask extends Task {
    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
        this.failBuildOnCVSS = failBuildOnCVSS;
    }
    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
-     * false. Default is true.
+     * recommended that this be turned to false. Default is true.
     */
    private boolean autoUpdate = true;
@@ -257,18 +214,43 @@ public class DependencyCheckTask extends Task {
    public void setAutoUpdate(boolean autoUpdate) {
        this.autoUpdate = autoUpdate;
    }
    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
+     * flag indicating whether or not to generate a report of findings.
     * within the Site plugin unless the externalReport is set to true. Default is HTML.
     */
-    private String reportFormat = "HTML";
+    private boolean generateReport = true;
    /**
     * Get the value of generateReport.
     *
     * @return the value of generateReport
     */
    public boolean isGenerateReport() {
        return generateReport;
    }
    /**
     * Set the value of generateReport.
     *
     * @param generateReport new value of generateReport
     */
    public void setGenerateReport(boolean generateReport) {
        this.generateReport = generateReport;
    }
    /**
     * The report format to be generated (HTML, XML, VULN, ALL). This
     * configuration option has no affect if using this within the Site plugin
     * unless the externalReport is set to true. Default is HTML.
     */
    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
    /**
     * Get the value of reportFormat.
     *
     * @return the value of reportFormat
     */
-    public String getReportFormat() {
+    public ReportGenerator.Format getReportFormat() {
        return reportFormat;
    }
@@ -277,31 +259,58 @@ public class DependencyCheckTask extends Task {
     *
     * @param reportFormat new value of reportFormat
     */
-    public void setReportFormat(ReportFormats reportFormat) {
+    public void setReportFormat(ReportGenerator.Format reportFormat) {
-        this.reportFormat = reportFormat.getValue();
+        this.reportFormat = reportFormat;
    }
    /**
     * The Proxy URL.
     */
    private String proxyUrl;
    /**
-     * Get the value of proxyUrl.
+     * The Proxy Server.
     *
     * @return the value of proxyUrl
     */
    private String proxyServer;
    /**
     * Get the value of proxyServer.
     *
     * @return the value of proxyServer
     */
    public String getProxyServer() {
        return proxyServer;
    }
    /**
     * Set the value of proxyServer.
     *
     * @param proxyServer new value of proxyServer
     */
    public void setProxyServer(String proxyServer) {
        this.proxyServer = proxyServer;
    }
    /**
     * Get the value of proxyServer.
     *
     * @return the value of proxyServer
     * @deprecated use
     * {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()}
     * instead
     */
    @Deprecated
    public String getProxyUrl() {
-        return proxyUrl;
+        return proxyServer;
    }
    /**
-     * Set the value of proxyUrl.
+     * Set the value of proxyServer.
     *
-     * @param proxyUrl new value of proxyUrl
+     * @param proxyUrl new value of proxyServer
     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
     * } instead
     */
    @Deprecated
    public void setProxyUrl(String proxyUrl) {
-        this.proxyUrl = proxyUrl;
+        this.proxyServer = proxyUrl;
    }
    /**
     * The Proxy Port.
     */
@@ -324,6 +333,7 @@ public class DependencyCheckTask extends Task {
    public void setProxyPort(String proxyPort) {
        this.proxyPort = proxyPort;
    }
    /**
     * The Proxy username.
     */
@@ -346,6 +356,7 @@ public class DependencyCheckTask extends Task {
    public void setProxyUsername(String proxyUsername) {
        this.proxyUsername = proxyUsername;
    }
    /**
     * The Proxy password.
     */
@@ -368,6 +379,7 @@ public class DependencyCheckTask extends Task {
    public void setProxyPassword(String proxyPassword) {
        this.proxyPassword = proxyPassword;
    }
    /**
     * The Connection Timeout.
     */
@@ -390,6 +402,7 @@ public class DependencyCheckTask extends Task {
    public void setConnectionTimeout(String connectionTimeout) {
        this.connectionTimeout = connectionTimeout;
    }
    /**
     * The file path used for verbose logging.
     */
@@ -412,6 +425,7 @@ public class DependencyCheckTask extends Task {
    public void setLogFile(String logFile) {
        this.logFile = logFile;
    }
    /**
     * The path to the suppression file.
     */
@@ -434,6 +448,7 @@ public class DependencyCheckTask extends Task {
    public void setSuppressionFile(String suppressionFile) {
        this.suppressionFile = suppressionFile;
    }
    /**
     * flag indicating whether or not to show a summary of findings.
     */
@@ -457,6 +472,52 @@ public class DependencyCheckTask extends Task {
        this.showSummary = showSummary;
    }
    /**
     * Whether or not the Maven Central analyzer is enabled.
     */
    private boolean centralAnalyzerEnabled = true;
    /**
     * Get the value of centralAnalyzerEnabled.
     *
     * @return the value of centralAnalyzerEnabled
     */
    public boolean isCentralAnalyzerEnabled() {
        return centralAnalyzerEnabled;
    }
    /**
     * Set the value of centralAnalyzerEnabled.
     *
     * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
     */
    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
    }
    /**
     * The URL of Maven Central.
     */
    private String centralUrl;
    /**
     * Get the value of centralUrl.
     *
     * @return the value of centralUrl
     */
    public String getCentralUrl() {
        return centralUrl;
    }
    /**
     * Set the value of centralUrl.
     *
     * @param centralUrl new value of centralUrl
     */
    public void setCentralUrl(String centralUrl) {
        this.centralUrl = centralUrl;
    }
    /**
     * Whether or not the nexus analyzer is enabled.
     */
@@ -502,6 +563,7 @@ public class DependencyCheckTask extends Task {
    public void setNexusUrl(String nexusUrl) {
        this.nexusUrl = nexusUrl;
    }
    /**
     * Whether or not the defined proxy should be used when connecting to Nexus.
     */
@@ -570,6 +632,7 @@ public class DependencyCheckTask extends Task {
    public void setDatabaseDriverPath(String databaseDriverPath) {
        this.databaseDriverPath = databaseDriverPath;
    }
    /**
     * The database connection string.
     */
@@ -592,6 +655,7 @@ public class DependencyCheckTask extends Task {
    public void setConnectionString(String connectionString) {
        this.connectionString = connectionString;
    }
    /**
     * The user name for connecting to the database.
     */
@@ -639,8 +703,8 @@ public class DependencyCheckTask extends Task {
    }
    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * Additional ZIP File extensions to add analyze. This should be a
-     * like ZIP files.
+     * comma-separated list of file extensions to treat like ZIP files.
     */
    private String zipExtensions;
@@ -753,6 +817,7 @@ public class DependencyCheckTask extends Task {
    public void setCveUrl20Base(String cveUrl20Base) {
        this.cveUrl20Base = cveUrl20Base;
    }
    /**
     * The path to Mono for .NET assembly analysis on non-windows systems.
     */
@@ -776,111 +841,71 @@ public class DependencyCheckTask extends Task {
        this.pathToMono = pathToMono;
    }
-    @Override
+    /**
-    public void execute() throws BuildException {
+     * Executes the Dependency-Check on the dependent libraries.
-        final InputStream in = DependencyCheckTask.class.getClassLoader().getResourceAsStream(LOG_PROPERTIES_FILE);
+     *
-        LogUtils.prepareLogger(in, logFile);
+     * @return the Engine used to scan the dependencies.
-
+     * @throws ExceptionCollection a collection of one or more exceptions that
-        dealWithReferences();
+     * occurred during analysis.
-        validateConfiguration();
+     */
    private Engine executeDependencyCheck() throws ExceptionCollection {
        populateSettings();
-
+        final Engine engine;
        Engine engine = null;
        try {
            engine = new Engine();
            for (Resource resource : path) {
                final FileProvider provider = resource.as(FileProvider.class);
                if (provider != null) {
                    final File file = provider.getFile();
                    if (file != null && file.exists()) {
                        engine.scan(file);
                    }
                }
            }
            try {
                engine.analyzeDependencies();
                DatabaseProperties prop = null;
                CveDB cve = null;
                try {
                    cve = new CveDB();
                    cve.open();
                    prop = cve.getDatabaseProperties();
                } catch (DatabaseException ex) {
                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
                } finally {
                    if (cve != null) {
                        cve.close();
                    }
                }
                final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
                reporter.generateReports(reportOutputDirectory, reportFormat);
                if (this.failBuildOnCVSS <= 10) {
                    checkForFailure(engine.getDependencies());
                }
                if (this.showSummary) {
                    showSummary(engine.getDependencies());
                }
            } catch (IOException ex) {
                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
                        "Unable to generate dependency-check report", ex);
                throw new BuildException("Unable to generate dependency-check report", ex);
            } catch (Exception ex) {
                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
                        "An exception occurred; unable to continue task", ex);
                throw new BuildException("An exception occurred; unable to continue task", ex);
            }
        } catch (DatabaseException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
+            throw new ExceptionCollection(ex, true);
-                    "Unable to connect to the dependency-check database; analysis has stopped");
+        }
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
+        engine.setDependencies(this.dependencies);
        engine.analyzeDependencies();
        return engine;
    }
    /**
     * Generates the reports for a given dependency-check engine.
     *
     * @param engine a dependency-check engine
     * @param outDirectory the directory to write the reports to
     */
    private void generateExternalReports(Engine engine, File outDirectory) {
        DatabaseProperties prop = null;
        CveDB cve = null;
        try {
            cve = new CveDB();
            cve.open();
            prop = cve.getDatabaseProperties();
        } catch (DatabaseException ex) {
            LOGGER.debug("Unable to retrieve DB Properties", ex);
        } finally {
-            if (engine != null) {
+            if (cve != null) {
-                engine.cleanup();
+                cve.close();
            }
        }
-    }
+        final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
-
+        try {
-    /**
+            r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
-     * Validate the configuration to ensure the parameters have been properly configured/initialized.
+        } catch (IOException ex) {
-     *
+            LOGGER.error(
-     * @throws BuildException if the task was not configured correctly.
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
-     */
+            LOGGER.debug("", ex);
-    private void validateConfiguration() throws BuildException {
+        } catch (Throwable ex) {
-        if (path == null) {
+            LOGGER.error(
-            throw new BuildException("No project dependencies have been defined to analyze.");
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
-        }
+            LOGGER.debug("", ex);
        if (failBuildOnCVSS < 0 || failBuildOnCVSS > 11) {
            throw new BuildException("Invalid configuration, failBuildOnCVSS must be between 0 and 11.");
        }
    }
    /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
+     * Takes the properties supplied and updates the dependency-check settings.
-     * properties required to change the proxy url, port, and connection timeout.
+     * Additionally, this sets the system properties required to change the
     * proxy server, port, and connection timeout.
     */
    private void populateSettings() {
-        InputStream taskProperties = null;
+        Settings.initialize();
        try {
            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
            Settings.mergeProperties(taskProperties);
        } catch (IOException ex) {
            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
        } finally {
            if (taskProperties != null) {
                try {
                    taskProperties.close();
                } catch (IOException ex) {
                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
                }
            }
        }
        if (dataDirectory != null) {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
        } else {
-            final File jarPath = new File(DependencyCheckTask.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
            final File base = jarPath.getParentFile();
            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
            final File dataDir = new File(base, sub);
@@ -888,78 +913,82 @@ public class DependencyCheckTask extends Task {
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
        }
        if (proxyPassword != null && !proxyPassword.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
        }
        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        }
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        if (databaseUser != null && !databaseUser.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
        }
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
        if (zipExtensions != null && !zipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        }
        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        }
        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
        }
        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
        }
        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        }
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
    }
    /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * Executes the dependency-check and generates the report.
-     * configuration.
+     *
     * @return a reference to the engine used to perform the scan.
     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
     * there is an exception executing the scan.
     */
    public Engine execute() throws ScanAgentException {
        Engine engine = null;
        try {
            engine = executeDependencyCheck();
            if (this.generateReport) {
                generateExternalReports(engine, new File(this.reportOutputDirectory));
            }
            if (this.showSummary) {
                showSummary(engine.getDependencies());
            }
            if (this.failBuildOnCVSS <= 10) {
                checkForFailure(engine.getDependencies());
            }
        } catch (ExceptionCollection ex) {
            if (ex.isFatal()) {
                LOGGER.error("A fatal exception occurred during analysis; analysis has stopped. Please see the debug log for more details.");
                LOGGER.debug("", ex);
            }
            throw new ScanAgentException("One or more exceptions occurred during analysis; please see the debug log for more details.", ex);
        } finally {
            Settings.cleanup(true);
            if (engine != null) {
                engine.cleanup();
            }
        }
        return engine;
    }
    /**
     * Checks to see if a vulnerability has been identified with a CVSS score
     * that is above the threshold set in the configuration.
     *
     * @param dependencies the list of dependency objects
-     * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
     * there is an exception executing the scan.
     */
-    private void checkForFailure(List<Dependency> dependencies) throws BuildException {
+    private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
        final StringBuilder ids = new StringBuilder();
        for (Dependency d : dependencies) {
            boolean addName = true;
            for (Vulnerability v : d.getVulnerabilities()) {
                if (v.getCvssScore() >= failBuildOnCVSS) {
-                    if (ids.length() == 0) {
+                    if (addName) {
                        addName = false;
                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
                        ids.append(v.getName());
                    } else {
                        ids.append(", ").append(v.getName());
@@ -971,12 +1000,14 @@ public class DependencyCheckTask extends Task {
            final String msg = String.format("%n%nDependency-Check Failure:%n"
                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
-            throw new BuildException(msg);
+
            throw new ScanAgentException(msg);
        }
    }
    /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
     * associated CPE and CVE entries.
     *
     * @param dependencies a list of dependency objects
     */
@@ -1008,32 +1039,10 @@ public class DependencyCheckTask extends Task {
            }
        }
        if (summary.length() > 0) {
-            final String msg = String.format("%n%n"
+            LOGGER.warn("\n\nOne or more dependencies were identified with known vulnerabilities:\n\n{}\n\n"
-                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                    + "See the dependency-check report for more details.\n\n",
-                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+                    summary.toString());
            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
        }
    }
    /**
     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
     */
    public static class ReportFormats extends EnumeratedAttribute {
        /**
         * Returns the list of values for the report format.
         *
         * @return the list of values for the report format
         */
        @Override
        public String[] getValues() {
            int i = 0;
            final Format[] formats = Format.values();
            final String[] values = new String[formats.length];
            for (Format format : formats) {
                values[i++] = format.name();
            }
            return values;
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
@@ -0,0 +1,6 @@
 /**
 * The agent package holds an agent API that can be used by other applications that have information about dependencies; but would
 * rather implement something in their code directly rather then spawn a process to run the entire dependency-check engine. This
 * basically provides programmatic access to running a scan.
 */
 package org.owasp.dependencycheck.agent;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
@@ -17,40 +17,23 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import java.util.Collections;
+import org.owasp.dependencycheck.exception.InitializationException;
 import java.util.HashSet;
 import java.util.Set;
 /**
 * Base class for analyzers to avoid code duplication of initialize and close
 * as most analyzers do not need these methods.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public abstract class AbstractAnalyzer implements Analyzer {
    /**
     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
     * final static declaration.<br/><br/>
     *
     * This implementation was copied from
     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
     *
     * @param strings a list of strings to add to the set.
     * @return a Set of strings.
     */
    protected static Set<String> newHashSet(String... strings) {
        final Set<String> set = new HashSet<String>();
        Collections.addAll(set, strings);
        return set;
    }
    /**
     * The initialize method does nothing for this Analyzer.
     *
-     * @throws Exception thrown if there is an exception
+     * @throws InitializationException thrown if there is an exception
     */
    @Override
-    public void initialize() throws Exception {
+    public void initialize() throws InitializationException {
        //do nothing
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -0,0 +1,232 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.util.Collections;
 import java.util.HashSet;
 import java.util.Set;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * The base FileTypeAnalyzer that all analyzers that have specific file types
 * they analyze should extend.
 *
 * @author Jeremy Long
 */
 public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
    //<editor-fold defaultstate="collapsed" desc="Constructor">
    /**
     * Base constructor that all children must call. This checks the
     * configuration to determine if the analyzer is enabled.
     */
    public AbstractFileTypeAnalyzer() {
        reset();
    }
 //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="Field definitions">
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractFileTypeAnalyzer.class);
    /**
     * Whether the file type analyzer detected any files it needs to analyze.
     */
    private boolean filesMatched = false;
    /**
     * Get the value of filesMatched. A flag indicating whether the scan
     * included any file types this analyzer supports.
     *
     * @return the value of filesMatched
     */
    protected boolean isFilesMatched() {
        return filesMatched;
    }
    /**
     * Set the value of filesMatched. A flag indicating whether the scan
     * included any file types this analyzer supports.
     *
     * @param filesMatched new value of filesMatched
     */
    protected void setFilesMatched(boolean filesMatched) {
        this.filesMatched = filesMatched;
    }
    /**
     * A flag indicating whether or not the analyzer is enabled.
     */
    private boolean enabled = true;
    /**
     * Get the value of enabled.
     *
     * @return the value of enabled
     */
    public boolean isEnabled() {
        return enabled;
    }
    /**
     * Set the value of enabled.
     *
     * @param enabled new value of enabled
     */
    public void setEnabled(boolean enabled) {
        this.enabled = enabled;
    }
 //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
    /**
     * <p>
     * Returns the {@link java.io.FileFilter} used to determine which files are
     * to be analyzed. An example would be an analyzer that inspected Java jar
     * files. Implementors may use
     * {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
     * <p>
     * If the analyzer returns null it will not cause additional files to be
     * analyzed, but will be executed against every file loaded.</p>
     *
     * @return the file filter used to determine which files are to be analyzed
     */
    protected abstract FileFilter getFileFilter();
    /**
     * Initializes the file type analyzer.
     *
     * @throws InitializationException thrown if there is an exception during
     * initialization
     */
    protected abstract void initializeFileTypeAnalyzer() throws InitializationException;
    /**
     * Analyzes a given dependency. If the dependency is an archive, such as a
     * WAR or EAR, the contents are extracted, scanned, and added to the list of
     * dependencies within the engine.
     *
     * @param dependency the dependency to analyze
     * @param engine the engine scanning
     * @throws AnalysisException thrown if there is an analysis exception
     */
    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
    /**
     * <p>
     * Returns the setting key to determine if the analyzer is enabled.</p>
     *
     * @return the key for the analyzer's enabled property
     */
    protected abstract String getAnalyzerEnabledSettingKey();
 //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
    /**
     * Initializes the analyzer.
     *
     * @throws InitializationException thrown if there is an exception during
     * initialization
     */
    @Override
    public final void initialize() throws InitializationException {
        if (filesMatched) {
            initializeFileTypeAnalyzer();
        } else {
            enabled = false;
        }
    }
    /**
     * Resets the enabled flag on the analyzer.
     */
    @Override
    public final void reset() {
        final String key = getAnalyzerEnabledSettingKey();
        try {
            enabled = Settings.getBoolean(key, true);
        } catch (InvalidSettingException ex) {
            LOGGER.warn("Invalid setting for property '{}'", key);
            LOGGER.debug("", ex);
            LOGGER.warn("{} has been disabled", getName());
        }
    }
    /**
     * Analyzes a given dependency. If the dependency is an archive, such as a
     * WAR or EAR, the contents are extracted, scanned, and added to the list of
     * dependencies within the engine.
     *
     * @param dependency the dependency to analyze
     * @param engine the engine scanning
     * @throws AnalysisException thrown if there is an analysis exception
     */
    @Override
    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        if (enabled) {
            analyzeFileType(dependency, engine);
        }
    }
    @Override
    public boolean accept(File pathname) {
        final FileFilter filter = getFileFilter();
        boolean accepted = false;
        if (null == filter) {
            LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
        } else if (enabled) {
            accepted = filter.accept(pathname);
            if (accepted) {
                filesMatched = true;
            }
        }
        return accepted;
    }
    //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
    /**
     * <p>
     * Utility method to help in the creation of the extensions set. This
     * constructs a new Set that can be used in a final static declaration.</p>
     * <p>
     * This implementation was copied from
     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
     *
     * @param strings a list of strings to add to the set.
     * @return a Set of strings.
     */
    protected static Set<String> newHashSet(String... strings) {
        final Set<String> set = new HashSet<String>(strings.length);
        Collections.addAll(set, strings);
        return set;
    }
 //</editor-fold>
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -19,28 +19,37 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
-import org.owasp.dependencycheck.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.exception.InitializationException;
-import org.owasp.dependencycheck.suppression.SuppressionParser;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
 import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 /**
- * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
+ * Abstract base suppression analyzer that contains methods for parsing the
 * suppression xml file.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
    /**
     * The Logger for use throughout the class
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSuppressionAnalyzer.class);
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -51,28 +60,22 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        return null;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    @Override
    public boolean supportsExtension(String extension) {
        return true;
    }
    //</editor-fold>
    /**
     * The initialize method loads the suppression XML file.
     *
-     * @throws Exception thrown if there is an exception
+     * @throws InitializationException thrown if there is an exception
     */
    @Override
-    public void initialize() throws Exception {
+    public void initialize() throws InitializationException {
        super.initialize();
-        loadSuppressionData();
+        try {
            loadSuppressionData();
        } catch (SuppressionParseException ex) {
            throw new InitializationException("Error initializing the suppression analyzer", ex);
        }
    }
    /**
     * The list of suppression rules
     */
@@ -102,11 +105,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     * @throws SuppressionParseException thrown if the XML cannot be parsed.
     */
    private void loadSuppressionData() throws SuppressionParseException {
        final SuppressionParser parser = new SuppressionParser();
        File file = null;
        try {
            rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
        } catch (SAXException ex) {
            throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
        }
        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
        if (suppressionFilePath == null) {
            return;
        }
        File file = null;
        boolean deleteTempFile = false;
        try {
            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -119,39 +128,66 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
                } catch (DownloadFailedException ex) {
                    Downloader.fetchFile(url, file, true);
                }
            } else {
                file = new File(suppressionFilePath);
                InputStream suppressionsFromClasspath = null;
                if (!file.exists()) {
                    try {
                        suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
                        if (suppressionsFromClasspath != null) {
                            deleteTempFile = true;
                            file = FileUtils.getTempFile("suppression", "xml");
                            try {
                                org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
                            } catch (IOException ex) {
                                throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
                            }
                        }
                    } finally {
                        if (suppressionsFromClasspath != null) {
                            try {
                                suppressionsFromClasspath.close();
                            } catch (IOException ex) {
                                LOGGER.debug("Failed to close stream", ex);
                            }
                        }
                    }
                }
            }
            if (file != null) {
                final SuppressionParser parser = new SuppressionParser();
                try {
-                    rules = parser.parseSuppressionRules(file);
+                    rules.addAll(parser.parseSuppressionRules(file));
                    LOGGER.debug("{} suppression rules were loaded.", rules.size());
                } catch (SuppressionParseException ex) {
-                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
+                    LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
+                    LOGGER.warn(ex.getMessage());
                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
                    throw ex;
                }
            }
        } catch (DownloadFailedException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+            throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
                    "Unable to fetch the configured suppression file");
            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
            throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
        } catch (MalformedURLException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+            throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
                    "Configured suppression file has an invalid URL");
            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
            throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
        } catch (IOException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
+            throwSuppressionParseException("Unable to create temp file for suppressions", ex);
                    "Unable to create temp file for suppressions");
            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
            throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
        } finally {
            if (deleteTempFile && file != null) {
                FileUtils.delete(file);
            }
        }
    }
    /**
     * Utility method to throw parse exceptions.
     *
     * @param message the exception message
     * @param exception the cause of the exception
     * @throws SuppressionParseException throws the generated
     * SuppressionParseException
     */
    private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
        LOGGER.warn(message);
        LOGGER.debug("", exception);
        throw new SuppressionParseException(message, exception);
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
 * An enumeration defining the phases of analysis.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public enum AnalysisPhase {
@@ -28,6 +28,10 @@ public enum AnalysisPhase {
     * Initialization phase.
     */
    INITIAL,
    /**
     * Pre information collection phase.
     */
    PRE_INFORMATION_COLLECTION,
    /**
     * Information collection phase.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
@@ -17,47 +17,34 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
- * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
+ * An interface that defines an Analyzer that is used to identify Dependencies.
- * about the dependency in the form of Evidence.
+ * An analyzer will collect information about the dependency in the form of
 * Evidence.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public interface Analyzer {
    /**
-     * Analyzes the given dependency. The analysis could be anything from identifying an Identifier for the dependency,
+     * Analyzes the given dependency. The analysis could be anything from
-     * to finding vulnerabilities, etc. Additionally, if the analyzer collects enough information to add a description
+     * identifying an Identifier for the dependency, to finding vulnerabilities,
-     * or license information for the dependency it should be added.
+     * etc. Additionally, if the analyzer collects enough information to add a
     * description or license information for the dependency it should be added.
     *
     * @param dependency a dependency to analyze.
