version 1.2.3

Former-commit-id: c355adf9813220c4b3dac3450e80a83a245209a6
Merge branch 'colezlaw-master'
2026-01-14 07:43:40 +01:00 · 2014-06-28 06:06:33 -04:00 · 2014-06-26 20:33:45 -04:00 · 2014-06-26 20:33:35 -04:00 · 2014-06-26 20:32:07 -04:00 · 2014-06-26 15:14:55 -04:00
160 changed files with 31050 additions and 7988 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -17,4 +17,6 @@ Gemfile
 Gemfile.lock
 _site/**
 #unknown as to why these are showing up... but need to be ignored.
-.LCKpom.xml~
+.LCKpom.xml~
+#coverity
+/cov-int/
--- a/dependency-check-ant/config/checkstyle-suppressions.xml
+++ b/dependency-check-ant/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<!DOCTYPE suppressions PUBLIC
-     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
-     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
-
-<suppressions>
-    <suppress checks=".*" files=".*[\\/]package-info\.java" />
-</suppressions>
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -21,7 +21,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.3</version>
    </parent>

    <artifactId>dependency-check-ant</artifactId>
@@ -398,9 +398,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
@@ -412,6 +412,15 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -430,6 +439,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -62,6 +62,10 @@ public class DependencyCheckTask extends Task {
     * System specific new line character.
     */
    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyCheckTask.class.getName());

    /**
     * Construct a new DependencyCheckTask.
@@ -281,26 +285,50 @@ public class DependencyCheckTask extends Task {
        this.reportFormat = reportFormat.getValue();
    }
    /**
-     * The Proxy URL.
+     * The Proxy Server.
     */
-    private String proxyUrl;
+    private String proxyServer;

    /**
-     * Get the value of proxyUrl.
+     * Get the value of proxyServer.
     *
-     * @return the value of proxyUrl
+     * @return the value of proxyServer
     */
-    public String getProxyUrl() {
-        return proxyUrl;
+    public String getProxyServer() {
+        return proxyServer;
    }

    /**
-     * Set the value of proxyUrl.
+     * Set the value of proxyServer.
     *
-     * @param proxyUrl new value of proxyUrl
+     * @param server new value of proxyServer
     */
+    public void setProxyServer(String server) {
+        this.proxyServer = server;
+    }
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
+     */
+    @Deprecated
+    public String getProxyUrl() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyUrl new value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
+     * instead
+     */
+    @Deprecated
    public void setProxyUrl(String proxyUrl) {
-        this.proxyUrl = proxyUrl;
+        LOGGER.warning("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.");
+        this.proxyServer = proxyUrl;
    }
    /**
     * The Proxy Port.
@@ -457,6 +485,81 @@ public class DependencyCheckTask extends Task {
        this.showSummary = showSummary;
    }

+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param jarAnalyzerEnabled the value of the new setting
+     */
+    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the Archive Analyzer is enabled.
+     */
+    private boolean archiveAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isArchiveAnalyzerEnabled() {
+        return archiveAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Assembly Analyzer is enabled.
+     */
+    private boolean assemblyAnalyzerEnabled = true;
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param archiveAnalyzerEnabled the value of the new setting
+     */
+    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
+    }
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isAssemblyAnalyzerEnabled() {
+        return assemblyAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param assemblyAnalyzerEnabled the value of the new setting
+     */
+    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Nuspec Analyzer is enabled.
+     */
+    private boolean nuspecAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isNuspecAnalyzerEnabled() {
+        return nuspecAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param nuspecAnalyzerEnabled the value of the new setting
+     */
+    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
+    }
+
    /**
     * Whether or not the nexus analyzer is enabled.
     */
@@ -787,7 +890,7 @@ public class DependencyCheckTask extends Task {

        Engine engine = null;
        try {
-            engine = new Engine();
+            engine = new Engine(DependencyCheckTask.class.getClassLoader());

            for (Resource resource : path) {
                final FileProvider provider = resource.as(FileProvider.class);
@@ -807,7 +910,7 @@ public class DependencyCheckTask extends Task {
                    cve.open();
                    prop = cve.getDatabaseProperties();
                } catch (DatabaseException ex) {
-                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                    LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
                } finally {
                    if (cve != null) {
                        cve.close();
@@ -823,19 +926,17 @@ public class DependencyCheckTask extends Task {
                    showSummary(engine.getDependencies());
                }
            } catch (IOException ex) {
-                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
-                        "Unable to generate dependency-check report", ex);
+                LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
                throw new BuildException("Unable to generate dependency-check report", ex);
            } catch (Exception ex) {
-                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
-                        "An exception occurred; unable to continue task", ex);
+                LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
                throw new BuildException("An exception occurred; unable to continue task", ex);
            }
        } catch (DatabaseException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
-                    "Unable to connect to the dependency-check database; analysis has stopped");
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
        } finally {
+            Settings.cleanup(true);
            if (engine != null) {
                engine.cleanup();
            }
@@ -858,22 +959,23 @@ public class DependencyCheckTask extends Task {

    /**
     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy url, port, and connection timeout.
+     * properties required to change the proxy server, port, and connection timeout.
     */
    private void populateSettings() {
+        Settings.initialize();
        InputStream taskProperties = null;
        try {
            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
            Settings.mergeProperties(taskProperties);
        } catch (IOException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (taskProperties != null) {
                try {
                    taskProperties.close();
                } catch (IOException ex) {
-                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -889,8 +991,8 @@ public class DependencyCheckTask extends Task {

        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);

-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -907,11 +1009,29 @@ public class DependencyCheckTask extends Task {
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
+
+        //File Type Analyzer Settings
+        //JAR ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        //NUSPEC ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        //NEXUS ANALYZER
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        //ARCHIVE ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        //ASSEMBLY ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+
        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
        }
@@ -927,9 +1047,6 @@ public class DependencyCheckTask extends Task {
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        }
@@ -942,9 +1059,6 @@ public class DependencyCheckTask extends Task {
        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
    }

    /**
@@ -1011,7 +1125,7 @@ public class DependencyCheckTask extends Task {
            final String msg = String.format("%n%n"
                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
+            LOGGER.log(Level.WARNING, msg);
        }
    }

@@ -1036,4 +1150,18 @@ public class DependencyCheckTask extends Task {
            return values;
        }
    }
+
+    /**
+     * Whether or not the Jar Analyzer is enabled.
+     */
+    private boolean jarAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isJarAnalyzerEnabled() {
+        return jarAnalyzerEnabled;
+    }
 }
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -18,34 +18,60 @@ the project's dependencies.
    </dependency-check>
 </target>
 ```
-The following table lists the configurable properties:

-Property              | Description | Requirement | Default Value
----------------------|-------------|-------------|------------
-applicationName       | The name of the application to use in the generated report. | Required | &nbsp;
-reportFormat          | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
-reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp;
-failBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11
-autoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true
-dataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp;
-logFile               | The file path to write verbose logging information. | Optional | &nbsp;
-suppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp;
-proxyUrl              | Defines the proxy used to connect to the Internet. | Optional | &nbsp;
-proxyPort             | Defines the port for the proxy. | Optional | &nbsp;
-proxyUsername         | Defines the proxy user name. | Optional | &nbsp;
-proxyPassword         | Defines the proxy password. | Optional | &nbsp;
-connectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusAnalyzerEnabled  | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusUrl              | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusUsesProxy        | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true
-databaseDriverName    | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
-databaseDriverPath    | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp;
-connectionString      | The connection string used to connect to the database. | Optional | &nbsp;
-databaseUser          | The username used when connecting to the database. | Optional | dcuser
-databasePassword      | The password used when connecting to the database. | Optional | &nbsp;
-zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp;
-cveUrl12Modified      | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml
-cveUrl20Modified      | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cveUrl12Base          | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
-cveUrl20Base          | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-pathToMono            | The path to Mono for .NET assembly analysis on non-windows systems | Optional | &nbsp;
+Configuration
+====================
+The following properties can be set on the dependency-check-maven plugin.
+
+Property             | Description                        | Default Value
+---------------------|------------------------------------|------------------
+autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile              | The file path to write verbose logging information. | &nbsp;
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
+proxyServer          | The Proxy Server.                  | &nbsp;
+proxyPort            | The Proxy Port.                    | &nbsp;
+proxyUsername        | Defines the proxy user name.       | &nbsp;
+proxyPassword        | Defines the proxy password.        | &nbsp;
+connectionTimeout    | The URL Connection Timeout.        | &nbsp;
+
+Analyzer Configuration
+====================
+The following properties are used to configure the various file type analyzers.
+These properties can be used to turn off specific analyzers if it is not needed.
+Note, that specific analyzers will automatically disable themselves if no file
+types that they support are detected - so specifically disabling them may not
+be needed.
+
+Property                | Description                        | Default Value
+------------------------|------------------------------------|------------------
+archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                    | true
+zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+jarAnalyzer             | Sets whether Jar Analyzer will be used.                            | true
+nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used.                          | true
+nexusUrl                | Defines the Nexus URL. | https://repository.sonatype.org/service/local/
+nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
+nuspecAnalyzerEnabled  | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.   | true
+assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.     | true
+pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
+
+Advanced Configuration
+====================
+The following properties can be configured in the plugin. However, they are less frequently changed. One exception
+may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
+
+Property             | Description                                                             | Default Value
+---------------------|-------------------------------------------------------------------------|------------------
+cveUrl12Modified     | URL for the modified CVE 1.2                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+dataDirectory        | Data directory to hold SQL CVEs contents. This should generally not be changed.             | &nbsp;
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
+connectionString     | The connection string used to connect to the database.                                      | &nbsp;
+databaseUser         | The username used when connecting to the database.                                          | &nbsp;
+databasePassword     | The password used when connecting to the database.                                          | &nbsp;
--- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
+++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
@@ -18,14 +18,12 @@
 package org.owasp.dependencycheck.taskdefs;

 import java.io.File;
-import static junit.framework.TestCase.assertTrue;
 import org.apache.tools.ant.BuildFileTest;
 import org.junit.After;
-import org.junit.AfterClass;
 import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -33,20 +31,10 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
 */
 public class DependencyCheckTaskTest extends BuildFileTest {

-    public DependencyCheckTaskTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
    @Before
    @Override
    public void setUp() throws Exception {
+        Settings.initialize();
        BaseDBTestCase.ensureDBExists();
        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
        configureProject(buildFile);
@@ -57,6 +45,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
    public void tearDown() {
        //no cleanup...
        //executeTarget("cleanup");
+        Settings.cleanup(true);
    }

    /**
@@ -64,7 +53,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileSet() throws Exception {
-        File report = new File("target/DependencyCheck-Report.html");
+        File report = new File("target/dependency-check-report.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
@@ -83,7 +72,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileList() throws Exception {
-        File report = new File("target/DependencyCheck-Report.xml");
+        File report = new File("target/dependency-check-report.xml");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
@@ -101,7 +90,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddDirSet() throws Exception {
-        File report = new File("target/DependencyCheck-Vulnerability.html");
+        File report = new File("target/dependency-check-vulnerability.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
--- a/dependency-check-cli/config/checkstyle-checks.xml
+++ b/dependency-check-cli/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE module PUBLIC
-          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
-
-<module name="Checker">
-  <!--
-      If you set the basedir property below, then all reported file
-      names will be relative to the specified directory. See
-      http://checkstyle.sourceforge.net/5.x/config.html#Checker
-
-      <property name="basedir" value="${basedir}"/>
-  -->
-
-  <property name="severity" value="error"/>
-
-  <module name="SuppressionFilter">
-    <property name="file" value="${checkstyle.suppressions.file}"/>
-  </module>
-
-  <module name="JavadocPackage">
-    <property name="allowLegacy" value="false"/>
-  </module>
-
-  <module name="Translation">
-    <property name="severity" value="warning"/>
-  </module>
-
-  <module name="FileTabCharacter">
-    <property name="eachLine" value="false"/>
-  </module>
-
-  <module name="FileLength">
-    <property name="fileExtensions" value="java"/>
-  </module>
-
-  <module name="NewlineAtEndOfFile">
-  <property name="fileExtensions" value="java"/>
-  <property name="lineSeparator" value="lf"/>
-  </module>
-
-  <module name="RegexpHeader">
-    <property name="headerFile" value="${checkstyle.header.file}"/>
-    <property name="fileExtensions" value="java"/>
-    <property name="id" value="header"/>
-  </module>
-
-  <module name="RegexpSingleline">
-    <property name="format" value="\s+$"/>
-    <property name="minimum" value="0"/>
-    <property name="maximum" value="0"/>
-  </module>
-
-  <module name="TreeWalker">
-    <property name="tabWidth" value="4"/>
-
-    <module name="AvoidStarImport"/>
-    <module name="ConstantName"/>
-    <module name="EmptyBlock"/>
-    <module name="EmptyForIteratorPad"/>
-    <module name="EqualsHashCode"/>
-    <module name="OneStatementPerLine"/>
-
-    <!-- module name="IllegalCatch"/ -->
-    <!--module name="ImportControl">
-      <property name="file" value="${checkstyle.importcontrol.file}"/>
-    </module-->
-    <module name="IllegalImport"/>
-    <module name="IllegalInstantiation"/>
-    <module name="IllegalThrows"/>
-    <module name="InnerAssignment"/>
-    <module name="JavadocType">
-      <property name="authorFormat" value="\S"/>
-    </module>
-    <module name="JavadocMethod">
-      <property name="allowUndeclaredRTE" value="true"/>
-      <property name="allowThrowsTagsForSubclasses" value="true"/>
-      <property name="allowMissingPropertyJavadoc" value="true"/>
-    </module>
-    <module name="JavadocVariable"/>
-    <module name="JavadocStyle">
-      <property name="scope" value="public"/>
-    </module>
-
-    <module name="LeftCurly">
-      <property name="option" value="eol"/>
-      <property name="tokens" value="CLASS_DEF"/>
-      <property name="tokens" value="CTOR_DEF"/>
-      <property name="tokens" value="INTERFACE_DEF"/>
-      <property name="tokens" value="METHOD_DEF"/>
-      <property name="tokens" value="LITERAL_CATCH"/>
-      <property name="tokens" value="LITERAL_DO"/>
-      <property name="tokens" value="LITERAL_ELSE"/>
-      <property name="tokens" value="LITERAL_FINALLY"/>
-      <property name="tokens" value="LITERAL_FOR"/>
-      <property name="tokens" value="LITERAL_IF"/>
-      <property name="tokens" value="LITERAL_SWITCH"/>
-      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
-      <property name="tokens" value="LITERAL_TRY"/>
-      <property name="tokens" value="LITERAL_WHILE"/>
-    </module>
-
-    <module name="OuterTypeNumber"/>
-    <module name="LineLength">
-      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
-    <property name="max" value="150"/>
-    </module>
-
-    <module name="MethodCount">
-      <property name="maxTotal" value="40"/>
-    </module>
-
-    <module name="LocalFinalVariableName"/>
-    <module name="LocalVariableName"/>
-    <module name="MemberName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="MethodLength">
-        <property name="max" value="160"/>
-        <property name="countEmpty" value="false"/>
-    </module>
-    <module name="MethodName"/>
-    <module name="MethodParamPad"/>
-    <module name="ModifierOrder"/>
-    <module name="NeedBraces"/>
-    <module name="NoWhitespaceAfter">
-      <property name="tokens" value="ARRAY_INIT"/>
-      <property name="tokens" value="BNOT"/>
-      <property name="tokens" value="DEC"/>
-      <property name="tokens" value="DOT"/>
-      <property name="tokens" value="INC"/>
-      <property name="tokens" value="LNOT"/>
-      <property name="tokens" value="UNARY_MINUS"/>
-      <property name="tokens" value="UNARY_PLUS"/>
-    </module>
-
-    <module name="NoWhitespaceBefore"/>
-    <module name="NoWhitespaceBefore">
-      <property name="tokens" value="DOT"/>
-      <property name="allowLineBreaks" value="true"/>
-    </module>
-
-    <module name="OperatorWrap"/>
-    <module name="OperatorWrap">
-      <property name="tokens" value="ASSIGN"/>
-      <property name="tokens" value="DIV_ASSIGN"/>
-      <property name="tokens" value="PLUS_ASSIGN"/>
-      <property name="tokens" value="MINUS_ASSIGN"/>
-      <property name="tokens" value="STAR_ASSIGN"/>
-      <property name="tokens" value="MOD_ASSIGN"/>
-      <property name="tokens" value="SR_ASSIGN"/>
-      <property name="tokens" value="BSR_ASSIGN"/>
-      <property name="tokens" value="SL_ASSIGN"/>
-      <property name="tokens" value="BXOR_ASSIGN"/>
-      <property name="tokens" value="BOR_ASSIGN"/>
-      <property name="tokens" value="BAND_ASSIGN"/>
-      <property name="option" value="eol"/>
-    </module>
-    <module name="PackageName"/>
-    <module name="ParameterName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="ParameterNumber">
-      <property name="id" value="paramNum"/>
-    </module>
-    <module name="ParenPad"/>
-    <module name="TypecastParenPad"/>
-    <module name="RedundantImport"/>
-    <module name="RedundantModifier"/>
-    <module name="RightCurly">
-      <property name="option" value="same"/>
-    </module>
-    <module name="SimplifyBooleanExpression"/>
-    <module name="SimplifyBooleanReturn"/>
-    <module name="StaticVariableName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="TypeName"/>
-    <module name="UnusedImports"/>
-    <module name="UpperEll"/>
-    <module name="VisibilityModifier"/>
-    <module name="WhitespaceAfter"/>
-    <module name="WhitespaceAround"/>
-    <module name="GenericWhitespace"/>
-    <module name="FinalClass"/>
-    <module name="MissingSwitchDefault"/>
-    <!--module name="MagicNumber"/-->
-    <!--module name="Indentation">
-      <property name="basicOffset" value="4"/>
-      <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="0"/>
-    </module-->
-    <module name="ArrayTrailingComma"/>
-    <module name="FinalLocalVariable"/>
-    <module name="EqualsAvoidNull"/>
-    <module name="ParameterAssignment"/>
-
-    <!-- Generates quite a few errors -->
-    <module name="CyclomaticComplexity">
-      <property name="severity" value="ignore"/>
-    </module>
-
-    <module name="NestedForDepth">
-      <property name="max" value="2"/>
-    </module>
-    <module name="NestedIfDepth">
-      <property name="max" value="4"/>
-    </module>
-    <module name="NestedTryDepth">
-        <property name="max" value="2"/>
-    </module>
-    <!--module name="ExplicitInitialization"/-->
-    <module name="AnnotationUseStyle"/>
-    <module name="MissingDeprecated"/>
-    <module name="MissingOverride">
-      <property name="javaFiveCompatibility" value="true"/>
-    </module>
-    <module name="PackageAnnotation"/>
-    <module name="SuppressWarnings"/>
-    <module name="OuterTypeFilename"/>
-    <module name="HideUtilityClassConstructor"/>
-  </module>
-</module>
--- a/dependency-check-cli/config/checkstyle-header.txt
+++ b/dependency-check-cli/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
-^/\*\s*$
-^ \* This file is part of dependency-check-cli\.\s*$
-^ \*\s*$
-^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
-^ \* you may not use this file except in compliance with the License.\s*$
-^ \* You may obtain a copy of the License at\s*$
-^ \*\s*$
-^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
-^ \*\s*$
-^ \* Unless required by applicable law or agreed to in writing, software\s*$
-^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
-^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
-^ \* See the License for the specific language governing permissions and\s*$
-^ \* limitations under the License\.\s*$
-^ \*\s*$
-^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
-^ \*/\s*$
-^package
--- a/dependency-check-cli/config/checkstyle-suppressions.xml
+++ b/dependency-check-cli/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<!DOCTYPE suppressions PUBLIC
-     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
-     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
-
-<suppressions>
-    <suppress checks=".*" files=".*[\\/]package-info\.java" />
-</suppressions>
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -21,7 +21,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.3</version>
    </parent>

    <artifactId>dependency-check-cli</artifactId>
@@ -248,16 +248,16 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
+                            <version>3.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
@@ -265,6 +265,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -335,5 +341,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
    </dependencies>
 </project>
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -46,14 +46,24 @@ public class App {
     */
    private static final String LOG_PROPERTIES_FILE = "log.properties";

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(App.class.getName());
+
    /**
     * The main method for the application.
     *
     * @param args the command line arguments
     */
    public static void main(String[] args) {
-        final App app = new App();
-        app.run(args);
+        try {
+            Settings.initialize();
+            final App app = new App();
+            app.run(args);
+        } finally {
+            Settings.cleanup(true);
+        }
    }

    /**
@@ -62,8 +72,8 @@ public class App {
     * @param args the command line arguments
     */
    public void run(String[] args) {
-
        final CliParser cli = new CliParser();
+
        try {
            cli.parse(args);
        } catch (FileNotFoundException ex) {
@@ -82,7 +92,7 @@ public class App {
        if (cli.isGetVersion()) {
            cli.printVersionInfo();
        } else if (cli.isRunScan()) {
-            updateSettings(cli);
+            populateSettings(cli);
            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
        } else {
            cli.printHelp();
@@ -115,7 +125,7 @@ public class App {
                cve.open();
                prop = cve.getDatabaseProperties();
            } catch (DatabaseException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
            } finally {
                if (cve != null) {
                    cve.close();
@@ -125,15 +135,15 @@ public class App {
            try {
                report.generateReports(reportDirectory, outputFormat);
            } catch (IOException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
            } catch (Throwable ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "There was an error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
            }
        } catch (DatabaseException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
-            Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
        } finally {
            if (scanner != null) {
                scanner.cleanup();
@@ -147,17 +157,21 @@ public class App {
     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
     * settings in the core engine.