-     * @param engine the engine that is scanning the dependencies - this is useful if we need to check other
+     * @param engine the engine that is scanning the dependencies - this is
-     * dependencies
+     * useful if we need to check other dependencies
-     * @throws AnalysisException is thrown if there is an error analyzing the dependency file
+     * @throws AnalysisException is thrown if there is an error analyzing the
     * dependency file
     */
    void analyze(Dependency dependency, Engine engine) throws AnalysisException;
    /**
     * <p>
     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
     * getSupportedExtensions function would return a set with a single element "jar".</p>
     *
     * <p>
     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
     *
     * @return The file extensions supported by this analyzer.
     *
     * <p>
     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
     * file loaded</p>
     */
    Set<String> getSupportedExtensions();
    /**
     * Returns the name of the analyzer.
     *
@@ -65,14 +52,6 @@ public interface Analyzer {
     */
    String getName();
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    boolean supportsExtension(String extension);
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -81,14 +60,17 @@ public interface Analyzer {
    AnalysisPhase getAnalysisPhase();
    /**
-     * The initialize method is called (once) prior to the analyze method being called on all of the dependencies.
+     * The initialize method is called (once) prior to the analyze method being
     * called on all of the dependencies.
     *
-     * @throws Exception is thrown if an exception occurs initializing the analyzer.
+     * @throws InitializationException is thrown if an exception occurs
     * initializing the analyzer.
     */
-    void initialize() throws Exception;
+    void initialize() throws InitializationException;
    /**
-     * The close method is called after all of the dependencies have been analyzed.
+     * The close method is called after all of the dependencies have been
     * analyzed.
     *
     * @throws Exception is thrown if an exception occurs closing the analyzer.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -17,49 +17,62 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
 import java.util.ServiceLoader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.LoggerFactory;
 /**
 * The Analyzer Service Loader. This class loads all services that implement
 * org.owasp.dependencycheck.analyzer.Analyzer.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
-public final class AnalyzerService {
+public class AnalyzerService {
    /**
-     * The analyzer service singleton.
+     * The Logger for use throughout the class.
     */
-    private static AnalyzerService service;
+    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(AnalyzerService.class);
    /**
     * The service loader for analyzers.
     */
-    private final ServiceLoader<Analyzer> loader;
+    private final ServiceLoader<Analyzer> service;
    /**
     * Creates a new instance of AnalyzerService.
     *
     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
-    private AnalyzerService() {
+    public AnalyzerService(ClassLoader classLoader) {
-        loader = ServiceLoader.load(Analyzer.class);
+        service = ServiceLoader.load(Analyzer.class, classLoader);
    }
    /**
-     * Retrieve the singleton instance of AnalyzerService.
+     * Returns a list of all instances of the Analyzer interface.
     *
-     * @return a singleton AnalyzerService.
+     * @return a list of Analyzers.
     */
-    public static synchronized AnalyzerService getInstance() {
+    public List<Analyzer> getAnalyzers() {
-        if (service == null) {
+        final List<Analyzer> analyzers = new ArrayList<Analyzer>();
-            service = new AnalyzerService();
+        final Iterator<Analyzer> iterator = service.iterator();
        boolean experimentalEnabled = false;
        try {
            experimentalEnabled = Settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
        } catch (InvalidSettingException ex) {
            LOGGER.error("invalide experimental setting", ex);
        }
-        return service;
+        while (iterator.hasNext()) {
-    }
+            final Analyzer a = iterator.next();
-
+            if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
-    /**
+                continue;
-     * Returns an Iterator for all instances of the Analyzer interface.
+            }
-     *
+            LOGGER.debug("Loaded Analyzer {}", a.getName());
-     * @return an iterator of Analyzers.
+            analyzers.add(a);
-     */
+        }
-    public Iterator<Analyzer> getAnalyzers() {
+        return analyzers;
        return loader.iterator();
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -18,49 +18,61 @@
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedInputStream;
-import java.io.BufferedOutputStream;
+import java.io.Closeable;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
-import java.util.logging.Level;
+
 import java.util.logging.Logger;
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.ArchiveInputStream;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
 import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
 import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.bzip2.BZip2CompressorInputStream;
 import org.apache.commons.compress.compressors.bzip2.BZip2Utils;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
 import org.apache.commons.compress.utils.IOUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * <p>
- * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
+ * An analyzer that extracts files from archives and ensures any supported files
- * to the dependency list.</p>
+ * contained within the archive are added to the dependency list.</p>
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
-public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
    /**
-     * The buffer size to use when extracting files from the archive.
+     * The logger.
     */
-    private static final int BUFFER_SIZE = 4096;
+    private static final Logger LOGGER = LoggerFactory.getLogger(ArchiveAnalyzer.class);
    /**
-     * The count of directories created during analysis. This is used for creating temporary directories.
+     * The count of directories created during analysis. This is used for
     * creating temporary directories.
     */
    private static int dirCount = 0;
    /**
@@ -68,13 +80,15 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     */
    private File tempFileLocation = null;
    /**
-     * The max scan depth that the analyzer will recursively extract nested archives.
+     * The max scan depth that the analyzer will recursively extract nested
     * archives.
     */
    private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
    /**
     * Tracks the current scan/extraction depth for nested archives.
     */
    private int scanDepth = 0;
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
@@ -87,150 +101,232 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
    /**
     * The set of things we can handle with Zip methods
     */
-    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
+    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
    /**
-     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
+     * The set of file extensions supported by this analyzer. Note for
-     * to be explicitly handled in extractFiles().
+     * developers, any additions to this list will need to be explicitly handled
     * in {@link #extractFiles(File, File, Engine)}.
     */
-    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");
+    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
    /**
     * Detects files with extensions to remove from the engine's collection of
     * dependencies.
     */
    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2")
            .build();
    static {
        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
        if (additionalZipExt != null) {
-            final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            ZIPPABLES.addAll(ext);
+            Collections.addAll(ZIPPABLES, ext);
        }
        EXTENSIONS.addAll(ZIPPABLES);
    }
    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
+     * The file filter used to filter supported files.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
-    public Set<String> getSupportedExtensions() {
+    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
-        return EXTENSIONS;
+
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Detects files with .zip extension.
     */
    private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    public boolean supportsExtension(String extension) {
        return EXTENSIONS.contains(extension);
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
    /**
-     * The initialize method does nothing for this Analyzer.
+     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
-     * @throws Exception is thrown if there is an exception deleting or creating temporary files
+     * @return the analyzer's enabled property setting key
     */
    @Override
-    public void initialize() throws Exception {
+    protected String getAnalyzerEnabledSettingKey() {
-        final File baseDir = Settings.getTempDirectory();
+        return Settings.KEYS.ANALYZER_ARCHIVE_ENABLED;
-        if (!baseDir.exists()) {
+    }
-            if (!baseDir.mkdirs()) {
+
-                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
+    /**
-                throw new AnalysisException(msg);
+     * The initialize method does nothing for this Analyzer.
     *
     * @throws InitializationException is thrown if there is an exception
     * deleting or creating temporary files
     */
    @Override
    public void initializeFileTypeAnalyzer() throws InitializationException {
        try {
            final File baseDir = Settings.getTempDirectory();
            tempFileLocation = File.createTempFile("check", "tmp", baseDir);
            if (!tempFileLocation.delete()) {
                setEnabled(false);
                final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
                throw new InitializationException(msg);
            }
-        }
+            if (!tempFileLocation.mkdirs()) {
-        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
+                setEnabled(false);
-        if (!tempFileLocation.delete()) {
+                final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
-            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
+                throw new InitializationException(msg);
-            throw new AnalysisException(msg);
+            }
-        }
+        } catch (IOException ex) {
-        if (!tempFileLocation.mkdirs()) {
+            setEnabled(false);
-            final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
+            throw new InitializationException("Unable to create a temporary file", ex);
            throw new AnalysisException(msg);
        }
    }
    /**
-     * The close method deletes any temporary files and directories created during analysis.
+     * The close method deletes any temporary files and directories created
     * during analysis.
     *
-     * @throws Exception thrown if there is an exception deleting temporary files
+     * @throws Exception thrown if there is an exception deleting temporary
     * files
     */
    @Override
    public void close() throws Exception {
        if (tempFileLocation != null && tempFileLocation.exists()) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
+            LOGGER.debug("Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success) {
+            if (!success && tempFileLocation.exists()) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING,
+                final String[] l = tempFileLocation.list();
-                        "Failed to delete some temporary files, see the log for more details");
+                if (l != null && l.length > 0) {
                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
                }
            }
        }
    }
    /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * Analyzes a given dependency. If the dependency is an archive, such as a
-     * scanned, and added to the list of dependencies within the engine.
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
     * dependencies within the engine.
     *
     * @param dependency the dependency to analyze
     * @param engine the engine scanning
     * @throws AnalysisException thrown if there is an analysis exception
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        final File f = new File(dependency.getActualFilePath());
        final File tmpDir = getNextTempDirectory();
        extractFiles(f, tmpDir, engine);
        //make a copy
-        final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
+        final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
-        engine.scan(tmpDir);
+        if (!dependencySet.isEmpty()) {
        final List<Dependency> newDependencies = engine.getDependencies();
        if (dependencies.size() != newDependencies.size()) {
            //get the new dependencies
            final Set<Dependency> dependencySet = new HashSet<Dependency>();
            dependencySet.addAll(newDependencies);
            dependencySet.removeAll(dependencies);
            for (Dependency d : dependencySet) {
                //fix the dependency's display name and path
                final String displayPath = String.format("%s%s",
                        dependency.getFilePath(),
                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
-                final String displayName = String.format("%s%s%s",
+                final String displayName = String.format("%s: %s",
                        dependency.getFileName(),
                        File.separator,
                        d.getFileName());
                d.setFilePath(displayPath);
                d.setFileName(displayName);
                //TODO - can we get more evidence from the parent? EAR contains module name, etc.
                //analyze the dependency (i.e. extract files) if it is a supported type.
-                if (this.supportsExtension(d.getFileExtension()) && scanDepth < MAX_SCAN_DEPTH) {
+                if (this.accept(d.getActualFile()) && scanDepth < MAX_SCAN_DEPTH) {
                    scanDepth += 1;
                    analyze(d, engine);
                    scanDepth -= 1;
                }
            }
        }
        if (REMOVE_FROM_ANALYSIS.accept(dependency.getActualFile())) {
            addDisguisedJarsToDependencies(dependency, engine);
            engine.getDependencies().remove(dependency);
        }
        Collections.sort(engine.getDependencies());
    }
    /**
     * If a zip file was identified as a possible JAR, this method will add the
     * zip to the list of dependencies.
     *
     * @param dependency the zip file
     * @param engine the engine
     * @throws AnalysisException thrown if there is an issue
     */
    private void addDisguisedJarsToDependencies(Dependency dependency, Engine engine) throws AnalysisException {
        if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) {
            final File tdir = getNextTempDirectory();
            final String fileName = dependency.getFileName();
            LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
            final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
            try {
                org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
                final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
                if (!dependencySet.isEmpty()) {
                    if (dependencySet.size() != 1) {
                        LOGGER.info("Deep copy of ZIP to JAR file resulted in more than one dependency?");
                    }
                    for (Dependency d : dependencySet) {
                        //fix the dependency's display name and path
                        d.setFilePath(dependency.getFilePath());
                        d.setDisplayFileName(dependency.getFileName());
                    }
                }
            } catch (IOException ex) {
                LOGGER.debug("Unable to perform deep copy on '{}'", dependency.getActualFile().getPath(), ex);
            }
        }
    }
    /**
     * An empty dependency set.
     */
    private static final Set<Dependency> EMPTY_DEPENDENCY_SET = Collections.emptySet();
    /**
     * Scan the given file/folder, and return any new dependencies found.
     *
     * @param engine used to scan
     * @param file target of scanning
     * @return any dependencies that weren't known to the engine before
     */
    private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
        final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
        engine.scan(file);
        final List<Dependency> after = engine.getDependencies();
        final boolean sizeChanged = before.size() != after.size();
        final Set<Dependency> newDependencies;
        if (sizeChanged) {
            //get the new dependencies
            newDependencies = new HashSet<Dependency>(after);
            newDependencies.removeAll(before);
        } else {
            newDependencies = EMPTY_DEPENDENCY_SET;
        }
        return newDependencies;
    }
    /**
     * Retrieves the next temporary directory to extract an archive too.
     *
@@ -260,43 +356,99 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException thrown if the archive is not found
     */
    private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
-        if (archive == null || destination == null) {
+        if (archive != null && destination != null) {
-            return;
+            String archiveExt = FileUtils.getFileExtension(archive.getName());
-        }
+            if (archiveExt == null) {
-
+                return;
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(archive);
        } catch (FileNotFoundException ex) {
            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
            throw new AnalysisException("Archive file was not found.", ex);
        }
        final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
        try {
            if (ZIPPABLES.contains(archiveExt)) {
                extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
            } else if ("tar".equals(archiveExt)) {
                extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
            } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
                final String uncompressedExt = FileUtils.getFileExtension(uncompressedName).toLowerCase();
                if (engine.supportsExtension(uncompressedExt)) {
                    decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), new File(destination, uncompressedName));
                }
            }
-        } catch (ArchiveExtractionException ex) {
+            archiveExt = archiveExt.toLowerCase();
-            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
+
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
+            FileInputStream fis;
            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
        } finally {
            try {
-                fis.close();
+                fis = new FileInputStream(archive);
            } catch (FileNotFoundException ex) {
                LOGGER.debug("", ex);
                throw new AnalysisException("Archive file was not found.", ex);
            }
            try {
                if (ZIPPABLES.contains(archiveExt)) {
                    final BufferedInputStream in = new BufferedInputStream(fis);
                    ensureReadableJar(archiveExt, in);
                    extractArchive(new ZipArchiveInputStream(in), destination, engine);
                } else if ("tar".equals(archiveExt)) {
                    extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
                } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                    final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
                    final File f = new File(destination, uncompressedName);
                    if (engine.accept(f)) {
                        decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
                    }
                } else if ("bz2".equals(archiveExt) || "tbz2".equals(archiveExt)) {
                    final String uncompressedName = BZip2Utils.getUncompressedFilename(archive.getName());
                    final File f = new File(destination, uncompressedName);
                    if (engine.accept(f)) {
                        decompressFile(new BZip2CompressorInputStream(new BufferedInputStream(fis)), f);
                    }
                }
            } catch (ArchiveExtractionException ex) {
                LOGGER.warn("Exception extracting archive '{}'.", archive.getName());
                LOGGER.debug("", ex);
            } catch (IOException ex) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.warn("Exception reading archive '{}'.", archive.getName());
                LOGGER.debug("", ex);
            } finally {
                close(fis);
            }
        }
    }
    /**
     * Checks if the file being scanned is a JAR that begins with '#!/bin' which
     * indicates it is a fully executable jar. If a fully executable JAR is
     * identified the input stream will be advanced to the start of the actual
     * JAR file ( skipping the script).
     *
     * @see
     * <a href="http://docs.spring.io/spring-boot/docs/1.3.0.BUILD-SNAPSHOT/reference/htmlsingle/#deployment-install">Installing
     * Spring Boot Applications</a>
     * @param archiveExt the file extension
     * @param in the input stream
     * @throws IOException thrown if there is an error reading the stream
     */
    private void ensureReadableJar(final String archiveExt, BufferedInputStream in) throws IOException {
        if ("jar".equals(archiveExt) && in.markSupported()) {
            in.mark(7);
            final byte[] b = new byte[7];
            final int read = in.read(b);
            if (read == 7
                    && b[0] == '#'
                    && b[1] == '!'
                    && b[2] == '/'
                    && b[3] == 'b'
                    && b[4] == 'i'
                    && b[5] == 'n'
                    && b[6] == '/') {
                boolean stillLooking = true;
                int chr, nxtChr;
                while (stillLooking && (chr = in.read()) != -1) {
                    if (chr == '\n' || chr == '\r') {
                        in.mark(4);
                        if ((chr = in.read()) != -1) {
                            if (chr == 'P' && (chr = in.read()) != -1) {
                                if (chr == 'K' && (chr = in.read()) != -1) {
                                    if ((chr == 3 || chr == 5 || chr == 7) && (nxtChr = in.read()) != -1) {
                                        if (nxtChr == chr + 1) {
                                            stillLooking = false;
                                            in.reset();
                                        }
                                    }
                                }
                            }
                        }
                    }
                }
            } else {
                in.reset();
            }
        }
    }
@@ -307,77 +459,58 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @param input the archive to extract files from
     * @param destination the location to write the files too
     * @param engine the dependency-check engine
-     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
+     * @throws ArchiveExtractionException thrown if there is an exception
     * extracting files from the archive
     */
    private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
        ArchiveEntry entry;
        try {
            while ((entry = input.getNextEntry()) != null) {
                final File file = new File(destination, entry.getName());
                if (entry.isDirectory()) {
-                    final File d = new File(destination, entry.getName());
+                    if (!file.exists() && !file.mkdirs()) {
-                    if (!d.exists()) {
+                        final String msg = String.format("Unable to create directory '%s'.", file.getAbsolutePath());
-                        if (!d.mkdirs()) {
+                        throw new AnalysisException(msg);
                            final String msg = String.format("Unable to create directory '%s'.", d.getAbsolutePath());
                            throw new AnalysisException(msg);
                        }
                    }
                } else {
                    final File file = new File(destination, entry.getName());
                    final String ext = FileUtils.getFileExtension(file.getName());
                    if (engine.supportsExtension(ext)) {
                        BufferedOutputStream bos = null;
                        FileOutputStream fos;
                        try {
                            final File parent = file.getParentFile();
                            if (!parent.isDirectory()) {
                                if (!parent.mkdirs()) {
                                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
                                    throw new AnalysisException(msg);
                                }
                            }
                            fos = new FileOutputStream(file);
                            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                            int count;
                            final byte data[] = new byte[BUFFER_SIZE];
                            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                                bos.write(data, 0, count);
                            }
                            bos.flush();
                        } catch (FileNotFoundException ex) {
                            Logger.getLogger(ArchiveAnalyzer.class
                                    .getName()).log(Level.FINE, null, ex);
                            final String msg = String.format("Unable to find file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } catch (IOException ex) {
                            Logger.getLogger(ArchiveAnalyzer.class
                                    .getName()).log(Level.FINE, null, ex);
                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } finally {
                            if (bos != null) {
                                try {
                                    bos.close();
                                } catch (IOException ex) {
                                    Logger.getLogger(ArchiveAnalyzer.class
                                            .getName()).log(Level.FINEST, null, ex);
                                }
                            }
                        }
                    }
                } else if (engine.accept(file)) {
                    extractAcceptedFile(input, file);
                }
            }
        } catch (IOException ex) {
            throw new ArchiveExtractionException(ex);
        } catch (Throwable ex) {
            throw new ArchiveExtractionException(ex);
        } finally {
-            if (input != null) {
+            close(input);
-                try {
+        }
-                    input.close();
+    }
-                } catch (IOException ex) {
+
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+    /**
-                }
+     * Extracts a file from an archive.
     *
     * @param input the archives input stream
     * @param file the file to extract
     * @throws AnalysisException thrown if there is an error
     */
    private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException {
        LOGGER.debug("Extracting '{}'", file.getPath());
        FileOutputStream fos = null;
        try {
            final File parent = file.getParentFile();
            if (!parent.isDirectory() && !parent.mkdirs()) {
                final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
                throw new AnalysisException(msg);
            }
            fos = new FileOutputStream(file);
            IOUtils.copy(input, fos);
        } catch (FileNotFoundException ex) {
            LOGGER.debug("", ex);
            final String msg = String.format("Unable to find file '%s'.", file.getName());
            throw new AnalysisException(msg, ex);
        } catch (IOException ex) {
            LOGGER.debug("", ex);
            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
            throw new AnalysisException(msg, ex);
        } finally {
            close(fos);
        }
    }
@@ -386,31 +519,73 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @param inputStream the compressed file
     * @param outputFile the location to write the decompressed file
-     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
+     * @throws ArchiveExtractionException thrown if there is an exception
     * decompressing the file
     */
    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
        LOGGER.debug("Decompressing '{}'", outputFile.getPath());
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(outputFile);
-            final byte[] buffer = new byte[BUFFER_SIZE];
+            IOUtils.copy(inputStream, out);
            int n = 0;
            while (-1 != (n = inputStream.read(buffer))) {
                out.write(buffer, 0, n);
            }
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.debug("", ex);
            throw new ArchiveExtractionException(ex);
        } catch (IOException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.debug("", ex);
            throw new ArchiveExtractionException(ex);
        } finally {
-            if (out != null) {
+            close(out);
-                try {
+        }
-                    out.close();
+    }
-                } catch (IOException ex) {
+
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+    /**
-                }
+     * Close the given {@link Closeable} instance, ignoring nulls, and logging
     * any thrown {@link IOException}.
     *
     * @param closeable to be closed
     */
    private static void close(Closeable closeable) {
        if (null != closeable) {
            try {
                closeable.close();
            } catch (IOException ex) {
                LOGGER.trace("", ex);
            }
        }
    }
    /**
     * Attempts to determine if a zip file is actually a JAR file.
     *
     * @param dependency the dependency to check
     * @return true if the dependency appears to be a JAR file; otherwise false
     */
    private boolean isZipFileActuallyJarFile(Dependency dependency) {
        boolean isJar = false;
        ZipFile zip = null;
        try {
            zip = new ZipFile(dependency.getActualFilePath());
            if (zip.getEntry("META-INF/MANIFEST.MF") != null
                    || zip.getEntry("META-INF/maven") != null) {
                final Enumeration<ZipArchiveEntry> entries = zip.getEntries();
                while (entries.hasMoreElements()) {
                    final ZipArchiveEntry entry = entries.nextElement();
                    if (!entry.isDirectory()) {
                        final String name = entry.getName().toLowerCase();
                        if (name.endsWith(".class")) {
                            isJar = true;
                            break;
                        }
                    }
                }
            }
        } catch (IOException ex) {
            LOGGER.debug("Unable to unzip zip file '{}'", dependency.getFilePath(), ex);
        } finally {
            ZipFile.closeQuietly(zip);
        }
        return isJar;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -18,35 +18,43 @@
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.util.ArrayList;
+import org.apache.commons.io.IOUtils;
-import java.util.List;
+import org.apache.commons.io.output.NullOutputStream;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import java.util.ArrayList;
 import java.util.List;
 import javax.xml.parsers.ParserConfigurationException;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.apache.commons.lang3.SystemUtils;
 /**
- * Analyzer for getting company, product, and version information from a .NET assembly.
+ * Analyzer for getting company, product, and version information from a .NET
 * assembly.
 *
 * @author colezlaw
 *
 */
-public class AssemblyAnalyzer extends AbstractAnalyzer {
+public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The analyzer name
@@ -59,11 +67,11 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * The list of supported extensions
     */
-    private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
+    private static final String[] SUPPORTED_EXTENSIONS = {"dll", "exe"};
    /**
     * The temp value for GrokAssembly.exe
     */
-    private File grokAssemblyExe;
+    private File grokAssemblyExe = null;
    /**
     * The DocumentBuilder for parsing the XML
     */
@@ -71,25 +79,26 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * Logger
     */
-    private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
+    private static final Logger LOGGER = LoggerFactory.getLogger(AssemblyAnalyzer.class);
    /**
     * Builds the beginnings of a List for ProcessBuilder
     *
     * @return the list of arguments to begin populating the ProcessBuilder
     */
-    private List<String> buildArgumentList() {
+    protected List<String> buildArgumentList() {
        // Use file.separator as a wild guess as to whether this is Windows
        final List<String> args = new ArrayList<String>();
-        if (!"\\".equals(System.getProperty("file.separator"))) {
+        if (!SystemUtils.IS_OS_WINDOWS) {
            if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
                args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
-            } else {
+            } else if (isInPath("mono")) {
                args.add("mono");
            } else {
                return null;
            }
        }
        args.add(grokAssemblyExe.getPath());
        return args;
    }
@@ -101,24 +110,51 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException if anything goes sideways
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine)
+    public void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        if (grokAssemblyExe == null) {
-            LOG.warning("GrokAssembly didn't get deployed");
+            LOGGER.warn("GrokAssembly didn't get deployed");
            return;
        }
        final List<String> args = buildArgumentList();
        if (args == null) {
            LOGGER.warn("Assembly Analyzer was unable to execute");
            return;
        }
        args.add(dependency.getActualFilePath());
        final ProcessBuilder pb = new ProcessBuilder(args);
        Document doc = null;
        try {
            final Process proc = pb.start();
-            final Document doc = builder.parse(proc.getInputStream());
+
            doc = builder.parse(proc.getInputStream());
            // Try evacuating the error stream
            final String errorStream = IOUtils.toString(proc.getErrorStream(), "UTF-8");
            if (null != errorStream && !errorStream.isEmpty()) {
                LOGGER.warn("Error from GrokAssembly: {}", errorStream);
            }
            int rc = 0;
            try {
                rc = proc.waitFor();
            } catch (InterruptedException ie) {
                return;
            }
            if (rc == 3) {
                LOGGER.debug("{} is not a .NET assembly or executable and as such cannot be analyzed by dependency-check",
                        dependency.getActualFilePath());
                return;
            } else if (rc != 0) {
                LOGGER.warn("Return code {} from GrokAssembly", rc);
            }
            final XPath xpath = XPathFactory.newInstance().newXPath();
            // First, see if there was an error
            final String error = xpath.evaluate("/assembly/error", doc);
-            if (error != null && !"".equals(error)) {
+            if (error != null && !error.isEmpty()) {
                throw new AnalysisException(error);
            }
@@ -151,89 +187,130 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    }
    /**
-     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
     * temporary location.
     *
-     * @throws Exception if anything goes wrong
+     * @throws InitializationException thrown if anything goes wrong
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
-        super.initialize();
+        final File tempFile;
-        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
+        try {
            tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
        } catch (IOException ex) {
            setEnabled(false);
            throw new InitializationException("Unable to create temporary file for the assembly analyzerr", ex);
        }
        FileOutputStream fos = null;
        InputStream is = null;
        try {
            fos = new FileOutputStream(tempFile);
            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
-            final byte[] buff = new byte[4096];
+            IOUtils.copy(is, fos);
-            int bread = -1;
+
            while ((bread = is.read(buff)) >= 0) {
                fos.write(buff, 0, bread);
            }
            grokAssemblyExe = tempFile;
-            // Set the temp file to get deleted when we're done
+            LOGGER.debug("Extracted GrokAssembly.exe to {}", grokAssemblyExe.getPath());
            grokAssemblyExe.deleteOnExit();
            LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
        } catch (IOException ioe) {
-            LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
+            this.setEnabled(false);
-            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
+            LOGGER.warn("Could not extract GrokAssembly.exe: {}", ioe.getMessage());
            throw new InitializationException("Could not extract GrokAssembly.exe", ioe);
        } finally {
            if (fos != null) {
                try {
                    fos.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing output stream");
+                    LOGGER.debug("Error closing output stream");
                }
            }
            if (is != null) {
                try {
                    is.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing input stream");
+                    LOGGER.debug("Error closing input stream");
                }
            }
        }
        // Now, need to see if GrokAssembly actually runs from this location.
        final List<String> args = buildArgumentList();
        //TODO this creaes an "unreported" error - if someone doesn't look
        // at the command output this could easily be missed (especially in an
        // Ant or Mmaven build.
        //
        // We need to create a non-fatal warning error type that will
        // get added to the report.
        //TOOD this idea needs to get replicated to the bundle audit analyzer.
        if (args == null) {
            setEnabled(false);
            LOGGER.error("----------------------------------------------------");
            LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
                    + "'exe' or 'dll' was scanned. The 'mono' executale could not be found on "
                    + "the path; either disable the Assembly Analyzer or configure the path mono.");
            LOGGER.error("----------------------------------------------------");
            return;
        }
        try {
-            final Process p = new ProcessBuilder(args).start();
+            final ProcessBuilder pb = new ProcessBuilder(args);
            final Process p = pb.start();
            // Try evacuating the error stream
            IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
-            if (p.waitFor() != 1 || error == null || "".equals(error)) {
+            if (p.waitFor() != 1 || error == null || error.isEmpty()) {
-                LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
+                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
-                LOG.fine("GrokAssembly.exe is not working properly");
+                LOGGER.debug("GrokAssembly.exe is not working properly");
                grokAssemblyExe = null;
-                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
+                setEnabled(false);
                throw new InitializationException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (InitializationException e) {
            setEnabled(false);
            throw e;
        } catch (Throwable e) {
-            LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                    + "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-            LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-            throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            setEnabled(false);
            throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer", e);
        }
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }
    @Override
    public void close() throws Exception {
        super.close();
        try {
-            grokAssemblyExe.delete();
+            builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
-        } catch (SecurityException se) {
+        } catch (ParserConfigurationException ex) {
-            LOG.fine("Can't delete temporary GrokAssembly.exe");
+            setEnabled(false);
            throw new InitializationException("Error initializing the assembly analyzer", ex);
        }
    }
    /**
-     * Gets the set of extensions supported by this analyzer.
+     * Removes resources used from the local file system.
     *
-     * @return the list of supported extensions
+     * @throws Exception thrown if there is a problem closing the analyzer
     */
    @Override
-    public Set<String> getSupportedExtensions() {
+    public void close() throws Exception {
-        return SUPORTED_EXTENSIONS;
+        super.close();
        try {
            if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
                LOGGER.debug("Unable to delete temporary GrokAssembly.exe; attempting delete on exit");
                grokAssemblyExe.deleteOnExit();
            }
        } catch (SecurityException se) {
            LOGGER.debug("Can't delete temporary GrokAssembly.exe");
            grokAssemblyExe.deleteOnExit();
        }
    }
    /**
     * The File Filter used to filter supported extensions.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
            SUPPORTED_EXTENSIONS).build();
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
@@ -246,17 +323,6 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }
    /**
     * Gets whether the analyzer supports the provided extension.
     *
     * @param extension the extension to check
     * @return whether the analyzer supports the extension
     */
    @Override
    public boolean supportsExtension(String extension) {
        return SUPORTED_EXTENSIONS.contains(extension);
    }
    /**
     * Returns the phase this analyzer runs under.
     *
@@ -266,4 +332,40 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
    }
    /**
     * Tests to see if a file is in the system path. <b>Note</b> - the current
     * implementation only works on non-windows platforms. For purposes of the
     * AssemblyAnalyzer this is okay as this is only needed on Mac/*nix.
     *
     * @param file the executable to look for
     * @return <code>true</code> if the file exists; otherwise
     * <code>false</code>
     */
    private boolean isInPath(String file) {
        final ProcessBuilder pb = new ProcessBuilder("which", file);
        try {
            final Process proc = pb.start();
            final int retCode = proc.waitFor();
            if (retCode == 0) {
                return true;
            }
        } catch (IOException ex) {
            LOGGER.debug("Path seach failed for " + file);
        } catch (InterruptedException ex) {
            LOGGER.debug("Path seach failed for " + file);
        }
        return false;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java
@@ -0,0 +1,284 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Used to analyze Autoconf input files named configure.ac or configure.in.
 * Files simply named "configure" are also analyzed, assuming they are generated
 * by Autoconf, and contain certain special package descriptor variables.
 *
 * @author Dale Visser
 * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project
 * - Free Software Foundation (FSF)</a>
 */
@Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Autoconf output filename.
     */
    private static final String CONFIGURE = "configure";
    /**
     * Autoconf input filename.
     */
    private static final String CONFIGURE_IN = "configure.in";
    /**
     * Autoconf input filename.
     */
    private static final String CONFIGURE_AC = "configure.ac";
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Autoconf Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final String[] EXTENSIONS = {"ac", "in"};
    /**
     * Matches AC_INIT variables in the output configure script.
     */
    private static final Pattern PACKAGE_VAR = Pattern.compile(
            "PACKAGE_(.+?)='(.*?)'", Pattern.DOTALL | Pattern.CASE_INSENSITIVE);
    /**
     * Matches AC_INIT statement in configure.ac file.
     */
    private static final Pattern AC_INIT_PATTERN;
    static {
        // each instance of param or sep_param has a capture group
        final String param = "\\[{0,2}(.+?)\\]{0,2}";
        final String sepParam = "\\s*,\\s*" + param;
        // Group 1: Package
        // Group 2: Version
        // Group 3: optional
        // Group 4: Bug report address (if it exists)
        // Group 5: optional
        // Group 6: Tarname (if it exists)
        // Group 7: optional
        // Group 8: URL (if it exists)
        AC_INIT_PATTERN = Pattern.compile(String.format(
                "AC_INIT\\(%s%s(%s)?(%s)?(%s)?\\s*\\)", param, sepParam,
                sepParam, sepParam, sepParam), Pattern.DOTALL
                | Pattern.CASE_INSENSITIVE);
    }
    /**
     * The file filter used to determine which files this analyzer supports.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames(CONFIGURE).addExtensions(
            EXTENSIONS).build();
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File actualFile = dependency.getActualFile();
        final String name = actualFile.getName();
        if (name.startsWith(CONFIGURE)) {
            final File parent = actualFile.getParentFile();
            final String parentName = parent.getName();
            dependency.setDisplayFileName(parentName + "/" + name);
            final boolean isOutputScript = CONFIGURE.equals(name);
            if (isOutputScript || CONFIGURE_AC.equals(name)
                    || CONFIGURE_IN.equals(name)) {
                final String contents = getFileContents(actualFile);
                if (!contents.isEmpty()) {
                    if (isOutputScript) {
                        extractConfigureScriptEvidence(dependency, name,
                                contents);
                    } else {
                        gatherEvidence(dependency, name, contents);
                    }
                }
            }
        } else {
            // copy, alter and set in case some other thread is iterating over
            final List<Dependency> dependencies = new ArrayList<Dependency>(
                    engine.getDependencies());
            dependencies.remove(dependency);
            engine.setDependencies(dependencies);
        }
    }
    /**
     * Extracts evidence from the configuration.
     *
     * @param dependency the dependency being analyzed
     * @param name the name of the source of evidence
     * @param contents the contents to analyze for evidence
     */
    private void extractConfigureScriptEvidence(Dependency dependency,
            final String name, final String contents) {
        final Matcher matcher = PACKAGE_VAR.matcher(contents);
        while (matcher.find()) {
            final String variable = matcher.group(1);
            final String value = matcher.group(2);
            if (!value.isEmpty()) {
                if (variable.endsWith("NAME")) {
                    dependency.getProductEvidence().addEvidence(name, variable,
                            value, Confidence.HIGHEST);
                } else if ("VERSION".equals(variable)) {
                    dependency.getVersionEvidence().addEvidence(name, variable,
                            value, Confidence.HIGHEST);
                } else if ("BUGREPORT".equals(variable)) {
                    dependency.getVendorEvidence().addEvidence(name, variable,
                            value, Confidence.HIGH);
                } else if ("URL".equals(variable)) {
                    dependency.getVendorEvidence().addEvidence(name, variable,
                            value, Confidence.HIGH);
                }
            }
        }
    }
    /**
     * Retrieves the contents of a given file.
     *
     * @param actualFile the file to read
     * @return the contents of the file
     * @throws AnalysisException thrown if there is an IO Exception
     */
    private String getFileContents(final File actualFile)
            throws AnalysisException {
        try {
            return FileUtils.readFileToString(actualFile, Charset.defaultCharset()).trim();
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
    }
    /**
     * Gathers evidence from a given file
     *
     * @param dependency the dependency to add evidence to
     * @param name the source of the evidence
     * @param contents the evidence to analyze
     */
    private void gatherEvidence(Dependency dependency, final String name,
            String contents) {
        final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
        if (matcher.find()) {
            final EvidenceCollection productEvidence = dependency
                    .getProductEvidence();
            productEvidence.addEvidence(name, "Package", matcher.group(1),
                    Confidence.HIGHEST);
            dependency.getVersionEvidence().addEvidence(name,
                    "Package Version", matcher.group(2), Confidence.HIGHEST);
            final EvidenceCollection vendorEvidence = dependency
                    .getVendorEvidence();
            if (null != matcher.group(3)) {
                vendorEvidence.addEvidence(name, "Bug report address",
                        matcher.group(4), Confidence.HIGH);
            }
            if (null != matcher.group(5)) {
                productEvidence.addEvidence(name, "Tarname", matcher.group(6),
                        Confidence.HIGH);
            }
            if (null != matcher.group(7)) {
                final String url = matcher.group(8);
                if (UrlStringUtils.isUrl(url)) {
                    vendorEvidence.addEvidence(name, "URL", url,
                            Confidence.HIGH);
                }
            }
        }
    }
    /**
     * Initializes the file type analyzer.
     *
     * @throws InitializationException thrown if there is an exception during
     * initialization
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // No initialization needed.
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -0,0 +1,248 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * <p>
 * Used to analyze CMake build files, and collect information that can be used
 * to determine the associated CPE.</p>
 * <p>
 * Note: This analyzer catches straightforward invocations of the project
 * command, plus some other observed patterns of version inclusion in real CMake
 * projects. Many projects make use of older versions of CMake and/or use custom
 * "homebrew" ways to insert version information. Hopefully as the newer CMake
 * call pattern grows in usage, this analyzer allow more CPEs to be
 * identified.</p>
 *
 * @author Dale Visser
 */
@Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(CMakeAnalyzer.class);
    /**
     * Used when compiling file scanning regex patterns.
     */
    private static final int REGEX_OPTIONS = Pattern.DOTALL
            | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
    /**
     * Regex to extract the product information.
     */
    private static final Pattern PROJECT = Pattern.compile(
            "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
    /**
     * Regex to extract product and version information.
     *
     * Group 1: Product
     *
     * Group 2: Version
     */
    private static final Pattern SET_VERSION = Pattern
            .compile(
                    "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
                    REGEX_OPTIONS);
    /**
     * Detects files that can be analyzed.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
            .addFilenames("CMakeLists.txt").build();
    /**
     * A reference to SHA1 message digest.
     */
    private static MessageDigest sha1 = null;
    static {
        try {
            sha1 = MessageDigest.getInstance("SHA1");
        } catch (NoSuchAlgorithmException e) {
            LOGGER.error(e.getMessage());
        }
    }
    /**
     * Returns the name of the CMake analyzer.
     *
     * @return the name of the analyzer
     *
     */
    @Override
    public String getName() {
        return "CMake Analyzer";
    }
    /**
     * Tell that we are used for information collection.
     *
     * @return INFORMATION_COLLECTION
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.INFORMATION_COLLECTION;
    }
    /**
     * Returns the set of supported file extensions.
     *
     * @return the set of supported file extensions
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * No-op initializer implementation.
     *
     * @throws InitializationException never thrown
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // Nothing to do here.
    }
    /**
     * Analyzes python packages and adds evidence to the dependency.
     *
     * @param dependency the dependency being analyzed
     * @param engine the engine being used to perform the scan
     * @throws AnalysisException thrown if there is an unrecoverable error
     * analyzing the dependency
     */
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File file = dependency.getActualFile();
        final String parentName = file.getParentFile().getName();
        final String name = file.getName();
        dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name));
        String contents;
        try {
            contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        if (StringUtils.isNotBlank(contents)) {
            final Matcher m = PROJECT.matcher(contents);
            int count = 0;
            while (m.find()) {
                count++;
                LOGGER.debug(String.format(
                        "Found project command match with %d groups: %s",
                        m.groupCount(), m.group(0)));
                final String group = m.group(1);
                LOGGER.debug("Group 1: " + group);
                dependency.getProductEvidence().addEvidence(name, "Project",
                        group, Confidence.HIGH);
            }
            LOGGER.debug("Found {} matches.", count);
            analyzeSetVersionCommand(dependency, engine, contents);
        }
    }
    /**
     * Extracts the version information from the contents. If more then one
     * version is found additional dependencies are added to the dependency
     * list.
     *
     * @param dependency the dependency being analyzed
     * @param engine the dependency-check engine
     * @param contents the version information
     */
    @edu.umd.cs.findbugs.annotations.SuppressFBWarnings(
            value = "DM_DEFAULT_ENCODING",
            justification = "Default encoding is only used if UTF-8 is not available")
    private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
        Dependency currentDep = dependency;
        final Matcher m = SET_VERSION.matcher(contents);
        int count = 0;
        while (m.find()) {
            count++;
            LOGGER.debug("Found project command match with {} groups: {}",
                    m.groupCount(), m.group(0));
            String product = m.group(1);
            final String version = m.group(2);
            LOGGER.debug("Group 1: " + product);
            LOGGER.debug("Group 2: " + version);
            final String aliasPrefix = "ALIASOF_";
            if (product.startsWith(aliasPrefix)) {
                product = product.replaceFirst(aliasPrefix, "");
            }
            if (count > 1) {
                //TODO - refactor so we do not assign to the parameter (checkstyle)
                currentDep = new Dependency(dependency.getActualFile());
                currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
                final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                currentDep.setFilePath(filePath);
                byte[] path;
                try {
                    path = filePath.getBytes("UTF-8");
                } catch (UnsupportedEncodingException ex) {
                    path = filePath.getBytes();
                }
                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                engine.getDependencies().add(currentDep);
            }
            final String source = currentDep.getDisplayFileName();
            currentDep.getProductEvidence().addEvidence(source, "Product",
                    product, Confidence.MEDIUM);
            currentDep.getVersionEvidence().addEvidence(source, "Version",
                    version, Confidence.MEDIUM);
        }
        LOGGER.debug(String.format("Found %d matches.", count));
    }
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_CMAKE_ENABLED;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -25,8 +25,7 @@ import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.StringTokenizer;
-import java.util.logging.Level;
+import org.apache.commons.lang3.builder.CompareToBuilder;
 import java.util.logging.Logger;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
@@ -47,17 +46,25 @@ import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts
- * It uses the evidence contained within the dependency to search the Lucene index.
+ * to discern if there is an associated CPE. It uses the evidence contained
 * within the dependency to search the Lucene index.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class CPEAnalyzer implements Analyzer {
    /**
     * The Logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(CPEAnalyzer.class);
    /**
     * The maximum number of query results to return.
     */
@@ -67,15 +74,18 @@ public class CPEAnalyzer implements Analyzer {
     */
    static final String WEIGHTING_BOOST = "^5";
    /**
-     * A string representation of a regular expression defining characters utilized within the CPE Names.
+     * A string representation of a regular expression defining characters
     * utilized within the CPE Names.
     */
    static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
    /**
-     * A string representation of a regular expression used to remove all but alpha characters.
+     * A string representation of a regular expression used to remove all but
     * alpha characters.
     */
    static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
    /**
-     * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
+     * The additional size to add to a new StringBuilder to account for extra
     * data that will be written into the string.
     */
    static final int STRING_BUILDER_BUFFER = 20;
    /**
@@ -87,24 +97,72 @@ public class CPEAnalyzer implements Analyzer {
     */
    private CveDB cve;
    /**
     * The URL to perform a search of the NVD CVE data at NIST.
     */
    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
    /**
     * Returns the name of this analyzer.
     *
     * @return the name of this analyzer.
     */
    @Override
    public String getName() {
        return "CPE Analyzer";
    }
    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.IDENTIFIER_ANALYSIS;
    }
    /**
     * Creates the CPE Lucene Index.
     *
     * @throws InitializationException is thrown if there is an issue opening
     * the index.
     */
    @Override
    public void initialize() throws InitializationException {
        try {
            this.open();
        } catch (IOException ex) {
            LOGGER.debug("Exception initializing the Lucene Index", ex);
            throw new InitializationException("An exception occurred initializing the Lucene Index", ex);
        } catch (DatabaseException ex) {
            LOGGER.debug("Exception accessing the database", ex);
            throw new InitializationException("An exception occurred accessing the database", ex);
        }
    }
    /**
     * Opens the data source.
     *
-     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
+     * @throws IOException when the Lucene directory to be queried does not
-     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
+     * exist or is corrupt.
-     * by another process.
+     * @throws DatabaseException when the database throws an exception. This
     * usually occurs when the database is in use by another process.
     */
    public void open() throws IOException, DatabaseException {
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
+        if (!isOpen()) {
-        cve = new CveDB();
+            cve = new CveDB();
-        cve.open();
+            cve.open();
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
+            cpe = CpeMemoryIndex.getInstance();
-        cpe = CpeMemoryIndex.getInstance();
+            try {
-        try {
+                LOGGER.info("Creating the CPE Index");
-            cpe.open(cve);
+                final long creationStart = System.currentTimeMillis();
-        } catch (IndexException ex) {
+                cpe.open(cve);
-            Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            throw new DatabaseException(ex);
+            } catch (IndexException ex) {
                LOGGER.debug("IndexException", ex);
                throw new DatabaseException(ex);
            }
        }
    }
@@ -115,15 +173,22 @@ public class CPEAnalyzer implements Analyzer {
    public void close() {
        if (cpe != null) {
            cpe.close();
            cpe = null;
        }
        if (cve != null) {
            cve.close();
            cve = null;
        }
    }
    public boolean isOpen() {
        return cpe != null && cpe.isOpen();
    }
    /**
-     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
+     * Searches the data store of CPE entries, trying to identify the CPE for
-     * contained within. The dependency passed in is updated with any identified CPE values.
+     * the given dependency based on the evidence contained within. The
     * dependency passed in is updated with any identified CPE values.
     *
     * @param dependency the dependency to search for CPE entries on.
     * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -131,47 +196,46 @@ public class CPEAnalyzer implements Analyzer {
     * @throws ParseException is thrown when the Lucene query cannot be parsed.
     */
    protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
-        Confidence confidence = Confidence.HIGHEST;
+        //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
-
+        String vendors = "";
-        String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
+        String products = "";
-        String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
+        for (Confidence confidence : Confidence.values()) {
        /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
         * CPE identified. As such, we are "using" the evidence and ignoring the results. */
        addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
        int ctr = 0;
        do {
            if (!vendors.isEmpty() && !products.isEmpty()) {
                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
                        dependency.getVendorEvidence().getWeighting());
                for (IndexEntry e : entries) {
                    if (verifyEntry(e, dependency)) {
                        final String vendor = e.getVendor();
                        final String product = e.getProduct();
                        determineIdentifiers(dependency, vendor, product);
                    }
                }
            }
            confidence = reduceConfidence(confidence);
            if (dependency.getVendorEvidence().contains(confidence)) {
                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
                LOGGER.debug("vendor search: {}", vendors);
            }
            if (dependency.getProductEvidence().contains(confidence)) {
                products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
                LOGGER.debug("product search: {}", products);
            }
-            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
+            if (!vendors.isEmpty() && !products.isEmpty()) {
-             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getVendorEvidence().getWeighting(),
-            if (dependency.getVersionEvidence().contains(confidence)) {
+                        dependency.getProductEvidence().getWeighting());
-                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+                if (entries == null) {
                    continue;
                }
                boolean identifierAdded = false;
                for (IndexEntry e : entries) {
                    LOGGER.debug("Verifying entry: {}", e);
                    if (verifyEntry(e, dependency)) {
                        final String vendor = e.getVendor();
                        final String product = e.getProduct();
                        LOGGER.debug("identified vendor/product: {}/{}", vendor, product);
                        identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
                    }
                }
                if (identifierAdded) {
                    break;
                }
            }
-        } while ((++ctr) < 4);
+        }
    }
    /**
-     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
+     * Returns the text created by concatenating the text and the values from
-     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
+     * the EvidenceCollection (filtered for a specific confidence). This
-     * is longer then 200 characters it will be truncated.
+     * attempts to prevent duplicate terms from being added.<br/<br/> Note, if
     * the evidence is longer then 200 characters it will be truncated.
     *
     * @param text the base text.
     * @param ec an EvidenceCollection
@@ -200,85 +264,73 @@ public class CPEAnalyzer implements Analyzer {
        return sb.toString().trim();
    }
    /**
     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
     *
     * @param c the confidence to reduce.
     * @return One less then the confidence passed in.
     */
    private Confidence reduceConfidence(final Confidence c) {
        if (c == Confidence.HIGHEST) {
            return Confidence.HIGH;
        } else if (c == Confidence.HIGH) {
            return Confidence.MEDIUM;
        } else {
            return Confidence.LOW;
        }
    }
    /**
     * <p>
-     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
+     * Searches the Lucene CPE index to identify possible CPE entries associated
-     * version.</p>
+     * with the supplied vendor, product, and version.</p>
     *
     * <p>
-     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
+     * If either the vendorWeightings or productWeightings lists have been
-     * factors to the search.</p>
+     * populated this data is used to add weighting factors to the search.</p>
     *
     * @param vendor the text used to search the vendor field
     * @param product the text used to search the product field
-     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
+     * @param vendorWeightings a list of strings to use to add weighting factors
-     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
+     * to the vendor field
     * @param productWeightings Adds a list of strings that will be used to add
     * weighting factors to the product search
     * @return a list of possible CPE values
     * @throws CorruptIndexException when the Lucene index is corrupt
     * @throws IOException when the Lucene index is not found
     * @throws ParseException when the generated query is not valid
     */
    protected List<IndexEntry> searchCPE(String vendor, String product,
-            Set<String> vendorWeightings, Set<String> productWeightings)
+            Set<String> vendorWeightings, Set<String> productWeightings) {
-            throws CorruptIndexException, IOException, ParseException {
+
-        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
        final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
        if (searchString == null) {
            return ret;
        }
-
+        try {
-        final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
+            final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
-        for (ScoreDoc d : docs.scoreDocs) {
+            for (ScoreDoc d : docs.scoreDocs) {
-            if (d.score >= 0.08) {
+                if (d.score >= 0.08) {
-                final Document doc = cpe.getDocument(d.doc);
+                    final Document doc = cpe.getDocument(d.doc);
-                final IndexEntry entry = new IndexEntry();
+                    final IndexEntry entry = new IndexEntry();
-                entry.setVendor(doc.get(Fields.VENDOR));
+                    entry.setVendor(doc.get(Fields.VENDOR));
-                entry.setProduct(doc.get(Fields.PRODUCT));
+                    entry.setProduct(doc.get(Fields.PRODUCT));
-//                if (d.score < 0.08) {
+                    entry.setSearchScore(d.score);
-//                    System.out.print(entry.getVendor());
+                    if (!ret.contains(entry)) {
-//                    System.out.print(":");
+                        ret.add(entry);
-//                    System.out.print(entry.getProduct());
+                    }
 //                    System.out.print(":");
 //                    System.out.println(d.score);
 //                }
                entry.setSearchScore(d.score);
                if (!ret.contains(entry)) {
                    ret.add(entry);
                }
            }
            return ret;
        } catch (ParseException ex) {
            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
            LOGGER.info("Unable to parse: {}", searchString, ex);
        } catch (IOException ex) {
            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
            LOGGER.info("IO Error with search string: {}", searchString, ex);
        }
-        return ret;
+        return null;
    }
    /**
     * <p>
-     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
+     * Builds a Lucene search string by properly escaping data and constructing
     * a valid search query.</p>
     *
     * <p>
-     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
+     * If either the possibleVendor or possibleProducts lists have been
-     * factors to the search string generated.</p>
+     * populated this data is used to add weighting factors to the search string
     * generated.</p>
     *
     * @param vendor text to search the vendor field
     * @param product text to search the product field
-     * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
+     * @param vendorWeighting a list of strings to apply to the vendor to boost
-     * @param productWeightings a list of strings to apply to the product to boost the terms weight
+     * the terms weight
     * @param productWeightings a list of strings to apply to the product to
     * boost the terms weight
     * @return the Lucene query
     */
    protected String buildSearch(String vendor, String product,
@@ -299,22 +351,25 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
+     * This method constructs a Lucene query for a given field. The searchText
-     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
+     * is split into separate words and if the word is within the list of
-     * into the query.