     */
-    private void updateSettings(CliParser cli) {
+    private void populateSettings(CliParser cli) {

        final boolean autoUpdate = cli.isAutoUpdate();
        final String connectionTimeout = cli.getConnectionTimeout();
-        final String proxyUrl = cli.getProxyUrl();
+        final String proxyServer = cli.getProxyServer();
        final String proxyPort = cli.getProxyPort();
        final String proxyUser = cli.getProxyUsername();
        final String proxyPass = cli.getProxyPassword();
        final String dataDirectory = cli.getDataDirectory();
        final File propertiesFile = cli.getPropertiesFile();
        final String suppressionFile = cli.getSuppressionFile();
+        final boolean jarDisabled = cli.isJarDisabled();
+        final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean assemblyDisabled = cli.isAssemblyDisabled();
+        final boolean nuspecDisabled = cli.isNuspecDisabled();
        final boolean nexusDisabled = cli.isNexusDisabled();
        final String nexusUrl = cli.getNexusUrl();
        final String databaseDriverName = cli.getDatabaseDriverName();
@@ -173,12 +187,12 @@ public class App {
                Settings.mergeProperties(propertiesFile);
            } catch (FileNotFoundException ex) {
                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            } catch (IOException ex) {
                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
        }
        // We have to wait until we've merged the properties before attempting to set whether we use
@@ -198,8 +212,8 @@ public class App {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -216,6 +230,13 @@ public class App {
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
+
+        //File Type Analyzer Settings
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
+
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.cli;

 import java.io.File;
 import java.io.FileNotFoundException;
-
+import java.util.logging.Logger;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -40,6 +40,10 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public final class CliParser {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CliParser.class.getName());
    /**
     * The command line.
     */
@@ -86,16 +90,16 @@ public final class CliParser {
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isRunScan()) {
-            validatePathExists(getScanFiles(), ArgumentName.SCAN);
-            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            validatePathExists(getScanFiles(), ARGUMENT.SCAN);
+            validatePathExists(getReportDirectory(), ARGUMENT.OUT);
            if (getPathToMono() != null) {
-                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+                validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
            }
-            if (!line.hasOption(ArgumentName.APP_NAME)) {
+            if (!line.hasOption(ARGUMENT.APP_NAME)) {
                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
            }
-            if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
-                final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
+            if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
+                final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
                try {
                    Format.valueOf(format);
                } catch (IllegalArgumentException ex) {
@@ -130,12 +134,14 @@ public final class CliParser {
     * @throws FileNotFoundException is thrown if the path being validated does not exist.
     */
    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
-        final File f = new File(path);
-        if (!f.exists()) {
-            isValid = false;
-            final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
-            throw new FileNotFoundException(msg);
-        }
+        if (!path.contains("*.")) {
+            final File f = new File(path);
+            if (!f.exists()) {
+                isValid = false;
+                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                throw new FileNotFoundException(msg);
+            }
+        } // else { // TODO add a validation for *.zip extensions rather then relying on the engine to validate it.
    }

    /**
@@ -149,7 +155,7 @@ public final class CliParser {
        final Options options = new Options();
        addStandardOptions(options);
        addAdvancedOptions(options);
-
+        addDeprecatedOptions(options);
        return options;
    }

@@ -161,43 +167,44 @@ public final class CliParser {
     */
    @SuppressWarnings("static-access")
    private void addStandardOptions(final Options options) throws IllegalArgumentException {
-        final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
+        final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
                "Print this message.");

-        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
+        final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
                .withDescription("Print the advanced help message.").create();

-        final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
+        final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
                false, "Print the version information.");

-        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+        final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
                false, "Disables the automatic updating of the CPE data.");

-        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
                .withDescription("The name of the application being scanned. This is a required argument.")
-                .create(ArgumentName.APP_NAME_SHORT);
+                .create(ARGUMENT.APP_NAME_SHORT);

-        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("The path to scan - this option can be specified multiple times.")
-                .create(ArgumentName.SCAN_SHORT);
+        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
+                .withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
+                        + " to specific file types *.[ext] can be added to the end of the path.")
+                .create(ARGUMENT.SCAN_SHORT);

-        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
+        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
                .withDescription("A property file to load.")
-                .create(ArgumentName.PROP_SHORT);
+                .create(ARGUMENT.PROP_SHORT);

-        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
+        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ARGUMENT.OUT)
                .withDescription("The folder to write reports to. This defaults to the current directory.")
-                .create(ArgumentName.OUT_SHORT);
+                .create(ARGUMENT.OUT_SHORT);

-        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
-                .create(ArgumentName.OUTPUT_FORMAT_SHORT);
+                .create(ARGUMENT.OUTPUT_FORMAT_SHORT);

-        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
                .withDescription("The file path to write verbose logging information.")
-                .create(ArgumentName.VERBOSE_LOG_SHORT);
+                .create(ARGUMENT.VERBOSE_LOG_SHORT);

-        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
+        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
                .withDescription("The file path to the suppression XML file.")
                .create();

@@ -228,74 +235,87 @@ public final class CliParser {
    @SuppressWarnings("static-access")
    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {

-        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
                .withDescription("The location of the H2 Database file. This option should generally not be set.")
-                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+                .create(ARGUMENT.DATA_DIRECTORY_SHORT);

-        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
-                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+                .create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);

-        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
-                .withDescription("The proxy url to use when downloading resources.")
-                .create(ArgumentName.PROXY_URL_SHORT);
+        final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
+                .withDescription("The proxy server to use when downloading resources.")
+                .create();

-        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
                .withDescription("The proxy port to use when downloading resources.")
-                .create(ArgumentName.PROXY_PORT_SHORT);
+                .create();

-        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
                .withDescription("The proxy username to use when downloading resources.")
                .create();

-        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
                .withDescription("The proxy password to use when downloading resources.")
                .create();

-        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
+        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
                .withDescription("The connection string to the database.")
                .create();

-        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
+        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
                .withDescription("The username used to connect to the database.")
                .create();

-        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
+        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
                .withDescription("The password for connecting to the database.")
                .create();

-        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
+        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
                .withDescription("The database driver name.")
                .create();

-        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
+        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
                .create();

-        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
+                .withDescription("Disable the Jar Analyzer.")
+                .create();
+        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
+                .withDescription("Disable the Archive Analyzer.")
+                .create();
+        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
+                .withDescription("Disable the Nuspec Analyzer.")
+                .create();
+        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
+                .withDescription("Disable the .NET Assembly Analyzer.")
+                .create();
+
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
                .withDescription("Disable the Nexus Analyzer.")
                .create();

-        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
                .withDescription("The url to the Nexus Server.")
                .create();

-        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
                .create();

        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
-                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
-                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+                .withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
                        + "(ZIP, EAR, WAR are already treated as zip files)")
                .create();

-        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .create();

        options.addOption(proxyPort)
-                .addOption(proxyUrl)
+                .addOption(proxyServer)
                .addOption(proxyUsername)
                .addOption(proxyPassword)
                .addOption(connectionTimeout)
@@ -305,6 +325,10 @@ public final class CliParser {
                .addOption(dbPassword)
                .addOption(dbDriver)
                .addOption(dbDriverPath)
+                .addOption(disableJarAnalyzer)
+                .addOption(disableArchiveAnalyzer)
+                .addOption(disableAssemblyAnalyzer)
+                .addOption(disableNuspecAnalyzer)
                .addOption(disableNexusAnalyzer)
                .addOption(nexusUrl)
                .addOption(nexusUsesProxy)
@@ -312,13 +336,30 @@ public final class CliParser {
                .addOption(pathToMono);
    }

+    /**
+     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not
+     * including them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
+
+        final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
+                .withDescription("The proxy url argument is deprecated, use proxyserver instead.")
+                .create();
+
+        options.addOption(proxyServer);
+    }
+
    /**
     * Determines if the 'version' command line argument was passed in.
     *
     * @return whether or not the 'version' command line argument was passed in
     */
    public boolean isGetVersion() {
-        return (line != null) && line.hasOption(ArgumentName.VERSION);
+        return (line != null) && line.hasOption(ARGUMENT.VERSION);
    }

    /**
@@ -327,7 +368,7 @@ public final class CliParser {
     * @return whether or not the 'help' command line argument was passed in
     */
    public boolean isGetHelp() {
-        return (line != null) && line.hasOption(ArgumentName.HELP);
+        return (line != null) && line.hasOption(ARGUMENT.HELP);
    }

    /**
@@ -336,7 +377,43 @@ public final class CliParser {
     * @return whether or not the 'scan' command line argument was passed in
     */
    public boolean isRunScan() {
-        return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
+        return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
+    }
+
+    /**
+     * Returns true if the disableJar command line argument was specified.
+     *
+     * @return true if the disableJar command line argument was specified; otherwise false
+     */
+    public boolean isJarDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
+    }
+
+    /**
+     * Returns true if the disableArchive command line argument was specified.
+     *
+     * @return true if the disableArchive command line argument was specified; otherwise false
+     */
+    public boolean isArchiveDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
+    }
+
+    /**
+     * Returns true if the disableNuspec command line argument was specified.
+     *
+     * @return true if the disableNuspec command line argument was specified; otherwise false
+     */
+    public boolean isNuspecDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
+    }
+
+    /**
+     * Returns true if the disableAssembly command line argument was specified.
+     *
+     * @return true if the disableAssembly command line argument was specified; otherwise false
+     */
+    public boolean isAssemblyDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
    }

    /**
@@ -345,7 +422,7 @@ public final class CliParser {
     * @return true if the disableNexus command line argument was specified; otherwise false
     */
    public boolean isNexusDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
    }

    /**
@@ -354,10 +431,10 @@ public final class CliParser {
     * @return the url to the nexus server; if none was specified this will return null;
     */
    public String getNexusUrl() {
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
            return null;
        } else {
-            return line.getOptionValue(ArgumentName.NEXUS_URL);
+            return line.getOptionValue(ARGUMENT.NEXUS_URL);
        }
    }

@@ -370,14 +447,14 @@ public final class CliParser {
    public boolean isNexusUsesProxy() {
        // If they didn't specify whether Nexus needs to use the proxy, we should
        // still honor the property if it's set.
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
            try {
                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
            } catch (InvalidSettingException ise) {
                return true;
            }
        } else {
-            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+            return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
        }
    }

@@ -388,7 +465,7 @@ public final class CliParser {
        final HelpFormatter formatter = new HelpFormatter();
        final Options options = new Options();
        addStandardOptions(options);
-        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
+        if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
            addAdvancedOptions(options);
        }
        final String helpMsg = String.format("%n%s"
@@ -411,7 +488,7 @@ public final class CliParser {
     * @return the file paths specified on the command line for scan
     */
    public String[] getScanFiles() {
-        return line.getOptionValues(ArgumentName.SCAN);
+        return line.getOptionValues(ARGUMENT.SCAN);
    }

    /**
@@ -420,7 +497,7 @@ public final class CliParser {
     * @return the path to the reports directory.
     */
    public String getReportDirectory() {
-        return line.getOptionValue(ArgumentName.OUT, ".");
+        return line.getOptionValue(ARGUMENT.OUT, ".");
    }

    /**
@@ -429,7 +506,7 @@ public final class CliParser {
     * @return the path to Mono
     */
    public String getPathToMono() {
-        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+        return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
    }

    /**
@@ -438,7 +515,7 @@ public final class CliParser {
     * @return the output format name.
     */
    public String getReportFormat() {
-        return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
+        return line.getOptionValue(ARGUMENT.OUTPUT_FORMAT, "HTML");
    }

    /**
@@ -447,7 +524,7 @@ public final class CliParser {
     * @return the application name.
     */
    public String getApplicationName() {
-        return line.getOptionValue(ArgumentName.APP_NAME);
+        return line.getOptionValue(ARGUMENT.APP_NAME);
    }

    /**
@@ -456,16 +533,24 @@ public final class CliParser {
     * @return the connection timeout
     */
    public String getConnectionTimeout() {
-        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+        return line.getOptionValue(ARGUMENT.CONNECTION_TIMEOUT);
    }

    /**
-     * Returns the proxy url.
+     * Returns the proxy server.
     *
-     * @return the proxy url
+     * @return the proxy server
     */
-    public String getProxyUrl() {
-        return line.getOptionValue(ArgumentName.PROXY_URL);
+    public String getProxyServer() {
+
+        String server = line.getOptionValue(ARGUMENT.PROXY_SERVER);
+        if (server == null) {
+            server = line.getOptionValue(ARGUMENT.PROXY_URL);
+            if (server != null) {
+                LOGGER.warning("An old command line argument 'proxyurl' was detected; use proxyserver instead");
+            }
+        }
+        return server;
    }

    /**
@@ -474,7 +559,7 @@ public final class CliParser {
     * @return the proxy port
     */
    public String getProxyPort() {
-        return line.getOptionValue(ArgumentName.PROXY_PORT);
+        return line.getOptionValue(ARGUMENT.PROXY_PORT);
    }

    /**
@@ -483,7 +568,7 @@ public final class CliParser {
     * @return the proxy username
     */
    public String getProxyUsername() {
-        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+        return line.getOptionValue(ARGUMENT.PROXY_USERNAME);
    }

    /**
@@ -492,7 +577,7 @@ public final class CliParser {
     * @return the proxy password
     */
    public String getProxyPassword() {
-        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+        return line.getOptionValue(ARGUMENT.PROXY_PASSWORD);
    }

    /**
@@ -501,7 +586,7 @@ public final class CliParser {
     * @return the value of dataDirectory
     */
    public String getDataDirectory() {
-        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
+        return line.getOptionValue(ARGUMENT.DATA_DIRECTORY);
    }

    /**
@@ -510,7 +595,7 @@ public final class CliParser {
     * @return the properties file specified on the command line
     */
    public File getPropertiesFile() {
-        final String path = line.getOptionValue(ArgumentName.PROP);
+        final String path = line.getOptionValue(ARGUMENT.PROP);
        if (path != null) {
            return new File(path);
        }
@@ -523,7 +608,7 @@ public final class CliParser {
     * @return the path to the verbose log file
     */
    public String getVerboseLog() {
-        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+        return line.getOptionValue(ARGUMENT.VERBOSE_LOG);
    }

    /**
@@ -532,7 +617,7 @@ public final class CliParser {
     * @return the path to the suppression file
     */
    public String getSuppressionFile() {
-        return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
+        return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
    }

    /**
@@ -555,7 +640,7 @@ public final class CliParser {
     * @return if auto-update is allowed.
     */
    public boolean isAutoUpdate() {
-        return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
+        return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
    }

    /**
@@ -564,7 +649,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverName() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER);
    }

    /**
@@ -573,7 +658,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverPath() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER_PATH);
    }

    /**
@@ -582,7 +667,7 @@ public final class CliParser {
     * @return the database connection string if specified; otherwise null is returned
     */
    public String getConnectionString() {
-        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
+        return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
    }

    /**
@@ -591,7 +676,7 @@ public final class CliParser {
     * @return the database database user name if specified; otherwise null is returned
     */
    public String getDatabaseUser() {
-        return line.getOptionValue(ArgumentName.DB_NAME);
+        return line.getOptionValue(ARGUMENT.DB_NAME);
    }

    /**
@@ -600,7 +685,7 @@ public final class CliParser {
     * @return the database database password if specified; otherwise null is returned
     */
    public String getDatabasePassword() {
-        return line.getOptionValue(ArgumentName.DB_PASSWORD);
+        return line.getOptionValue(ARGUMENT.DB_PASSWORD);
    }

    /**
@@ -609,13 +694,13 @@ public final class CliParser {
     * @return the additional Extensions; otherwise null is returned
     */
    public String getAdditionalZipExtensions() {
-        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
+        return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
    }

    /**
     * A collection of static final strings that represent the possible command line arguments.
     */
-    public static class ArgumentName {
+    public static class ARGUMENT {

        /**
         * The long CLI argument name specifying the directory/file to scan.
@@ -677,21 +762,20 @@ public final class CliParser {
         * The short CLI argument name asking for the version.
         */
        public static final String VERSION = "version";
-        /**
-         * The short CLI argument name indicating the proxy port.
-         */
-        public static final String PROXY_PORT_SHORT = "p";
        /**
         * The CLI argument name indicating the proxy port.
         */
        public static final String PROXY_PORT = "proxyport";
        /**
-         * The short CLI argument name indicating the proxy url.
+         * The CLI argument name indicating the proxy server.
         */
-        public static final String PROXY_URL_SHORT = "u";
+        public static final String PROXY_SERVER = "proxyserver";
        /**
         * The CLI argument name indicating the proxy url.
+         *
+         * @deprecated use {@link org.owasp.dependencycheck.cli.CliParser.ArgumentName#PROXY_SERVER} instead
         */
+        @Deprecated
        public static final String PROXY_URL = "proxyurl";
        /**
         * The CLI argument name indicating the proxy username.
@@ -736,7 +820,23 @@ public final class CliParser {
        /**
         * The CLI argument name for setting the location of the suppression file.
         */
-        public static final String SUPPRESION_FILE = "suppression";
+        public static final String SUPPRESSION_FILE = "suppression";
+        /**
+         * Disables the Jar Analyzer.
+         */
+        public static final String DISABLE_JAR = "disableJar";
+        /**
+         * Disables the Archive Analyzer.
+         */
+        public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Assembly Analyzer.
+         */
+        public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Nuspec Analyzer.
+         */
+        public static final String DISABLE_NUSPEC = "disableNuspec";
        /**
         * Disables the Nexus Analyzer.