+     * weighted words then an additional weighting is applied to the term as it
     * is appended into the query.
     *
     * @param sb a StringBuilder that the query text will be appended to.
-     * @param field the field within the Lucene index that the query is searching.
+     * @param field the field within the Lucene index that the query is
     * searching.
     * @param searchText text used to construct the query.
-     * @param weightedText a list of terms that will be considered higher importance when searching.
+     * @param weightedText a list of terms that will be considered higher
     * importance when searching.
     * @return if the append was successful.
     */
    private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
-        sb.append(" ").append(field).append(":( ");
+        sb.append(' ').append(field).append(":( ");
        final String cleanText = cleanseText(searchText);
-        if ("".equals(cleanText)) {
+        if (cleanText.isEmpty()) {
            return false;
        }
@@ -324,20 +379,27 @@ public class CPEAnalyzer implements Analyzer {
            final StringTokenizer tokens = new StringTokenizer(cleanText);
            while (tokens.hasMoreElements()) {
                final String word = tokens.nextToken();
-                String temp = null;
+                StringBuilder temp = null;
                for (String weighted : weightedText) {
                    final String weightedStr = cleanseText(weighted);
                    if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
-                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        temp = new StringBuilder(word.length() + 2);
                        LuceneUtils.appendEscapedLuceneQuery(temp, word);
                        temp.append(WEIGHTING_BOOST);
                        if (!word.equalsIgnoreCase(weightedStr)) {
-                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                            temp.append(' ');
                            LuceneUtils.appendEscapedLuceneQuery(temp, weightedStr);
                            temp.append(WEIGHTING_BOOST);
                        }
                        break;
                    }
                }
                sb.append(' ');
                if (temp == null) {
-                    temp = LuceneUtils.escapeLuceneQuery(word);
+                    LuceneUtils.appendEscapedLuceneQuery(sb, word);
                } else {
                    sb.append(temp);
                }
                sb.append(" ").append(temp);
            }
        }
        sb.append(" ) ");
@@ -345,7 +407,8 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * Removes characters from the input text that are not used within the CPE index.
+     * Removes characters from the input text that are not used within the CPE
     * index.
     *
     * @param text is the text to remove the characters from.
     * @return the text having removed some characters.
@@ -355,7 +418,8 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * Compares two strings after lower casing them and removing the non-alpha characters.
+     * Compares two strings after lower casing them and removing the non-alpha
     * characters.
     *
     * @param l string one to compare.
     * @param r string two to compare.
@@ -372,8 +436,9 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
+     * Ensures that the CPE Identified matches the dependency. This validates
-     * information for the CPE are contained within the dependencies evidence.
+     * that the product, vendor, and version information for the CPE are
     * contained within the dependencies evidence.
     *
     * @param entry a CPE entry.
     * @param dependency the dependency that the CPE entries could be for.
@@ -382,6 +447,8 @@ public class CPEAnalyzer implements Analyzer {
    private boolean verifyEntry(final IndexEntry entry, final Dependency dependency) {
        boolean isValid = false;
        //TODO - does this nullify some of the fuzzy matching that happens in the lucene search?
        // for instance CPE some-component and in the evidence we have SomeComponent.
        if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
                && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) {
            //&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion())
@@ -398,17 +465,6 @@ public class CPEAnalyzer implements Analyzer {
     * @return whether or not the EvidenceCollection contains the string
     */
    private boolean collectionContainsString(EvidenceCollection ec, String text) {
        //<editor-fold defaultstate="collapsed" desc="This code fold contains an old version of the code, delete once more testing is done">
        //        String[] splitText = text.split("[\\s_-]");
        //
        //        for (String search : splitText) {
        //            //final String search = text.replaceAll("[\\s_-]", "").toLowerCase();
        //            if (ec.containsUsedString(search)) {
        //                return true;
        //            }
        //        }
        //</editor-fold>
        //TODO - likely need to change the split... not sure if this will work for CPE with special chars
        if (text == null) {
            return false;
@@ -430,9 +486,16 @@ public class CPEAnalyzer implements Analyzer {
                list.add(word);
            }
        }
-        if (tempWord != null && !list.isEmpty()) {
+        if (tempWord != null) {
-            final String tmp = list.get(list.size() - 1) + tempWord;
+            if (!list.isEmpty()) {
-            list.add(tmp);
+                final String tmp = list.get(list.size() - 1) + tempWord;
                list.add(tmp);
            } else {
                list.add(tempWord);
            }
        }
        if (list.isEmpty()) {
            return false;
        }
        boolean contains = true;
        for (String word : list) {
@@ -442,14 +505,16 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE
     * identifiers for this dependency.
     *
     * @param dependency The Dependency to analyze.
     * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
+     * @throws AnalysisException is thrown if there is an issue analyzing the
     * dependency.
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        try {
            determineCPE(dependency);
        } catch (CorruptIndexException ex) {
@@ -462,71 +527,32 @@ public class CPEAnalyzer implements Analyzer {
    }
    /**
-     * Returns true because this analyzer supports all dependency types.
+     * Retrieves a list of CPE values from the CveDB based on the vendor and
-     *
+     * product passed in. The list is then validated to find only CPEs that are
-     * @return true.
+     * valid for the given dependency. It is possible that the CPE identified is
-     */
+     * a best effort "guess" based on the vendor, product, and version
-    @Override
+     * information.
    public Set<String> getSupportedExtensions() {
        return null;
    }
    /**
     * Returns the name of this analyzer.
     *
     * @return the name of this analyzer.
     */
    @Override
    public String getName() {
        return "CPE Analyzer";
    }
    /**
     * Returns true because this analyzer supports all dependency types.
     *
     * @param extension the file extension of the dependency being analyzed.
     * @return true.
     */
    @Override
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.IDENTIFIER_ANALYSIS;
    }
    /**
     * Opens the CPE Lucene Index.
     *
     * @throws Exception is thrown if there is an issue opening the index.
     */
    @Override
    public void initialize() throws Exception {
        this.open();
    }
    /**
     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
     * best effort "guess" based on the vendor, product, and version information.
     *
     * @param dependency the Dependency being analyzed
     * @param vendor the vendor for the CPE being analyzed
     * @param product the product for the CPE being analyzed
     * @param currentConfidence the current confidence being used during
     * analysis
     * @return <code>true</code> if an identifier was added to the dependency;
     * otherwise <code>false</code>
     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
     */
-    private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+    protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
            Confidence currentConfidence) throws UnsupportedEncodingException {
        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
        DependencyVersion bestGuess = new DependencyVersion("-");
        Confidence bestGuessConf = null;
        boolean hasBroadMatch = false;
        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
        //TODO the following algorithm incorrectly identifies things as a lower version
        // if there lower confidence evidence when the current (highest) version number
        // is newer then anything in the NVD.
        for (Confidence conf : Confidence.values()) {
            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
@@ -535,25 +561,28 @@ public class CPEAnalyzer implements Analyzer {
                }
                for (VulnerableSoftware vs : cpes) {
                    DependencyVersion dbVer;
-                    if (vs.getRevision() != null && !vs.getRevision().isEmpty()) {
+                    if (vs.getUpdate() != null && !vs.getUpdate().isEmpty()) {
-                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getRevision());
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate());
                    } else {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                    }
-                    if (dbVer == null //special case, no version specified - everything is vulnerable
+                    if (dbVer == null) { //special case, no version specified - everything is vulnerable
-                            || evVer.equals(dbVer)) { //yeah! exact match
+                        hasBroadMatch = true;
-                        final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.BROAD_MATCH, conf);
                        collected.add(match);
                    } else if (evVer.equals(dbVer)) { //yeah! exact match
                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                        collected.add(match);
-                    } else {
+
                        //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
-                        if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
+                    } else if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
-                                && evVer.matchesAtLeastThreeLevels(dbVer)) {
+                            && evVer.matchesAtLeastThreeLevels(dbVer)) {
-                            if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                        if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
-                                if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
+                            if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
-                                    bestGuess = dbVer;
+                                bestGuess = dbVer;
-                                    bestGuessConf = conf;
+                                bestGuessConf = conf;
                                }
                            }
                        }
                    }
@@ -567,7 +596,11 @@ public class CPEAnalyzer implements Analyzer {
            }
        }
        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
-        final String url = null; //String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(cpeName, "UTF-8"));
+        String url = null;
        if (hasBroadMatch) { //if we have a broad match we can add the URL to the best guess.
            final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
            url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
        }
        if (bestGuessConf == null) {
            bestGuessConf = Confidence.LOW;
        }
@@ -577,6 +610,7 @@ public class CPEAnalyzer implements Analyzer {
        Collections.sort(collected);
        final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
        final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
        boolean identifierAdded = false;
        for (IdentifierMatch m : collected) {
            if (bestIdentifierQuality.equals(m.getConfidence())
                    && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
@@ -587,8 +621,10 @@ public class CPEAnalyzer implements Analyzer {
                    i.setConfidence(bestEvidenceQuality);
                }
                dependency.addIdentifier(i);
                identifierAdded = true;
            }
        }
        return identifierAdded;
    }
    /**
@@ -603,11 +639,18 @@ public class CPEAnalyzer implements Analyzer {
        /**
         * A best guess for the CPE.
         */
-        BEST_GUESS
+        BEST_GUESS,
        /**
         * The entire vendor/product group must be added (without a guess at
         * version) because there is a CVE with a VS that only specifies
         * vendor/product.
         */
        BROAD_MATCH
    }
    /**
-     * A simple object to hold an identifier and carry information about the confidence in the identifier.
+     * A simple object to hold an identifier and carry information about the
     * confidence in the identifier.
     */
    private static class IdentifierMatch implements Comparable<IdentifierMatch> {
@@ -617,8 +660,10 @@ public class CPEAnalyzer implements Analyzer {
         * @param type the type of identifier (such as CPE)
         * @param value the value of the identifier
         * @param url the URL of the identifier
-         * @param identifierConfidence the confidence in the identifier: best guess or exact match
+         * @param identifierConfidence the confidence in the identifier: best
-         * @param evidenceConfidence the confidence of the evidence used to find the identifier
+         * guess or exact match
         * @param evidenceConfidence the confidence of the evidence used to find
         * the identifier
         */
        IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
            this.identifier = new Identifier(type, value, url);
@@ -749,14 +794,20 @@ public class CPEAnalyzer implements Analyzer {
        //</editor-fold>
        /**
-         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
+         * Standard implementation of compareTo that compares identifier
-         * identifier.
+         * confidence, evidence confidence, and then the identifier.
         *
         * @param o the IdentifierMatch to compare to
         * @return the natural ordering of IdentifierMatch
         */
        @Override
        public int compareTo(IdentifierMatch o) {
            return new CompareToBuilder()
                    .append(confidence, o.confidence)
                    .append(evidenceConfidence, o.evidenceConfidence)
                    .append(identifier, o.identifier)
                    .toComparison();
            /*
            int conf = this.confidence.compareTo(o.confidence);
            if (conf == 0) {
                conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
@@ -765,6 +816,7 @@ public class CPEAnalyzer implements Analyzer {
                }
            }
            return conf;
             */
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -0,0 +1,249 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 * Analyzer which will attempt to locate a dependency, and the GAV information,
 * by querying Central for the dependency's SHA-1 digest.
 *
 * @author colezlaw
 */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(CentralAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Central Analyzer";
    /**
     * The phase in which this analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The types of files on which this will work.
     */
    private static final String SUPPORTED_EXTENSIONS = "jar";
    /**
     * The analyzer should be disabled if there are errors, so this is a flag to
     * determine if such an error has occurred.
     */
    private boolean errorFlag = false;
    /**
     * The searcher itself.
     */
    private CentralSearch searcher;
    /**
     * Field indicating if the analyzer is enabled.
     */
    private final boolean enabled = checkEnabled();
    /**
     * Determine whether to enable this analyzer or not.
     *
     * @return whether the analyzer should be enabled
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
    /**
     * Determines if this analyzer is enabled.
     *
     * @return <code>true</code> if the analyzer is enabled; otherwise
     * <code>false</code>
     */
    private boolean checkEnabled() {
        boolean retval = false;
        try {
            if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
                if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
                        || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                    LOGGER.debug("Enabling the Central analyzer");
                    retval = true;
                } else {
                    LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                }
            } else {
                LOGGER.info("Central analyzer disabled");
            }
        } catch (InvalidSettingException ise) {
            LOGGER.warn("Invalid setting. Disabling the Central analyzer");
        }
        return retval;
    }
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
     * @throws InitializationException if there's an error during initialization
     */
    @Override
    public void initializeFileTypeAnalyzer() throws InitializationException {
        LOGGER.debug("Initializing Central analyzer");
        LOGGER.debug("Central analyzer enabled: {}", isEnabled());
        if (isEnabled()) {
            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
            LOGGER.debug("Central Analyzer URL: {}", searchUrl);
            try {
                searcher = new CentralSearch(new URL(searchUrl));
            } catch (MalformedURLException ex) {
                setEnabled(false);
                throw new InitializationException("The configured URL to Maven Central is malformed: " + searchUrl, ex);
            }
        }
    }
    /**
     * Returns the analyzer's name.
     *
     * @return the name of the analyzer
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the key used in the properties file to to reference the
     * analyzer's enabled property.
     *
     * @return the analyzer's enabled property setting key.
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
    }
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
     * @return the phase under which the analyzer runs
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * The file filter used to determine which files this analyzer supports.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Performs the analysis.
     *
     * @param dependency the dependency to analyze
     * @param engine the engine
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        if (errorFlag || !isEnabled()) {
            return;
        }
        try {
            final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
            final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
            for (MavenArtifact ma : mas) {
                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                dependency.addAsEvidence("central", ma, confidence);
                boolean pomAnalyzed = false;
                for (Evidence e : dependency.getVendorEvidence()) {
                    if ("pom".equals(e.getSource())) {
                        pomAnalyzed = true;
                        break;
                    }
                }
                if (!pomAnalyzed && ma.getPomUrl() != null) {
                    File pomFile = null;
                    try {
                        final File baseDir = Settings.getTempDirectory();
                        pomFile = File.createTempFile("pom", ".xml", baseDir);
                        if (!pomFile.delete()) {
                            LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
                                    + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                            LOGGER.debug("Unable to delete temp file");
                        }
                        LOGGER.debug("Downloading {}", ma.getPomUrl());
                        Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                        PomUtils.analyzePOM(dependency, pomFile);
                    } catch (DownloadFailedException ex) {
                        LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                    } finally {
                        if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
                            LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
                            pomFile.deleteOnExit();
                        }
                    }
                }
            }
        } catch (IllegalArgumentException iae) {
            LOGGER.info("invalid sha1-hash on {}", dependency.getFileName());
        } catch (FileNotFoundException fnfe) {
            LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
        } catch (IOException ioe) {
            LOGGER.debug("Could not connect to Central search", ioe);
            errorFlag = true;
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java
@@ -0,0 +1,205 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 * This analyzer is used to analyze SWIFT and Objective-C packages by collecting
 * information from .podspec files. CocoaPods dependency manager see
 * https://cocoapods.org/.
 *
 * @author Bianca Jiang (https://twitter.com/biancajiang)
 */
@Experimental
 public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
 //    private static final Logger LOGGER = LoggerFactory.getLogger(CocoaPodsAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "CocoaPods Package Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The file name to scan.
     */
    public static final String PODSPEC = "podspec";
    /**
     * Filter that detects files named "*.podspec".
     */
    private static final FileFilter PODSPEC_FILTER = FileFilterBuilder.newInstance().addExtensions(PODSPEC).build();
    /**
     * The capture group #1 is the block variable. e.g. "Pod::Spec.new do
     * |spec|"
     */
    private static final Pattern PODSPEC_BLOCK_PATTERN = Pattern.compile("Pod::Spec\\.new\\s+?do\\s+?\\|(.+?)\\|");
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return PODSPEC_FILTER;
    }
    @Override
    protected void initializeFileTypeAnalyzer() {
        // NO-OP
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        String contents;
        try {
            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        final Matcher matcher = PODSPEC_BLOCK_PATTERN.matcher(contents);
        if (matcher.find()) {
            contents = contents.substring(matcher.end());
            final String blockVariable = matcher.group(1);
            final EvidenceCollection vendor = dependency.getVendorEvidence();
            final EvidenceCollection product = dependency.getProductEvidence();
            final EvidenceCollection version = dependency.getVersionEvidence();
            final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
            if (!name.isEmpty()) {
                vendor.addEvidence(PODSPEC, "name_project", name, Confidence.HIGHEST);
            }
            addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.HIGHEST);
            addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
            addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
            addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
            addStringEvidence(version, contents, blockVariable, "version", "version", Confidence.HIGHEST);
        }
        setPackagePath(dependency);
    }
    /**
     * Extracts evidence from the contents and adds it to the given evidence
     * collection.
     *
     * @param evidences the evidence collection to update
     * @param contents the text to extract evidence from
     * @param blockVariable the block variable within the content to search for
     * @param field the name of the field being searched for
     * @param fieldPattern the field pattern within the contents to search for
     * @param confidence the confidence level of the evidence if found
     * @return the string that was added as evidence
     */
    private String addStringEvidence(EvidenceCollection evidences, String contents,
            String blockVariable, String field, String fieldPattern, Confidence confidence) {
        String value = "";
        //capture array value between [ ]
        final Matcher arrayMatcher = Pattern.compile(
                String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern),
                Pattern.CASE_INSENSITIVE).matcher(contents);
        if (arrayMatcher.find()) {
            value = arrayMatcher.group(1);
        } else { //capture single value between quotes
            final Matcher matcher = Pattern.compile(
                    String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern),
                    Pattern.CASE_INSENSITIVE).matcher(contents);
            if (matcher.find()) {
                value = matcher.group(2);
            }
        }
        if (value.length() > 0) {
            evidences.addEvidence(PODSPEC, field, value, confidence);
        }
        return value;
    }
    /**
     * Sets the package path on the given dependency.
     *
     * @param dep the dependency to update
     */
    private void setPackagePath(Dependency dep) {
        final File file = new File(dep.getFilePath());
        final String parent = file.getParent();
        if (parent != null) {
            dep.setPackagePath(parent);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java
@@ -0,0 +1,172 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 The OWASP Foundation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.composer.ComposerDependency;
 import org.owasp.dependencycheck.data.composer.ComposerException;
 import org.owasp.dependencycheck.data.composer.ComposerLockParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.nio.charset.Charset;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Used to analyze a composer.lock file for a composer PHP app.
 *
 * @author colezlaw
 */
@Experimental
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
    /**
     * The analyzer name.
     */
    private static final String ANALYZER_NAME = "Composer.lock analyzer";
    /**
     * composer.json.
     */
    private static final String COMPOSER_LOCK = "composer.lock";
    /**
     * The FileFilter.
     */
    private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
    /**
     * Returns the FileFilter.
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILE_FILTER;
    }
    /**
     * Initializes the analyzer.
     *
     * @throws InitializationException thrown if an exception occurs getting an
     * instance of SHA1
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        try {
            sha1 = MessageDigest.getInstance("SHA1");
        } catch (NoSuchAlgorithmException ex) {
            setEnabled(false);
            throw new InitializationException("Unable to create SHA1 MmessageDigest", ex);
        }
    }
    /**
     * The MessageDigest for calculating a new digest for the new dependencies
     * added.
     */
    private MessageDigest sha1 = null;
    /**
     * Entry point for the analyzer.
     *
     * @param dependency the dependency to analyze
     * @param engine the engine scanning
     * @throws AnalysisException if there's a failure during analysis
     */
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        FileInputStream fis = null;
        try {
            fis = new FileInputStream(dependency.getActualFile());
            final ComposerLockParser clp = new ComposerLockParser(fis);
            LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
            clp.process();
            for (ComposerDependency dep : clp.getDependencies()) {
                final Dependency d = new Dependency(dependency.getActualFile());
                d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
                final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
                d.setFilePath(filePath);
                d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
                d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
                d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
                d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
                LOGGER.info("Adding dependency {}", d);
                engine.getDependencies().add(d);
            }
        } catch (FileNotFoundException fnfe) {
            LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
        } catch (ComposerException ce) {
            LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
        } finally {
            if (fis != null) {
                try {
                    fis.close();
                } catch (Exception e) {
                    LOGGER.debug("Unable to close file", e);
                }
            }
        }
    }
    /**
     * Gets the key to determine whether the analyzer is enabled.
     *
     * @return the key specifying whether the analyzer is enabled
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED;
    }
    /**
     * Returns the analyzer's name.
     *
     * @return the analyzer's name
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase this analyzer should run under.
     *
     * @return the analysis phase
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.INFORMATION_COLLECTION;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
@@ -20,17 +20,17 @@ package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
 * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
 * Any identified CPE entries within the dependencies that match will be removed.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -17,50 +17,53 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Iterator;
 import java.util.ListIterator;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
-import org.owasp.dependencycheck.utils.LogUtils;
+import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * <p>
- * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
+ * This analyzer ensures dependencies that should be grouped together, to remove
- * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
+ * excess noise from the report, are grouped. An example would be Spring, Spring
- * same relative path then these should be grouped into a single dependency under the core/main library.</p>
+ * Beans, Spring MVC, etc. If they are all for the same version and have the
 * same relative path then these should be grouped into a single dependency
 * under the core/main library.</p>
 * <p>
- * Note, this grouping only works on dependencies with identified CVE entries</p>
+ * Note, this grouping only works on dependencies with identified CVE
 * entries</p>
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
    /**
     * The Logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(DependencyBundlingAnalyzer.class);
    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
    /**
     * A pattern for obtaining the first part of a filename.
     */
-    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
    /**
     * a flag indicating if this analyzer has run. This analyzer only runs once.
     */
    private boolean analyzed = false;
    //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final Set<String> EXTENSIONS = null;
    /**
     * The name of the analyzer.
     */
@@ -70,51 +73,36 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
    /**
-     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
+     * Analyzes a set of dependencies. If they have been found to have the same
-     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
+     * base path and the same set of identifiers they are likely related. The
     * related dependencies are bundled into a single reportable item.
     *
     * @param ignore this analyzer ignores the dependency being analyzed
     * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
     * file.
     */
    @Override
    public void analyze(Dependency ignore, Engine engine) throws AnalysisException {
@@ -125,30 +113,50 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            //for (Dependency nextDependency : engine.getDependencies()) {
            while (mainIterator.hasNext()) {
                final Dependency dependency = mainIterator.next();
-                if (mainIterator.hasNext()) {
+                if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                    while (subIterator.hasNext()) {
                        final Dependency nextDependency = subIterator.next();
-                        if (isShadedJar(dependency, nextDependency)) {
+                        Dependency main = null;
-                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
+                        if (hashesMatch(dependency, nextDependency) && !containedInWar(dependency.getFilePath())
-                                dependenciesToRemove.add(dependency);
+                                && !containedInWar(nextDependency.getFilePath())) {
-                            } else {
+                            if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
                                dependenciesToRemove.add(nextDependency);
                            }
                        } else if (hashesMatch(dependency, nextDependency)) {
                            if (isCore(dependency, nextDependency)) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        } else if (isShadedJar(dependency, nextDependency)) {
                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                nextDependency.getRelatedDependencies().remove(dependency);
                                break;
                            } else {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                                dependency.getRelatedDependencies().remove(nextDependency);
                            }
                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                && hasSameBasePath(dependency, nextDependency)
                                && fileNameMatch(dependency, nextDependency)) {
                            if (isCore(dependency, nextDependency)) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        } else if ((main = getMainGemspecDependency(dependency, nextDependency)) != null) {
                            if (main == dependency) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        } else if ((main = getMainSwiftDependency(dependency, nextDependency)) != null) {
                            if (main == dependency) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        }
                    }
@@ -156,9 +164,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            }
            //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
            // was difficult because of the inner iterator.
-            for (Dependency d : dependenciesToRemove) {
+            engine.getDependencies().removeAll(dependenciesToRemove);
                engine.getDependencies().remove(d);
            }
        }
    }
@@ -166,10 +172,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     * Adds the relatedDependency to the dependency's related dependencies.
     *
     * @param dependency the main dependency
-     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
+     * @param relatedDependency a collection of dependencies to be removed from
-     * source of dependencies to remove
+     * the main analysis loop, this is the source of dependencies to remove
-     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
+     * @param dependenciesToRemove a collection of dependencies that will be
-     * function adds to this collection
+     * removed from the main analysis loop, this function adds to this
     * collection
     */
    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
        dependency.addRelatedDependency(relatedDependency);
@@ -178,6 +185,9 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            dependency.addRelatedDependency(i.next());
            i.remove();
        }
        if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
            dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
        }
        dependenciesToRemove.add(relatedDependency);
    }
@@ -208,44 +218,27 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }
    /**
-     * Returns true if the file names (and version if it exists) of the two dependencies are sufficiently similar.
+     * Returns true if the file names (and version if it exists) of the two
     * dependencies are sufficiently similar.
     *
     * @param dependency1 a dependency2 to compare
     * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are equal
+     * @return true if the identifiers in the two supplied dependencies are
     * equal
     */
    private boolean fileNameMatch(Dependency dependency1, Dependency dependency2) {
        if (dependency1 == null || dependency1.getFileName() == null
                || dependency2 == null || dependency2.getFileName() == null) {
            return false;
        }
-        String fileName1 = dependency1.getFileName();
+        final String fileName1 = dependency1.getActualFile().getName();
-        String fileName2 = dependency2.getFileName();
+        final String fileName2 = dependency2.getActualFile().getName();
        //update to deal with archive analyzer, the starting name maybe the same
        // as this is incorrectly looking at the starting path
        final File one = new File(fileName1);
        final File two = new File(fileName2);
        final String oneParent = one.getParent();
        final String twoParent = two.getParent();
        if (oneParent != null) {
            if (oneParent.equals(twoParent)) {
                fileName1 = one.getName();
                fileName2 = two.getName();
            } else {
                return false;
            }
        } else if (twoParent != null) {
            return false;
        }
        //version check
        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
-        if (version1 != null && version2 != null) {
+        if (version1 != null && version2 != null && !version1.equals(version2)) {
-            if (!version1.equals(version2)) {
+            return false;
                return false;
            }
        }
        //filename check
@@ -259,11 +252,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }
    /**
-     * Returns true if the CPE identifiers in the two supplied dependencies are equal.
+     * Returns true if the CPE identifiers in the two supplied dependencies are
     * equal.
     *
     * @param dependency1 a dependency2 to compare
     * @param dependency2 a dependency2 to compare
-     * @return true if the identifiers in the two supplied dependencies are equal
+     * @return true if the identifiers in the two supplied dependencies are
     * equal
     */
    private boolean cpeIdentifiersMatch(Dependency dependency1, Dependency dependency2) {
        if (dependency1 == null || dependency1.getIdentifiers() == null
@@ -285,16 +280,15 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
            for (Identifier i : dependency1.getIdentifiers()) {
-                matches |= dependency2.getIdentifiers().contains(i);
+                if ("cpe".equals(i.getType())) {
-                if (!matches) {
+                    matches |= dependency2.getIdentifiers().contains(i);
-                    break;
+                    if (!matches) {
                        break;
                    }
                }
            }
        }
-        if (LogUtils.isVerboseLoggingEnabled()) {
+        LOGGER.debug("IdentifiersMatch={} ({}, {})", matches, dependency1.getFileName(), dependency2.getFileName());
            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
        }
        return matches;
    }
@@ -315,10 +309,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        String right = rFile.getParent();
        if (left == null) {
            return right == null;
        } else if (right == null) {
            return false;
        }
        if (left.equalsIgnoreCase(right)) {
            return true;
        }
        if (left.matches(".*[/\\\\]repository[/\\\\].*") && right.matches(".*[/\\\\]repository[/\\\\].*")) {
            left = getBaseRepoPath(left);
            right = getBaseRepoPath(right);
@@ -336,12 +333,110 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }
    /**
-     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
+     * Bundling Ruby gems that are identified from different .gemspec files but
-     * to the 'right' library.
+     * denote the same package path. This happens when Ruby bundler installs an
     * application's dependencies by running "bundle install".
     *
     * @param dependency1 dependency to compare
     * @param dependency2 dependency to compare
     * @return true if the the dependencies being analyzed appear to be the
     * same; otherwise false
     */
    private boolean isSameRubyGem(Dependency dependency1, Dependency dependency2) {
        if (dependency1 == null || dependency2 == null
                || !dependency1.getFileName().endsWith(".gemspec")
                || !dependency2.getFileName().endsWith(".gemspec")
                || dependency1.getPackagePath() == null
                || dependency2.getPackagePath() == null) {
            return false;
        }
        if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) {
            return true;
        }
        return false;
    }
    /**
     * Ruby gems installed by "bundle install" can have zero or more *.gemspec
     * files, all of which have the same packagePath and should be grouped. If
     * one of these gemspec is from <parent>/specifications/*.gemspec, because
     * it is a stub with fully resolved gem meta-data created by Ruby bundler,
     * this dependency should be the main one. Otherwise, use dependency2 as
     * main.
     *
     * This method returns null if any dependency is not from *.gemspec, or the
     * two do not have the same packagePath. In this case, they should not be
     * grouped.
     *
     * @param dependency1 dependency to compare
     * @param dependency2 dependency to compare
     * @return the main dependency; or null if a gemspec is not included in the
     * analysis
     */
    private Dependency getMainGemspecDependency(Dependency dependency1, Dependency dependency2) {
        if (isSameRubyGem(dependency1, dependency2)) {
            final File lFile = dependency1.getActualFile();
            final File left = lFile.getParentFile();
            if (left != null && left.getName().equalsIgnoreCase("specifications")) {
                return dependency1;
            }
            return dependency2;
        }
        return null;
    }
    /**
     * Bundling same swift dependencies with the same packagePath but identified
     * by different analyzers.
     *
     * @param dependency1 dependency to test
     * @param dependency2 dependency to test
     * @return <code>true</code> if the dependencies appear to be the same;
     * otherwise <code>false</code>
     */
    private boolean isSameSwiftPackage(Dependency dependency1, Dependency dependency2) {
        if (dependency1 == null || dependency2 == null
                || (!dependency1.getFileName().endsWith(".podspec")
                && !dependency1.getFileName().equals("Package.swift"))
                || (!dependency2.getFileName().endsWith(".podspec")
                && !dependency2.getFileName().equals("Package.swift"))
                || dependency1.getPackagePath() == null
                || dependency2.getPackagePath() == null) {
            return false;
        }
        if (dependency1.getPackagePath().equalsIgnoreCase(dependency2.getPackagePath())) {
            return true;
        }
        return false;
    }
    /**
     * Determines which of the swift dependencies should be considered the
     * primary.
     *
     * @param dependency1 the first swift dependency to compare
     * @param dependency2 the second swift dependency to compare
     * @return the primary swift dependency
     */
    private Dependency getMainSwiftDependency(Dependency dependency1, Dependency dependency2) {
        if (isSameSwiftPackage(dependency1, dependency2)) {
            if (dependency1.getFileName().endsWith(".podspec")) {
                return dependency1;
            }
            return dependency2;
        }
        return null;
    }
    /**
     * This is likely a very broken attempt at determining if the 'left'
     * dependency is the 'core' library in comparison to the 'right' library.
     *
     * @param left the dependency to test
     * @param right the dependency to test against
-     * @return a boolean indicating whether or not the left dependency should be considered the "core" version.
+     * @return a boolean indicating whether or not the left dependency should be
     * considered the "core" version.
     */
    boolean isCore(Dependency left, Dependency right) {
        final String leftName = left.getFileName().toLowerCase();
@@ -356,6 +451,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                || !rightName.contains("core") && leftName.contains("core")
                || !rightName.contains("kernel") && leftName.contains("kernel")) {
            returnVal = true;
 //        } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
 //            returnVal = true;
 //        } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
 //            returnVal = false;
        } else {
            /*
             * considered splitting the names up and comparing the components,
@@ -364,23 +463,22 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             * be shorter:
             * axis2-saaj-1.4.1.jar
             * axis2-1.4.1.jar       <-----
-             * axis2-kernal-1.4.1.jar
+             * axis2-kernel-1.4.1.jar
             */
            returnVal = leftName.length() <= rightName.length();
        }
-        if (LogUtils.isVerboseLoggingEnabled()) {
+        LOGGER.debug("IsCore={} ({}, {})", returnVal, left.getFileName(), right.getFileName());
            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
        }
        return returnVal;
    }
    /**
-     * Compares the SHA1 hashes of two dependencies to determine if they are equal.
+     * Compares the SHA1 hashes of two dependencies to determine if they are
     * equal.
     *
     * @param dependency1 a dependency object to compare
     * @param dependency2 a dependency object to compare
-     * @return true if the sha1 hashes of the two dependencies match; otherwise false
+     * @return true if the sha1 hashes of the two dependencies match; otherwise
     * false
     */
    private boolean hashesMatch(Dependency dependency1, Dependency dependency2) {
        if (dependency1 == null || dependency2 == null || dependency1.getSha1sum() == null || dependency2.getSha1sum() == null) {
@@ -390,13 +488,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }
    /**
-     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
+     * Determines if the jar is shaded and the created pom.xml identified the
-     * dependency should be removed.
+     * same CPE as the jar - if so, the pom.xml dependency should be removed.
     *
     * @param dependency a dependency to check
     * @param nextDependency another dependency to check
-     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
+     * @return true if on of the dependencies is a pom.xml and the identifiers
-     * otherwise false
+     * between the two collections match; otherwise false
     */
    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
        final String mainName = dependency.getFileName().toLowerCase();
@@ -408,4 +506,54 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        return false;
    }
    /**
     * Determines which path is shortest; if path lengths are equal then we use
     * compareTo of the string method to determine if the first path is smaller.
     *
     * @param left the first path to compare
     * @param right the second path to compare
     * @return <code>true</code> if the leftPath is the shortest; otherwise
     * <code>false</code>
     */
    protected boolean firstPathIsShortest(String left, String right) {
        final String leftPath = left.replace('\\', '/');
        final String rightPath = right.replace('\\', '/');
        final int leftCount = countChar(leftPath, '/');
        final int rightCount = countChar(rightPath, '/');
        if (leftCount == rightCount) {
            return leftPath.compareTo(rightPath) <= 0;
        } else {
            return leftCount < rightCount;
        }
    }
    /**
     * Counts the number of times the character is present in the string.
     *
     * @param string the string to count the characters in
     * @param c the character to count
     * @return the number of times the character is present in the string
     */
    private int countChar(String string, char c) {
        int count = 0;
        final int max = string.length();
        for (int i = 0; i < max; i++) {
            if (c == string.charAt(i)) {
                count++;
            }
        }
        return count;
    }
    /**
     * Checks if the given file path is contained within a war or ear file.
     *
     * @param filePath the file path to check
     * @return true if the path contains '.war\' or '.ear\'.
     */
    private boolean containedInWar(String filePath) {
        return filePath == null ? false : filePath.matches(".*\\.(ear|war)[\\\\/].*");
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Experimental.java
@@ -0,0 +1,34 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.lang.annotation.ElementType;
 import java.lang.annotation.Retention;
 import java.lang.annotation.RetentionPolicy;
 import java.lang.annotation.Target;
 /**
 * Annotation used to flag an analyzer as experimental.
 *
 * @author jeremy long
 */
@Retention(RetentionPolicy.RUNTIME)
@Target(ElementType.TYPE)
 public @interface Experimental {
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.FileFilter;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.ArrayList;
@@ -25,8 +26,6 @@ import java.util.Iterator;
 import java.util.List;
 import java.util.ListIterator;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
@@ -34,19 +33,28 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
-     * The set of file extensions supported by this analyzer.
+     * The Logger.
     */
-    private static final Set<String> EXTENSIONS = null;
+    private static final Logger LOGGER = LoggerFactory.getLogger(FalsePositiveAnalyzer.class);
    /**
     * The file filter used to find DLL and EXE.
     */
    private static final FileFilter DLL_EXE_FILTER = FileFilterBuilder.newInstance().addExtensions("dll", "exe").build();
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -56,39 +64,22 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
@@ -105,11 +96,46 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        removeJreEntries(dependency);
        removeBadMatches(dependency);
        removeBadSpringMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }
    /**
     * Removes inaccurate matches on springframework CPEs.
     *
     * @param dependency the dependency to test for and remove known inaccurate CPE matches
     */
    private void removeBadSpringMatches(Dependency dependency) {
        String mustContain = null;
        for (Identifier i : dependency.getIdentifiers()) {
            if ("maven".contains(i.getType())) {
                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
                    final int endPoint = i.getValue().indexOf(':', 19);
                    if (endPoint >= 0) {
                        mustContain = i.getValue().substring(19, endPoint).toLowerCase();
                        break;
                    }
                }
            }
        }
        if (mustContain != null) {
            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
            while (itr.hasNext()) {
                final Identifier i = itr.next();
                if ("cpe".contains(i.getType())
                        && i.getValue() != null
                        && i.getValue().startsWith("cpe:/a:springsource:")
                        && !i.getValue().toLowerCase().contains(mustContain)) {
                    itr.remove();
                    //dependency.getIdentifiers().remove(i);
                }
            }
        }
    }
    /**
     * <p>
     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
@@ -130,8 +156,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    @SuppressWarnings("null")
    private void removeSpuriousCPE(Dependency dependency) {
-        final List<Identifier> ids = new ArrayList<Identifier>();
+        final List<Identifier> ids = new ArrayList<Identifier>(dependency.getIdentifiers());
        ids.addAll(dependency.getIdentifiers());
        Collections.sort(ids);
        final ListIterator<Identifier> mainItr = ids.listIterator();
        while (mainItr.hasNext()) {
@@ -155,8 +180,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        final String nextVersion = nextCpe.getVersion();
                        if (currentVersion == null && nextVersion == null) {
                            //how did we get here?
-                            Logger.getLogger(FalsePositiveAnalyzer.class
+                            LOGGER.debug("currentVersion and nextVersion are both null?");
                                    .getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
                        } else if (currentVersion == null && nextVersion != null) {
                            dependency.getIdentifiers().remove(currentId);
                        } else if (nextVersion == null && currentVersion != null) {
@@ -179,12 +203,21 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     * Regex to identify core java libraries and a few other commonly misidentified ones.
     */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
-            + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+            + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
-            + "jdk|jre|jsf|jsse)($|:.*)");
+            + "jdk|jre|jsse)($|:.*)");
    /**
     * Regex to identify core jsf libraries.
     */
    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /**
     * Regex to identify core java library files. This is currently incomplete.
     */
-    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
    /**
     * Regex to identify core jsf java library files. This is currently incomplete.
     */
    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");
    /**
     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -201,27 +234,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
            if (coreCPE.matches() && !coreFiles.matches()) {
                itr.remove();
            }
-
+            final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
-            //replacecd with the regex above.
+            final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
-            //            if (("cpe:/a:sun:java".equals(i.getValue())
+            if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
-            //                    || "cpe:/a:oracle:java".equals(i.getValue())
+                itr.remove();
-            //                    || "cpe:/a:ibm:java".equals(i.getValue())
+            }
            //                    || "cpe:/a:sun:j2se".equals(i.getValue())
            //                    || "cpe:/a:oracle:j2se".equals(i.getValue())
            //                    || i.getValue().startsWith("cpe:/a:sun:java:")
            //                    || i.getValue().startsWith("cpe:/a:sun:j2se:")
            //                    || i.getValue().startsWith("cpe:/a:sun:java:jre")
            //                    || i.getValue().startsWith("cpe:/a:sun:java:jdk")
            //                    || i.getValue().startsWith("cpe:/a:sun:java_se")
            //                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
            //                    || i.getValue().startsWith("cpe:/a:oracle:java:")
            //                    || i.getValue().startsWith("cpe:/a:oracle:j2se:")
            //                    || i.getValue().startsWith("cpe:/a:oracle:jre")
            //                    || i.getValue().startsWith("cpe:/a:oracle:jdk")
            //                    || i.getValue().startsWith("cpe:/a:ibm:java:"))
            //                    && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
            //                itr.remove();
            //            }
        }
    }
@@ -240,15 +257,15 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        try {
            cpe.parseName(value);
        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.trace("", ex);
            return null;
        }
        return cpe;
    }
    /**
-     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific
+     * Removes bad CPE matches for a dependency. Unfortunately, right now these are hard-coded patches for specific problems
-     * problems identified when testing this on a LARGE volume of jar files.
+     * identified when testing this on a LARGE volume of jar files.
     *
     * @param dependency the dependency to analyze
     */
@@ -265,18 +282,47 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
        while (itr.hasNext()) {
            final Identifier i = itr.next();
-            //TODO move this startswith expression to a configuration file?
+            //TODO move this startsWith expression to the base suppression file
            if ("cpe".equals(i.getType())) {
                if ((i.getValue().matches(".*c\\+\\+.*")
                        || i.getValue().startsWith("cpe:/a:jquery:jquery")
                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
                        || i.getValue().startsWith("cpe:/a:yahoo:yui")
                        || i.getValue().startsWith("cpe:/a:file:file")
                        || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
                        || i.getValue().startsWith("cpe:/a:cvs:cvs")
                        || i.getValue().startsWith("cpe:/a:ftp:ftp")
-                        || i.getValue().startsWith("cpe:/a:ssh:ssh"))
+                        || i.getValue().startsWith("cpe:/a:tcp:tcp")
                        || i.getValue().startsWith("cpe:/a:ssh:ssh")
                        || i.getValue().startsWith("cpe:/a:lookup:lookup"))
                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
                        || dependency.getFileName().toLowerCase().endsWith(".dll")
                        || dependency.getFileName().toLowerCase().endsWith(".exe")
                        || dependency.getFileName().toLowerCase().endsWith(".nuspec")
                        || dependency.getFileName().toLowerCase().endsWith(".zip")
                        || dependency.getFileName().toLowerCase().endsWith(".sar")
                        || dependency.getFileName().toLowerCase().endsWith(".apk")
                        || dependency.getFileName().toLowerCase().endsWith(".tar")
                        || dependency.getFileName().toLowerCase().endsWith(".gz")
                        || dependency.getFileName().toLowerCase().endsWith(".tgz")
                        || dependency.getFileName().toLowerCase().endsWith(".ear")
                        || dependency.getFileName().toLowerCase().endsWith(".war"))) {
                    itr.remove();
                } else if ((i.getValue().startsWith("cpe:/a:jquery:jquery")
                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
                        || i.getValue().startsWith("cpe:/a:yahoo:yui"))
                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
                        || dependency.getFileName().toLowerCase().endsWith(".dll")
                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
                    itr.remove();
                } else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
                        || i.getValue().startsWith("cpe:/a:microsoft:word")
                        || i.getValue().startsWith("cpe:/a:microsoft:visio")
                        || i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
                        || i.getValue().startsWith("cpe:/a:microsoft:office")
                        || i.getValue().startsWith("cpe:/a:core_ftp:core_ftp"))
                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
                        || dependency.getFileName().toLowerCase().endsWith(".ear")
                        || dependency.getFileName().toLowerCase().endsWith(".war")
                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:apache:maven")
@@ -286,7 +332,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
-                        && !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
+                        && !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
                    itr.remove();
                }
            }
@@ -327,43 +373,111 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    }
    /**
-     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and
+     * There are some known CPE entries, specifically regarding sun and oracle products due to the acquisition and changes in
-     * changes in product names, that based on given evidence we can add the related CPE entries to ensure a complete
+     * product names, that based on given evidence we can add the related CPE entries to ensure a complete list of CVE entries.
     * list of CVE entries.
     *
     * @param dependency the dependency being analyzed
     */
    private void addFalseNegativeCPEs(Dependency dependency) {
-        final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+        //TODO move this to the hint analyzer
-        while (itr.hasNext()) {
+        for (final Identifier identifier : dependency.getIdentifiers()) {
-            final Identifier i = itr.next();
+            if ("cpe".equals(identifier.getType()) && identifier.getValue() != null
-            if ("cpe".equals(i.getType()) && i.getValue() != null
+                    && (identifier.getValue().startsWith("cpe:/a:oracle:opensso:")
-                    && (i.getValue().startsWith("cpe:/a:oracle:opensso:")
+                    || identifier.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
-                    || i.getValue().startsWith("cpe:/a:oracle:opensso_enterprise:")
+                    || identifier.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
-                    || i.getValue().startsWith("cpe:/a:sun:opensso_enterprise:")
+                    || identifier.getValue().startsWith("cpe:/a:sun:opensso:"))) {
-                    || i.getValue().startsWith("cpe:/a:sun:opensso:"))) {
+                final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", identifier.getValue().substring(22));
-                final String newCpe = String.format("cpe:/a:sun:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", identifier.getValue().substring(22));
-                final String newCpe2 = String.format("cpe:/a:oracle:opensso_enterprise:%s", i.getValue().substring(22));
+                final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", identifier.getValue().substring(22));
-                final String newCpe3 = String.format("cpe:/a:sun:opensso:%s", i.getValue().substring(22));
+                final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", identifier.getValue().substring(22));
                final String newCpe4 = String.format("cpe:/a:oracle:opensso:%s", i.getValue().substring(22));
                try {
                    dependency.addIdentifier("cpe",
                            newCpe,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe2,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe2, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe3,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe3, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe4,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe4, "UTF-8")));
                } catch (UnsupportedEncodingException ex) {
-                    Logger.getLogger(FalsePositiveAnalyzer.class
+                    LOGGER.debug("", ex);
                            .getName()).log(Level.FINE, null, ex);
                }
            }
        }
    }
    /**
     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM entries or
     * other types of files (such as DLLs and EXEs) being contained within the JAR.
     *
     * @param dependency the dependency that might be a duplicate
     * @param engine the engine used to scan all dependencies
     */
    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
        if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
                || DLL_EXE_FILTER.accept(dependency.getActualFile())) {
            String parentPath = dependency.getFilePath().toLowerCase();
            if (parentPath.contains(".jar")) {
                parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
                final Dependency parent = findDependency(parentPath, engine.getDependencies());
                if (parent != null) {
                    boolean remove = false;
                    for (Identifier i : dependency.getIdentifiers()) {
                        if ("cpe".equals(i.getType())) {
                            final String trimmedCPE = trimCpeToVendor(i.getValue());
                            for (Identifier parentId : parent.getIdentifiers()) {
                                if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
                                    remove |= true;
                                }
                            }
                        }
                        if (!remove) { //we can escape early
                            return;
                        }
                    }
                    if (remove) {
                        engine.getDependencies().remove(dependency);
                    }
                }
            }
        }
    }
    /**
     * Retrieves a given dependency, based on a given path, from a list of dependencies.
     *
     * @param dependencyPath the path of the dependency to return
     * @param dependencies the collection of dependencies to search
     * @return the dependency object for the given path, otherwise null
     */
    private Dependency findDependency(String dependencyPath, List<Dependency> dependencies) {
        for (Dependency d : dependencies) {
            if (d.getFilePath().equalsIgnoreCase(dependencyPath)) {
                return d;
            }
        }
        return null;
    }
    /**
     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
     *
     * @param value the CPE value to trim
     * @return a CPE value that only includes the vendor and product
     */
    private String trimCpeToVendor(String value) {
        //cpe:/a:jruby:jruby:1.0.8
        final int pos1 = value.indexOf(':', 7); //right of vendor
        final int pos2 = value.indexOf(':', pos1 + 1); //right of product
        if (pos2 < 0) {
            return value;
        } else {
            return value.substring(0, pos2);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -17,10 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
-import java.util.Set;
+
 import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -30,11 +32,11 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 *
 * Takes a dependency and analyzes the filename and determines the hashes.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -43,97 +45,76 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final Set<String> EXTENSIONS = null;
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
    /**
     * Python init files
     */
    //CSOFF: WhitespaceAfter
    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[]{
        "__init__.py",
        "__init__.pyc",
        "__init__.pyo",});
    //CSON: WhitespaceAfter
    /**
     * Collects information about the file name.
     *
     * @param dependency the dependency to analyze.
     * @param engine the engine that is scanning the dependencies
-     * @throws AnalysisException is thrown if there is an error reading the JAR file.
+     * @throws AnalysisException is thrown if there is an error reading the JAR
     * file.