         */
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -1,33 +1,43 @@
 Command Line Arguments
-====================
+======================

 The following table lists the command line arguments:

-Short  | Argument Name         | Parameter       | Description | Requirement
+Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
 \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
- \-c   | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | Optional
- \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
+ \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
 \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
- \-h   | \-\-help              |                 | Print the help message. | Optional
 \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
 \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
- \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
- \-p   | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | Optional
-       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | Optional
-       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | Optional
- \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. | Required
       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
- \-u   | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | Optional
- \-v   | \-\-version           |                 | Print the version information. | Optional
+ \-h   | \-\-help              |                 | Print the help message. | Optional
       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
-       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | Optional
-       | \-\-dbDriverName      | \<driver\>      | The database driver name. | Optional
-       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
-       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | Optional
-       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | Optional
-       | \-\-disableNexus      |                 | Disable the Nexus Analyzer. | Optional
-       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | Optional
-       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
-       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
-       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional
+ \-v   | \-\-version           |                 | Print the version information. | Optional
+
+Advanced Options
+================
+Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter       | Description | Default&nbsp;Value
+-------|-----------------------|-----------------|-------------|---------------
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                      | false
+       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+       | \-\-disableJar        |                 | Sets whether Jar Analyzer will be used.                              | false
+       | \-\-disableNexus      |                 | Sets whether Nexus Analyzer will be used.                            | false
+       | \-\-disableNexus      |                 | Disable the Nexus Analyzer.                                          | &nbsp;
+       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | https://repository.sonatype.org/service/local/
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.     | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.       | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.  | &nbsp;
+       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources. | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | &nbsp;
+       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name. | &nbsp;
+       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | &nbsp;
+ \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
--- a/dependency-check-cli/src/site/markdown/installation.md.vm
+++ b/dependency-check-cli/src/site/markdown/installation.md.vm
@@ -8,20 +8,18 @@ script executable:
    $ chmod +777 dependency-check.sh

 To scan a folder on the system you can run:
+#set( $H = '#' )

-Windows
-------
+$H$H$H Windows
    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"

-\*nix
-------
+$H$H$H *nix
    dependency-check.sh --app "My App Name" --scan "/java/application/lib"

 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
-Windows
-------
+
+$H$H$H Windows
    dependency-check.bat --help

-\*nix
-------
+$H$H$H *nix
    dependency-check.sh --help
--- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
@@ -29,6 +29,7 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -38,10 +39,12 @@ public class CliParserTest {

    @BeforeClass
    public static void setUpClass() throws Exception {
+        Settings.initialize();
    }

    @AfterClass
    public static void tearDownClass() throws Exception {
+        Settings.cleanup(true);
    }

    @Before
--- a/dependency-check-core/config/checkstyle-checks.xml
+++ b/dependency-check-core/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE module PUBLIC
-          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
-
-<module name="Checker">
-  <!--
-      If you set the basedir property below, then all reported file
-      names will be relative to the specified directory. See
-      http://checkstyle.sourceforge.net/5.x/config.html#Checker
-
-      <property name="basedir" value="${basedir}"/>
-  -->
-
-  <property name="severity" value="error"/>
-
-  <module name="SuppressionFilter">
-    <property name="file" value="${checkstyle.suppressions.file}"/>
-  </module>
-
-  <module name="JavadocPackage">
-    <property name="allowLegacy" value="false"/>
-  </module>
-
-  <module name="Translation">
-    <property name="severity" value="warning"/>
-  </module>
-
-  <module name="FileTabCharacter">
-    <property name="eachLine" value="false"/>
-  </module>
-
-  <module name="FileLength">
-    <property name="fileExtensions" value="java"/>
-  </module>
-
-  <module name="NewlineAtEndOfFile">
-  <property name="fileExtensions" value="java"/>
-  <property name="lineSeparator" value="lf"/>
-  </module>
-
-  <module name="RegexpHeader">
-    <property name="headerFile" value="${checkstyle.header.file}"/>
-    <property name="fileExtensions" value="java"/>
-    <property name="id" value="header"/>
-  </module>
-
-  <module name="RegexpSingleline">
-    <property name="format" value="\s+$"/>
-    <property name="minimum" value="0"/>
-    <property name="maximum" value="0"/>
-  </module>
-
-  <module name="TreeWalker">
-    <property name="tabWidth" value="4"/>
-
-    <module name="AvoidStarImport"/>
-    <module name="ConstantName"/>
-    <module name="EmptyBlock"/>
-    <module name="EmptyForIteratorPad"/>
-    <module name="EqualsHashCode"/>
-    <module name="OneStatementPerLine"/>
-
-    <!-- module name="IllegalCatch"/ -->
-    <!--module name="ImportControl">
-      <property name="file" value="${checkstyle.importcontrol.file}"/>
-    </module-->
-    <module name="IllegalImport"/>
-    <module name="IllegalInstantiation"/>
-    <module name="IllegalThrows"/>
-    <module name="InnerAssignment"/>
-    <module name="JavadocType">
-      <property name="authorFormat" value="\S"/>
-    </module>
-    <module name="JavadocMethod">
-      <property name="allowUndeclaredRTE" value="true"/>
-      <property name="allowThrowsTagsForSubclasses" value="true"/>
-      <property name="allowMissingPropertyJavadoc" value="true"/>
-    </module>
-    <module name="JavadocVariable"/>
-    <module name="JavadocStyle">
-      <property name="scope" value="public"/>
-    </module>
-
-    <module name="LeftCurly">
-      <property name="option" value="eol"/>
-      <property name="tokens" value="CLASS_DEF"/>
-      <property name="tokens" value="CTOR_DEF"/>
-      <property name="tokens" value="INTERFACE_DEF"/>
-      <property name="tokens" value="METHOD_DEF"/>
-      <property name="tokens" value="LITERAL_CATCH"/>
-      <property name="tokens" value="LITERAL_DO"/>
-      <property name="tokens" value="LITERAL_ELSE"/>
-      <property name="tokens" value="LITERAL_FINALLY"/>
-      <property name="tokens" value="LITERAL_FOR"/>
-      <property name="tokens" value="LITERAL_IF"/>
-      <property name="tokens" value="LITERAL_SWITCH"/>
-      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
-      <property name="tokens" value="LITERAL_TRY"/>
-      <property name="tokens" value="LITERAL_WHILE"/>
-    </module>
-
-    <module name="OuterTypeNumber"/>
-    <module name="LineLength">
-      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
-    <property name="max" value="150"/>
-    </module>
-
-    <module name="MethodCount">
-      <property name="maxTotal" value="40"/>
-    </module>
-
-    <module name="LocalFinalVariableName"/>
-    <module name="LocalVariableName"/>
-    <module name="MemberName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="MethodLength">
-        <property name="max" value="160"/>
-        <property name="countEmpty" value="false"/>
-    </module>
-    <module name="MethodName"/>
-    <module name="MethodParamPad"/>
-    <module name="ModifierOrder"/>
-    <module name="NeedBraces"/>
-    <module name="NoWhitespaceAfter">
-      <property name="tokens" value="ARRAY_INIT"/>
-      <property name="tokens" value="BNOT"/>
-      <property name="tokens" value="DEC"/>
-      <property name="tokens" value="DOT"/>
-      <property name="tokens" value="INC"/>
-      <property name="tokens" value="LNOT"/>
-      <property name="tokens" value="UNARY_MINUS"/>
-      <property name="tokens" value="UNARY_PLUS"/>
-    </module>
-
-    <module name="NoWhitespaceBefore"/>
-    <module name="NoWhitespaceBefore">
-      <property name="tokens" value="DOT"/>
-      <property name="allowLineBreaks" value="true"/>
-    </module>
-
-    <module name="OperatorWrap"/>
-    <module name="OperatorWrap">
-      <property name="tokens" value="ASSIGN"/>
-      <property name="tokens" value="DIV_ASSIGN"/>
-      <property name="tokens" value="PLUS_ASSIGN"/>
-      <property name="tokens" value="MINUS_ASSIGN"/>
-      <property name="tokens" value="STAR_ASSIGN"/>
-      <property name="tokens" value="MOD_ASSIGN"/>
-      <property name="tokens" value="SR_ASSIGN"/>
-      <property name="tokens" value="BSR_ASSIGN"/>
-      <property name="tokens" value="SL_ASSIGN"/>
-      <property name="tokens" value="BXOR_ASSIGN"/>
-      <property name="tokens" value="BOR_ASSIGN"/>
-      <property name="tokens" value="BAND_ASSIGN"/>
-      <property name="option" value="eol"/>
-    </module>
-    <module name="PackageName"/>
-    <module name="ParameterName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="ParameterNumber">
-      <property name="id" value="paramNum"/>
-    </module>
-    <module name="ParenPad"/>
-    <module name="TypecastParenPad"/>
-    <module name="RedundantImport"/>
-    <module name="RedundantModifier"/>
-    <module name="RightCurly">
-      <property name="option" value="same"/>
-    </module>
-    <module name="SimplifyBooleanExpression"/>
-    <module name="SimplifyBooleanReturn"/>
-    <module name="StaticVariableName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="TypeName"/>
-    <module name="UnusedImports"/>
-    <module name="UpperEll"/>
-    <module name="VisibilityModifier"/>
-    <module name="WhitespaceAfter"/>
-    <module name="WhitespaceAround"/>
-    <module name="GenericWhitespace"/>
-    <module name="FinalClass"/>
-    <module name="MissingSwitchDefault"/>
-    <!--module name="MagicNumber"/-->
-    <!--module name="Indentation">
-      <property name="basicOffset" value="4"/>
-      <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="0"/>
-    </module-->
-    <module name="ArrayTrailingComma"/>
-    <module name="FinalLocalVariable"/>
-    <module name="EqualsAvoidNull"/>
-    <module name="ParameterAssignment"/>
-
-    <!-- Generates quite a few errors -->
-    <module name="CyclomaticComplexity">
-      <property name="severity" value="ignore"/>
-    </module>
-
-    <module name="NestedForDepth">
-      <property name="max" value="2"/>
-    </module>
-    <module name="NestedIfDepth">
-      <property name="max" value="4"/>
-    </module>
-    <module name="NestedTryDepth">
-        <property name="max" value="2"/>
-    </module>
-    <!--module name="ExplicitInitialization"/-->
-    <module name="AnnotationUseStyle"/>
-    <module name="MissingDeprecated"/>
-    <module name="MissingOverride">
-      <property name="javaFiveCompatibility" value="true"/>
-    </module>
-    <module name="PackageAnnotation"/>
-    <module name="SuppressWarnings"/>
-    <module name="OuterTypeFilename"/>
-    <module name="HideUtilityClassConstructor"/>
-  </module>
-</module>
--- a/dependency-check-core/config/checkstyle-header.txt
+++ b/dependency-check-core/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
-^/\*\s*$
-^ \* This file is part of dependency-check-core\.\s*$
-^ \*\s*$
-^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
-^ \* you may not use this file except in compliance with the License.\s*$
-^ \* You may obtain a copy of the License at\s*$
-^ \*\s*$
-^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
-^ \*\s*$
-^ \* Unless required by applicable law or agreed to in writing, software\s*$
-^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
-^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
-^ \* See the License for the specific language governing permissions and\s*$
-^ \* limitations under the License\.\s*$
-^ \*\s*$
-^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
-^ \*/\s*$
-^package
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -15,13 +15,12 @@ limitations under the License.

 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.3</version>
    </parent>

    <artifactId>dependency-check-core</artifactId>
@@ -220,6 +219,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <name>data.directory</name>
                            <value>${project.build.directory}/data</value>
                        </property>
+                        <property>
+                            <name>temp.directory</name>
+                            <value>${project.build.directory}/temp</value>
+                        </property>
+
                    </systemProperties>
                    <includes>
                        <include>**/*IntegrationTest.java</include>
@@ -348,16 +352,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
+                            <version>3.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
@@ -365,6 +369,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -393,6 +403,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        </plugins>
    </build>
    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-test-framework</artifactId>
@@ -410,6 +425,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>commons-cli</artifactId>
            <version>1.2</version>
        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.8</version>
+        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
@@ -495,11 +515,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <version>1.7.2</version>
            <type>jar</type>
        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>1.5</version>
-        </dependency>
        <!-- The following dependencies are only used during testing -->
        <dependency>
            <groupId>org.apache.maven.scm</groupId>
@@ -515,6 +530,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>3.0.0.RELEASE</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast</artifactId>
@@ -581,6 +603,20 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+            <version>3.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
    </dependencies>
    <profiles>
        <profile>
@@ -642,11 +678,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            Additionally, these are only added when using "allTests" to
            make the build slightly faster in most cases. -->
            <id>False Positive Tests</id>
-            <!--activation>
+            <activation>
                <property>
                    <name>allTests</name>
                </property>
-            </activation-->
+            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.apache.xmlgraphics</groupId>
@@ -669,6 +705,34 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <scope>provided</scope>
                    <optional>true</optional>
                </dependency>
+                <dependency>
+                    <groupId>com.ganyo</groupId>
+                    <artifactId>gcm-server</artifactId>
+                    <version>1.0.2</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.python</groupId>
+                    <artifactId>jython-standalone</artifactId>
+                    <version>2.7-b1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby-complete</artifactId>
+                    <version>1.7.4</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby</artifactId>
+                    <version>1.6.3</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
            </dependencies>
        </profile>
    </profiles>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -29,6 +29,7 @@ import java.util.logging.Logger;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
 import org.owasp.dependencycheck.data.cpe.IndexException;
@@ -56,15 +57,23 @@ public class Engine {
    /**
     * The list of dependencies.
     */
-    private final List<Dependency> dependencies;
+    private List<Dependency> dependencies;
    /**
     * A Map of analyzers grouped by Analysis phase.
     */
    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
    /**
-     * A set of extensions supported by the analyzers.
+     * A Map of analyzers grouped by Analysis phase.
     */
-    private final Set<String> extensions;
+    private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
+    /**
+     * The ClassLoader to use when dynamically loading Analyzer and Update services.
+     */
+    private ClassLoader serviceClassLoader;
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());

    /**
     * Creates a new Engine.
@@ -72,16 +81,28 @@ public class Engine {
     * @throws DatabaseException thrown if there is an error connecting to the database
     */
    public Engine() throws DatabaseException {
-        this.extensions = new HashSet<String>();
+        this(Thread.currentThread().getContextClassLoader());
+    }
+
+    /**
+     * Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
+     *
+     * @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
        this.dependencies = new ArrayList<Dependency>();
        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+        this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+        this.serviceClassLoader = serviceClassLoader;
+
        ConnectionFactory.initialize();

        boolean autoUpdate = true;
        try {
            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
        } catch (InvalidSettingException ex) {
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
+            LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
        }
        if (autoUpdate) {
            doUpdates();
@@ -105,13 +126,13 @@ public class Engine {
            analyzers.put(phase, new ArrayList<Analyzer>());
        }

-        final AnalyzerService service = AnalyzerService.getInstance();
+        final AnalyzerService service = new AnalyzerService(serviceClassLoader);
        final Iterator<Analyzer> iterator = service.getAnalyzers();
        while (iterator.hasNext()) {
            final Analyzer a = iterator.next();
            analyzers.get(a.getAnalysisPhase()).add(a);
-            if (a.getSupportedExtensions() != null) {
-                extensions.addAll(a.getSupportedExtensions());
+            if (a instanceof FileTypeAnalyzer) {
+                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
            }
        }
    }
@@ -135,6 +156,13 @@ public class Engine {
        return dependencies;
    }

+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+        //for (Dependency dependency: dependencies) {
+        //    dependencies.add(dependency);
+        //}
+    }
+
    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
@@ -157,8 +185,21 @@ public class Engine {
     * @param path the path to a file or directory to be analyzed.
     */
    public void scan(String path) {
-        final File file = new File(path);
-        scan(file);
+        if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
+            final String[] parts = path.split("\\*\\.");
+            final String[] ext = new String[]{parts[parts.length - 1]};
+            final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
+            if (dir.isDirectory()) {
+                final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
+                scan(files);
+            } else {
+                final String msg = String.format("Invalid file path provided to scan '%s'", path);
+                LOGGER.log(Level.SEVERE, msg);
+            }
+        } else {
+            final File file = new File(path);
+            scan(file);
+        }
    }

    /**
@@ -247,20 +288,20 @@ public class Engine {
    protected void scanFile(File file) {
        if (!file.isFile()) {
            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+            LOGGER.log(Level.FINE, msg);
            return;
        }
        final String fileName = file.getName();
        final String extension = FileUtils.getFileExtension(fileName);
        if (extension != null) {
-            if (extensions.contains(extension)) {
+            if (supportsExtension(extension)) {
                final Dependency dependency = new Dependency(file);
                dependencies.add(dependency);
            }
        } else {
            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
                    file.toString());
-            Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
+            LOGGER.log(Level.FINEST, msg);
        }
    }

@@ -273,13 +314,13 @@ public class Engine {
            ensureDataExists();
        } catch (NoDataException ex) {
            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
            return;
        } catch (DatabaseException ex) {
            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
            return;

        }
@@ -288,75 +329,54 @@ public class Engine {
                + "----------------------------------------------------%n"
                + "BEGIN ANALYSIS%n"
                + "----------------------------------------------------");
-        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
-        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
-
-        //phase one initialize
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                try {
-                    final String msg = String.format("Initializing %s", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                    a.initialize();
-                } catch (Throwable ex) {
-                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
-                    try {
-                        a.close();
-                    } catch (Throwable ex1) {
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
-                    }
-                }
-            }
-        }
+        LOGGER.log(Level.FINE, logHeader);
+        LOGGER.log(Level.INFO, "Analysis Starting");

        // analysis phases
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);

            for (Analyzer a : analyzerList) {
+                initializeAnalyzer(a);
+
                /* need to create a copy of the collection because some of the
                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
                 * This is okay for adds/deletes because it happens per analyzer.
                 */
                final String msg = String.format("Begin Analyzer '%s'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                LOGGER.log(Level.FINE, msg);
                final Set<Dependency> dependencySet = new HashSet<Dependency>();
                dependencySet.addAll(dependencies);
                for (Dependency d : dependencySet) {
-                    if (a.supportsExtension(d.getFileExtension())) {
+                    boolean shouldAnalyze = true;
+                    if (a instanceof FileTypeAnalyzer) {
+                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
+                        shouldAnalyze = fAnalyzer.supportsExtension(d.getFileExtension());
+                    }
+                    if (shouldAnalyze) {
                        final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
+                        LOGGER.log(Level.FINE, msgFile);
                        try {
                            a.analyze(d, this);
                        } catch (AnalysisException ex) {
-                            final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            final String exMsg = String.format("An error occurred while analyzing '%s'.", d.getActualFilePath());
+                            LOGGER.log(Level.WARNING, exMsg);
+                            LOGGER.log(Level.FINE, "", ex);
                        } catch (Throwable ex) {
                            final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            LOGGER.log(Level.WARNING, axMsg);
+                            LOGGER.log(Level.FINE, "", ex);
                        }
                    }
                }
            }
        }
-
-        //close/cleanup
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);
+
            for (Analyzer a : analyzerList) {
-                final String msg = String.format("Closing Analyzer '%s'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                try {
-                    a.close();
-                } catch (Throwable ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
-                }
+                closeAnalyzer(a);
            }
        }

@@ -364,24 +384,61 @@ public class Engine {
                + "----------------------------------------------------%n"
                + "END ANALYSIS%n"
                + "----------------------------------------------------");
-        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
-        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
+        LOGGER.log(Level.FINE, logFooter);
+        LOGGER.log(Level.INFO, "Analysis Complete");
+    }
+
+    /**
+     * Initializes the given analyzer.
+     *
+     * @param analyzer the analyzer to initialize
+     */
+    private void initializeAnalyzer(Analyzer analyzer) {
+        try {
+            final String msg = String.format("Initializing %s", analyzer.getName());
+            LOGGER.log(Level.FINE, msg);
+            analyzer.initialize();
+        } catch (Throwable ex) {
+            final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            try {
+                analyzer.close();
+            } catch (Throwable ex1) {
+                LOGGER.log(Level.FINEST, null, ex1);
+            }
+        }
+    }
+
+    /**
+     * Closes the given analyzer.
+     *
+     * @param analyzer the analyzer to close
+     */
+    private void closeAnalyzer(Analyzer analyzer) {
+        final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
+        LOGGER.log(Level.FINE, msg);
+        try {
+            analyzer.close();
+        } catch (Throwable ex) {
+            LOGGER.log(Level.FINEST, null, ex);
+        }
    }

    /**
     * Cycles through the cached web data sources and calls update on all of them.
     */
    private void doUpdates() {
-        final UpdateService service = UpdateService.getInstance();
+        final UpdateService service = new UpdateService(serviceClassLoader);
        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
        while (iterator.hasNext()) {
            final CachedWebDataSource source = iterator.next();
            try {
                source.update();
            } catch (UpdateException ex) {
-                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
+                LOGGER.log(Level.WARNING,
                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE,
+                LOGGER.log(Level.FINE,
                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
            }
        }
@@ -411,15 +468,13 @@ public class Engine {
        if (ext == null) {
            return false;
        }
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                if (a.getSupportedExtensions() != null && a.supportsExtension(ext)) {
-                    return true;
-                }
-            }
+        boolean scan = false;
+        for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
+            /* note, we can't break early on this loop as the analyzers need to know if
+             they have files to work on prior to initialization */
+            scan |= a.supportsExtension(ext);
        }
-        return false;
+        return scan;
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -0,0 +1,994 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Steve Springett. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.agent;
+
+import java.io.File;
+import java.io.IOException;
+import java.util.List;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ScanAgentException;
+import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
+ * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
+ * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
+ * datasource and conduct a scan based on this pre-defined evidence.
+ *
+ * <h2>Example:</h2>
+ * <pre>
+ * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
+ * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
+ * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
+ * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
+ * dependencies.add(dependency);
+ *
+ * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
+ * scan.setDependencies(dependencies);
+ * scan.setReportFormat(ReportGenerator.Format.ALL);
+ * scan.setReportOutputDirectory(System.getProperty("user.home"));
+ * scan.execute();
+ * </pre>
+ *
+ * @author Steve Springett <steve.springett@owasp.org>
+ */
+@SuppressWarnings("unused")
+public class DependencyCheckScanAgent {
+
+    /**
+     * System specific new line character.
+     */
+    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyCheckScanAgent.class.getName());
+    /**
+     * The application name for the report.
+     */
+    private String applicationName = "Dependency-Check";
+
+    /**
+     * Get the value of applicationName.
+     *
+     * @return the value of applicationName
+     */
+    public String getApplicationName() {
+        return applicationName;
+    }
+
+    /**
+     * Set the value of applicationName.
+     *
+     * @param applicationName new value of applicationName
+     */
+    public void setApplicationName(String applicationName) {
+        this.applicationName = applicationName;
+    }
+
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+
+    /**
+     * Returns a list of pre-determined dependencies.
+     *
+     * @return returns a list of dependencies
+     */
+    public List<Dependency> getDependencies() {
+        return dependencies;
+    }
+
+    /**
+     * Sets the list of dependencies to scan.
+     *
+     * @param dependencies new value of dependencies
+     */
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+    }
+
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+
+    /**
+     * Get the value of dataDirectory.
+     *
+     * @return the value of dataDirectory
+     */
+    public String getDataDirectory() {
+        return dataDirectory;
+    }
+
+    /**
+     * Set the value of dataDirectory.
+     *
+     * @param dataDirectory new value of dataDirectory
+     */
+    public void setDataDirectory(String dataDirectory) {
+        this.dataDirectory = dataDirectory;
+    }
+
+    /**
+     * Specifies the destination directory for the generated Dependency-Check report.
+     */
+    private String reportOutputDirectory;
+
+    /**
+     * Get the value of reportOutputDirectory.
+     *
+     * @return the value of reportOutputDirectory
+     */
+    public String getReportOutputDirectory() {
+        return reportOutputDirectory;
+    }
+
+    /**
+     * Set the value of reportOutputDirectory.
+     *
+     * @param reportOutputDirectory new value of reportOutputDirectory
+     */
+    public void setReportOutputDirectory(String reportOutputDirectory) {
+        this.reportOutputDirectory = reportOutputDirectory;
+    }
+
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
+     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
+     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+
+    /**
+     * Get the value of failBuildOnCVSS.
+     *
+     * @return the value of failBuildOnCVSS
+     */
+    public float getFailBuildOnCVSS() {
+        return failBuildOnCVSS;
+    }
+
+    /**
+     * Set the value of failBuildOnCVSS.
+     *
+     * @param failBuildOnCVSS new value of failBuildOnCVSS
+     */
+    public void setFailBuildOnCVSS(float failBuildOnCVSS) {
+        this.failBuildOnCVSS = failBuildOnCVSS;
+    }
+
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
+     * false. Default is true.
+     */
+    private boolean autoUpdate = true;
+
+    /**
+     * Get the value of autoUpdate.
+     *
+     * @return the value of autoUpdate
+     */
+    public boolean isAutoUpdate() {
+        return autoUpdate;
+    }
+
+    /**
+     * Set the value of autoUpdate.
+     *
+     * @param autoUpdate new value of autoUpdate
+     */
+    public void setAutoUpdate(boolean autoUpdate) {
+        this.autoUpdate = autoUpdate;
+    }
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
+     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+
+    /**
+     * Get the value of reportFormat.
+     *
+     * @return the value of reportFormat
+     */
+    public ReportGenerator.Format getReportFormat() {
+        return reportFormat;
+    }
+
+    /**
+     * Set the value of reportFormat.
+     *
+     * @param reportFormat new value of reportFormat
+     */
+    public void setReportFormat(ReportGenerator.Format reportFormat) {
+        this.reportFormat = reportFormat;
+    }
+
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     */
+    public String getProxyServer() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyServer new value of proxyServer
+     */
+    public void setProxyServer(String proxyServer) {
+        this.proxyServer = proxyServer;
+    }
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
+     */
+    @Deprecated
+    public String getProxyUrl() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyUrl new value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
+     * } instead
+     */
+    @Deprecated
+    public void setProxyUrl(String proxyUrl) {
+        this.proxyServer = proxyUrl;
+    }
+
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+
+    /**
+     * Get the value of proxyPort.
+     *
+     * @return the value of proxyPort
+     */
+    public String getProxyPort() {
+        return proxyPort;
+    }
+
+    /**
+     * Set the value of proxyPort.
+     *
+     * @param proxyPort new value of proxyPort
+     */
+    public void setProxyPort(String proxyPort) {
+        this.proxyPort = proxyPort;
+    }
+
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+
+    /**
+     * Get the value of proxyUsername.
+     *
+     * @return the value of proxyUsername
+     */
+    public String getProxyUsername() {
+        return proxyUsername;
+    }
+
+    /**
+     * Set the value of proxyUsername.