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        //strip any path information that may get added by ArchiveAnalyzer, etc.
-        final File f = new File(dependency.getFileName());
+        final File f = dependency.getActualFile();
-        String fileName = f.getName();
+        final String fileName = FilenameUtils.removeExtension(f.getName());
        //remove file extension
        final int pos = fileName.lastIndexOf(".");
        if (pos > 0) {
            fileName = fileName.substring(0, pos);
        }
        //add version evidence
        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
        final String packageName = DependencyVersionUtil.parsePreVersion(fileName);
        if (version != null) {
            // If the version number is just a number like 2 or 23, reduce the confidence
            // a shade. This should hopefully correct for cases like log4j.jar or
            // struts2-core.jar
            if (version.getVersionParts() == null || version.getVersionParts().size() < 2) {
-                dependency.getVersionEvidence().addEvidence("file", "name",
+                dependency.getVersionEvidence().addEvidence("file", "version",
                        version.toString(), Confidence.MEDIUM);
            } else {
-                dependency.getVersionEvidence().addEvidence("file", "name",
+                dependency.getVersionEvidence().addEvidence("file", "version",
                        version.toString(), Confidence.HIGHEST);
            }
            dependency.getVersionEvidence().addEvidence("file", "name",
-                    fileName, Confidence.MEDIUM);
+                    packageName, Confidence.MEDIUM);
        }
-        //add as vendor and product evidence
+        if (!IGNORED_FILES.accept(f)) {
        if (fileName.contains("-")) {
            dependency.getProductEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
+                    packageName, Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("file", "name",
-                    fileName, Confidence.HIGHEST);
+                    packageName, Confidence.HIGH);
        } else {
            dependency.getProductEvidence().addEvidence("file", "name",
                    fileName, Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("file", "name",
                    fileName, Confidence.HIGH);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
@@ -0,0 +1,33 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.FileFilter;
 /**
 * An Analyzer that scans specific file types.
 *
 * @author Jeremy Long
 */
 public interface FileTypeAnalyzer extends Analyzer, FileFilter {
    /**
     * Resets the analyzers state.
     */
    void reset();
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -17,22 +17,43 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.ArrayList;
 import java.util.Iterator;
-import java.util.Set;
+import java.util.List;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.xml.suppression.PropertyType;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.xml.hints.VendorDuplicatingHintRule;
 import org.owasp.dependencycheck.xml.hints.HintParseException;
 import org.owasp.dependencycheck.xml.hints.HintParser;
 import org.owasp.dependencycheck.xml.hints.HintRule;
 import org.owasp.dependencycheck.xml.hints.Hints;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import org.xml.sax.SAXException;
 /**
 * This analyzer adds evidence to dependencies to enhance the accuracy of
 * library identification.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -41,59 +62,121 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final Set<String> EXTENSIONS = null;
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * The initialize method does nothing for this Analyzer.
     *
     * @throws InitializationException thrown if there is an exception
     */
    @Override
    public void initialize() throws InitializationException {
        try {
            super.initialize();
            loadHintRules();
        } catch (HintParseException ex) {
            LOGGER.debug("Unable to parse hint file", ex);
            throw new InitializationException("Unable to parse the hint file", ex);
        }
    }
    //</editor-fold>
    /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
+     * The Logger for use throughout the class
-     * identifiers or vulnerabilities.
+     */
    private static final Logger LOGGER = LoggerFactory.getLogger(HintAnalyzer.class);
    /**
     * The name of the hint rule file
     */
    private static final String HINT_RULE_FILE_NAME = "dependencycheck-base-hint.xml";
    /**
     * The collection of hints.
     */
    private Hints hints;
    /**
     * The HintAnalyzer uses knowledge about a dependency to add additional
     * information to help in identification of identifiers or vulnerabilities.
     *
     * @param dependency The dependency being analyzed
     * @param engine The scanning engine
-     * @throws AnalysisException is thrown if there is an exception analyzing the dependency.
+     * @throws AnalysisException is thrown if there is an exception analyzing
     * the dependency.
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        for (HintRule hint : hints.getHintRules()) {
            boolean shouldAdd = false;
            for (Evidence given : hint.getGivenVendor()) {
                if (dependency.getVendorEvidence().getEvidence().contains(given)) {
                    shouldAdd = true;
                    break;
                }
            }
            if (!shouldAdd) {
                for (Evidence given : hint.getGivenProduct()) {
                    if (dependency.getProductEvidence().getEvidence().contains(given)) {
                        shouldAdd = true;
                        break;
                    }
                }
            }
            if (!shouldAdd) {
                for (PropertyType pt : hint.getFilenames()) {
                    if (pt.matches(dependency.getFileName())) {
                        shouldAdd = true;
                    }
                }
            }
            if (shouldAdd) {
                for (Evidence e : hint.getAddVendor()) {
                    dependency.getVendorEvidence().addEvidence(e);
                }
                for (Evidence e : hint.getAddProduct()) {
                    dependency.getProductEvidence().addEvidence(e);
                }
                for (Evidence e : hint.getAddVersion()) {
                    dependency.getVersionEvidence().addEvidence(e);
                }
            }
        }
        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
        final List<Evidence> newEntries = new ArrayList<Evidence>();
        while (itr.hasNext()) {
            final Evidence e = itr.next();
            for (VendorDuplicatingHintRule dhr : hints.getVendorDuplicatingHintRules()) {
                if (dhr.getValue().equalsIgnoreCase(e.getValue(false))) {
                    newEntries.add(new Evidence(e.getSource() + " (hint)",
                            e.getName(), dhr.getDuplicate(), e.getConfidence()));
                }
            }
        }
        for (Evidence e : newEntries) {
            dependency.getVendorEvidence().addEvidence(e);
        }
        //<editor-fold defaultstate="collapsed" desc="Old implementation">
        /*
        final Evidence springTest1 = new Evidence("Manifest",
                "Implementation-Title",
                "Spring Framework",
@@ -105,24 +188,79 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                Confidence.HIGH);
        final Evidence springTest3 = new Evidence("Manifest",
-                "Bundle-Vendor",
+                "Implementation-Title",
-                "SpringSource",
+                "spring-core",
                Confidence.HIGH);
-        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
+        final Evidence springTest4 = new Evidence("jar",
-        if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
+                "package name",
                "springframework",
                Confidence.LOW);
        final Evidence springSecurityTest1 = new Evidence("Manifest",
                "Bundle-Name",
                "Spring Security Core",
                Confidence.MEDIUM);
        final Evidence springSecurityTest2 = new Evidence("pom",
                "artifactid",
                "spring-security-core",
                Confidence.HIGH);
        final Evidence symfony = new Evidence("composer.lock",
            "vendor",
            "symfony",
            Confidence.HIGHEST);
        final Evidence zendframeworkVendor = new Evidence("composer.lock",
            "vendor",
            "zendframework",
            Confidence.HIGHEST);
        final Evidence zendframeworkProduct = new Evidence("composer.lock",
            "product",
            "zendframework",
            Confidence.HIGHEST);
        //springsource/vware problem
        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
                || (dependency.getFileName().contains("spring") && product.contains(springTest4))) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
        }
        if (vendor.contains(springTest4)) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "pivotal", Confidence.HIGH);
        }
        if (product.contains(springSecurityTest1) || product.contains(springSecurityTest2)) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_security", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
        }
-        evidence = dependency.getVendorEvidence().getEvidence();
+        if (vendor.contains(symfony)) {
-        if (evidence.contains(springTest3)) {
+            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "sensiolabs", Confidence.HIGHEST);
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
        }
        if (vendor.contains(zendframeworkVendor)) {
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "zend", Confidence.HIGHEST);
        }
        if (product.contains(zendframeworkProduct)) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "vendor", "zend_framework", Confidence.HIGHEST);
        }
        //sun/oracle problem
        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<Evidence>();
        while (itr.hasNext()) {
            final Evidence e = itr.next();
            if ("sun".equalsIgnoreCase(e.getValue(false))) {
@@ -136,6 +274,90 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
        for (Evidence e : newEntries) {
            dependency.getVendorEvidence().addEvidence(e);
        }
         */
        //</editor-fold>
    }
    /**
     * Loads the hint rules file.
     *
     * @throws HintParseException thrown if the XML cannot be parsed.
     */
    private void loadHintRules() throws HintParseException {
        final HintParser parser = new HintParser();
        File file = null;
        try {
            hints = parser.parseHints(this.getClass().getClassLoader().getResourceAsStream(HINT_RULE_FILE_NAME));
        } catch (HintParseException ex) {
            LOGGER.error("Unable to parse the base hint data file");
            LOGGER.debug("Unable to parse the base hint data file", ex);
        } catch (SAXException ex) {
            LOGGER.error("Unable to parse the base hint data file");
            LOGGER.debug("Unable to parse the base hint data file", ex);
        }
        final String filePath = Settings.getString(Settings.KEYS.HINTS_FILE);
        if (filePath == null) {
            return;
        }
        boolean deleteTempFile = false;
        try {
            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
            if (uriRx.matcher(filePath).matches()) {
                deleteTempFile = true;
                file = FileUtils.getTempFile("hint", "xml");
                final URL url = new URL(filePath);
                try {
                    Downloader.fetchFile(url, file, false);
                } catch (DownloadFailedException ex) {
                    Downloader.fetchFile(url, file, true);
                }
            } else {
                file = new File(filePath);
                if (!file.exists()) {
                    InputStream fromClasspath = null;
                    try {
                        fromClasspath = this.getClass().getClassLoader().getResourceAsStream(filePath);
                        if (fromClasspath != null) {
                            deleteTempFile = true;
                            file = FileUtils.getTempFile("hint", "xml");
                            try {
                                org.apache.commons.io.FileUtils.copyInputStreamToFile(fromClasspath, file);
                            } catch (IOException ex) {
                                throw new HintParseException("Unable to locate suppressions file in classpath", ex);
                            }
                        }
                    } finally {
                        if (fromClasspath != null) {
                            fromClasspath.close();
                        }
                    }
                }
            }
            if (file != null) {
                try {
                    final Hints newHints = parser.parseHints(file);
                    hints.getHintRules().addAll(newHints.getHintRules());
                    hints.getVendorDuplicatingHintRules().addAll(newHints.getVendorDuplicatingHintRules());
                    LOGGER.debug("{} hint rules were loaded.", hints.getHintRules().size());
                    LOGGER.debug("{} duplicating hint rules were loaded.", hints.getVendorDuplicatingHintRules().size());
                } catch (HintParseException ex) {
                    LOGGER.warn("Unable to parse hint rule xml file '{}'", file.getPath());
                    LOGGER.warn(ex.getMessage());
                    LOGGER.debug("", ex);
                    throw ex;
                }
            }
        } catch (DownloadFailedException ex) {
            throw new HintParseException("Unable to fetch the configured hint file", ex);
        } catch (MalformedURLException ex) {
            throw new HintParseException("Configured hint file has an invalid URL", ex);
        } catch (IOException ex) {
            throw new HintParseException("Unable to create temp file for hints", ex);
        } finally {
            if (deleteTempFile && file != null) {
                FileUtils.delete(file);
            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
@@ -1,132 +0,0 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.FileReader;
 import java.io.IOException;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 /**
 *
 * Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "JavaScript Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final Set<String> EXTENSIONS = newHashSet("js");
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
    @Override
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns whether or not this analyzer can process the given extension.
     *
     * @param extension the file extension to test for support.
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    @Override
    public boolean supportsExtension(String extension) {
        return EXTENSIONS.contains(extension);
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
    /**
     * Loads a specified JavaScript file and collects information from the copyright information contained within.
     *
     * @param dependency the dependency to analyze.
     * @param engine the engine that is scanning the dependencies
     * @throws AnalysisException is thrown if there is an error reading the JavaScript file.
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        BufferedReader fin = null;;
        try {
            //  /\*([^\*][^/]|[\r\n\f])+?\*/
            final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
            File file = dependency.getActualFile();
            fin = new BufferedReader(new FileReader(file));
            StringBuilder sb = new StringBuilder(2000);
            String text;
            while ((text = fin.readLine()) != null) {
                sb.append(text);
            }
        } catch (FileNotFoundException ex) {
            final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
            throw new AnalysisException(msg, ex);
        } catch (IOException ex) {
            Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
        } finally {
            if (fin != null) {
                try {
                    fin.close();
                } catch (IOException ex) {
                    Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.FINEST, null, ex);
                }
            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -17,61 +17,75 @@
 */
 package org.owasp.dependencycheck.analyzer;
-import java.io.FileNotFoundException;
+import org.apache.commons.io.FileUtils;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.xml.pom.PomUtils;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
 import java.net.URL;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 /**
- * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
+ * Analyzer which will attempt to locate a dependency on a Nexus service by
 * SHA-1 digest of the dependency.
 *
 * There are two settings which govern this behavior:
 *
 * <ul>
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED}
- * even enabled. This can be overridden by setting the system property.</li>
+ * determines whether this analyzer is even enabled. This can be overridden by
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
+ * setting the system property.</li>
- * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL}
 * the URL to a Nexus service to search by SHA-1. There is an expected
 * <code>%s</code> in this where the SHA-1 will get entered.</li>
 * </ul>
 *
 * @author colezlaw
 */
-public class NexusAnalyzer extends AbstractAnalyzer {
+public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
    /**
-     * The logger
+     * The default URL - this will be used by the CentralAnalyzer to determine
     * whether to enable this.
     */
-    private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());
+    public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
    /**
-     * The name of the analyzer
+     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(NexusAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nexus Analyzer";
    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The types of files on which this will work.
     */
-    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
+    private static final String SUPPORTED_EXTENSIONS = "jar";
    /**
     * Whether this is actually enabled. Will get set during initialization.
     */
    private boolean enabled = false;
    /**
     * The Nexus Search to be set up for this analyzer.
@@ -79,29 +93,68 @@ public class NexusAnalyzer extends AbstractAnalyzer {
    private NexusSearch searcher;
    /**
-     * Initializes the analyzer once before any analysis is performed.
+     * Field indicating if the analyzer is enabled.
     */
    private final boolean enabled = checkEnabled();
    /**
     * Determines if this analyzer is enabled
     *
-     * @throws Exception if there's an error during initialization
+     * @return <code>true</code> if the analyzer is enabled; otherwise
     * <code>false</code>
     */
    private boolean checkEnabled() {
        /* Enable this analyzer ONLY if the Nexus URL has been set to something
         other than the default one (if it's the default one, we'll use the
         central one) and it's enabled by the user.
         */
        boolean retval = false;
        try {
            if (!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                LOGGER.info("Enabling Nexus analyzer");
                retval = true;
            } else {
                LOGGER.debug("Nexus analyzer disabled, using Central instead");
            }
        } catch (InvalidSettingException ise) {
            LOGGER.warn("Invalid setting. Disabling Nexus analyzer");
        }
        return retval;
    }
    /**
     * Determine whether to enable this analyzer or not.
     *
     * @return whether the analyzer should be enabled
     */
    @Override
-    public void initialize() throws Exception {
+    public boolean isEnabled() {
-        enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
+        return enabled;
-        LOGGER.fine("Initializing Nexus Analyzer");
+    }
-        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", enabled));
+
-        if (enabled) {
+    /**
     * Initializes the analyzer once before any analysis is performed.
     *
     * @throws InitializationException if there's an error during initialization
     */
    @Override
    public void initializeFileTypeAnalyzer() throws InitializationException {
        LOGGER.debug("Initializing Nexus Analyzer");
        LOGGER.debug("Nexus Analyzer enabled: {}", isEnabled());
        if (isEnabled()) {
            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
-            LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
+            LOGGER.debug("Nexus Analyzer URL: {}", searchUrl);
            try {
                searcher = new NexusSearch(new URL(searchUrl));
                if (!searcher.preflightRequest()) {
-                    LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
+                    setEnabled(false);
-                    enabled = false;
+                    throw new InitializationException("There was an issue getting Nexus status. Disabling analyzer.");
                }
            } catch (MalformedURLException mue) {
-                // I know that initialize can throw an exception, but we'll
+                setEnabled(false);
-                // just disable the analyzer if the URL isn't valid
+                throw new InitializationException("Malformed URL to Nexus: " + searchUrl, mue);
                LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
                enabled = false;
            }
        }
    }
@@ -116,6 +169,17 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
    }
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -127,24 +191,18 @@ public class NexusAnalyzer extends AbstractAnalyzer {
    }
    /**
-     * Returns the extensions for which this Analyzer runs.
+     * The file filter used to determine which files this analyzer supports.
     *
     * @return the extensions for which this Analyzer runs
     */
-    @Override
+    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(SUPPORTED_EXTENSIONS).build();
    public Set<String> getSupportedExtensions() {
        return SUPPORTED_EXTENSIONS;
    }
    /**
-     * Determines whether the incoming extension is supported.
+     * Returns the FileFilter
     *
-     * @param extension the extension to check for support
+     * @return the FileFilter
     * @return whether the extension is supported
     */
    @Override
-    public boolean supportsExtension(String extension) {
+    protected FileFilter getFileFilter() {
-        return SUPPORTED_EXTENSIONS.contains(extension);
+        return FILTER;
    }
    /**
@@ -155,38 +213,54 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        // Make a quick exit if this analyzer is disabled
+        if (!isEnabled()) {
        if (!enabled) {
            return;
        }
        try {
            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
-            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
+            dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
+            boolean pomAnalyzed = false;
            LOGGER.debug("POM URL {}", ma.getPomUrl());
            for (Evidence e : dependency.getVendorEvidence()) {
                if ("pom".equals(e.getSource())) {
                    pomAnalyzed = true;
                    break;
                }
            }
-            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
+            if (!pomAnalyzed && ma.getPomUrl() != null) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
+                File pomFile = null;
-            }
+                try {
-            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
+                    final File baseDir = Settings.getTempDirectory();
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
+                    pomFile = File.createTempFile("pom", ".xml", baseDir);
-            }
+                    if (!pomFile.delete()) {
-            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
+                        LOGGER.warn("Unable to fetch pom.xml for {} from Nexus repository; "
-                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
+                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                        LOGGER.debug("Unable to delete temp file");
                    }
                    LOGGER.debug("Downloading {}", ma.getPomUrl());
                    Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                    PomUtils.analyzePOM(dependency, pomFile);
                } catch (DownloadFailedException ex) {
                    LOGGER.warn("Unable to download pom.xml for {} from Nexus repository; "
                            + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                } finally {
                    if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
                        LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
                        pomFile.deleteOnExit();
                    }
                }
            }
        } catch (IllegalArgumentException iae) {
            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
-            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
+            LOGGER.info("invalid sha-1 hash on {}", dependency.getFileName());
        } catch (FileNotFoundException fnfe) {
            //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
-            LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
+            LOGGER.debug("Artifact not found in repository '{}'", dependency.getFileName());
-            LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
+            LOGGER.debug(fnfe.getMessage(), fnfe);
        } catch (IOException ioe) {
            //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
-            LOGGER.log(Level.FINE, "Could not connect to nexus repository", ioe);
+            LOGGER.debug("Could not connect to nexus repository", ioe);
        }
    }
 }
 // vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java
@@ -0,0 +1,191 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.util.Map;
 import javax.json.Json;
 import javax.json.JsonException;
 import javax.json.JsonObject;
 import javax.json.JsonReader;
 import javax.json.JsonString;
 import javax.json.JsonValue;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Used to analyze Node Package Manager (npm) package.json files, and collect
 * information that can be used to determine the associated CPE.
 *
 * @author Dale Visser
 */
@Experimental
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(NodePackageAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Node.js Package Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The file name to scan.
     */
    public static final String PACKAGE_JSON = "package.json";
    /**
     * Filter that detects files named "package.json".
     */
    private static final FileFilter PACKAGE_JSON_FILTER = FileFilterBuilder.newInstance()
            .addFilenames(PACKAGE_JSON).build();
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return PACKAGE_JSON_FILTER;
    }
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // NO-OP
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File file = dependency.getActualFile();
        JsonReader jsonReader;
        try {
            jsonReader = Json.createReader(FileUtils.openInputStream(file));
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        try {
            final JsonObject json = jsonReader.readObject();
            final EvidenceCollection productEvidence = dependency.getProductEvidence();
            final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
            if (json.containsKey("name")) {
                final Object value = json.get("name");
                if (value instanceof JsonString) {
                    final String valueString = ((JsonString) value).getString();
                    productEvidence.addEvidence(PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
                    vendorEvidence.addEvidence(PACKAGE_JSON, "name_project", String.format("%s_project", valueString), Confidence.LOW);
                } else {
                    LOGGER.warn("JSON value not string as expected: {}", value);
                }
            }
            addToEvidence(json, productEvidence, "description");
            addToEvidence(json, vendorEvidence, "author");
            addToEvidence(json, dependency.getVersionEvidence(), "version");
            dependency.setDisplayFileName(String.format("%s/%s", file.getParentFile().getName(), file.getName()));
        } catch (JsonException e) {
            LOGGER.warn("Failed to parse package.json file.", e);
        } finally {
            jsonReader.close();
        }
    }
    /**
     * Adds information to an evidence collection from the node json
     * configuration.
     *
     * @param json information from node.js
     * @param collection a set of evidence about a dependency
     * @param key the key to obtain the data from the json information
     */
    private void addToEvidence(JsonObject json, EvidenceCollection collection, String key) {
        if (json.containsKey(key)) {
            final JsonValue value = json.get(key);
            if (value instanceof JsonString) {
                collection.addEvidence(PACKAGE_JSON, key, ((JsonString) value).getString(), Confidence.HIGHEST);
            } else if (value instanceof JsonObject) {
                final JsonObject jsonObject = (JsonObject) value;
                for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
                    final String property = entry.getKey();
                    final JsonValue subValue = entry.getValue();
                    if (subValue instanceof JsonString) {
                        collection.addEvidence(PACKAGE_JSON,
                                String.format("%s.%s", key, property),
                                ((JsonString) subValue).getString(),
                                Confidence.HIGHEST);
                    } else {
                        LOGGER.warn("JSON sub-value not string as expected: {}", subValue);
                    }
                }
            } else {
                LOGGER.warn("JSON value not string or JSON object as expected: {}", value);
            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -17,52 +17,59 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.FileInputStream;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nuget.NugetPackage;
 import org.owasp.dependencycheck.data.nuget.NuspecParseException;
 import org.owasp.dependencycheck.data.nuget.NuspecParser;
 import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Analyzer which will parse a Nuspec file to gather module information.
 *
 * @author colezlaw
 */
-public class NuspecAnalyzer extends AbstractAnalyzer {
+public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
    /**
-     * The logger
+     * The logger.
     */
-    private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName());
+    private static final Logger LOGGER = LoggerFactory.getLogger(NuspecAnalyzer.class);
    /**
-     * The name of the analyzer
+     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nuspec Analyzer";
    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The types of files on which this will work.
     */
-    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("nuspec");
+    private static final String SUPPORTED_EXTENSIONS = "nuspec";
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
-     * @throws Exception if there's an error during initialization
+     * @throws InitializationException if there's an error during initialization
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws InitializationException {
    }
    /**
@@ -75,6 +82,17 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
    }
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -86,24 +104,19 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
    }
    /**
-     * Returns the extensions for which this Analyzer runs.
+     * The file filter used to determine which files this analyzer supports.
     *
     * @return the extensions for which this Analyzer runs
     */
-    @Override
+    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(
-    public Set<String> getSupportedExtensions() {
+            SUPPORTED_EXTENSIONS).build();
        return SUPPORTED_EXTENSIONS;
    }
    /**
-     * Determines whether the incoming extension is supported.
+     * Returns the FileFilter
     *
-     * @param extension the extension to check for support
+     * @return the FileFilter
     * @return whether the extension is supported
     */
    @Override
-    public boolean supportsExtension(String extension) {
+    protected FileFilter getFileFilter() {
-        return SUPPORTED_EXTENSIONS.contains(extension);
+        return FILTER;
    }
    /**
@@ -114,8 +127,8 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString());
+        LOGGER.debug("Checking Nuspec file {}", dependency);
        try {
            final NuspecParser parser = new XPathNuspecParser();
            NugetPackage np = null;
@@ -123,12 +136,16 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
            try {
                fis = new FileInputStream(dependency.getActualFilePath());
                np = parser.parse(fis);
            } catch (NuspecParseException ex) {
                throw new AnalysisException(ex);
            } catch (FileNotFoundException ex) {
                throw new AnalysisException(ex);
            } finally {
                if (fis != null) {
                    try {
                        fis.close();
-                    } catch (Throwable e) {
+                    } catch (IOException e) {
-                        LOGGER.fine("Error closing input stream");
+                        LOGGER.debug("Error closing input stream");
                    }
                }
            }
@@ -147,5 +164,3 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        }
    }
 }
 // vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -17,26 +17,30 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.slf4j.LoggerFactory;
 /**
 * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
 * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class NvdCveAnalyzer implements Analyzer {
-
+    /**
     * The Logger for use throughout the class
     */
    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(NvdCveAnalyzer.class);
    /**
     * The maximum number of query results to return.
     */
@@ -62,6 +66,7 @@ public class NvdCveAnalyzer implements Analyzer {
    /**
     * Closes the data source.
     */
    @Override
    public void close() {
        cveDB.close();
        cveDB = null;
@@ -73,13 +78,13 @@ public class NvdCveAnalyzer implements Analyzer {
     * @return true or false.
     */
    public boolean isOpen() {
-        return (cveDB != null);
+        return cveDB != null;
    }
    /**
     * Ensures that the CVE Database is closed.
     *
-     * @throws Throwable when a throwable is thrown.
+     * @throws Throwable an exception raised by this method
     */
    @Override
    protected void finalize() throws Throwable {
@@ -94,8 +99,9 @@ public class NvdCveAnalyzer implements Analyzer {
     *
     * @param dependency The Dependency to analyze
     * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
+     * @throws AnalysisException thrown if there is an issue analyzing the dependency
     */
    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        for (Identifier id : dependency.getIdentifiers()) {
            if ("cpe".equals(id.getType())) {
@@ -108,15 +114,17 @@ public class NvdCveAnalyzer implements Analyzer {
                }
            }
        }
-    }
+        for (Identifier id : dependency.getSuppressedIdentifiers()) {
-
+            if ("cpe".equals(id.getType())) {
-    /**
+                try {
-     * Returns true because this analyzer supports all dependency types.
+                    final String value = id.getValue();
-     *
+                    final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
-     * @return true.
+                    dependency.getSuppressedVulnerabilities().addAll(vulns);
-     */
+                } catch (DatabaseException ex) {
-    public Set<String> getSupportedExtensions() {
+                    throw new AnalysisException(ex);
-        return null;
+                }
            }
        }
    }
    /**
@@ -124,35 +132,42 @@ public class NvdCveAnalyzer implements Analyzer {
     *
     * @return the name of this analyzer.
     */
    @Override
    public String getName() {
        return "NVD CVE Analyzer";
    }
    /**
     * Returns true because this analyzer supports all dependency types.
     *
     * @param extension the file extension of the dependency being analyzed.
     * @return true.
     */
    public boolean supportsExtension(String extension) {
        return true;
    }
    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }
    /**
-     * Opens the NVD CVE Lucene Index.
+     * Opens the database used to gather NVD CVE data.
     *
-     * @throws Exception is thrown if there is an issue opening the index.
+     * @throws InitializationException is thrown if there is an issue opening the index.
     */
-    public void initialize() throws Exception {
+    @Override
-        this.open();
+    public void initialize() throws InitializationException {
        try {
            this.open();
        } catch (SQLException ex) {
            LOGGER.debug("SQL Exception initializing NvdCveAnalyzer", ex);
            throw new InitializationException(ex);
        } catch (IOException ex) {
            LOGGER.debug("IO Exception initializing NvdCveAnalyzer", ex);
            throw new InitializationException(ex);
        } catch (DatabaseException ex) {
            LOGGER.debug("Database Exception initializing NvdCveAnalyzer", ex);
            throw new InitializationException(ex);
        } catch (ClassNotFoundException ex) {
            LOGGER.debug("Exception initializing NvdCveAnalyzer", ex);
            throw new InitializationException(ex);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java
@@ -0,0 +1,214 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Used to analyze OpenSSL source code present in the file system.
 *
 * @author Dale Visser
 */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Hexadecimal.
     */
    private static final int HEXADECIMAL = 16;
    /**
     * Filename to analyze. All other .h files get removed from consideration.
     */
    private static final String OPENSSLV_H = "opensslv.h";
    /**
     * Filter that detects files named "__init__.py".
     */
    private static final FileFilter OPENSSLV_FILTER = FileFilterBuilder.newInstance().addFilenames(OPENSSLV_H).build();
    /**
     * Open SSL Version number pattern.
     */
    private static final Pattern VERSION_PATTERN = Pattern.compile(
            "define\\s+OPENSSL_VERSION_NUMBER\\s+0x([0-9a-zA-Z]{8})L", Pattern.DOTALL
            | Pattern.CASE_INSENSITIVE);
    /**
     * The offset of the major version number.
     */
    private static final int MAJOR_OFFSET = 28;
    /**
     * The mask for the minor version number.
     */
    private static final long MINOR_MASK = 0x0ff00000L;
    /**
     * The offset of the minor version number.
     */
    private static final int MINOR_OFFSET = 20;
    /**
     * The max for the fix version.
     */
    private static final long FIX_MASK = 0x000ff000L;
    /**
     * The offset for the fix version.
     */
    private static final int FIX_OFFSET = 12;
    /**
     * The mask for the patch version.
     */
    private static final long PATCH_MASK = 0x00000ff0L;
    /**
     * The offset for the patch version.
     */
    private static final int PATCH_OFFSET = 4;
    /**
     * Number of letters.
     */
    private static final int NUM_LETTERS = 26;
    /**
     * The status mask.
     */
    private static final int STATUS_MASK = 0x0000000f;
    /**
     * Returns the open SSL version as a string.
     *
     * @param openSSLVersionConstant The open SSL version
     * @return the version of openssl
     */
    static String getOpenSSLVersion(long openSSLVersionConstant) {
        final long major = openSSLVersionConstant >>> MAJOR_OFFSET;
        final long minor = (openSSLVersionConstant & MINOR_MASK) >>> MINOR_OFFSET;
        final long fix = (openSSLVersionConstant & FIX_MASK) >>> FIX_OFFSET;
        final long patchLevel = (openSSLVersionConstant & PATCH_MASK) >>> PATCH_OFFSET;
        final String patch = 0 == patchLevel || patchLevel > NUM_LETTERS ? "" : String.valueOf((char) (patchLevel + 'a' - 1));
        final int statusCode = (int) (openSSLVersionConstant & STATUS_MASK);
        final String status = 0xf == statusCode ? "" : (0 == statusCode ? "-dev" : "-beta" + statusCode);
        return String.format("%d.%d.%d%s%s", major, minor, fix, patch, status);
    }
    /**
     * Returns the name of the Python Package Analyzer.
     *
     * @return the name of the analyzer
     */
    @Override
    public String getName() {
        return "OpenSSL Source Analyzer";
    }
    /**
     * Tell that we are used for information collection.
     *
     * @return INFORMATION_COLLECTION
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.INFORMATION_COLLECTION;
    }
    /**
     * Returns the set of supported file extensions.
     *
     * @return the set of supported file extensions
     */
    @Override
    protected FileFilter getFileFilter() {
        return OPENSSLV_FILTER;
    }
    /**
     * No-op initializer implementation.
     *
     * @throws InitializationException never thrown
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // Nothing to do here.
    }
    /**
     * Analyzes python packages and adds evidence to the dependency.
     *
     * @param dependency the dependency being analyzed
     * @param engine the engine being used to perform the scan
     * @throws AnalysisException thrown if there is an unrecoverable error
     * analyzing the dependency
     */
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File file = dependency.getActualFile();
        final String parentName = file.getParentFile().getName();
        boolean found = false;
        final String contents = getFileContents(file);
        if (!contents.isEmpty()) {
            final Matcher matcher = VERSION_PATTERN.matcher(contents);
            if (matcher.find()) {
                dependency.getVersionEvidence().addEvidence(OPENSSLV_H, "Version Constant",
                        getOpenSSLVersion(Long.parseLong(matcher.group(1), HEXADECIMAL)), Confidence.HIGH);
                found = true;
            }
        }
        if (found) {
            dependency.setDisplayFileName(parentName + File.separatorChar + OPENSSLV_H);
            dependency.getVendorEvidence().addEvidence(OPENSSLV_H, "Vendor", "OpenSSL", Confidence.HIGHEST);
            dependency.getProductEvidence().addEvidence(OPENSSLV_H, "Product", "OpenSSL", Confidence.HIGHEST);
        } else {
            engine.getDependencies().remove(dependency);
        }
    }
    /**
     * Retrieves the contents of a given file.
     *
     * @param actualFile the file to read
     * @return the contents of the file
     * @throws AnalysisException thrown if there is an IO Exception
     */
    private String getFileContents(final File actualFile)
            throws AnalysisException {
        try {
            return FileUtils.readFileToString(actualFile, Charset.defaultCharset()).trim();
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
    }
    /**
     * Returns the setting for the analyzer enabled setting key.
     *
     * @return the setting for the analyzer enabled setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_OPENSSL_ENABLED;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java
@@ -0,0 +1,404 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedInputStream;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.io.InputStream;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import javax.mail.MessagingException;
 import javax.mail.internet.InternetHeaders;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.ExtractionException;
 import org.owasp.dependencycheck.utils.ExtractionUtil;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 /**
 * Used to analyze a Wheel or egg distribution files, or their contents in
 * unzipped form, and collect information that can be used to determine the
 * associated CPE.
 *
 * @author Dale Visser
 */
@Experimental
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Name of egg metadata files to analyze.
     */
    private static final String PKG_INFO = "PKG-INFO";
    /**
     * Name of wheel metadata files to analyze.
     */
    private static final String METADATA = "METADATA";
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory
            .getLogger(PythonDistributionAnalyzer.class);
    /**
     * The count of directories created during analysis. This is used for
     * creating temporary directories.
     */
    private static int dirCount = 0;
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Python Distribution Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The set of file extensions supported by this analyzer.
     */
    private static final String[] EXTENSIONS = {"whl", "egg", "zip"};
    /**
     * Used to match on egg archive candidate extensions.
     */
    private static final FileFilter EGG_OR_ZIP = FileFilterBuilder.newInstance().addExtensions("egg", "zip").build();
    /**
     * Used to detect files with a .whl extension.
     */
    private static final FileFilter WHL_FILTER = FileFilterBuilder.newInstance().addExtensions("whl").build();
    /**
     * The parent directory for the individual directories per archive.
     */
    private File tempFileLocation;
    /**
     * Filter that detects *.dist-info files (but doesn't verify they are
     * directories.
     */
    private static final FilenameFilter DIST_INFO_FILTER = new SuffixFileFilter(
            ".dist-info");
    /**
     * Filter that detects files named "METADATA".
     */
    private static final FilenameFilter EGG_INFO_FILTER = new NameFileFilter(
            "EGG-INFO");
    /**
     * Filter that detects files named "METADATA".
     */
    private static final NameFileFilter METADATA_FILTER = new NameFileFilter(
            METADATA);
    /**
     * Filter that detects files named "PKG-INFO".
     */
    private static final NameFileFilter PKG_INFO_FILTER = new NameFileFilter(
            PKG_INFO);
    /**
     * The file filter used to determine which files this analyzer supports.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFileFilters(
            METADATA_FILTER, PKG_INFO_FILTER).addExtensions(EXTENSIONS).build();
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File actualFile = dependency.getActualFile();
        if (WHL_FILTER.accept(actualFile)) {
            collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER,
                    METADATA_FILTER);
        } else if (EGG_OR_ZIP.accept(actualFile)) {
            collectMetadataFromArchiveFormat(dependency, EGG_INFO_FILTER,
                    PKG_INFO_FILTER);
        } else {
            final String name = actualFile.getName();
            final boolean metadata = METADATA.equals(name);
            if (metadata || PKG_INFO.equals(name)) {
                final File parent = actualFile.getParentFile();
                final String parentName = parent.getName();
                dependency.setDisplayFileName(parentName + "/" + name);
                if (parent.isDirectory()
                        && (metadata && parentName.endsWith(".dist-info")
                        || parentName.endsWith(".egg-info") || "EGG-INFO"
                        .equals(parentName))) {
                    collectWheelMetadata(dependency, actualFile);
                }
            }
        }
    }
    /**
     * Collects the meta data from an archive.
     *
     * @param dependency the archive being scanned
     * @param folderFilter the filter to apply to the folder
     * @param metadataFilter the filter to apply to the meta data
     * @throws AnalysisException thrown when there is a problem analyzing the
     * dependency
     */
    private void collectMetadataFromArchiveFormat(Dependency dependency,
            FilenameFilter folderFilter, FilenameFilter metadataFilter)
            throws AnalysisException {
        final File temp = getNextTempDirectory();
        LOGGER.debug("{} exists? {}", temp, temp.exists());
        try {
            ExtractionUtil.extractFilesUsingFilter(
                    new File(dependency.getActualFilePath()), temp,
                    metadataFilter);
        } catch (ExtractionException ex) {
            throw new AnalysisException(ex);
        }
        File matchingFile = getMatchingFile(temp, folderFilter);
        if (matchingFile != null) {
            matchingFile = getMatchingFile(matchingFile, metadataFilter);
            if (matchingFile != null) {
                collectWheelMetadata(dependency, matchingFile);
            }
        }
    }
    /**
     * Makes sure a usable temporary directory is available.
     *
     * @throws InitializationException an AnalyzeException is thrown when the
     * temp directory cannot be created
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        try {
            final File baseDir = Settings.getTempDirectory();
            tempFileLocation = File.createTempFile("check", "tmp", baseDir);
            if (!tempFileLocation.delete()) {
                setEnabled(false);
                final String msg = String.format(
                        "Unable to delete temporary file '%s'.",
                        tempFileLocation.getAbsolutePath());
                throw new InitializationException(msg);
            }
            if (!tempFileLocation.mkdirs()) {
                setEnabled(false);
                final String msg = String.format(
                        "Unable to create directory '%s'.",
                        tempFileLocation.getAbsolutePath());
                throw new InitializationException(msg);
            }
        } catch (IOException ex) {
            setEnabled(false);
            throw new InitializationException("Unable to create a temporary file", ex);
        }
    }
    /**
     * Deletes any files extracted from the Wheel during analysis.
     */
    @Override
    public void close() {
        if (tempFileLocation != null && tempFileLocation.exists()) {
            LOGGER.debug("Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
            if (!success) {
                LOGGER.warn(
                        "Failed to delete some temporary files, see the log for more details");
            }
        }
    }
    /**
     * Gathers evidence from the METADATA file.
     *
     * @param dependency the dependency being analyzed
     * @param file a reference to the manifest/properties file
     */
    private static void collectWheelMetadata(Dependency dependency, File file) {
        final InternetHeaders headers = getManifestProperties(file);
        addPropertyToEvidence(headers, dependency.getVersionEvidence(),
                "Version", Confidence.HIGHEST);
        addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name",
                Confidence.HIGHEST);
        final String url = headers.getHeader("Home-page", null);
        final EvidenceCollection vendorEvidence = dependency
                .getVendorEvidence();
        if (StringUtils.isNotBlank(url)) {
            if (UrlStringUtils.isUrl(url)) {
                vendorEvidence.addEvidence(METADATA, "vendor", url,
                        Confidence.MEDIUM);
            }
        }
        addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW);
        final String summary = headers.getHeader("Summary", null);
        if (StringUtils.isNotBlank(summary)) {
            JarAnalyzer
                    .addDescription(dependency, summary, METADATA, "summary");
        }
    }
    /**
     * Adds a value to the evidence collection.
     *
     * @param headers the properties collection
     * @param evidence the evidence collection to add the value
     * @param property the property name
     * @param confidence the confidence of the evidence
     */
    private static void addPropertyToEvidence(InternetHeaders headers,
            EvidenceCollection evidence, String property, Confidence confidence) {
        final String value = headers.getHeader(property, null);
        LOGGER.debug("Property: {}, Value: {}", property, value);
        if (StringUtils.isNotBlank(value)) {
            evidence.addEvidence(METADATA, property, value, confidence);
        }
    }
    /**
     * Returns a list of files that match the given filter, this does not
     * recursively scan the directory.
     *
     * @param folder the folder to filter
     * @param filter the filter to apply to the files in the directory
     * @return the list of Files in the directory that match the provided filter
     */
    private static File getMatchingFile(File folder, FilenameFilter filter) {
        File result = null;
        final File[] matches = folder.listFiles(filter);
        if (null != matches && 1 == matches.length) {
            result = matches[0];
        }
        return result;
    }
    /**
     * Reads the manifest entries from the provided file.
     *
     * @param manifest the manifest
     * @return the manifest entries
     */
    private static InternetHeaders getManifestProperties(File manifest) {
        final InternetHeaders result = new InternetHeaders();
        if (null == manifest) {
            LOGGER.debug("Manifest file not found.");
        } else {
            InputStream in = null;
            try {
                in = new BufferedInputStream(new FileInputStream(manifest));
                result.load(in);
            } catch (MessagingException e) {
                LOGGER.warn(e.getMessage(), e);
            } catch (FileNotFoundException e) {
                LOGGER.warn(e.getMessage(), e);
            } finally {
                if (in != null) {
                    try {
                        in.close();
                    } catch (IOException ex) {
                        LOGGER.debug("failed to close input stream", ex);
                    }
                }
            }
        }
        return result;
    }
    /**
     * Retrieves the next temporary destination directory for extracting an
     * archive.
     *
     * @return a directory
     * @throws AnalysisException thrown if unable to create temporary directory
     */
    private File getNextTempDirectory() throws AnalysisException {
        File directory;
        // getting an exception for some directories not being able to be
        // created; might be because the directory already exists?
        do {
            dirCount += 1;
            directory = new File(tempFileLocation, String.valueOf(dirCount));
        } while (directory.exists());
        if (!directory.mkdirs()) {
            throw new AnalysisException(String.format(
                    "Unable to create temp directory '%s'.",
                    directory.getAbsolutePath()));
        }
        return directory;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -0,0 +1,324 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.apache.commons.io.filefilter.NameFileFilter;
 import org.apache.commons.io.filefilter.SuffixFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.exception.InitializationException;
 /**
 * Used to analyze a Python package, and collect information that can be used to
 * determine the associated CPE.
 *
 * @author Dale Visser
 */
@Experimental
 public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Used when compiling file scanning regex patterns.
     */
    private static final int REGEX_OPTIONS = Pattern.DOTALL
            | Pattern.CASE_INSENSITIVE;
    /**
     * Filename extensions for files to be analyzed.
     */
    private static final String EXTENSIONS = "py";
    /**
     * Pattern for matching the module docstring in a source file.
     */
    private static final Pattern MODULE_DOCSTRING = Pattern.compile(
            "^(['\\\"]{3})(.*?)\\1", REGEX_OPTIONS);
    /**
     * Matches assignments to version variables in Python source code.
     */
    private static final Pattern VERSION_PATTERN = Pattern.compile(
            "\\b(__)?version(__)? *= *(['\"]+)(\\d+\\.\\d+.*?)\\3",
            REGEX_OPTIONS);
    /**
     * Matches assignments to title variables in Python source code.
     */
    private static final Pattern TITLE_PATTERN = compileAssignPattern("title");
    /**
     * Matches assignments to summary variables in Python source code.
     */
    private static final Pattern SUMMARY_PATTERN = compileAssignPattern("summary");
    /**
     * Matches assignments to URL/URL variables in Python source code.
     */
    private static final Pattern URI_PATTERN = compileAssignPattern("ur[il]");
    /**
     * Matches assignments to home page variables in Python source code.
     */
    private static final Pattern HOMEPAGE_PATTERN = compileAssignPattern("home_?page");
    /**
     * Matches assignments to author variables in Python source code.
     */
    private static final Pattern AUTHOR_PATTERN = compileAssignPattern("author");
    /**
     * Filter that detects files named "__init__.py".
     */
    private static final FileFilter INIT_PY_FILTER = new NameFileFilter("__init__.py");
    /**
     * The file filter for python files.
     */
    private static final FileFilter PY_FILTER = new SuffixFileFilter(".py");
    /**
     * Returns the name of the Python Package Analyzer.
     *
     * @return the name of the analyzer
     */
    @Override
    public String getName() {
        return "Python Package Analyzer";
    }
    /**
     * Tell that we are used for information collection.
     *
     * @return INFORMATION_COLLECTION
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.INFORMATION_COLLECTION;
    }
    /**
     * The file filter used to determine which files this analyzer supports.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * No-op initializer implementation.
     *
     * @throws InitializationException never thrown
     */
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // Nothing to do here.
    }
    /**
     * Utility function to create a regex pattern matcher.
     *
     * @param name the value to use when constructing the assignment pattern
     * @return the compiled Pattern
     */
    private static Pattern compileAssignPattern(String name) {
        return Pattern.compile(
                String.format("\\b(__)?%s(__)?\\b *= *(['\"]+)(.*?)\\3", name),
                REGEX_OPTIONS);
    }
    /**
     * Analyzes python packages and adds evidence to the dependency.
     *
     * @param dependency the dependency being analyzed
     * @param engine the engine being used to perform the scan
     * @throws AnalysisException thrown if there is an unrecoverable error
     * analyzing the dependency
     */
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        final File file = dependency.getActualFile();
        final File parent = file.getParentFile();
        final String parentName = parent.getName();
        if (INIT_PY_FILTER.accept(file)) {
            //by definition, the containing folder of __init__.py is considered the package, even the file is empty:
            //"The __init__.py files are required to make Python treat the directories as containing packages"
            //see section "6.4 Packages" from https://docs.python.org/2/tutorial/modules.html;
            dependency.setDisplayFileName(parentName + "/__init__.py");
            dependency.getProductEvidence().addEvidence(file.getName(),
                    "PackageName", parentName, Confidence.HIGHEST);
            final File[] fileList = parent.listFiles(PY_FILTER);
            if (fileList != null) {
                for (final File sourceFile : fileList) {
                    analyzeFileContents(dependency, sourceFile);
                }
            }
        } else {
            // copy, alter and set in case some other thread is iterating over
            final List<Dependency> dependencies = new ArrayList<Dependency>(
                    engine.getDependencies());
            dependencies.remove(dependency);
            engine.setDependencies(dependencies);
        }
    }
    /**
     * This should gather information from leading docstrings, file comments,
     * and assignments to __version__, __title__, __summary__, __uri__, __url__,
     * __home*page__, __author__, and their all caps equivalents.
     *
     * @param dependency the dependency being analyzed
     * @param file the file name to analyze
     * @return whether evidence was found
     * @throws AnalysisException thrown if there is an unrecoverable error
     */
    private boolean analyzeFileContents(Dependency dependency, File file)
            throws AnalysisException {
        String contents;
        try {
            contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        boolean found = false;
        if (!contents.isEmpty()) {
            final String source = file.getName();
            found = gatherEvidence(VERSION_PATTERN, contents, source,
                    dependency.getVersionEvidence(), "SourceVersion",
                    Confidence.MEDIUM);
            found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents,
                    source, "summary");
            if (INIT_PY_FILTER.accept(file)) {
                found |= addSummaryInfo(dependency, MODULE_DOCSTRING, 2,
                        contents, source, "docstring");
            }
            found |= gatherEvidence(TITLE_PATTERN, contents, source,
                    dependency.getProductEvidence(), "SourceTitle",
                    Confidence.LOW);
            final EvidenceCollection vendorEvidence = dependency
                    .getVendorEvidence();
            found |= gatherEvidence(AUTHOR_PATTERN, contents, source,
                    vendorEvidence, "SourceAuthor", Confidence.MEDIUM);
            found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence,
                    source, "URL", contents);
            found |= gatherHomePageEvidence(HOMEPAGE_PATTERN,
                    vendorEvidence, source, "HomePage", contents);
        }
        return found;
    }
    /**
     * Adds summary information to the dependency
     *
     * @param dependency the dependency being analyzed
     * @param pattern the pattern used to perform analysis
     * @param group the group from the pattern that indicates the data to use
     * @param contents the data being analyzed
     * @param source the source name to use when recording the evidence
     * @param key the key name to use when recording the evidence
     * @return true if evidence was collected; otherwise false
     */
    private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
            int group, String contents, String source, String key) {
        final Matcher matcher = pattern.matcher(contents);
        final boolean found = matcher.find();
        if (found) {
            JarAnalyzer.addDescription(dependency, matcher.group(group),
                    source, key);
        }
        return found;
    }
    /**
     * Collects evidence from the home page URL.
     *
     * @param pattern the pattern to match
     * @param evidence the evidence collection to add the evidence to
     * @param source the source of the evidence
     * @param name the name of the evidence
     * @param contents the home page URL
     * @return true if evidence was collected; otherwise false
     */
    private boolean gatherHomePageEvidence(Pattern pattern,
            EvidenceCollection evidence, String source, String name,
            String contents) {
        final Matcher matcher = pattern.matcher(contents);
        boolean found = false;
        if (matcher.find()) {
            final String url = matcher.group(4);
            if (UrlStringUtils.isUrl(url)) {
                found = true;
                evidence.addEvidence(source, name, url, Confidence.MEDIUM);
            }
        }
        return found;
    }
    /**
     * Gather evidence from a Python source file using the given string
     * assignment regex pattern.
     *
     * @param pattern to scan contents with
     * @param contents of Python source file
     * @param source for storing evidence
     * @param evidence to store evidence in
     * @param name of evidence
     * @param confidence in evidence
     * @return whether evidence was found
     */
    private boolean gatherEvidence(Pattern pattern, String contents,
            String source, EvidenceCollection evidence, String name,
            Confidence confidence) {
        final Matcher matcher = pattern.matcher(contents);
        final boolean found = matcher.find();
        if (found) {
            evidence.addEvidence(source, name, matcher.group(4), confidence);
        }
        return found;
    }
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -0,0 +1,505 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.InputStreamReader;
 import java.io.UnsupportedEncodingException;
 import java.nio.charset.Charset;
 import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party
 * bundle-audit tool.