+     *
+     * @param proxyUsername new value of proxyUsername
+     */
+    public void setProxyUsername(String proxyUsername) {
+        this.proxyUsername = proxyUsername;
+    }
+
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+
+    /**
+     * Get the value of proxyPassword.
+     *
+     * @return the value of proxyPassword
+     */
+    public String getProxyPassword() {
+        return proxyPassword;
+    }
+
+    /**
+     * Set the value of proxyPassword.
+     *
+     * @param proxyPassword new value of proxyPassword
+     */
+    public void setProxyPassword(String proxyPassword) {
+        this.proxyPassword = proxyPassword;
+    }
+
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+
+    /**
+     * Get the value of connectionTimeout.
+     *
+     * @return the value of connectionTimeout
+     */
+    public String getConnectionTimeout() {
+        return connectionTimeout;
+    }
+
+    /**
+     * Set the value of connectionTimeout.
+     *
+     * @param connectionTimeout new value of connectionTimeout
+     */
+    public void setConnectionTimeout(String connectionTimeout) {
+        this.connectionTimeout = connectionTimeout;
+    }
+
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+
+    /**
+     * Get the value of logFile.
+     *
+     * @return the value of logFile
+     */
+    public String getLogFile() {
+        return logFile;
+    }
+
+    /**
+     * Set the value of logFile.
+     *
+     * @param logFile new value of logFile
+     */
+    public void setLogFile(String logFile) {
+        this.logFile = logFile;
+    }
+
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+
+    /**
+     * Get the value of suppressionFile.
+     *
+     * @return the value of suppressionFile
+     */
+    public String getSuppressionFile() {
+        return suppressionFile;
+    }
+
+    /**
+     * Set the value of suppressionFile.
+     *
+     * @param suppressionFile new value of suppressionFile
+     */
+    public void setSuppressionFile(String suppressionFile) {
+        this.suppressionFile = suppressionFile;
+    }
+
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+
+    /**
+     * Get the value of showSummary.
+     *
+     * @return the value of showSummary
+     */
+    public boolean isShowSummary() {
+        return showSummary;
+    }
+
+    /**
+     * Set the value of showSummary.
+     *
+     * @param showSummary new value of showSummary
+     */
+    public void setShowSummary(boolean showSummary) {
+        this.showSummary = showSummary;
+    }
+
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+
+    /**
+     * Get the value of nexusAnalyzerEnabled.
+     *
+     * @return the value of nexusAnalyzerEnabled
+     */
+    public boolean isNexusAnalyzerEnabled() {
+        return nexusAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of nexusAnalyzerEnabled.
+     *
+     * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
+     */
+    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
+    }
+
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+
+    /**
+     * Get the value of nexusUrl.
+     *
+     * @return the value of nexusUrl
+     */
+    public String getNexusUrl() {
+        return nexusUrl;
+    }
+
+    /**
+     * Set the value of nexusUrl.
+     *
+     * @param nexusUrl new value of nexusUrl
+     */
+    public void setNexusUrl(String nexusUrl) {
+        this.nexusUrl = nexusUrl;
+    }
+
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+
+    /**
+     * Get the value of nexusUsesProxy.
+     *
+     * @return the value of nexusUsesProxy
+     */
+    public boolean isNexusUsesProxy() {
+        return nexusUsesProxy;
+    }
+
+    /**
+     * Set the value of nexusUsesProxy.
+     *
+     * @param nexusUsesProxy new value of nexusUsesProxy
+     */
+    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+        this.nexusUsesProxy = nexusUsesProxy;
+    }
+
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+
+    /**
+     * Get the value of databaseDriverName.
+     *
+     * @return the value of databaseDriverName
+     */
+    public String getDatabaseDriverName() {
+        return databaseDriverName;
+    }
+
+    /**
+     * Set the value of databaseDriverName.
+     *
+     * @param databaseDriverName new value of databaseDriverName
+     */
+    public void setDatabaseDriverName(String databaseDriverName) {
+        this.databaseDriverName = databaseDriverName;
+    }
+
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+
+    /**
+     * Get the value of databaseDriverPath.
+     *
+     * @return the value of databaseDriverPath
+     */
+    public String getDatabaseDriverPath() {
+        return databaseDriverPath;
+    }
+
+    /**
+     * Set the value of databaseDriverPath.
+     *
+     * @param databaseDriverPath new value of databaseDriverPath
+     */
+    public void setDatabaseDriverPath(String databaseDriverPath) {
+        this.databaseDriverPath = databaseDriverPath;
+    }
+
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+
+    /**
+     * Get the value of connectionString.
+     *
+     * @return the value of connectionString
+     */
+    public String getConnectionString() {
+        return connectionString;
+    }
+
+    /**
+     * Set the value of connectionString.
+     *
+     * @param connectionString new value of connectionString
+     */
+    public void setConnectionString(String connectionString) {
+        this.connectionString = connectionString;
+    }
+
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+
+    /**
+     * Get the value of databaseUser.
+     *
+     * @return the value of databaseUser
+     */
+    public String getDatabaseUser() {
+        return databaseUser;
+    }
+
+    /**
+     * Set the value of databaseUser.
+     *
+     * @param databaseUser new value of databaseUser
+     */
+    public void setDatabaseUser(String databaseUser) {
+        this.databaseUser = databaseUser;
+    }
+
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+
+    /**
+     * Get the value of databasePassword.
+     *
+     * @return the value of databasePassword
+     */
+    public String getDatabasePassword() {
+        return databasePassword;
+    }
+
+    /**
+     * Set the value of databasePassword.
+     *
+     * @param databasePassword new value of databasePassword
+     */
+    public void setDatabasePassword(String databasePassword) {
+        this.databasePassword = databasePassword;
+    }
+
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
+     * like ZIP files.
+     */
+    private String zipExtensions;
+
+    /**
+     * Get the value of zipExtensions.
+     *
+     * @return the value of zipExtensions
+     */
+    public String getZipExtensions() {
+        return zipExtensions;
+    }
+
+    /**
+     * Set the value of zipExtensions.
+     *
+     * @param zipExtensions new value of zipExtensions
+     */
+    public void setZipExtensions(String zipExtensions) {
+        this.zipExtensions = zipExtensions;
+    }
+
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+
+    /**
+     * Get the value of cveUrl12Modified.
+     *
+     * @return the value of cveUrl12Modified
+     */
+    public String getCveUrl12Modified() {
+        return cveUrl12Modified;
+    }
+
+    /**
+     * Set the value of cveUrl12Modified.
+     *
+     * @param cveUrl12Modified new value of cveUrl12Modified
+     */
+    public void setCveUrl12Modified(String cveUrl12Modified) {
+        this.cveUrl12Modified = cveUrl12Modified;
+    }
+
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
+    /**
+     * Get the value of cveUrl20Modified.
+     *
+     * @return the value of cveUrl20Modified
+     */
+    public String getCveUrl20Modified() {
+        return cveUrl20Modified;
+    }
+
+    /**
+     * Set the value of cveUrl20Modified.
+     *
+     * @param cveUrl20Modified new value of cveUrl20Modified
+     */
+    public void setCveUrl20Modified(String cveUrl20Modified) {
+        this.cveUrl20Modified = cveUrl20Modified;
+    }
+
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+
+    /**
+     * Get the value of cveUrl12Base.
+     *
+     * @return the value of cveUrl12Base
+     */
+    public String getCveUrl12Base() {
+        return cveUrl12Base;
+    }
+
+    /**
+     * Set the value of cveUrl12Base.
+     *
+     * @param cveUrl12Base new value of cveUrl12Base
+     */
+    public void setCveUrl12Base(String cveUrl12Base) {
+        this.cveUrl12Base = cveUrl12Base;
+    }
+
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+
+    /**
+     * Get the value of cveUrl20Base.
+     *
+     * @return the value of cveUrl20Base
+     */
+    public String getCveUrl20Base() {
+        return cveUrl20Base;
+    }
+
+    /**
+     * Set the value of cveUrl20Base.
+     *
+     * @param cveUrl20Base new value of cveUrl20Base
+     */
+    public void setCveUrl20Base(String cveUrl20Base) {
+        this.cveUrl20Base = cveUrl20Base;
+    }
+
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * Get the value of pathToMono.
+     *
+     * @return the value of pathToMono
+     */
+    public String getPathToMono() {
+        return pathToMono;
+    }
+
+    /**
+     * Set the value of pathToMono.
+     *
+     * @param pathToMono new value of pathToMono
+     */
+    public void setPathToMono(String pathToMono) {
+        this.pathToMono = pathToMono;
+    }
+
+    /**
+     * Executes the Dependency-Check on the dependent libraries.
+     *
+     * @return the Engine used to scan the dependencies.
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
+     * database
+     */
+    private Engine executeDependencyCheck() throws DatabaseException {
+        populateSettings();
+        Engine engine = null;
+        engine = new Engine();
+        engine.setDependencies(this.dependencies);
+        engine.analyzeDependencies();
+        return engine;
+    }
+
+    /**
+     * Generates the reports for a given dependency-check engine.
+     *
+     * @param engine a dependency-check engine
+     * @param outDirectory the directory to write the reports to
+     */
+    private void generateExternalReports(Engine engine, File outDirectory) {
+        DatabaseProperties prop = null;
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            prop = cve.getDatabaseProperties();
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+        final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+        try {
+            r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
+        } catch (IOException ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
+        } catch (Throwable ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
+        }
+    }
+
+    /**
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
+     * properties required to change the proxy server, port, and connection timeout.
+     */
+    private void populateSettings() {
+        Settings.initialize();
+        if (dataDirectory != null) {
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else {
+            final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        }
+        if (proxyPort != null && !proxyPort.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        }
+        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        }
+        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        }
+        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        }
+        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        }
+        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        }
+        if (connectionString != null && !connectionString.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        }
+        if (databaseUser != null && !databaseUser.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
+        }
+        if (databasePassword != null && !databasePassword.isEmpty()) {
+            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
+        }
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        }
+        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        }
+        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        }
+        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
+            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        }
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+    }
+
+    /**
+     * Executes the dependency-check and generates the report.
+     *
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    public void execute() throws ScanAgentException {
+        Engine engine = null;
+        try {
+            engine = executeDependencyCheck();
+            generateExternalReports(engine, new File(this.reportOutputDirectory));
+            if (this.showSummary) {
+                showSummary(engine.getDependencies());
+            }
+            if (this.failBuildOnCVSS <= 10) {
+                checkForFailure(engine.getDependencies());
+            }
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.SEVERE,
+                    "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            Settings.cleanup(true);
+            if (engine != null) {
+                engine.cleanup();
+            }
+        }
+    }
+
+    /**
+     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
+     * configuration.
+     *
+     * @param dependencies the list of dependency objects
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
+     * scan.
+     */
+    private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
+        final StringBuilder ids = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean addName = true;
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (v.getCvssScore() >= failBuildOnCVSS) {
+                    if (addName) {
+                        addName = false;
+                        ids.append(NEW_LINE).append(d.getFileName()).append(": ");
+                        ids.append(v.getName());
+                    } else {
+                        ids.append(", ").append(v.getName());
+                    }
+                }
+            }
+        }
+        if (ids.length() > 0) {
+            final String msg = String.format("%n%nDependency-Check Failure:%n"
+                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
+                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+
+            throw new ScanAgentException(msg);
+        }
+    }
+
+    /**
+     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     *
+     * @param dependencies a list of dependency objects
+     */
+    private void showSummary(List<Dependency> dependencies) {
+        final StringBuilder summary = new StringBuilder();
+        for (Dependency d : dependencies) {
+            boolean firstEntry = true;
+            final StringBuilder ids = new StringBuilder();
+            for (Vulnerability v : d.getVulnerabilities()) {
+                if (firstEntry) {
+                    firstEntry = false;
+                } else {
+                    ids.append(", ");
+                }
+                ids.append(v.getName());
+            }
+            if (ids.length() > 0) {
+                summary.append(d.getFileName()).append(" (");
+                firstEntry = true;
+                for (Identifier id : d.getIdentifiers()) {
+                    if (firstEntry) {
+                        firstEntry = false;
+                    } else {
+                        summary.append(", ");
+                    }
+                    summary.append(id.getValue());
+                }
+                summary.append(") : ").append(ids).append(NEW_LINE);
+            }
+        }
+        if (summary.length() > 0) {
+            final String msg = String.format("%n%n"
+                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
+                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
@@ -0,0 +1,13 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.agent</title>
+ * </head>
+ * <body>
+ * The agent package holds an agent API that can be used by other applications that have information about dependencies;
+ * but would rather implement something in their code directly rather then spawn a process to run the entire
+ * dependency-check engine. This basically provides programmatic access to running a scan.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.agent;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
@@ -17,33 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public abstract class AbstractAnalyzer implements Analyzer {

-    /**
-     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
-     * final static declaration.<br/><br/>
-     *
-     * This implementation was copied from
-     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
-     *
-     * @param strings a list of strings to add to the set.
-     * @return a Set of strings.
-     */
-    protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
-
-        Collections.addAll(set, strings);
-        return set;
-    }
-
    /**
     * The initialize method does nothing for this Analyzer.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -0,0 +1,229 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constructor">
+    /**
+     * Base constructor that all children must call. This checks the configuration to determine if the analyzer is
+     * enabled.
+     */
+    public AbstractFileTypeAnalyzer() {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            enabled = Settings.getBoolean(key, true);
+        } catch (InvalidSettingException ex) {
+            String msg = String.format("Invalid setting for property '%s'", key);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            msg = String.format("%s has been disabled", getName());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Field definitions">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractFileTypeAnalyzer.class.getName());
+    /**
+     * Whether the file type analyzer detected any files it needs to analyze.
+     */
+    private boolean filesMatched = false;
+
+    /**
+     * Get the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @return the value of filesMatched
+     */
+    protected boolean isFilesMatched() {
+        return filesMatched;
+    }
+
+    /**
+     * Set the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @param filesMatched new value of filesMatched
+     */
+    protected void setFilesMatched(boolean filesMatched) {
+        this.filesMatched = filesMatched;
+    }
+
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private boolean enabled = true;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
+    /**
+     * <p>
+     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
+     * getSupportedExtensions function would return a set with a single element "jar".</p>
+     *
+     * <p>
+     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
+     *
+     * @return The file extensions supported by this analyzer.
+     *
+     * <p>
+     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
+     * file loaded</p>
+     */
+    protected abstract Set<String> getSupportedExtensions();
+
+    /**
+     * Initializes the file type analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    protected abstract void initializeFileTypeAnalyzer() throws Exception;
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+//</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
+    /**
+     * Initializes the analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    @Override
+    public final void initialize() throws Exception {
+        if (filesMatched) {
+            initializeFileTypeAnalyzer();
+        } else {
+            enabled = false;
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (enabled) {
+            analyzeFileType(dependency, engine);
+        }
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    @Override
+    public final boolean supportsExtension(String extension) {
+        if (!enabled) {
+            return false;
+        }
+        final Set<String> ext = getSupportedExtensions();
+        if (ext == null) {
+            final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+                    + " it will be disabled", getName());
+            LOGGER.log(Level.SEVERE, msg);
+            return false;
+        } else {
+            final boolean match = ext.contains(extension);
+            if (match) {
+                filesMatched = match;
+            }
+            return match;
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
+    /**
+     * <p>
+     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
+     * final static declaration.</p>
+     *
+     * <p>
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
+     *
+     * @param strings a list of strings to add to the set.
+     * @return a Set of strings.
+     */
+    protected static Set<String> newHashSet(String... strings) {
+        final Set<String> set = new HashSet<String>();
+
+        Collections.addAll(set, strings);
+        return set;
+    }
+//</editor-fold>
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;

 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
@@ -41,6 +42,11 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {

+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractSuppressionAnalyzer.class.getName());
+
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -51,17 +57,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        return null;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    //</editor-fold>
    /**
     * The initialize method loads the suppression XML file.
@@ -73,6 +68,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        super.initialize();
        loadSuppressionData();
    }
+
    /**
     * The list of suppression rules
     */
@@ -102,11 +98,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     * @throws SuppressionParseException thrown if the XML cannot be parsed.
     */
    private void loadSuppressionData() throws SuppressionParseException {
+        final SuppressionParser parser = new SuppressionParser();
+        File file = null;
+        try {
+            rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
+        } catch (SuppressionParseException ex) {
+            LOGGER.log(Level.FINE, "Unable to parse the base suppression data file", ex);
+        }
        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
        if (suppressionFilePath == null) {
            return;
        }
-        File file = null;
        boolean deleteTempFile = false;
        try {
            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -119,39 +121,58 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
                } catch (DownloadFailedException ex) {
                    Downloader.fetchFile(url, file, true);
                }
+            } else {
+                file = new File(suppressionFilePath);
+                if (!file.exists()) {
+                    final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
+                    if (suppressionsFromClasspath != null) {
+                        deleteTempFile = true;
+                        file = FileUtils.getTempFile("suppression", "xml");
+                        try {
+                            org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
+                        } catch (IOException ex) {
+                            throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
+                        }
+                    }
+                }
            }

            if (file != null) {
-                final SuppressionParser parser = new SuppressionParser();
                try {
-                    rules = parser.parseSuppressionRules(file);
+                    //rules = parser.parseSuppressionRules(file);
+                    rules.addAll(parser.parseSuppressionRules(file));
+                    LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
                } catch (SuppressionParseException ex) {
                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.WARNING, msg);
+                    LOGGER.log(Level.WARNING, ex.getMessage());
+                    LOGGER.log(Level.FINE, "", ex);
                    throw ex;
                }
            }
        } catch (DownloadFailedException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Unable to fetch the configured suppression file");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
+            throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
        } catch (MalformedURLException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Configured suppression file has an invalid URL");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
+            throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
        } catch (IOException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Unable to create temp file for suppressions");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
+            throwSuppressionParseException("Unable to create temp file for suppressions", ex);
        } finally {
            if (deleteTempFile && file != null) {
                FileUtils.delete(file);
            }
        }
    }
+
+    /**
+     * Utility method to throw parse exceptions.
+     *
+     * @param message the exception message
+     * @param exception the cause of the exception
+     * @throws SuppressionParseException throws the generated SuppressionParseException
+     */
+    private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
+        LOGGER.log(Level.WARNING, message);
+        LOGGER.log(Level.FINE, "", exception);
+        throw new SuppressionParseException(message, exception);
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
@@ -17,9 +17,8 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;

 /**
@@ -42,22 +41,6 @@ public interface Analyzer {
     */
    void analyze(Dependency dependency, Engine engine) throws AnalysisException;

-    /**
-     * <p>
-     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
-     * getSupportedExtensions function would return a set with a single element "jar".</p>
-     *
-     * <p>
-     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
-     *
-     * @return The file extensions supported by this analyzer.
-     *
-     * <p>
-     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
-     * file loaded</p>
-     */
-    Set<String> getSupportedExtensions();
-
    /**
     * Returns the name of the analyzer.
     *
@@ -65,14 +48,6 @@ public interface Analyzer {
     */
    String getName();

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    boolean supportsExtension(String extension);
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -21,15 +21,13 @@ import java.util.Iterator;
 import java.util.ServiceLoader;

 /**
+ * The Analyzer Service Loader. This class loads all services that implement
+ * org.owasp.dependencycheck.analyzer.Analyzer.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class AnalyzerService {
+public class AnalyzerService {

-    /**
-     * The analyzer service singleton.
-     */
-    private static AnalyzerService service;
    /**
     * The service loader for analyzers.
     */
@@ -37,21 +35,11 @@ public final class AnalyzerService {

    /**
     * Creates a new instance of AnalyzerService.
-     */
-    private AnalyzerService() {
-        loader = ServiceLoader.load(Analyzer.class);
-    }
-
-    /**
-     * Retrieve the singleton instance of AnalyzerService.
     *
-     * @return a singleton AnalyzerService.
+     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
-    public static synchronized AnalyzerService getInstance() {
-        if (service == null) {
-            service = new AnalyzerService();
-        }
-        return service;
+    public AnalyzerService(ClassLoader classLoader) {
+        loader = ServiceLoader.load(Analyzer.class, classLoader);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -35,7 +36,9 @@ import java.util.logging.Logger;
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.ArchiveInputStream;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
@@ -53,8 +56,12 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ArchiveAnalyzer.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -75,6 +82,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * Tracks the current scan/extraction depth for nested archives.
     */
    private int scanDepth = 0;
+
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
@@ -87,13 +95,18 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
    /**
     * The set of things we can handle with Zip methods
     */
-    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
+    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
    /**
     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
     * to be explicitly handled in extractFiles().
     */
    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");

+    /**
+     * The set of file extensions to remove from the engine's collection of dependencies.
+     */
+    private static final Set<String> REMOVE_FROM_ANALYSIS = newHashSet("zip", "tar", "gz", "tgz"); //TODO add nupkg, apk, sar?
+
    static {
        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
        if (additionalZipExt != null) {
@@ -108,6 +121,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
+    @Override
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
@@ -117,44 +131,40 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ARCHIVE_ENABLED;
+    }
+
    /**
     * The initialize method does nothing for this Analyzer.