 *
 * @author Dale Visser
 */
@Experimental
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
    /**
     * The filter defining which files will be analyzed.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
    /**
     * Name.
     */
    public static final String NAME = "Name: ";
    /**
     * Version.
     */
    public static final String VERSION = "Version: ";
    /**
     * Advisory.
     */
    public static final String ADVISORY = "Advisory: ";
    /**
     * Criticality.
     */
    public static final String CRITICALITY = "Criticality: ";
    /**
     * The DAL.
     */
    private CveDB cvedb;
    /**
     * @return a filter that accepts files named Gemfile.lock
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Launch bundle-audit.
     *
     * @param folder directory that contains bundle audit
     * @return a handle to the process
     * @throws AnalysisException thrown when there is an issue launching bundle
     * audit
     */
    private Process launchBundleAudit(File folder) throws AnalysisException {
        if (!folder.isDirectory()) {
            throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
        }
        final List<String> args = new ArrayList<String>();
        final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
        args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
        args.add("check");
        args.add("--verbose");
        final ProcessBuilder builder = new ProcessBuilder(args);
        builder.directory(folder);
        try {
            LOGGER.info("Launching: " + args + " from " + folder);
            return builder.start();
        } catch (IOException ioe) {
            throw new AnalysisException("bundle-audit failure", ioe);
        }
    }
    /**
     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
     * temporary location.
     *
     * @throws InitializationException if anything goes wrong
     */
    @Override
    public void initializeFileTypeAnalyzer() throws InitializationException {
        try {
            cvedb = new CveDB();
            cvedb.open();
        } catch (DatabaseException ex) {
            LOGGER.warn("Exception opening the database");
            LOGGER.debug("error", ex);
            setEnabled(false);
            throw new InitializationException("Error connecting to the database", ex);
        }
        // Now, need to see if bundle-audit actually runs from this location.
        Process process = null;
        try {
            process = launchBundleAudit(Settings.getTempDirectory());
        } catch (AnalysisException ae) {
            setEnabled(false);
            cvedb.close();
            cvedb = null;
            final String msg = String.format("Exception from bundle-audit process: %s. Disabling %s", ae.getCause(), ANALYZER_NAME);
            throw new InitializationException(msg, ae);
        } catch (IOException ex) {
            setEnabled(false);
            throw new InitializationException("Unable to create temporary file, the Ruby Bundle Audit Analyzer will be disabled", ex);
        }
        final int exitValue;
        try {
            exitValue = process.waitFor();
        } catch (InterruptedException ex) {
            setEnabled(false);
            final String msg = String.format("Bundle-audit process was interupted. Disabling %s", ANALYZER_NAME);
            throw new InitializationException(msg);
        }
        if (0 == exitValue) {
            setEnabled(false);
            final String msg = String.format("Unexpected exit code from bundle-audit process. Disabling %s: %s", ANALYZER_NAME, exitValue);
            throw new InitializationException(msg);
        } else {
            BufferedReader reader = null;
            try {
                reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
                if (!reader.ready()) {
                    LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
                    setEnabled(false);
                    throw new InitializationException("Bundle-audit error stream unexpectedly not ready.");
                } else {
                    final String line = reader.readLine();
                    if (line == null || !line.contains("Errno::ENOENT")) {
                        LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                        setEnabled(false);
                        throw new InitializationException("Unexpected bundle-audit output.");
                    }
                }
            } catch (UnsupportedEncodingException ex) {
                setEnabled(false);
                throw new InitializationException("Unexpected bundle-audit encoding.", ex);
            } catch (IOException ex) {
                setEnabled(false);
                throw new InitializationException("Unable to read bundle-audit output.", ex);
            } finally {
                if (null != reader) {
                    try {
                        reader.close();
                    } catch (IOException ex) {
                        LOGGER.debug("Error closing reader", ex);
                    }
                }
            }
        }
        if (isEnabled()) {
            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
                    + "occasionally to keep its database up to date.");
        }
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
    }
    /**
     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have
     * successfully initialized, and it will be necessary to disable
     * {@link RubyGemspecAnalyzer}.
     */
    private boolean needToDisableGemspecAnalyzer = true;
    /**
     * Determines if the analyzer can analyze the given file type.
     *
     * @param dependency the dependency to determine if it can analyze
     * @param engine the dependency-check engine
     * @throws AnalysisException thrown if there is an analysis exception.
     */
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        if (needToDisableGemspecAnalyzer) {
            boolean failed = true;
            final String className = RubyGemspecAnalyzer.class.getName();
            for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
                if (analyzer instanceof RubyBundlerAnalyzer) {
                    ((RubyBundlerAnalyzer) analyzer).setEnabled(false);
                    LOGGER.info("Disabled " + RubyBundlerAnalyzer.class.getName() + " to avoid noisy duplicate results.");
                } else if (analyzer instanceof RubyGemspecAnalyzer) {
                    ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
                    LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
                    failed = false;
                }
            }
            if (failed) {
                LOGGER.warn("Did not find " + className + '.');
            }
            needToDisableGemspecAnalyzer = false;
        }
        final File parentFile = dependency.getActualFile().getParentFile();
        final Process process = launchBundleAudit(parentFile);
        final int exitValue;
        try {
            exitValue = process.waitFor();
        } catch (InterruptedException ie) {
            throw new AnalysisException("bundle-audit process interrupted", ie);
        }
        if (exitValue != 0) {
            final String msg = String.format("Unexpected exit code from bundle-audit process; exit code: %s", exitValue);
            throw new AnalysisException(msg);
        }
        BufferedReader rdr = null;
        BufferedReader errReader = null;
        try {
            errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
            while (errReader.ready()) {
                final String error = errReader.readLine();
                LOGGER.warn(error);
            }
            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
            processBundlerAuditOutput(dependency, engine, rdr);
        } catch (IOException ioe) {
            LOGGER.warn("bundle-audit failure", ioe);
        } finally {
            if (errReader != null) {
                try {
                    errReader.close();
                } catch (IOException ioe) {
                    LOGGER.warn("bundle-audit close failure", ioe);
                }
            }
            if (null != rdr) {
                try {
                    rdr.close();
                } catch (IOException ioe) {
                    LOGGER.warn("bundle-audit close failure", ioe);
                }
            }
        }
    }
    /**
     * Processes the bundler audit output.
     *
     * @param original the dependency
     * @param engine the dependency-check engine
     * @param rdr the reader of the report
     * @throws IOException thrown if the report cannot be read.
     */
    private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
        final String parentName = original.getActualFile().getParentFile().getName();
        final String fileName = original.getFileName();
        final String filePath = original.getFilePath();
        Dependency dependency = null;
        Vulnerability vulnerability = null;
        String gem = null;
        final Map<String, Dependency> map = new HashMap<String, Dependency>();
        boolean appendToDescription = false;
        while (rdr.ready()) {
            final String nextLine = rdr.readLine();
            if (null == nextLine) {
                break;
            } else if (nextLine.startsWith(NAME)) {
                appendToDescription = false;
                gem = nextLine.substring(NAME.length());
                if (!map.containsKey(gem)) {
                    map.put(gem, createDependencyForGem(engine, parentName, fileName, filePath, gem));
                }
                dependency = map.get(gem);
                LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
            } else if (nextLine.startsWith(VERSION)) {
                vulnerability = createVulnerability(parentName, dependency, gem, nextLine);
            } else if (nextLine.startsWith(ADVISORY)) {
                setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
            } else if (nextLine.startsWith(CRITICALITY)) {
                addCriticalityToVulnerability(parentName, vulnerability, nextLine);
            } else if (nextLine.startsWith("URL: ")) {
                addReferenceToVulnerability(parentName, vulnerability, nextLine);
            } else if (nextLine.startsWith("Description:")) {
                appendToDescription = true;
                if (null != vulnerability) {
                    vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. "
                            + "Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 "
                            + " indicates unknown). See link below for full details. *** ");
                }
            } else if (appendToDescription) {
                if (null != vulnerability) {
                    vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
                }
            }
        }
    }
    /**
     * Sets the vulnerability name.
     *
     * @param parentName the parent name
     * @param dependency the dependency
     * @param vulnerability the vulnerability
     * @param nextLine the line to parse
     */
    private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
        final String advisory = nextLine.substring((ADVISORY.length()));
        if (null != vulnerability) {
            vulnerability.setName(advisory);
        }
        if (null != dependency) {
            dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    /**
     * Adds a reference to the vulnerability.
     *
     * @param parentName the parent name
     * @param vulnerability the vulnerability
     * @param nextLine the line to parse
     */
    private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
        final String url = nextLine.substring(("URL: ").length());
        if (null != vulnerability) {
            final Reference ref = new Reference();
            ref.setName(vulnerability.getName());
            ref.setSource("bundle-audit");
            ref.setUrl(url);
            vulnerability.getReferences().add(ref);
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    /**
     * Adds the criticality to the vulnerability
     *
     * @param parentName the parent name
     * @param vulnerability the vulnerability
     * @param nextLine the line to parse
     */
    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
        if (null != vulnerability) {
            final String criticality = nextLine.substring(CRITICALITY.length()).trim();
            float score = -1.0f;
            Vulnerability v = null;
            try {
                v = cvedb.getVulnerability(vulnerability.getName());
            } catch (DatabaseException ex) {
                LOGGER.debug("Unable to look up vulnerability {}", vulnerability.getName());
            }
            if (v != null) {
                score = v.getCvssScore();
            } else if ("High".equalsIgnoreCase(criticality)) {
                score = 8.5f;
            } else if ("Medium".equalsIgnoreCase(criticality)) {
                score = 5.5f;
            } else if ("Low".equalsIgnoreCase(criticality)) {
                score = 2.0f;
            }
            vulnerability.setCvssScore(score);
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    /**
     * Creates a vulnerability.
     *
     * @param parentName the parent name
     * @param dependency the dependency
     * @param gem the gem name
     * @param nextLine the line to parse
     * @return the vulnerability
     */
    private Vulnerability createVulnerability(String parentName, Dependency dependency, String gem, String nextLine) {
        Vulnerability vulnerability = null;
        if (null != dependency) {
            final String version = nextLine.substring(VERSION.length());
            dependency.getVersionEvidence().addEvidence(
                    "bundler-audit",
                    "Version",
                    version,
                    Confidence.HIGHEST);
            vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
            vulnerability.setMatchedCPE(
                    String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
                    null);
            vulnerability.setCvssAccessVector("-");
            vulnerability.setCvssAccessComplexity("-");
            vulnerability.setCvssAuthentication("-");
            vulnerability.setCvssAvailabilityImpact("-");
            vulnerability.setCvssConfidentialityImpact("-");
            vulnerability.setCvssIntegrityImpact("-");
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
        return vulnerability;
    }
    /**
     * Creates the dependency based off of the gem.
     *
     * @param engine the engine used for scanning
     * @param parentName the gem parent
     * @param fileName the file name
     * @param filePath the file path
     * @param gem the gem name
     * @return the dependency to add
     * @throws IOException thrown if a temporary gem file could not be written
     */
    private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String filePath, String gem) throws IOException {
        final File gemFile = new File(Settings.getTempDirectory(), gem + "_Gemfile.lock");
        if (!gemFile.createNewFile()) {
            throw new IOException("Unable to create temporary gem file");
        }
        final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
        FileUtils.write(gemFile, displayFileName, Charset.defaultCharset()); // unique contents to avoid dependency bundling
        final Dependency dependency = new Dependency(gemFile);
        dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
        dependency.setDisplayFileName(displayFileName);
        dependency.setFileName(fileName);
        dependency.setFilePath(filePath);
        engine.getDependencies().add(dependency);
        return dependency;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundlerAnalyzer.java
@@ -0,0 +1,140 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FilenameFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 /**
 * This analyzer accepts the fully resolved .gemspec created by the Ruby bundler
 * (http://bundler.io) for better evidence results. It also tries to resolve the
 * dependency packagePath to where the gem is actually installed. Then during {@link org.owasp.dependencycheck.analyzer.AnalysisPhase#PRE_FINDING_ANALYSIS}
 * {@link DependencyBundlingAnalyzer} will merge two .gemspec dependencies
 * together if <code>Dependency.getPackagePath()</code> are the same.
 *
 * Ruby bundler creates new .gemspec files under a folder called
 * "specifications" at deploy time, in addition to the original .gemspec files
 * from source. The bundler generated .gemspec files always contain fully
 * resolved attributes thus provide more accurate evidences, whereas the
 * original .gemspec from source often contain variables for attributes that
 * can't be used for evidences.
 *
 * Note this analyzer share the same
 * {@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_RUBY_GEMSPEC_ENABLED} as
 * {@link RubyGemspecAnalyzer}, so it will enabled/disabled with
 * {@link RubyGemspecAnalyzer}.
 *
 * @author Bianca Jiang (https://twitter.com/biancajiang)
 */
@Experimental
 public class RubyBundlerAnalyzer extends RubyGemspecAnalyzer {
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Ruby Bundler Analyzer";
    /**
     * Folder name that contains .gemspec files created by "bundle install"
     */
    private static final String SPECIFICATIONS = "specifications";
    /**
     * Folder name that contains the gems by "bundle install"
     */
    private static final String GEMS = "gems";
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Only accept *.gemspec files generated by "bundle install --deployment"
     * under "specifications" folder.
     *
     * @param pathname the path name to test
     * @return true if the analyzer can process the given file; otherwise false
     */
    @Override
    public boolean accept(File pathname) {
        boolean accepted = super.accept(pathname);
        if (accepted) {
            final File parentDir = pathname.getParentFile();
            accepted = parentDir != null && parentDir.getName().equals(SPECIFICATIONS);
        }
        return accepted;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        super.analyzeFileType(dependency, engine);
        //find the corresponding gem folder for this .gemspec stub by "bundle install --deployment"
        final File gemspecFile = dependency.getActualFile();
        final String gemFileName = gemspecFile.getName();
        final String gemName = gemFileName.substring(0, gemFileName.lastIndexOf(".gemspec"));
        final File specificationsDir = gemspecFile.getParentFile();
        if (specificationsDir != null && specificationsDir.getName().equals(SPECIFICATIONS) && specificationsDir.exists()) {
            final File parentDir = specificationsDir.getParentFile();
            if (parentDir != null && parentDir.exists()) {
                final File gemsDir = new File(parentDir, GEMS);
                if (gemsDir.exists()) {
                    final File[] matchingFiles = gemsDir.listFiles(new FilenameFilter() {
                        @Override
                        public boolean accept(File dir, String name) {
                            return name.equals(gemName);
                        }
                    });
                    if (matchingFiles != null && matchingFiles.length > 0) {
                        final String gemPath = matchingFiles[0].getAbsolutePath();
                        if (dependency.getActualFilePath().equals(dependency.getFilePath())) {
                            if (gemPath != null) {
                                dependency.setPackagePath(gemPath);
                            }
                        } else {
                            //.gemspec's actualFilePath and filePath are different when it's from a compressed file
                            //in which case actualFilePath is the temp directory used by decompression.
                            //packagePath should use the filePath of the identified gem file in "gems" folder
                            final File gemspecStub = new File(dependency.getFilePath());
                            final File specDir = gemspecStub.getParentFile();
                            if (specDir != null && specDir.getName().equals(SPECIFICATIONS)) {
                                final File gemsDir2 = new File(specDir.getParentFile(), GEMS);
                                final File packageDir = new File(gemsDir2, gemName);
                                dependency.setPackagePath(packageDir.getAbsolutePath());
                            }
                        }
                    }
                }
            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -0,0 +1,249 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FilenameFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * Used to analyze Ruby Gem specifications and collect information that can be
 * used to determine the associated CPE. Regular expressions are used to parse
 * the well-defined Ruby syntax that forms the specification.
 *
 * @author Dale Visser
 */
@Experimental
 public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
    private static final Logger LOGGER = LoggerFactory.getLogger(RubyGemspecAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Ruby Gemspec Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The gemspec file extension.
     */
    private static final String GEMSPEC = "gemspec";
    /**
     * The file filter containing the list of file extensions that can be
     * analyzed.
     */
    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).build();
    //TODO: support Rakefile
    //= FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
    /**
     * The name of the version file.
     */
    private static final String VERSION_FILE_NAME = "VERSION";
    /**
     * @return a filter that accepts files matching the glob pattern, *.gemspec
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    @Override
    protected void initializeFileTypeAnalyzer() throws InitializationException {
        // NO-OP
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED;
    }
    /**
     * The capture group #1 is the block variable.
     */
    private static final Pattern GEMSPEC_BLOCK_INIT = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        String contents;
        try {
            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        final Matcher matcher = GEMSPEC_BLOCK_INIT.matcher(contents);
        if (matcher.find()) {
            contents = contents.substring(matcher.end());
            final String blockVariable = matcher.group(1);
            final EvidenceCollection vendor = dependency.getVendorEvidence();
            final EvidenceCollection product = dependency.getProductEvidence();
            final String name = addStringEvidence(product, contents, blockVariable, "name", "name", Confidence.HIGHEST);
            if (!name.isEmpty()) {
                vendor.addEvidence(GEMSPEC, "name_project", name + "_project", Confidence.LOW);
            }
            addStringEvidence(product, contents, blockVariable, "summary", "summary", Confidence.LOW);
            addStringEvidence(vendor, contents, blockVariable, "author", "authors?", Confidence.HIGHEST);
            addStringEvidence(vendor, contents, blockVariable, "email", "emails?", Confidence.MEDIUM);
            addStringEvidence(vendor, contents, blockVariable, "homepage", "homepage", Confidence.HIGHEST);
            addStringEvidence(vendor, contents, blockVariable, "license", "licen[cs]es?", Confidence.HIGHEST);
            final String value = addStringEvidence(dependency.getVersionEvidence(), contents,
                    blockVariable, "version", "version", Confidence.HIGHEST);
            if (value.length() < 1) {
                addEvidenceFromVersionFile(dependency.getActualFile(), dependency.getVersionEvidence());
            }
        }
        setPackagePath(dependency);
    }
    /**
     * Adds the specified evidence to the given evidence collection.
     *
     * @param evidences the collection to add the evidence to
     * @param contents the evidence contents
     * @param blockVariable the variable
     * @param field the field
     * @param fieldPattern the field pattern
     * @param confidence the confidence of the evidence
     * @return the evidence string value added
     */
    private String addStringEvidence(EvidenceCollection evidences, String contents,
            String blockVariable, String field, String fieldPattern, Confidence confidence) {
        String value = "";
        //capture array value between [ ]
        final Matcher arrayMatcher = Pattern.compile(
                String.format("\\s*?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
        if (arrayMatcher.find()) {
            final String arrayValue = arrayMatcher.group(1);
            value = arrayValue.replaceAll("['\"]", "").trim(); //strip quotes
        } else { //capture single value between quotes
            final Matcher matcher = Pattern.compile(
                    String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern), Pattern.CASE_INSENSITIVE).matcher(contents);
            if (matcher.find()) {
                value = matcher.group(2);
            }
        }
        if (value.length() > 0) {
            evidences.addEvidence(GEMSPEC, field, value, confidence);
        }
        return value;
    }
    /**
     * Adds evidence from the version file.
     *
     * @param dependencyFile the dependency being analyzed
     * @param versionEvidences the version evidence
     */
    private void addEvidenceFromVersionFile(File dependencyFile, EvidenceCollection versionEvidences) {
        final File parentDir = dependencyFile.getParentFile();
        if (parentDir != null) {
            final File[] matchingFiles = parentDir.listFiles(new FilenameFilter() {
                @Override
                public boolean accept(File dir, String name) {
                    return name.contains(VERSION_FILE_NAME);
                }
            });
            if (matchingFiles == null) {
                return;
            }
            for (File f : matchingFiles) {
                try {
                    final List<String> lines = FileUtils.readLines(f, Charset.defaultCharset());
                    if (lines.size() == 1) { //TODO other checking?
                        final String value = lines.get(0).trim();
                        versionEvidences.addEvidence(GEMSPEC, "version", value, Confidence.HIGH);
                    }
                } catch (IOException e) {
                    LOGGER.debug("Error reading gemspec", e);
                }
            }
        }
    }
    /**
     * Sets the package path on the dependency.
     *
     * @param dep the dependency to alter
     */
    private void setPackagePath(Dependency dep) {
        final File file = new File(dep.getFilePath());
        final String parent = file.getParent();
        if (parent != null) {
            dep.setPackagePath(parent);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/SwiftPackageManagerAnalyzer.java
@@ -0,0 +1,192 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 * This analyzer is used to analyze the SWIFT Package Manager
 * (https://swift.org/package-manager/). It collects information about a package
 * from Package.swift files.
 *
 * @author Bianca Jiang (https://twitter.com/biancajiang)
 */
@Experimental
 public class SwiftPackageManagerAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "SWIFT Package Manager Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    /**
     * The file name to scan.
     */
    public static final String SPM_FILE_NAME = "Package.swift";
    /**
     * Filter that detects files named "package.json".
     */
    private static final FileFilter SPM_FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(SPM_FILE_NAME).build();
    /**
     * The capture group #1 is the block variable. e.g. "import
     * PackageDescription let package = Package( name: "Gloss" )"
     */
    private static final Pattern SPM_BLOCK_PATTERN = Pattern.compile("let[^=]+=\\s*Package\\s*\\(\\s*([^)]*)\\s*\\)", Pattern.DOTALL);
    /**
     * Returns the FileFilter
     *
     * @return the FileFilter
     */
    @Override
    protected FileFilter getFileFilter() {
        return SPM_FILE_FILTER;
    }
    @Override
    protected void initializeFileTypeAnalyzer() {
        // NO-OP
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's
     * enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED;
    }
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        String contents;
        try {
            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
        } catch (IOException e) {
            throw new AnalysisException(
                    "Problem occurred while reading dependency file.", e);
        }
        final Matcher matcher = SPM_BLOCK_PATTERN.matcher(contents);
        if (matcher.find()) {
            final String packageDescription = matcher.group(1);
            if (packageDescription.isEmpty()) {
                return;
            }
            final EvidenceCollection product = dependency.getProductEvidence();
            final EvidenceCollection vendor = dependency.getVendorEvidence();
            //SPM is currently under development for SWIFT 3. Its current metadata includes package name and dependencies.
            //Future interesting metadata: version, license, homepage, author, summary, etc.
            final String name = addStringEvidence(product, packageDescription, "name", "name", Confidence.HIGHEST);
            if (name != null && !name.isEmpty()) {
                vendor.addEvidence(SPM_FILE_NAME, "name_project", name, Confidence.HIGHEST);
            }
        }
        setPackagePath(dependency);
    }
    /**
     * Extracts evidence from the package description and adds it to the given
     * evidence collection.
     *
     * @param evidences the evidence collection to update
     * @param packageDescription the text to extract evidence from
     * @param field the name of the field being searched for
     * @param fieldPattern the field pattern within the contents to search for
     * @param confidence the confidence level of the evidence if found
     * @return the string that was added as evidence
     */
    private String addStringEvidence(EvidenceCollection evidences,
            String packageDescription, String field, String fieldPattern, Confidence confidence) {
        String value = "";
        final Matcher matcher = Pattern.compile(
                String.format("%s *:\\s*\"([^\"]*)", fieldPattern), Pattern.DOTALL).matcher(packageDescription);
        if (matcher.find()) {
            value = matcher.group(1);
        }
        if (value != null) {
            value = value.trim();
            if (value.length() > 0) {
                evidences.addEvidence(SPM_FILE_NAME, field, value, confidence);
            }
        }
        return value;
    }
    /**
     * Sets the package path on the given dependency.
     *
     * @param dep the dependency to update
     */
    private void setPackagePath(Dependency dep) {
        final File file = new File(dep.getFilePath());
        final String parent = file.getParent();
        if (parent != null) {
            dep.setPackagePath(parent);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java
@@ -20,13 +20,13 @@ package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
 /**
 * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
 * Any identified Vulnerability entries within the dependencies that match will be removed.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer.exception;
 /**
 * An exception thrown when the analysis of a dependency fails.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class AnalysisException extends Exception {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java
@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer.exception;
 /**
 * An exception thrown when files in an archive cannot be extracted.
 *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
 */
 public class ArchiveExtractionException extends Exception {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java
@@ -1,12 +1,4 @@
 /**
- * <html>
+ * A collection of exception classes used within the analyzers.
 * <head>
 * <title>org.owasp.dependencycheck.analyzer.exception</title>
 * </head>
 * <body>
 * <p>
 * A collection of exception classes used within the analyzers.</p>
 * </body>
 * </html>
 */
 package org.owasp.dependencycheck.analyzer.exception;
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`# the path to the data directory`	`# the path to the data directory`
	`data.directory=dependency-check-data`	`data.directory=data/3.0`
		`@@ -1,3 +0,0 @@`
			`# define custom tasks here`

			`dependencycheck=org.owasp.dependencycheck.taskdefs.DependencyCheckTask`