     *
     * @throws Exception is thrown if there is an exception deleting or creating temporary files
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File baseDir = Settings.getTempDirectory();
-        if (!baseDir.exists()) {
-            if (!baseDir.mkdirs()) {
-                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
-                throw new AnalysisException(msg);
-            }
-        }
        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
        if (!tempFileLocation.delete()) {
            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -174,11 +184,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
    @Override
    public void close() throws Exception {
        if (tempFileLocation != null && tempFileLocation.exists()) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING,
-                        "Failed to delete some temporary files, see the log for more details");
+            if (!success && tempFileLocation != null & tempFileLocation.exists()) {
+                LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
            }
        }
    }
@@ -192,15 +201,15 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException thrown if there is an analysis exception
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        final File f = new File(dependency.getActualFilePath());
        final File tmpDir = getNextTempDirectory();
        extractFiles(f, tmpDir, engine);

        //make a copy
-        final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
+        List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
        engine.scan(tmpDir);
-        final List<Dependency> newDependencies = engine.getDependencies();
+        List<Dependency> newDependencies = engine.getDependencies();
        if (dependencies.size() != newDependencies.size()) {
            //get the new dependencies
            final Set<Dependency> dependencySet = new HashSet<Dependency>();
@@ -228,6 +237,40 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                }
            }
        }
+        if (this.REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
+            if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
+                final File tdir = getNextTempDirectory();
+                final String fileName = dependency.getFileName();
+
+                LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a deep copy and analyzing it as a JAR.", fileName));
+
+                final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+                try {
+                    org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
+                    dependencies = new ArrayList<Dependency>(engine.getDependencies());
+                    engine.scan(tmpLoc);
+                    newDependencies = engine.getDependencies();
+                    if (dependencies.size() != newDependencies.size()) {
+                        //get the new dependencies
+                        final Set<Dependency> dependencySet = new HashSet<Dependency>();
+                        dependencySet.addAll(newDependencies);
+                        dependencySet.removeAll(dependencies);
+                        if (dependencySet.size() != 1) {
+                            LOGGER.info("Deep copy of ZIP to JAR file resulted in more then one dependency?");
+                        }
+                        for (Dependency d : dependencySet) {
+                            //fix the dependency's display name and path
+                            d.setFilePath(dependency.getFilePath());
+                            d.setDisplayFileName(dependency.getFileName());
+                        }
+                    }
+                } catch (IOException ex) {
+                    final String msg = String.format("Unable to perform deep copy on '%s'", dependency.getActualFile().getPath());
+                    LOGGER.log(Level.FINE, msg, ex);
+                }
+            }
+            engine.getDependencies().remove(dependency);
+        }
        Collections.sort(engine.getDependencies());
    }

@@ -268,7 +311,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
        try {
            fis = new FileInputStream(archive);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new AnalysisException("Archive file was not found.", ex);
        }
        final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
@@ -286,17 +329,17 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
            }
        } catch (ArchiveExtractionException ex) {
            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            try {
                fis.close();
            } catch (IOException ex) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
@@ -344,13 +387,11 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                            }
                            bos.flush();
                        } catch (FileNotFoundException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class
-                                    .getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("Unable to find file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } catch (IOException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class
-                                    .getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } finally {
@@ -358,8 +399,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                                try {
                                    bos.close();
                                } catch (IOException ex) {
-                                    Logger.getLogger(ArchiveAnalyzer.class
-                                            .getName()).log(Level.FINEST, null, ex);
+                                    LOGGER.log(Level.FINEST, null, ex);
                                }
                            }
                        }
@@ -375,7 +415,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                try {
                    input.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -398,19 +438,53 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                out.write(buffer, 0, n);
            }
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ArchiveExtractionException(ex);
        } catch (IOException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ArchiveExtractionException(ex);
        } finally {
            if (out != null) {
                try {
                    out.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
    }
+
+    /**
+     * Attempts to determine if a zip file is actually a JAR file.
+     *
+     * @param dependency the dependency to check
+     * @return true if the dependency appears to be a JAR file; otherwise false
+     */
+    private boolean isZipFileActuallyJarFile(Dependency dependency) {
+        boolean isJar = false;
+        ZipFile zip = null;
+        try {
+            zip = new ZipFile(dependency.getActualFilePath());
+            if (zip.getEntry("META-INF/MANIFEST.MF") != null
+                    || zip.getEntry("META-INF/maven") != null) {
+                final Enumeration<ZipArchiveEntry> entries = zip.getEntries();
+                while (entries.hasMoreElements()) {
+                    final ZipArchiveEntry entry = entries.nextElement();
+                    if (!entry.isDirectory()) {
+                        final String name = entry.getName().toLowerCase();
+                        if (name.endsWith(".class")) {
+                            isJar = true;
+                            break;
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, String.format("Unable to unzip zip file '%s'", dependency.getFilePath()), ex);
+        } finally {
+            ZipFile.closeQuietly(zip);
+        }
+
+        return isJar;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -17,10 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -46,7 +48,7 @@ import org.xml.sax.SAXException;
 * @author colezlaw
 *
 */
-public class AssemblyAnalyzer extends AbstractAnalyzer {
+public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {

    /**
     * The analyzer name
@@ -59,11 +61,11 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * The list of supported extensions
     */
-    private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
    /**
     * The temp value for GrokAssembly.exe
     */
-    private File grokAssemblyExe;
+    private File grokAssemblyExe = null;
    /**
     * The DocumentBuilder for parsing the XML
     */
@@ -71,7 +73,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * Logger
     */
-    private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzer.class.getName(), "dependencycheck-resources");

    /**
     * Builds the beginnings of a List for ProcessBuilder
@@ -101,19 +103,41 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException if anything goes sideways
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine)
+    public void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        if (grokAssemblyExe == null) {
-            LOG.warning("GrokAssembly didn't get deployed");
+            LOGGER.warning("analyzer.AssemblyAnalyzer.notdeployed");
            return;
        }

        final List<String> args = buildArgumentList();
        args.add(dependency.getActualFilePath());
        final ProcessBuilder pb = new ProcessBuilder(args);
+        BufferedReader rdr = null;
+        Document doc = null;
        try {
            final Process proc = pb.start();
-            final Document doc = builder.parse(proc.getInputStream());
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
+            String line = null;
+            while (rdr.ready() && (line = rdr.readLine()) != null) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
+            }
+            int rc = 0;
+            doc = builder.parse(proc.getInputStream());
+
+            try {
+                rc = proc.waitFor();
+            } catch (InterruptedException ie) {
+                return;
+            }
+            if (rc == 3) {
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.notassembly", dependency.getActualFilePath());
+                return;
+            } else if (rc != 0) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.rc", rc);
+            }
+
            final XPath xpath = XPathFactory.newInstance().newXPath();

            // First, see if there was an error
@@ -147,6 +171,14 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
        } catch (XPathExpressionException xpe) {
            // This shouldn't happen
            throw new AnalysisException(xpe);
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
        }
    }

@@ -156,8 +188,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     * @throws Exception if anything goes wrong
     */
    @Override
-    public void initialize() throws Exception {
-        super.initialize();
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
        FileOutputStream fos = null;
        InputStream is = null;
@@ -172,47 +203,67 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
            grokAssemblyExe = tempFile;
            // Set the temp file to get deleted when we're done
            grokAssemblyExe.deleteOnExit();
-            LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
+            LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
        } catch (IOException ioe) {
-            LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
+            this.setEnabled(false);
+            LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
        } finally {
            if (fos != null) {
                try {
                    fos.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing output stream");
+                    LOGGER.fine("Error closing output stream");
                }
            }
            if (is != null) {
                try {
                    is.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing input stream");
+                    LOGGER.fine("Error closing input stream");
                }
            }
        }

        // Now, need to see if GrokAssembly actually runs from this location.
        final List<String> args = buildArgumentList();
+        BufferedReader rdr = null;
        try {
-            final Process p = new ProcessBuilder(args).start();
+            final ProcessBuilder pb = new ProcessBuilder(args);
+            final Process p = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            while (rdr.ready() && rdr.readLine() != null) {
+                // We expect this to complain
+            }
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
            if (p.waitFor() != 1 || error == null || "".equals(error)) {
-                LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
-                LOG.fine("GrokAssembly.exe is not working properly");
+                LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
+                LOGGER.fine("GrokAssembly.exe is not working properly");
                grokAssemblyExe = null;
+                this.setEnabled(false);
                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (Throwable e) {
-            LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
-                    + "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
-            LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
-            throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            if (e instanceof AnalysisException) {
+                throw (AnalysisException) e;
+            } else {
+                LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
+                this.setEnabled(false);
+                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            }
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
        }
-
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

@@ -220,9 +271,11 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    public void close() throws Exception {
        super.close();
        try {
-            grokAssemblyExe.delete();
+            if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                grokAssemblyExe.deleteOnExit();
+            }
        } catch (SecurityException se) {
-            LOG.fine("Can't delete temporary GrokAssembly.exe");
+            LOGGER.fine("analyzer.AssemblyAnalyzer.grokassembly.notdeleted");
        }
    }

@@ -233,7 +286,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     */
    @Override
    public Set<String> getSupportedExtensions() {
-        return SUPORTED_EXTENSIONS;
+        return SUPPORTED_EXTENSIONS;
    }

    /**
@@ -246,17 +299,6 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Gets whether the analyzer supports the provided extension.
-     *
-     * @param extension the extension to check
-     * @return whether the analyzer supports the extension
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase this analyzer runs under.
     *
@@ -266,4 +308,14 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -58,6 +58,10 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 */
 public class CPEAnalyzer implements Analyzer {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CPEAnalyzer.class.getName());
    /**
     * The maximum number of query results to return.
     */
@@ -87,6 +91,41 @@ public class CPEAnalyzer implements Analyzer {
     */
    private CveDB cve;

+    /**
+     * The URL to perform a search of the NVD CVE data at NIST.
+     */
+    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
+
+    /**
+     * Returns the name of this analyzer.
+     *
+     * @return the name of this analyzer.
+     */
+    @Override
+    public String getName() {
+        return "CPE Analyzer";
+    }
+
+    /**
+     * Returns the analysis phase that this analyzer should run in.
+     *
+     * @return the analysis phase that this analyzer should run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.IDENTIFIER_ANALYSIS;
+    }
+
+    /**
+     * Creates the CPE Lucene Index.
+     *
+     * @throws Exception is thrown if there is an issue opening the index.
+     */
+    @Override
+    public void initialize() throws Exception {
+        this.open();
+    }
+
    /**
     * Opens the data source.
     *
@@ -95,15 +134,15 @@ public class CPEAnalyzer implements Analyzer {
     * by another process.
     */
    public void open() throws IOException, DatabaseException {
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
+        LOGGER.log(Level.FINE, "Opening the CVE Database");
        cve = new CveDB();
        cve.open();
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
+        LOGGER.log(Level.FINE, "Creating the Lucene CPE Index");
        cpe = CpeMemoryIndex.getInstance();
        try {
            cpe.open(cve);
        } catch (IndexException ex) {
-            Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
+            LOGGER.log(Level.FINE, "IndexException", ex);
            throw new DatabaseException(ex);
        }
    }
@@ -461,57 +500,6 @@ public class CPEAnalyzer implements Analyzer {
        }
    }

-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    @Override
-    public Set<String> getSupportedExtensions() {
-        return null;
-    }
-
-    /**
-     * Returns the name of this analyzer.
-     *
-     * @return the name of this analyzer.
-     */
-    @Override
-    public String getName() {
-        return "CPE Analyzer";
-    }
-
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
-    /**
-     * Returns the analysis phase that this analyzer should run in.
-     *
-     * @return the analysis phase that this analyzer should run in.
-     */
-    @Override
-    public AnalysisPhase getAnalysisPhase() {
-        return AnalysisPhase.IDENTIFIER_ANALYSIS;
-    }
-
-    /**
-     * Opens the CPE Lucene Index.
-     *
-     * @throws Exception is thrown if there is an issue opening the index.
-     */
-    @Override
-    public void initialize() throws Exception {
-        this.open();
-    }
-
    /**
     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
@@ -542,7 +530,8 @@ public class CPEAnalyzer implements Analyzer {
                    }
                    if (dbVer == null //special case, no version specified - everything is vulnerable
                            || evVer.equals(dbVer)) { //yeah! exact match
-                        final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                        collected.add(match);
                    } else {
@@ -567,7 +556,7 @@ public class CPEAnalyzer implements Analyzer {
            }
        }
        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
-        final String url = null; //String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(cpeName, "UTF-8"));
+        final String url = null;
        if (bestGuessConf == null) {
            bestGuessConf = Confidence.LOW;
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
 */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -17,7 +17,6 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -28,6 +27,7 @@ import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -46,6 +46,11 @@ import org.owasp.dependencycheck.utils.LogUtils;
 */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyBundlingAnalyzer.class.getName());
+
    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
    /**
     * A pattern for obtaining the first part of a filename.
@@ -57,10 +62,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    private boolean analyzed = false;
    //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
    /**
     * The name of the analyzer.
     */
@@ -70,15 +71,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;

-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
    /**
     * Returns the name of the analyzer.
     *
@@ -88,16 +80,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -129,18 +111,18 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                    while (subIterator.hasNext()) {
                        final Dependency nextDependency = subIterator.next();
-                        if (isShadedJar(dependency, nextDependency)) {
-                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
-                                dependenciesToRemove.add(dependency);
-                            } else {
-                                dependenciesToRemove.add(nextDependency);
-                            }
-                        } else if (hashesMatch(dependency, nextDependency)) {
+                        if (hashesMatch(dependency, nextDependency)) {
                            if (isCore(dependency, nextDependency)) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
                            }
+                        } else if (isShadedJar(dependency, nextDependency)) {
+                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
+                                dependenciesToRemove.add(dependency);
+                            } else {
+                                dependenciesToRemove.add(nextDependency);
+                            }
                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                && hasSameBasePath(dependency, nextDependency)
                                && fileNameMatch(dependency, nextDependency)) {
@@ -293,7 +275,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        if (LogUtils.isVerboseLoggingEnabled()) {
            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
-            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+            LOGGER.log(Level.FINE, msg);
        }
        return matches;
    }
@@ -364,13 +346,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             * be shorter:
             * axis2-saaj-1.4.1.jar
             * axis2-1.4.1.jar       <-----
-             * axis2-kernal-1.4.1.jar
+             * axis2-kernel-1.4.1.jar
             */
            returnVal = leftName.length() <= rightName.length();
        }
        if (LogUtils.isVerboseLoggingEnabled()) {
            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
-            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+            LOGGER.log(Level.FINE, msg);
        }
        return returnVal;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -42,11 +42,11 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
-     * The set of file extensions supported by this analyzer.
+     * The Logger.
     */
-    private static final Set<String> EXTENSIONS = null;
+    private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -56,15 +56,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;

-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
    /**
     * Returns the name of the analyzer.
     *
@@ -74,16 +65,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -107,6 +88,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        removeBadMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
+        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }

@@ -155,8 +137,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        final String nextVersion = nextCpe.getVersion();
                        if (currentVersion == null && nextVersion == null) {
                            //how did we get here?
-                            Logger.getLogger(FalsePositiveAnalyzer.class
-                                    .getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
+                            LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
                        } else if (currentVersion == null && nextVersion != null) {
                            dependency.getIdentifiers().remove(currentId);
                        } else if (nextVersion == null && currentVersion != null) {
@@ -179,12 +160,21 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     * Regex to identify core java libraries and a few other commonly misidentified ones.
     */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
-            + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
-            + "jdk|jre|jsf|jsse)($|:.*)");
+            + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+            + "jdk|jre|jsse)($|:.*)");
+
+    /**
+     * Regex to identify core jsf libraries.
+     */
+    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /**
     * Regex to identify core java library files. This is currently incomplete.
     */
-    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    /**
+     * Regex to identify core jsf java library files. This is currently incomplete.
+     */
+    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");

    /**
     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -201,27 +191,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
            if (coreCPE.matches() && !coreFiles.matches()) {
                itr.remove();
            }
-
-            //replacecd with the regex above.
-            //            if (("cpe:/a:sun:java".equals(i.getValue())
-            //                    || "cpe:/a:oracle:java".equals(i.getValue())
-            //                    || "cpe:/a:ibm:java".equals(i.getValue())
-            //                    || "cpe:/a:sun:j2se".equals(i.getValue())
-            //                    || "cpe:/a:oracle:j2se".equals(i.getValue())
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:")
-            //                    || i.getValue().startsWith("cpe:/a:sun:j2se:")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:jre")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:jdk")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java_se")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:java:")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:j2se:")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:jre")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:jdk")
-            //                    || i.getValue().startsWith("cpe:/a:ibm:java:"))
-            //                    && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
-            //                itr.remove();
-            //            }
+            final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
+            final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
+            if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
+                itr.remove();
+            }
        }
    }

@@ -240,7 +214,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        try {
            cpe.parseName(value);
        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
            return null;
        }
        return cpe;
@@ -265,17 +239,36 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
        while (itr.hasNext()) {
            final Identifier i = itr.next();
-            //TODO move this startswith expression to a configuration file?
+            //TODO move this startsWith expression to a configuration file?
            if ("cpe".equals(i.getType())) {
                if ((i.getValue().matches(".*c\\+\\+.*")
-                        || i.getValue().startsWith("cpe:/a:jquery:jquery")
-                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
-                        || i.getValue().startsWith("cpe:/a:yahoo:yui")
                        || i.getValue().startsWith("cpe:/a:file:file")
                        || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
                        || i.getValue().startsWith("cpe:/a:cvs:cvs")
                        || i.getValue().startsWith("cpe:/a:ftp:ftp")
-                        || i.getValue().startsWith("cpe:/a:ssh:ssh"))
+                        || i.getValue().startsWith("cpe:/a:tcp:tcp")
+                        || i.getValue().startsWith("cpe:/a:ssh:ssh")
+                        || i.getValue().startsWith("cpe:/a:lookup:lookup"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe")
+                        || dependency.getFileName().toLowerCase().endsWith(".nuspec")
+                        || dependency.getFileName().toLowerCase().endsWith(".nupkg"))) {
+                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:jquery:jquery")
+                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
+                        || i.getValue().startsWith("cpe:/a:yahoo:yui"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
+                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
+                        || i.getValue().startsWith("cpe:/a:microsoft:word")
+                        || i.getValue().startsWith("cpe:/a:microsoft:visio")
+                        || i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
+                        || i.getValue().startsWith("cpe:/a:microsoft:office"))
                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
                    itr.remove();
@@ -286,7 +279,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
-                        && !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
+                        && !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
                    itr.remove();
                }
            }
@@ -334,6 +327,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     * @param dependency the dependency being analyzed
     */
    private void addFalseNegativeCPEs(Dependency dependency) {
+        //TODO move this to the hint analyzer
        final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
        while (itr.hasNext()) {
            final Identifier i = itr.next();
@@ -349,21 +343,92 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                try {
                    dependency.addIdentifier("cpe",
                            newCpe,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe2,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe2, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe3,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe3, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe4,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe4, "UTF-8")));
                } catch (UnsupportedEncodingException ex) {
-                    Logger.getLogger(FalsePositiveAnalyzer.class
-                            .getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.FINE, null, ex);
                }
            }
        }
    }
+
+    /**
+     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM
+     * entries or other types of files (such as DLLs and EXEs) being contained within the JAR.
+     *
+     * @param dependency the dependency that might be a duplicate
+     * @param engine the engine used to scan all dependencies
+     */
+    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
+        if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                || "dll".equals(dependency.getFileExtension())
+                || "exe".equals(dependency.getFileExtension())) {
+            String parentPath = dependency.getFilePath().toLowerCase();
+            if (parentPath.contains(".jar")) {
+                parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
+                final Dependency parent = findDependency(parentPath, engine.getDependencies());
+                if (parent != null) {
+                    boolean remove = false;
+                    for (Identifier i : dependency.getIdentifiers()) {
+                        if ("cpe".equals(i.getType())) {
+                            final String trimmedCPE = trimCpeToVendor(i.getValue());
+                            for (Identifier parentId : parent.getIdentifiers()) {
+                                if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
+                                    remove |= true;
+                                }
+                            }
+                        }
+                        if (!remove) { //we can escape early
+                            return;
+                        }
+                    }
+                    if (remove) {
+                        engine.getDependencies().remove(dependency);
+                    }
+                }
+            }
+
+        }
+    }
+
+    /**
+     * Retrieves a given dependency, based on a given path, from a list of dependencies.
+     *
+     * @param dependencyPath the path of the dependency to return
+     * @param dependencies the collection of dependencies to search
+     * @return the dependency object for the given path, otherwise null
+     */
+    private Dependency findDependency(String dependencyPath, List<Dependency> dependencies) {
+        for (Dependency d : dependencies) {
+            if (d.getFilePath().equalsIgnoreCase(dependencyPath)) {
+                return d;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
+     *
+     * @param value the CPE value to trim
+     * @return a CPE value that only includes the vendor and product
+     */
+    private String trimCpeToVendor(String value) {
+        //cpe:/a:jruby:jruby:1.0.8
+        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        if (pos2 < 0) {
+            return value;
+        } else {
+            return value.substring(0, pos2);
+        }
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -17,10 +17,9 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -34,7 +33,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -43,19 +42,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }

    /**
     * Returns the name of the analyzer.
@@ -66,16 +52,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
@@ -0,0 +1,34 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An Analyzer that scans specific file types.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public interface FileTypeAnalyzer extends Analyzer {
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    boolean supportsExtension(String extension);
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -17,11 +17,11 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
 */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -41,44 +41,23 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }

    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -64,7 +64,6 @@ import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
 import org.owasp.dependencycheck.jaxb.pom.generated.License;
 import org.owasp.dependencycheck.jaxb.pom.generated.Model;
 import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
-import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.NonClosingStream;
 import org.owasp.dependencycheck.utils.Settings;
@@ -74,14 +73,17 @@ import org.xml.sax.XMLFilter;
 import org.xml.sax.XMLReader;

 /**
- *
 * Used to load a JAR file and collect information that can be used to determine the associated CPE.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class JarAnalyzer extends AbstractFileTypeAnalyzer {

    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JarAnalyzer.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -111,9 +113,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            "buildjdk",
            "ant-version",
            "antversion",
+            "dynamicimportpackage",
+            "dynamicimport-package",
+            "dynamic-importpackage",
+            "dynamic-import-package",
            "import-package",
+            "ignore-package",
            "export-package",
            "importpackage",
+            "ignorepackage",
            "exportpackage",
            "sealed",
            "manifest-version",
@@ -125,7 +133,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            "tool",
            "bundle-manifestversion",
            "bundlemanifestversion",
-            "include-resource");
+            "include-resource",
+            "embed-dependency",
+            "ipojo-components",
+            "ipojo-extension",
+            "eclipse-sourcereferences");
    /**
     * item in some manifest, should be considered medium confidence.
     */
@@ -160,10 +172,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
            pomUnmarshaller = jaxbContext.createUnmarshaller();
        } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, "Unable to load parser. See the log for more details.");
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
        }
    }
+
    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
     * The name of the analyzer.
@@ -183,6 +196,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
+    @Override
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
@@ -192,20 +206,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -216,6 +221,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    }
    //</editor-fold>

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAR_ENABLED;
+    }
+
    /**
     * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
     * information.
@@ -225,7 +240,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException is thrown if there is an error reading the JAR file.
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        try {
            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
            final String fileName = dependency.getFileName().toLowerCase();
@@ -263,8 +278,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
        } catch (IOException ex) {
            final String msg = String.format("Unable to read JarFile '%s'.", dependency.getActualFilePath());
            //final AnalysisException ax = new AnalysisException(msg, ex);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            return false;
        }
        List<String> pomEntries;
@@ -273,8 +288,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
        } catch (IOException ex) {
            final String msg = String.format("Unable to read Jar file entries in '%s'.", dependency.getActualFilePath());
            //final AnalysisException ax = new AnalysisException(msg, ex);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, msg, ex);
            return false;
        }
        if (pomEntries.isEmpty()) {
@@ -285,7 +300,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            try {
                pomProperties = retrievePomProperties(path, jar);
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
+                LOGGER.log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
            }
            Model pom = null;
            try {
@@ -305,7 +320,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {

                    newDependency.setFileName(displayName);
                    newDependency.setFilePath(displayPath);
-                    addPomEvidence(newDependency, pom, pomProperties);
+                    setPomEvidence(newDependency, pom, pomProperties, null);
                    engine.getDependencies().add(newDependency);
                    Collections.sort(engine.getDependencies());
                } else {
@@ -314,8 +329,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                }
            } catch (AnalysisException ex) {
                final String msg = String.format("An error occured while analyzing '%s'.", dependency.getActualFilePath());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "", ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
            }
        }
        return foundSomething;
@@ -348,7 +363,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @param jar the JarFile to search
     * @return a list of pom.xml entries
-     * @throws IOException thrown if there is an exception reading a JarEntryf
+     * @throws IOException thrown if there is an exception reading a JarEntry
     */
    private List<String> retrievePomListing(final JarFile jar) throws IOException {
        final List<String> pomEntries = new ArrayList<String>();
@@ -392,7 +407,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            bos.flush();
            dependency.setActualFilePath(file.getAbsolutePath());
        } catch (IOException ex) {
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = String.format("An error occurred reading '%s' from '%s'.", path, dependency.getFilePath());
+            LOGGER.warning(msg);
+            LOGGER.log(Level.SEVERE, "", ex);
        } finally {
            closeStream(bos);
            closeStream(fos);
@@ -408,18 +425,18 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            model = readPom(source);
        } catch (FileNotFoundException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw new AnalysisException(ex);
        } catch (UnsupportedEncodingException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw new AnalysisException(ex);
        } catch (AnalysisException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw ex;
        } finally {
            closeStream(fis);
@@ -437,7 +454,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            try {
                stream.close();
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
@@ -452,7 +469,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            try {
                stream.close();
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
@@ -478,21 +495,18 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                model = readPom(source);
            } catch (SecurityException ex) {
                final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
-                Logger
-                        .getLogger(JarAnalyzer.class
-                                .getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class
-                        .getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, null, ex);
                throw new AnalysisException(ex);
            } catch (IOException ex) {
                final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
                throw new AnalysisException(ex);
            } catch (Throwable ex) {
                final String msg = String.format("Unexpected error during parsing of the pom '%s' in jar '%s'", path, jar.getName());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
                throw new AnalysisException(ex);
            }
        }
@@ -543,10 +557,21 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     */
    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
        boolean foundSomething = false;
+        boolean addAsIdentifier = true;
        if (pom == null) {
            return foundSomething;
        }
        String groupid = interpolateString(pom.getGroupId(), pomProperties);
+        String parentGroupId = null;
+
+        if (pom.getParent() != null) {
+            parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
+            if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
+                groupid = parentGroupId;
+            }
+        }
+        final String originalGroupID = groupid;
+
        if (groupid != null && !groupid.isEmpty()) {
            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
                groupid = groupid.substring(4);
@@ -556,8 +581,26 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
            addMatchingValues(classes, groupid, dependency.getVendorEvidence());
            addMatchingValues(classes, groupid, dependency.getProductEvidence());
+            if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
+                dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
+                dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
+                addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
+        String parentArtifactId = null;
+
+        if (pom.getParent() != null) {
+            parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
+            if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
+                artifactid = parentArtifactId;
+            }
+        }
+        final String originalArtifactID = artifactid;
        if (artifactid != null && !artifactid.isEmpty()) {
            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
                artifactid = artifactid.substring(4);
@@ -567,13 +610,40 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
            addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
            addMatchingValues(classes, artifactid, dependency.getProductEvidence());
+            if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
+                dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
+                dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
+                addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
        //version
-        final String version = interpolateString(pom.getVersion(), pomProperties);
+        String version = interpolateString(pom.getVersion(), pomProperties);
+        String parentVersion = null;
+
+        if (pom.getParent() != null) {
+            parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
+            if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
+                version = parentVersion;
+            }
+        }
+
        if (version != null && !version.isEmpty()) {
            foundSomething = true;
            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
+            if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
+                dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
+        if (addAsIdentifier) {
+            dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
+        }
+
        // org name
        final Organization org = pom.getOrganization();
        if (org != null && org.getName() != null) {
@@ -632,7 +702,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                //TODO remove weighting
                vendor.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -641,7 +711,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            if (ratio > 0.5) {
                product.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -675,10 +745,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                        && !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
                        && !dependency.getFileName().toLowerCase().endsWith("-src.jar")
                        && !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
-                    Logger.getLogger(JarAnalyzer.class
-                            .getName()).log(Level.INFO,
-                                    String.format("Jar file '%s' does not contain a manifest.",
-                                            dependency.getFileName()));
+                    LOGGER.log(Level.FINE,
+                            String.format("Jar file '%s' does not contain a manifest.",
+                                    dependency.getFileName()));
                }
                return false;
            }
@@ -750,6 +819,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                            && !key.endsWith("class-path")
                            && !key.endsWith("-scm") //todo change this to a regex?
                            && !key.startsWith("scm-")
+                            && !value.trim().startsWith("scm:")
                            && !isImportPackage(key, value)
                            && !isPackage(key, value)) {

@@ -899,19 +969,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    private File tempFileLocation = null;

    /**
-     * The initialize method does nothing for this Analyzer.
+     * Initializes the JarAnalyzer.
     *
     * @throws Exception is thrown if there is an exception creating a temporary directory
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File baseDir = Settings.getTempDirectory();
-        if (!baseDir.exists()) {
-            if (!baseDir.mkdirs()) {
-                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
-                throw new AnalysisException(msg);
-            }
-        }
        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
        if (!tempFileLocation.delete()) {
            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -929,10 +993,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    @Override
    public void close() {
        if (tempFileLocation != null && tempFileLocation.exists()) {
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
            if (!success) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING,
+                LOGGER.log(Level.WARNING,
                        "Failed to delete some temporary files, see the log for more details");
            }
        }
@@ -1003,11 +1067,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @return true or false depending on if it is believed the entry is an "import" entry
     */
    private boolean isImportPackage(String key, String value) {
-        final Pattern packageRx = Pattern.compile("^((([a-zA-Z_#\\$0-9]\\.)+)\\s*\\;\\s*)+$");
-        if (packageRx.matcher(value).matches()) {
-            return (key.contains("import") || key.contains("include"));
-        }
-        return false;
+        final Pattern packageRx = Pattern.compile("^([a-zA-Z0-9_#\\$\\*\\.]+\\s*[,;]\\s*)+([a-zA-Z0-9_#\\$\\*\\.]+\\s*)?$");
+        final boolean matches = packageRx.matcher(value).matches();
+        return matches && (key.contains("import") || key.contains("include") || value.length() > 10);
    }

    /**
@@ -1034,17 +1096,14 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            }
        } catch (IOException ex) {
            final String msg = String.format("Unable to open jar file '%s'.", dependency.getFileName());
-            Logger
-                    .getLogger(JarAnalyzer.class
-                            .getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class
-                    .getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (jar != null) {
                try {
                    jar.close();
                } catch (IOException ex) {
-                    Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -1108,7 +1167,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @param evidence the evidence collection to add new entries too
     */
    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
-        if (value == null || value.isEmpty()) {
+        if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
            return;
        }
        final String text = value.toLowerCase();
@@ -1135,93 +1194,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {

    }

-    /**
-     * Adds evidence from the POM to the dependency. This includes the GAV and in some situations the parent GAV if
-     * specified.
-     *
-     * @param dependency the dependency being analyzed
-     * @param pom the POM data
-     * @param pomProperties the properties file associated with the pom
-     */
-    private void addPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
-        if (pom == null) {
-            return;
-        }
-        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        if (groupid != null && !groupid.isEmpty()) {
-            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
-                groupid = groupid.substring(4);
-            }
-            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
-            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
-        }
-        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
-        if (artifactid != null && !artifactid.isEmpty()) {
-            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
-                artifactid = artifactid.substring(4);
-            }
-            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
-        }
-        final String version = interpolateString(pom.getVersion(), pomProperties);
-        if (version != null && !version.isEmpty()) {
-            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
-        }
-
-        final Parent parent = pom.getParent(); //grab parent GAV
-        if (parent != null) {
-            final String parentGroupId = interpolateString(parent.getGroupId(), pomProperties);
-            if (parentGroupId != null && !parentGroupId.isEmpty()) {
-                if (groupid == null || groupid.isEmpty()) {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.HIGH);
-                } else {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.MEDIUM);
-                }
-                dependency.getProductEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.LOW);
-            }
-            final String parentArtifactId = interpolateString(parent.getArtifactId(), pomProperties);
-            if (parentArtifactId != null && !parentArtifactId.isEmpty()) {
-                if (artifactid == null || artifactid.isEmpty()) {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.HIGH);
-                } else {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.MEDIUM);
-                }
-                dependency.getVendorEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.LOW);
-            }
-            final String parentVersion = interpolateString(parent.getVersion(), pomProperties);
-            if (parentVersion != null && !parentVersion.isEmpty()) {
-                if (version == null || version.isEmpty()) {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.HIGH);
-                } else {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.LOW);
-                }
-            }
-        }
-        // org name
-        final Organization org = pom.getOrganization();
-        if (org != null && org.getName() != null) {
-            final String orgName = interpolateString(org.getName(), pomProperties);
-            if (orgName != null && !orgName.isEmpty()) {
-                dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
-            }
-        }
-        //pom name
-        final String pomName = interpolateString(pom.getName(), pomProperties);
-        if (pomName != null && !pomName.isEmpty()) {
-            dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-        }
-
-        //Description
-        if (pom.getDescription() != null) {
-            final String description = interpolateString(pom.getDescription(), pomProperties);
-            if (description != null && !description.isEmpty()) {
-                addDescription(dependency, description, "pom", "description");
-            }
-        }
-        extractLicense(pom, pomProperties, dependency);
-    }
-
    /**
     * Extracts the license information from the pom and adds it to the dependency.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
@@ -29,6 +29,7 @@ import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -36,9 +37,14 @@ import org.owasp.dependencycheck.dependency.Dependency;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -72,17 +78,6 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -93,6 +88,15 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAVASCRIPT_ENABLED;
+    }

    /**
     * Loads a specified JavaScript file and collects information from the copyright information contained within.
@@ -102,8 +106,8 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException is thrown if there is an error reading the JavaScript file.
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        BufferedReader fin = null;;
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        BufferedReader fin = null;
        try {
            //  /\*([^\*][^/]|[\r\n\f])+?\*/
            final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
@@ -118,15 +122,20 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
            final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
            throw new AnalysisException(msg, ex);
        } catch (IOException ex) {
-            Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+            LOGGER.log(Level.SEVERE, null, ex);
        } finally {
            if (fin != null) {
                try {
                    fin.close();
                } catch (IOException ex) {
-                    Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.Settings;

 /**
@@ -46,20 +47,20 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author colezlaw
 */
-public class NexusAnalyzer extends AbstractAnalyzer {
+public class NexusAnalyzer extends AbstractFileTypeAnalyzer {

    /**
-     * The logger
+     * The logger.
     */
    private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());

    /**
-     * The name of the analyzer
+     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nexus Analyzer";

    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

@@ -68,11 +69,6 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     */
    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");

-    /**
-     * Whether this is actually enabled. Will get set during initialization.
-     */
-    private boolean enabled = false;
-
    /**
     * The Nexus Search to be set up for this analyzer.
     */
@@ -84,24 +80,23 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     * @throws Exception if there's an error during initialization
     */
    @Override
-    public void initialize() throws Exception {
-        enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
+    public void initializeFileTypeAnalyzer() throws Exception {
        LOGGER.fine("Initializing Nexus Analyzer");
-        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", enabled));
-        if (enabled) {
+        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
            LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
            try {
                searcher = new NexusSearch(new URL(searchUrl));
                if (!searcher.preflightRequest()) {
                    LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
-                    enabled = false;
+                    setEnabled(false);
                }
            } catch (MalformedURLException mue) {
                // I know that initialize can throw an exception, but we'll
                // just disable the analyzer if the URL isn't valid
                LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
-                enabled = false;
+                setEnabled(false);
            }
        }
    }
@@ -116,6 +111,16 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
+    }
+
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -136,17 +141,6 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        return SUPPORTED_EXTENSIONS;
    }

-    /**
-     * Determines whether the incoming extension is supported.
-     *
-     * @param extension the extension to check for support
-     * @return whether the extension is supported
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Performs the analysis.
     *
@@ -155,12 +149,7 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        // Make a quick exit if this analyzer is disabled
-        if (!enabled) {
-            return;
-        }
-
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        try {
            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
@@ -173,14 +162,25 @@ public class NexusAnalyzer extends AbstractAnalyzer {
                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
            }
            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
+                boolean found = false;
+                for (Identifier i : dependency.getIdentifiers()) {
+                    if ("maven".equals(i.getType()) && i.getValue().equals(ma.toString())) {
+                        found = true;
+                        i.setConfidence(Confidence.HIGHEST);
+                        i.setUrl(ma.getArtifactUrl());
+                        break;
+                    }
+                }
+                if (!found) {
+                    dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
+                }
            }
        } catch (IllegalArgumentException iae) {
            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
        } catch (FileNotFoundException fnfe) {
            //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
-            LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
+            LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
            LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
        } catch (IOException ioe) {
            //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
@@ -188,5 +188,3 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        }
    }
 }
-
-// vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -18,36 +18,40 @@
 package org.owasp.dependencycheck.analyzer;

 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nuget.NugetPackage;
+import org.owasp.dependencycheck.data.nuget.NuspecParseException;
 import org.owasp.dependencycheck.data.nuget.NuspecParser;
 import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * Analyzer which will parse a Nuspec file to gather module information.
 *
 * @author colezlaw
 */
-public class NuspecAnalyzer extends AbstractAnalyzer {
+public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {

    /**
-     * The logger
+     * The logger.
     */
    private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName());

    /**
-     * The name of the analyzer
+     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nuspec Analyzer";

    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

@@ -62,7 +66,7 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
     * @throws Exception if there's an error during initialization
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
    }

    /**
@@ -75,6 +79,16 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
+    }
+
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -95,17 +109,6 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        return SUPPORTED_EXTENSIONS;
    }

-    /**
-     * Determines whether the incoming extension is supported.
-     *
-     * @param extension the extension to check for support
-     * @return whether the extension is supported
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Performs the analysis.
     *
@@ -114,8 +117,8 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString());
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.log(Level.FINE, "Checking Nuspec file {0}", dependency.toString());
        try {
            final NuspecParser parser = new XPathNuspecParser();
            NugetPackage np = null;
@@ -123,11 +126,15 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
            try {
                fis = new FileInputStream(dependency.getActualFilePath());
                np = parser.parse(fis);
+            } catch (NuspecParseException ex) {
+                throw new AnalysisException(ex);
+            } catch (FileNotFoundException ex) {
+                throw new AnalysisException(ex);
            } finally {
                if (fis != null) {
                    try {
                        fis.close();
-                    } catch (Throwable e) {
+                    } catch (IOException e) {
                        LOGGER.fine("Error closing input stream");
                    }
                }
@@ -147,5 +154,3 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        }
    }
 }
-
-// vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -17,12 +17,11 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -62,6 +61,7 @@ public class NvdCveAnalyzer implements Analyzer {
    /**
     * Closes the data source.
     */
+    @Override
    public void close() {
        cveDB.close();
        cveDB = null;
@@ -96,6 +96,7 @@ public class NvdCveAnalyzer implements Analyzer {
     * @param engine The analysis engine
     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
     */
+    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        for (Identifier id : dependency.getIdentifiers()) {
            if ("cpe".equals(id.getType())) {
@@ -108,15 +109,17 @@ public class NvdCveAnalyzer implements Analyzer {
                }
            }
        }
-    }
-
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    public Set<String> getSupportedExtensions() {
-        return null;
+        for (Identifier id : dependency.getSuppressedIdentifiers()) {
+            if ("cpe".equals(id.getType())) {
+                try {
+                    final String value = id.getValue();
+                    final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
+                    dependency.getSuppressedVulnerabilities().addAll(vulns);
+                } catch (DatabaseException ex) {
+                    throw new AnalysisException(ex);
+                }
+            }
+        }
    }

    /**
@@ -124,34 +127,27 @@ public class NvdCveAnalyzer implements Analyzer {
     *
     * @return the name of this analyzer.
     */
+    @Override
    public String getName() {
        return "NVD CVE Analyzer";
    }

-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /**
-     * Opens the NVD CVE Lucene Index.
+     * Opens the database used to gather NVD CVE data.
     *
     * @throws Exception is thrown if there is an issue opening the index.
     */
+    @Override
    public void initialize() throws Exception {
        this.open();
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -54,7 +54,10 @@ import org.owasp.dependencycheck.utils.Pair;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CpeMemoryIndex {
-
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CpeMemoryIndex.class.getName());
    /**
     * singleton instance.
     */
@@ -197,7 +200,7 @@ public final class CpeMemoryIndex {
            try {
                indexReader.close();
            } catch (IOException ex) {
-                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
            indexReader = null;
        }
@@ -229,7 +232,7 @@ public final class CpeMemoryIndex {
                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
                }
            } catch (DatabaseException ex) {
-                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
                throw new IndexException("Error reading CPE data", ex);
            }
        } catch (CorruptIndexException ex) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
@@ -29,7 +29,10 @@ import java.util.logging.Logger;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CweDB {
-
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
    /**
     * Empty private constructor as this is a utility class.
     */
@@ -54,17 +57,17 @@ public final class CweDB {
            oin = new ObjectInputStream(input);
            return (HashMap<String, String>) oin.readObject();
        } catch (ClassNotFoundException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
-            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
        } catch (IOException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
-            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (oin != null) {
                try {
                    oin.close();
                } catch (IOException ex) {
-                    Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
@@ -36,7 +36,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
-
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(UrlTokenizingFilter.class.getName());
    /**
     * Constructs a new VersionTokenizingFilter.
     *
@@ -67,7 +70,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
                            final List<String> data = UrlStringUtils.extractImportantUrlData(part);
                            tokens.addAll(data);
                        } catch (MalformedURLException ex) {
-                            Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
+                            LOGGER.log(Level.FINE, "error parsing " + part, ex);
                            tokens.add(part);
                        }
                    } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -21,7 +21,6 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import java.net.URLConnection;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
@@ -65,7 +64,7 @@ public class NexusSearch {
    public NexusSearch(URL rootURL) {
        this.rootURL = rootURL;
        try {
-            if (null != Settings.getString(Settings.KEYS.PROXY_URL)
+            if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
                useProxy = true;
                LOGGER.fine("Using proxy");
@@ -84,7 +83,7 @@ public class NexusSearch {
     *
     * @param sha1 The SHA-1 hash string for which to search
     * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
     * found.
     */
    public MavenArtifact searchSha1(String sha1) throws IOException {
@@ -102,8 +101,7 @@ public class NexusSearch {
        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
        // or proxy is specifically
        // set to false
-        URLConnection conn = null;
-        conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);

        conn.setDoOutput(true);

@@ -112,36 +110,40 @@ public class NexusSearch {
        conn.addRequestProperty("Accept", "application/xml");
        conn.connect();

-        try {
-            final DocumentBuilder builder = DocumentBuilderFactory
-                    .newInstance().newDocumentBuilder();
-            final Document doc = builder.parse(conn.getInputStream());
-            final XPath xpath = XPathFactory.newInstance().newXPath();
-            final String groupId = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
-                            doc);
-            final String artifactId = xpath.evaluate(
-                    "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
-                    doc);
-            final String version = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/version",
-                            doc);
-            final String link = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
-                            doc);
-            return new MavenArtifact(groupId, artifactId, version, link);
-        } catch (FileNotFoundException fnfe) {
-            /* This is what we get when the SHA1 they sent doesn't exist in
-             * Nexus. This is useful upstream for recovery, so we just re-throw it
-             */
-            throw fnfe;
-        } catch (Throwable e) {
-            // Anything else is jacked-up XML stuff that we really can't recover
-            // from well
-            throw new IOException(e.getMessage(), e);
+        if (conn.getResponseCode() == 200) {
+            try {
+                final DocumentBuilder builder = DocumentBuilderFactory
+                        .newInstance().newDocumentBuilder();
+                final Document doc = builder.parse(conn.getInputStream());
+                final XPath xpath = XPathFactory.newInstance().newXPath();
+                final String groupId = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
+                                doc);
+                final String artifactId = xpath.evaluate(
+                        "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
+                        doc);
+                final String version = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/version",
+                                doc);
+                final String link = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
+                                doc);
+                return new MavenArtifact(groupId, artifactId, version, link);
+            } catch (Throwable e) {
+                // Anything else is jacked-up XML stuff that we really can't recover
+                // from well
+                throw new IOException(e.getMessage(), e);
+            }
+        } else if (conn.getResponseCode() == 404) {
+            throw new FileNotFoundException("Artifact not found in Nexus");
+        } else {
+            final String msg = String.format("Could not connect to Nexus received response code: %d %s",
+                    conn.getResponseCode(), conn.getResponseMessage());
+            LOGGER.fine(msg);
+            throw new IOException(msg);
        }
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
@@ -56,7 +56,7 @@ public class NuspecParseException extends Exception {
     * Note that the detail message associated with <code>cause</code> is <em>not</em>
     * automatically incorporated in this exception's detail message.
     *
-     * @param message the detail message (whcih is saved for later retrieval by the
+     * @param message the detail message (which is saved for later retrieval by the
     * {@link java.lang.Throwable#getMessage()} method.
     * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
     * (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -42,7 +42,10 @@ import org.owasp.dependencycheck.utils.Settings;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class ConnectionFactory {
-
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ConnectionFactory.class.getName());
    /**
     * The version of the current DB Schema.
     */
@@ -90,17 +93,17 @@ public final class ConnectionFactory {
            //load the driver if necessary
            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
            if (!driverName.isEmpty()) { //likely need to load the correct driver
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
+                LOGGER.log(Level.FINE, "Loading driver: {0}", driverName);
                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
                try {
                    if (!driverPath.isEmpty()) {
-                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
+                        LOGGER.log(Level.FINE, "Loading driver from: {0}", driverPath);
                        driver = DriverLoader.load(driverName, driverPath);
                    } else {
                        driver = DriverLoader.load(driverName);
                    }
                } catch (DriverLoadException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
+                    LOGGER.log(Level.FINE, "Unable to load database driver", ex);
                    throw new DatabaseException("Unable to load database driver");
                }
            }
@@ -110,7 +113,7 @@ public final class ConnectionFactory {
            try {
                connectionString = getConnectionString();
            } catch (IOException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                LOGGER.log(Level.FINE,
                        "Unable to retrieve the database connection string", ex);
                throw new DatabaseException("Unable to retrieve the database connection string");
            }
@@ -118,15 +121,15 @@ public final class ConnectionFactory {
            try {
                if (connectionString.startsWith("jdbc:h2:file:")) { //H2
                    shouldCreateSchema = !dbSchemaExists();
-                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
+                    LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
                }
            } catch (IOException ioex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
+                LOGGER.log(Level.FINE, "Unable to verify database exists", ioex);
                throw new DatabaseException("Unable to verify database exists");
            }
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
+            LOGGER.log(Level.FINE, "Loading database connection");
+            LOGGER.log(Level.FINE, "Connection String: {0}", connectionString);
+            LOGGER.log(Level.FINE, "Database User: {0}", userName);

            try {
                conn = DriverManager.getConnection(connectionString, userName, password);
@@ -136,14 +139,14 @@ public final class ConnectionFactory {
                    try {
                        conn = DriverManager.getConnection(connectionString, userName, password);
                        Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                        LOGGER.log(Level.FINE,
                                "Unable to start the database in server mode; reverting to single user mode");
                    } catch (SQLException sqlex) {
-                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                        LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
                        throw new DatabaseException("Unable to connect to the database");
                    }
                } else {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                    LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
                    throw new DatabaseException("Unable to connect to the database");
                }
            }
@@ -152,14 +155,14 @@ public final class ConnectionFactory {
                try {
                    createTables(conn);
                } catch (DatabaseException dex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    LOGGER.log(Level.FINE, null, dex);
                    throw new DatabaseException("Unable to create the database structure");
                }
            } else {
                try {
                    ensureSchemaVersion(conn);
                } catch (DatabaseException dex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    LOGGER.log(Level.FINE, null, dex);
                    throw new DatabaseException("Database schema does not match this version of dependency-check");
                }
            }
@@ -168,7 +171,7 @@ public final class ConnectionFactory {
                try {
                    conn.close();
                } catch (SQLException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
+                    LOGGER.log(Level.FINE, "An error occurred closing the connection", ex);
                }
            }
        }
@@ -184,7 +187,10 @@ public final class ConnectionFactory {
            try {
                DriverManager.deregisterDriver(driver);
            } catch (SQLException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
+                LOGGER.log(Level.FINE, "An error occurred unloading the database driver", ex);
+            } catch (Throwable unexpected) {
+                LOGGER.log(Level.FINE,
+                        "An unexpected throwable occurred unloading the database driver", unexpected);
            }
            driver = null;
        }
@@ -205,7 +211,7 @@ public final class ConnectionFactory {
        try {
            conn = DriverManager.getConnection(connectionString, userName, password);
        } catch (SQLException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException("Unable to connect to the database");
        }
        return conn;
@@ -223,7 +229,7 @@ public final class ConnectionFactory {
        if (connStr.contains("%s")) {
            final String directory = getDataDirectory().getCanonicalPath();
            final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
+            LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
            return String.format(connStr, dataFile.getAbsolutePath());
        }
        return connStr;
@@ -266,7 +272,7 @@ public final class ConnectionFactory {
     * @throws DatabaseException thrown if there is a Database Exception
     */
    private static void createTables(Connection conn) throws DatabaseException {
-        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Creating database structure");
+        LOGGER.log(Level.FINE, "Creating database structure");
        InputStream is;
        InputStreamReader reader;
        BufferedReader in = null;
@@ -284,7 +290,7 @@ public final class ConnectionFactory {
                statement = conn.createStatement();
                statement.execute(sb.toString());
            } catch (SQLException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
                throw new DatabaseException("Unable to create database statement", ex);
            } finally {
                DBUtils.closeStatement(statement);
@@ -296,7 +302,7 @@ public final class ConnectionFactory {
                try {
                    in.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -323,7 +329,7 @@ public final class ConnectionFactory {
                throw new DatabaseException("Database schema is missing");
            }
        } catch (SQLException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException("Unable to check the database schema version");
        } finally {
            DBUtils.closeResultSet(rs);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -47,6 +47,10 @@ import org.owasp.dependencycheck.utils.Pair;
 */
 public class CveDB {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());
    /**
     * Database connection
     */
@@ -95,12 +99,12 @@ public class CveDB {
                conn.close();
            } catch (SQLException ex) {
                final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
-                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            } catch (Throwable ex) {
                final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
-                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
            conn = null;
        }
@@ -135,7 +139,7 @@ public class CveDB {
    @Override
    @SuppressWarnings("FinalizeDeclaration")
    protected void finalize() throws Throwable {
-        Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
+        LOGGER.log(Level.FINE, "Entering finalize");
        close();
        super.finalize();
    }
@@ -244,6 +248,7 @@ public class CveDB {
    /**
     * SQL Statement to retrieve a property from the database.
     */
+    @SuppressWarnings("unused")
    private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
    /**
     * SQL Statement to insert a new property.
@@ -256,6 +261,7 @@ public class CveDB {
    /**
     * SQL Statement to delete a property.
     */
+    @SuppressWarnings("unused")
    private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";

    //</editor-fold>
@@ -284,8 +290,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeResultSet(rs);
            DBUtils.closeStatement(ps);
@@ -336,8 +342,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeStatement(ps);
            DBUtils.closeResultSet(rs);
@@ -358,8 +364,8 @@ public class CveDB {
                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
                insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                return;
            }
            for (Entry<Object, Object> entry : props.entrySet()) {
@@ -374,8 +380,8 @@ public class CveDB {
                    }
                } catch (SQLException ex) {
                    final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
-                    Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
-                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.WARNING, msg);
+                    LOGGER.log(Level.FINE, null, ex);
                }
            }
        } finally {
@@ -397,8 +403,8 @@ public class CveDB {
            try {
                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                return;
            }
            try {
@@ -408,8 +414,8 @@ public class CveDB {
                    try {
                        insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
                    } catch (SQLException ex) {
-                        Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                        LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                        LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                        return;
                    }
                    insertProperty.setString(1, key);
@@ -418,8 +424,8 @@ public class CveDB {
                }
            } catch (SQLException ex) {
                final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
        } finally {
            DBUtils.closeStatement(updateProperty);
@@ -440,7 +446,7 @@ public class CveDB {
        try {
            cpe.parseName(cpeStr);
        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
        }
        final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
@@ -678,7 +684,7 @@ public class CveDB {

        } catch (SQLException ex) {
            final String msg = String.format("Error updating '%s'", vuln.getName());
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException(msg, ex);
        } finally {
            DBUtils.closeStatement(selectVulnerabilityId);
@@ -707,8 +713,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeStatement(ps);
        }
@@ -730,8 +736,10 @@ public class CveDB {
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion v = parseDependencyVersion(cpeId);
        final boolean prevAffected = previous != null && !previous.isEmpty();
-        if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
-            if (v == null || "-".equals(v.toString())) {
+        if (v == null || "-".equals(v.toString())) { //all versions
+            affected = true;
+        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
+            if (prevAffected) {
                affected = true;
            }
        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
@@ -763,7 +771,7 @@ public class CveDB {
            cpe.parseName(cpeStr);
        } catch (UnsupportedEncodingException ex) {
            //never going to happen.
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
        }
        return parseDependencyVersion(cpe);
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -17,7 +17,6 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;

-import com.hazelcast.logging.Logger;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -26,6 +25,7 @@ import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TreeMap;
 import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;

@@ -36,6 +36,10 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
 */
 public class DatabaseProperties {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DatabaseProperties.class.getName());
    /**
     * Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
     * days of updates)..
@@ -150,8 +154,8 @@ public class DatabaseProperties {
                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
                        final String formatted = format.format(date);
                        map.put(key, formatted);
-                    } catch (Throwable ex) { //deliberatly being broad in this catch clause
-                        Logger.getLogger(DatabaseProperties.class.getName()).log(Level.FINE, "Unable to parse timestamp from DB", ex);
+                    } catch (Throwable ex) { //deliberately being broad in this catch clause
+                        LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
                        map.put(key, entry.getValue());
                    }
                } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
@@ -37,6 +37,11 @@ import java.util.logging.Logger;
 */
 public final class DriverLoader {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DriverLoader.class.getName());
+
    /**
     * Private constructor for a utility class.
     */
@@ -58,7 +63,7 @@ public final class DriverLoader {
    /**
     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
     * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
-     * loaded. Note, the pathTodriver can contain a semi-colon separated list of paths so any dependencies can be added
+     * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
     * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
     * class path.
     *
@@ -83,7 +88,7 @@ public final class DriverLoader {
                    } catch (MalformedURLException ex) {
                        final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
                                className, f.getAbsoluteFile());
-                        Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+                        LOGGER.log(Level.FINE, msg, ex);
                        throw new DriverLoadException(msg, ex);
                    }
                }
@@ -93,7 +98,7 @@ public final class DriverLoader {
                } catch (MalformedURLException ex) {
                    final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
                            className, file.getAbsoluteFile());
-                    Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+                    LOGGER.log(Level.FINE, msg, ex);
                    throw new DriverLoadException(msg, ex);
                }
            }
@@ -127,19 +132,19 @@ public final class DriverLoader {
            return shim;
        } catch (ClassNotFoundException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (InstantiationException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (IllegalAccessException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (SQLException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
@@ -39,6 +39,10 @@ import java.util.logging.Logger;
 */
 class DriverShim implements Driver {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DriverShim.class.getName());
    /**
     * The database driver being wrapped.
     */
@@ -123,11 +127,11 @@ class DriverShim implements Driver {
            try {
                return (Logger) m.invoke(m);
            } catch (IllegalAccessException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            } catch (IllegalArgumentException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            } catch (InvocationTargetException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            }
        }
        throw new SQLFeatureNotSupportedException();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -30,6 +30,11 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 */
 public class NvdCveUpdater implements CachedWebDataSource {

+    /**
+     * The logger
+     */
+    private static final Logger LOGGER = Logger.getLogger(NvdCveUpdater.class.getName());
+
    /**
     * <p>
     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
@@ -44,13 +49,13 @@ public class NvdCveUpdater implements CachedWebDataSource {
                task.update();
            }
        } catch (MalformedURLException ex) {
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
+            LOGGER.log(Level.WARNING,
                    "NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.");
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (DownloadFailedException ex) {
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
+            LOGGER.log(Level.WARNING,
                    "Unable to download the NVD CVE data, unable to update the data to use the most current data.");
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
+import org.owasp.dependencycheck.data.update.task.DownloadTask;
 import org.owasp.dependencycheck.data.update.task.ProcessTask;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -47,6 +47,10 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class StandardUpdate {

+    /**
+     * Static logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(StandardUpdate.class.getName());
    /**
     * The max thread pool size to use when downloading files.
     */
@@ -104,7 +108,7 @@ public class StandardUpdate {
                return;
            }
            if (maxUpdates > 3) {
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO,
+                LOGGER.log(Level.INFO,
                        "NVD CVE requires several updates; this could take a couple of minutes.");
            }
            if (maxUpdates > 0) {
@@ -118,7 +122,7 @@ public class StandardUpdate {
            final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
            for (NvdCveInfo cve : updateable) {
                if (cve.getNeedsUpdate()) {
-                    final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB);
+                    final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
                    downloadFutures.add(downloadExecutors.submit(call));
                }
            }
@@ -134,19 +138,19 @@ public class StandardUpdate {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();

-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download", ex);
                    throw new UpdateException("The download was interrupted", ex);
                } catch (ExecutionException ex) {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();

-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download execution", ex);
                    throw new UpdateException("The execution of the download was interrupted", ex);
                }
                if (task == null) {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download");
                    throw new UpdateException("The download was interrupted; unable to complete the update");
                } else {
                    processFutures.add(task);
@@ -161,11 +165,11 @@ public class StandardUpdate {
                    }
                } catch (InterruptedException ex) {
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during processing", ex);
                    throw new UpdateException(ex);
                } catch (ExecutionException ex) {
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Execution Exception during process", ex);
+                    LOGGER.log(Level.FINE, "Execution Exception during process", ex);
                    throw new UpdateException(ex);
                } finally {
                    processExecutor.shutdown();
@@ -174,7 +178,9 @@ public class StandardUpdate {

            if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
                properties.save(updateable.get(MODIFIED));
+                LOGGER.log(Level.INFO, "Begin database maintenance.");
                cveDB.cleanupDatabase();
+                LOGGER.log(Level.INFO, "End database maintenance.");
            }
        } finally {
            closeDataStores();
@@ -197,10 +203,10 @@ public class StandardUpdate {
            updates = retrieveCurrentTimestampsFromWeb();
        } catch (InvalidDataException ex) {
            final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DownloadFailedException(msg, ex);
        } catch (InvalidSettingException ex) {
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
+            LOGGER.log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
            throw new DownloadFailedException("Invalid settings", ex);
        }

@@ -233,9 +239,7 @@ public class StandardUpdate {
                            } catch (NumberFormatException ex) {
                                final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated",
                                        DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
-                                Logger
-                                        .getLogger(StandardUpdate.class
-                                                .getName()).log(Level.FINE, msg, ex);
+                                LOGGER.log(Level.FINE, msg, ex);
                            }
                            if (currentTimestamp == entry.getTimestamp()) {
                                entry.setNeedsUpdate(false);
@@ -245,8 +249,8 @@ public class StandardUpdate {
                }
            } catch (NumberFormatException ex) {
                final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
            }
        }
        return updates;
@@ -290,7 +294,7 @@ public class StandardUpdate {
            try {
                cveDB.close();
            } catch (Throwable ignore) {
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
+                LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
            }
        }
    }
@@ -309,7 +313,7 @@ public class StandardUpdate {
            cveDB.open();
        } catch (DatabaseException ex) {
            closeDataStores();
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
+            LOGGER.log(Level.FINE, "Database Exception opening databases", ex);
            throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
@@ -21,37 +21,25 @@ import java.util.Iterator;
 import java.util.ServiceLoader;

 /**
+ * The CachedWebDataSource Service Loader. This class loads all services that implement
+ * org.owasp.dependencycheck.data.update.CachedWebDataSource.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class UpdateService {
+public class UpdateService {

-    /**
-     * the singleton reference to the service.
-     */
-    private static UpdateService service;
    /**
     * the service loader for CachedWebDataSource.
     */
    private final ServiceLoader<CachedWebDataSource> loader;

    /**
-     * Creates a new instance of UpdateService
-     */
-    private UpdateService() {
-        loader = ServiceLoader.load(CachedWebDataSource.class);
-    }
-
-    /**
-     * Retrieve the singleton instance of UpdateService.
+     * Creates a new instance of UpdateService.
     *
-     * @return a singleton UpdateService.
+     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
-    public static synchronized UpdateService getInstance() {
-        if (service == null) {
-            service = new UpdateService();
-        }
-        return service;
+    public UpdateService(ClassLoader classLoader) {
+        loader = ServiceLoader.load(CachedWebDataSource.class, classLoader);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
@@ -27,6 +27,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.Settings;
@@ -36,7 +37,12 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
+public class DownloadTask implements Callable<Future<ProcessTask>> {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DownloadTask.class.getName());

    /**
     * Simple constructor for the callable download task.
@@ -44,11 +50,15 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
     * @param nvdCveInfo the NVD CVE info
     * @param processor the processor service to submit the downloaded files to
     * @param cveDB the CVE DB to use to store the vulnerability data
+     * @param settings a reference to the global settings object; this is necessary so that when the thread is started
+     * the dependencies have a correct reference to the global settings.
+     * @throws UpdateException thrown if temporary files could not be created
     */
-    public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB) {
+    public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
        this.nvdCveInfo = nvdCveInfo;
        this.processorService = processor;
        this.cveDB = cveDB;
+        this.settings = settings;

        final File file1;
        final File file2;
@@ -57,7 +67,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
        } catch (IOException ex) {
-            return;
+            throw new UpdateException("Unable to create temporary files", ex);
        }
        this.first = file1;
        this.second = file2;
@@ -75,6 +85,10 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
     * The NVD CVE Meta Data.
     */
    private NvdCveInfo nvdCveInfo;
+    /**
+     * A reference to the global settings object.
+     */
+    private Settings settings;

    /**
     * Get the value of nvdCveInfo.
@@ -163,30 +177,33 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
    @Override
    public Future<ProcessTask> call() throws Exception {
        try {
+            Settings.setInstance(settings);
            final URL url1 = new URL(nvdCveInfo.getUrl());
            final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
            String msg = String.format("Download Started for NVD CVE - %s", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
+            LOGGER.log(Level.INFO, msg);
            try {
                Downloader.fetchFile(url1, first);
                Downloader.fetchFile(url2, second);
            } catch (DownloadFailedException ex) {
                msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
-                Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, null, ex);
                return null;
            }

            msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
+            LOGGER.log(Level.INFO, msg);

-            final ProcessTask task = new ProcessTask(cveDB, this);
+            final ProcessTask task = new ProcessTask(cveDB, this, settings);
            return this.processorService.submit(task);

        } catch (Throwable ex) {
            final String msg = String.format("An exception occurred downloading NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, "Download Task Failed", ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "Download Task Failed", ex);
+        } finally {
+            Settings.cleanup(false);
        }
        return null;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
@@ -32,11 +32,11 @@ import javax.xml.parsers.SAXParserFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
-import org.owasp.dependencycheck.data.update.StandardUpdate;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
 import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.Settings;
 import org.xml.sax.SAXException;

 /**
@@ -46,6 +46,10 @@ import org.xml.sax.SAXException;
 */
 public class ProcessTask implements Callable<ProcessTask> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ProcessTask.class.getName());
    /**
     * A field to store any update exceptions that occur during the "call".
     */
@@ -75,22 +79,29 @@ public class ProcessTask implements Callable<ProcessTask> {
    /**
     * A reference to the callable download task.
     */
-    private final CallableDownloadTask filePair;
+    private final DownloadTask filePair;
    /**
     * A reference to the properties.
     */
    private final DatabaseProperties properties;
+    /**
+     * A reference to the global settings object.
+     */
+    private Settings settings;

    /**
     * Constructs a new ProcessTask used to process an NVD CVE update.
     *
     * @param cveDB the data store object
     * @param filePair the download task that contains the URL references to download
+     * @param settings a reference to the global settings object; this is necessary so that when the thread is started
+     * the dependencies have a correct reference to the global settings.
     */
-    public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair) {
+    public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
        this.cveDB = cveDB;
        this.filePair = filePair;
        this.properties = cveDB.getDatabaseProperties();
+        this.settings = settings;
    }

    /**
@@ -103,9 +114,12 @@ public class ProcessTask implements Callable<ProcessTask> {
    @Override
    public ProcessTask call() throws Exception {
        try {
+            Settings.setInstance(settings);
            processFiles();
        } catch (UpdateException ex) {
            this.exception = ex;
+        } finally {
+            Settings.cleanup(false);
        }
        return this;
    }
@@ -145,7 +159,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     */
    private void processFiles() throws UpdateException {
        String msg = String.format("Processing Started for NVD CVE - %s", filePair.getNvdCveInfo().getId());
-        Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
+        LOGGER.log(Level.INFO, msg);
        try {
            importXML(filePair.getFirst(), filePair.getSecond());
            cveDB.commit();
@@ -168,6 +182,6 @@ public class ProcessTask implements Callable<ProcessTask> {
            filePair.cleanup();
        }
        msg = String.format("Processing Complete for NVD CVE - %s", filePair.getNvdCveInfo().getId());
-        Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
+        LOGGER.log(Level.INFO, msg);
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java
@@ -40,6 +40,10 @@ import org.xml.sax.helpers.DefaultHandler;
 */
 public class NvdCve20Handler extends DefaultHandler {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NvdCve20Handler.class.getName());
    /**
     * the current supported schema version.
     */
@@ -168,8 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
                final float score = Float.parseFloat(nodeText.toString());
                vulnerability.setCvssScore(score);
            } catch (NumberFormatException ex) {
-                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
-                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "Error parsing CVSS Score.");
+                LOGGER.log(Level.FINE, null, ex);
            }
            nodeText = null;
        } else if (current.isCVSSAccessVectorNode()) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -37,6 +37,10 @@ import org.owasp.dependencycheck.utils.FileUtils;
 */
 public class Dependency implements Comparable<Dependency> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Dependency.class.getName());
    /**
     * The actual file path of the dependency on disk.
     */
@@ -87,6 +91,8 @@ public class Dependency implements Comparable<Dependency> {
        versionEvidence = new EvidenceCollection();
        identifiers = new TreeSet<Identifier>();
        vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
+        suppressedIdentifiers = new TreeSet<Identifier>();
+        suppressedVulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
    }

    /**
@@ -106,16 +112,26 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Returns the file name of the dependency.
     *
-     * @return the file name of the dependency.
+     * @return the file name of the dependency
     */
    public String getFileName() {
        return this.fileName;
    }

+    /**
+     * Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack
+     * as I could not get the replace to work in the template itself.
+     *
+     * @return the file name of the dependency with the backslash escaped for use in JavaScript
+     */
+    public String getFileNameForJavaScript() {
+        return this.fileName.replace("\\", "\\\\");
+    }
+
    /**
     * Sets the file name of the dependency.
     *
-     * @param fileName the file name of the dependency.
+     * @param fileName the file name of the dependency
     */
    public void setFileName(String fileName) {
        this.fileName = fileName;
@@ -124,7 +140,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the actual file path of the dependency on disk.
     *
-     * @param actualFilePath the file path of the dependency.
+     * @param actualFilePath the file path of the dependency
     */
    public void setActualFilePath(String actualFilePath) {
        this.actualFilePath = actualFilePath;
@@ -137,7 +153,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets the file path of the dependency.
     *
-     * @return the file path of the dependency.
+     * @return the file path of the dependency
     */
    public String getActualFilePath() {
        return this.actualFilePath;
@@ -146,7 +162,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets a reference to the File object.
     *
-     * @return the File object.
+     * @return the File object
     */
    public File getActualFile() {
        return new File(this.actualFilePath);
@@ -155,12 +171,39 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the file path of the dependency.
     *
-     * @param filePath the file path of the dependency.
+     * @param filePath the file path of the dependency
     */
    public void setFilePath(String filePath) {
        this.filePath = filePath;
    }

+    /**
+     * The file name to display in reports.
+     */
+    private String displayName = null;
+
+    /**
+     * Sets the file name to display in reports.
+     *
+     * @param displayName the name to display
+     */
+    public void setDisplayFileName(String displayName) {
+        this.displayName = displayName;
+    }
+
+    /**
+     * Returns the file name to display in reports; if no display file name has been set it will default to the actual
+     * file name.
+     *
+     * @return the file name to display
+     */
+    public String getDisplayFileName() {
+        if (displayName == null) {
+            return this.fileName;
+        }
+        return this.displayName;
+    }
+
    /**
     * <p>
     * Gets the file path of the dependency.</p>
@@ -168,7 +211,7 @@ public class Dependency implements Comparable<Dependency> {
     * <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
     * obtained via the getActualFilePath().</p>
     *
-     * @return the file path of the dependency.
+     * @return the file path of the dependency
     */
    public String getFilePath() {
        return this.filePath;
@@ -177,7 +220,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the file name of the dependency.
     *
-     * @param fileExtension the file name of the dependency.
+     * @param fileExtension the file name of the dependency
     */
    public void setFileExtension(String fileExtension) {
        this.fileExtension = fileExtension;
@@ -186,7 +229,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets the file extension of the dependency.
     *
-     * @return the file extension of the dependency.
+     * @return the file extension of the dependency
     */
    public String getFileExtension() {
        return this.fileExtension;
@@ -231,7 +274,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Returns a List of Identifiers.
     *
-     * @return an ArrayList of Identifiers.
+     * @return an ArrayList of Identifiers
     */
    public Set<Identifier> getIdentifiers() {
        return this.identifiers;
@@ -240,7 +283,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets a List of Identifiers.
     *
-     * @param identifiers A list of Identifiers.
+     * @param identifiers A list of Identifiers
     */
    public void setIdentifiers(Set<Identifier> identifiers) {
        this.identifiers = identifiers;
@@ -280,6 +323,69 @@ public class Dependency implements Comparable<Dependency> {
    public void addIdentifier(Identifier identifier) {
        this.identifiers.add(identifier);
    }
+    /**
+     * A set of identifiers that have been suppressed.
+     */
+    private Set<Identifier> suppressedIdentifiers;
+
+    /**
+     * Get the value of suppressedIdentifiers.
+     *
+     * @return the value of suppressedIdentifiers
+     */
+    public Set<Identifier> getSuppressedIdentifiers() {
+        return suppressedIdentifiers;
+    }
+
+    /**
+     * Set the value of suppressedIdentifiers.
+     *
+     * @param suppressedIdentifiers new value of suppressedIdentifiers
+     */
+    public void setSuppressedIdentifiers(Set<Identifier> suppressedIdentifiers) {
+        this.suppressedIdentifiers = suppressedIdentifiers;
+    }
+
+    /**
+     * Adds an identifier to the list of suppressed identifiers.
+     *
+     * @param identifier an identifier that was suppressed.
+     */
+    public void addSuppressedIdentifier(Identifier identifier) {
+        this.suppressedIdentifiers.add(identifier);
+    }
+
+    /**
+     * A set of vulnerabilities that have been suppressed.
+     */
+    private SortedSet<Vulnerability> suppressedVulnerabilities;
+
+    /**
+     * Get the value of suppressedVulnerabilities.
+     *
+     * @return the value of suppressedVulnerabilities
+     */
+    public SortedSet<Vulnerability> getSuppressedVulnerabilities() {
+        return suppressedVulnerabilities;
+    }
+
+    /**
+     * Set the value of suppressedVulnerabilities.
+     *
+     * @param suppressedVulnerabilities new value of suppressedVulnerabilities
+     */
+    public void setSuppressedVulnerabilities(SortedSet<Vulnerability> suppressedVulnerabilities) {
+        this.suppressedVulnerabilities = suppressedVulnerabilities;
+    }
+
+    /**
+     * Adds a vulnerability to the set of suppressed vulnerabilities.
+     *
+     * @param vulnerability the vulnerability that was suppressed
+     */
+    public void addSuppressedVulnerability(Vulnerability vulnerability) {
+        this.suppressedVulnerabilities.add(vulnerability);
+    }

    /**
     * Returns the evidence used to identify this dependency.
@@ -290,6 +396,15 @@ public class Dependency implements Comparable<Dependency> {
        return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence);
    }

+    /**
+     * Returns the evidence used to identify this dependency.
+     *
+     * @return an EvidenceCollection.
+     */
+    public Set<Evidence> getEvidenceForDisplay() {
+        return EvidenceCollection.mergeForDisplay(this.productEvidence, this.vendorEvidence, this.versionEvidence);
+    }
+
    /**
     * Returns the evidence used to identify this dependency.
     *
@@ -405,12 +520,12 @@ public class Dependency implements Comparable<Dependency> {
            sha1 = Checksum.getSHA1Checksum(file);
        } catch (IOException ex) {
            final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
-            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (NoSuchAlgorithmException ex) {
            final String msg = "Unable to use MD5 of SHA1 checksums.";
-            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        }
        this.setMd5sum(md5);
        this.setSha1sum(sha1);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -220,22 +220,95 @@ public class Evidence implements Comparable<Evidence> {
     * @return an integer indicating the ordering of the two objects
     */
    public int compareTo(Evidence o) {
-        if (source.equals(o.source)) {
-            if (name.equals(o.name)) {
-                if (value.equals(o.value)) {
-                    if (confidence.equals(o.confidence)) {
+        if (o == null) {
+            return 1;
+        }
+        if (equalsWithNullCheck(source, o.source)) {
+            if (equalsWithNullCheck(name, o.name)) {
+                if (equalsWithNullCheck(value, o.value)) {
+                    if (equalsWithNullCheck(confidence, o.confidence)) {
                        return 0; //they are equal
                    } else {
-                        return confidence.compareTo(o.confidence);
+                        return compareToWithNullCheck(confidence, o.confidence);
                    }
                } else {
-                    return value.compareToIgnoreCase(o.value);
+                    return compareToIgnoreCaseWithNullCheck(value, o.value);
                }
            } else {
-                return name.compareToIgnoreCase(o.name);
+                return compareToIgnoreCaseWithNullCheck(name, o.name);
            }
        } else {
-            return source.compareToIgnoreCase(o.source);
+            return compareToIgnoreCaseWithNullCheck(source, o.source);
        }
    }
+
+    /**
+     * Equality check with an exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private boolean equalsWithNullCheck(String me, String other) {
+        if (me == null && other == null) {
+            return true;
+        } else if (me == null || other == null) {
+            return false;
+        }
+        return me.equals(other);
+    }
+
+    /**
+     * Equality check with an exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private boolean equalsWithNullCheck(Confidence me, Confidence other) {
+        if (me == null && other == null) {
+            return true;
+        } else if (me == null || other == null) {
+            return false;
+        }
+        return me.equals(other);
+    }
+
+    /**
+     * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an
+     * exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private int compareToIgnoreCaseWithNullCheck(String me, String other) {
+        if (me == null && other == null) {
+            return 0;
+        } else if (me == null) {
+            return -1; //the other string is greater then me
+        } else if (other == null) {
+            return 1; //me is greater then the other string
+        }
+        return me.compareToIgnoreCase(other);
+    }
+
+    /**
+     * Wrapper around {@link java.lang.Enum#compareTo(java.lang.Enum) Enum.compareTo} with an exhaustive, possibly
+     * duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private int compareToWithNullCheck(Confidence me, Confidence other) {
+        if (me == null && other == null) {
+            return 0;
+        } else if (me == null) {
+            return -1; //the other string is greater then me
+        } else if (other == null) {
+            return 1; //me is greater then the other string
+        }
+        return me.compareTo(other);
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
@@ -38,6 +38,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 */
 public class EvidenceCollection implements Iterable<Evidence> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EvidenceCollection.class.getName());
    /**
     * Used to iterate over highest confidence evidence contained in the collection.
     */
@@ -307,6 +311,26 @@ public class EvidenceCollection implements Iterable<Evidence> {
        return ret;
    }

+    /**
+     * Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
+     *
+     * @param ec One or more EvidenceCollections
+     * @return new set of evidence resulting from merging the evidence in the collections
+     */
+    public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
+        final Set<Evidence> ret = new TreeSet<Evidence>();
+        for (EvidenceCollection col : ec) {
+            for (Evidence e : col) {
+                if (e.isUsed()) {
+                    final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
+                    newEvidence.setUsed(true);
+                    ret.add(newEvidence);
+                }
+            }
+        }
+        return ret;
+    }
+
    /**
     * Returns a string of evidence 'values'.
     *
@@ -360,7 +384,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
                    final List<String> data = UrlStringUtils.extractImportantUrlData(part);
                    sb.append(' ').append(StringUtils.join(data, ' '));
                } catch (MalformedURLException ex) {
-                    Logger.getLogger(EvidenceCollection.class.getName()).log(Level.FINE, "error parsing " + part, ex);
+                    LOGGER.log(Level.FINE, "error parsing " + part, ex);
                    sb.append(' ').append(part);
                }
            } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -31,6 +31,10 @@ import org.owasp.dependencycheck.data.cpe.IndexEntry;
 */
 public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(VulnerableSoftware.class.getName());
    /**
     * The serial version UID.
     */
@@ -46,8 +50,8 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
            parseName(cpe);
        } catch (UnsupportedEncodingException ex) {
            final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
-            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
            setName(cpe);
        }
    }
@@ -73,19 +77,19 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
        if (cpeName != null && cpeName.length() > 7) {
            final String[] data = cpeName.substring(7).split(":");
            if (data.length >= 1) {
-                this.setVendor(URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8"));
+                this.setVendor(urlDecode(data[0]));
            }
            if (data.length >= 2) {
-                this.setProduct(URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8"));
+                this.setProduct(urlDecode(data[1]));
            }
            if (data.length >= 3) {
-                version = URLDecoder.decode(data[2].replace("+", "%2B"), "UTF-8");
+                version = urlDecode(data[2]);
            }
            if (data.length >= 4) {
-                revision = URLDecoder.decode(data[3].replace("+", "%2B"), "UTF-8");
+                revision = urlDecode(data[3]);
            }
            if (data.length >= 5) {
-                edition = URLDecoder.decode(data[4].replace("+", "%2B"), "UTF-8");
+                edition = urlDecode(data[4]);
            }
        }
    }
@@ -337,4 +341,25 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
    public void setEdition(String edition) {
        this.edition = edition;
    }
+
+    /**
+     * Replaces '+' with '%2B' and then URL Decodes the string attempting first UTF-8, then ASCII, then default.
+     *
+     * @param string the string to URL Decode
+     * @return the URL Decoded string
+     */
+    private String urlDecode(String string) {
+        final String text = string.replace("+", "%2B");
+        String result;
+        try {
+            result = URLDecoder.decode(text, "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            try {
+                result = URLDecoder.decode(text, "ASCII");
+            } catch (UnsupportedEncodingException ex1) {
+                result = URLDecoder.decode(text);
+            }
+        }
+        return result;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
@@ -0,0 +1,68 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.exception;
+
+import java.io.IOException;
+
+/**
+ * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
+ *
+ * @author Steve Springett <steve.springett@owasp.org>
+ */
+public class ScanAgentException extends IOException {
+
+    /**
+     * The serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new ScanAgentException.
+     */
+    public ScanAgentException() {
+        super();
+    }
+
+    /**
+     * Creates a new ScanAgentException.
+     *
+     * @param msg a message for the exception.
+     */
+    public ScanAgentException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new NoDataException.
+     *
+     * @param ex the cause of the exception.
+     */
+    public ScanAgentException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new ScanAgentException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the exception.
+     */
+    public ScanAgentException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/MavenNamespaceFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/MavenNamespaceFilter.java
@@ -56,16 +56,16 @@ public class MavenNamespaceFilter extends XMLFilterImpl {
     * @param uri the uri
     * @param localName the localName
     * @param qName the qualified name
-     * @param atts the attributes
+     * @param attributes the attributes
     * @throws SAXException thrown if there is a SAXException
     */
    @Override
-    public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
-        super.startElement(NAMESPACE, localName, qName, atts);
+    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+        super.startElement(NAMESPACE, localName, qName, attributes);
    }

    /**
-     * Indicatees the start of the document.
+     * Indicates the start of the document.
     *
     * @param uri the uri
     * @param localName the localName
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -0,0 +1,74 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.reporting;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.lang.StringEscapeUtils;
+
+/**
+ * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
+ * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class EscapeTool {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName());
+
+    /**
+     * URL Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the URL encoded text
+     */
+    public String url(String text) {
+        try {
+            return URLEncoder.encode(text, "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            LOGGER.log(Level.WARNING, "UTF-8 is not supported?");
+            LOGGER.log(Level.INFO, null, ex);
+        }
+        return "";
+    }
+
+    /**
+     * HTML Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the HTML encoded text
+     */
+    public String html(String text) {
+        return StringEscapeUtils.escapeHtml(text);
+    }
+
+    /**
+     * XML Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the XML encoded text
+     */
+    public String xml(String text) {
+        return StringEscapeUtils.escapeXml(text);
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -26,15 +26,16 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
 import org.apache.velocity.runtime.RuntimeConstants;
-import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
-import org.apache.velocity.tools.ToolManager;
-import org.apache.velocity.tools.config.EasyFactoryConfiguration;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -48,6 +49,11 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class ReportGenerator {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ReportGenerator.class.getName());
+
    /**
     * An enumeration of the report formats.
     */
@@ -93,10 +99,20 @@ public class ReportGenerator {

        engine.init();

+        final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
+        final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+        final Date d = new Date();
+        final String scanDate = dateFormat.format(d);
+        final String scanDateXML = dateFormatXML.format(d);
+        final EscapeTool enc = new EscapeTool();
+
        context.put("applicationName", applicationName);
        context.put("dependencies", dependencies);
        context.put("analyzers", analyzers);
        context.put("properties", properties);
+        context.put("scanDate", scanDate);
+        context.put("scanDateXML", scanDateXML);
+        context.put("enc", enc);
        context.put("version", Settings.getString("application.version", "Unknown"));
    }

@@ -106,28 +122,19 @@ public class ReportGenerator {
     * @return a velocity engine.
     */
    private VelocityEngine createVelocityEngine() {
-        final VelocityEngine ve = new VelocityEngine();
-        ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
-        ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-        ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
-        return ve;
+        final VelocityEngine engine = new VelocityEngine();
+        // Logging redirection for Velocity - Required by Jenkins and other server applications
+        engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
+        return engine;
    }

    /**
-     * Creates a new Velocity Context initialized with escape and date tools.
+     * Creates a new Velocity Context.
     *
     * @return a Velocity Context.
     */
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
-            justification = "No plan to fix this style issue")
    private Context createContext() {
-        final ToolManager manager = new ToolManager();
-        final Context c = manager.createContext();
-        final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
-        config.addDefaultTools();
-        config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
-        manager.configure(config);
-        return c;
+        return new VelocityContext();
    }

    /**
@@ -140,13 +147,13 @@ public class ReportGenerator {
     */
    public void generateReports(String outputDir, Format format) throws IOException, Exception {
        if (format == Format.XML || format == Format.ALL) {
-            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+            generateReport("XmlReport", outputDir + File.separator + "dependency-check-report.xml");
        }
        if (format == Format.HTML || format == Format.ALL) {
-            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+            generateReport("HtmlReport", outputDir + File.separator + "dependency-check-report.html");
        }
        if (format == Format.VULN || format == Format.ALL) {
-            generateReport("VulnerabilityReport", outputDir + File.separator + "DependencyCheck-Vulnerability.html");
+            generateReport("VulnerabilityReport", outputDir + File.separator + "dependency-check-vulnerability.html");
        }
    }

@@ -196,8 +203,8 @@ public class ReportGenerator {
                input = new FileInputStream(f);
            } catch (FileNotFoundException ex) {
                final String msg = "Unable to generate the report, the report template file could not be found.";
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
        } else {
            templatePath = "templates/" + templateName + ".vsl";
@@ -232,20 +239,20 @@ public class ReportGenerator {
                try {
                    writer.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
            if (outputStream != null) {
                try {
                    outputStream.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
            try {
                reader.close();
            } catch (IOException ex) {
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.reporting;

 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.apache.velocity.app.Velocity;
 import org.apache.velocity.runtime.RuntimeServices;
 import org.apache.velocity.runtime.log.LogChute;

@@ -37,6 +36,11 @@ import org.apache.velocity.runtime.log.LogChute;
 */
 public class VelocityLoggerRedirect implements LogChute {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(VelocityLoggerRedirect.class.getName());
+
    /**
     * This will be invoked once by the LogManager.
     *
@@ -54,7 +58,7 @@ public class VelocityLoggerRedirect implements LogChute {
     * @param message the message to be logged
     */
    public void log(int level, String message) {
-        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
+        LOGGER.log(getLevel(level), message);
    }

    /**
@@ -66,7 +70,7 @@ public class VelocityLoggerRedirect implements LogChute {
     * @param t a throwable to log
     */
    public void log(int level, String message, Throwable t) {
-        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
+        LOGGER.log(getLevel(level), message, t);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
@@ -30,6 +30,11 @@ import org.xml.sax.SAXParseException;
 */
 public class SuppressionErrorHandler implements ErrorHandler {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(SuppressionErrorHandler.class.getName());
+
    /**
     * Builds a prettier exception message.
     *
@@ -65,7 +70,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
     */
    @Override
    public void warning(SAXParseException ex) throws SAXException {
-        Logger.getLogger(SuppressionErrorHandler.class.getName()).log(Level.FINE, null, ex);
+        LOGGER.log(Level.FINE, null, ex);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -54,6 +54,10 @@ public class SuppressionHandler extends DefaultHandler {
     * The CWE element name.
     */
    public static final String CWE = "cwe";
+    /**
+     * The GAV element name.
+     */
+    public static final String GAV = "gav";
    /**
     * The cvssBelow element name.
     */
@@ -95,13 +99,10 @@ public class SuppressionHandler extends DefaultHandler {
     */
    @Override
    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
-        currentAttributes = null;
+        currentAttributes = attributes;
        currentText = new StringBuffer();
-
        if (SUPPRESS.equals(qName)) {
            rule = new SuppressionRule();
-        } else if (FILE_PATH.equals(qName)) {
-            currentAttributes = attributes;
        }
    }

@@ -123,6 +124,9 @@ public class SuppressionHandler extends DefaultHandler {
            rule.setFilePath(pt);
        } else if (SHA1.equals(qName)) {
            rule.setSha1(currentText.toString());
+        } else if (GAV.equals(qName)) {
+            final PropertyType pt = processPropertyType();
+            rule.setGav(pt);
        } else if (CPE.equals(qName)) {
            final PropertyType pt = processPropertyType();
            rule.addCpe(pt);
@@ -164,7 +168,7 @@ public class SuppressionHandler extends DefaultHandler {
                pt.setRegex(Boolean.parseBoolean(regex));
            }
            final String caseSensitive = currentAttributes.getValue("caseSensitive");
-            if (regex != null) {
+            if (caseSensitive != null) {
                pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -27,9 +27,11 @@ import java.io.Reader;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+
 import javax.xml.parsers.ParserConfigurationException;
 import javax.xml.parsers.SAXParser;
 import javax.xml.parsers.SAXParserFactory;
+
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 import org.xml.sax.XMLReader;
@@ -41,6 +43,10 @@ import org.xml.sax.XMLReader;
 */
 public class SuppressionParser {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(SuppressionParser.class.getName());
    /**
     * JAXP Schema Language. Source: http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
     */
@@ -62,10 +68,25 @@ public class SuppressionParser {
     * @throws SuppressionParseException thrown if the xml file cannot be parsed
     */
    public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
+        try {
+            return parseSuppressionRules(new FileInputStream(file));
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new SuppressionParseException(ex);
+        }
+    }
+
+    /**
+     * Parses the given xml stream and returns a list of the suppression rules contained.
+     * 
+     * @param inputStream an InputStream containing suppression rues
+     * @return a list of suppression rules
+     * @throws SuppressionParseException if the xml cannot be parsed
+     */
+    public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException {
        try {
            final InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream("schema/suppression.xsd");
            final SuppressionHandler handler = new SuppressionHandler();
-
            final SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setValidating(true);
@@ -76,7 +97,6 @@ public class SuppressionParser {
            xmlReader.setErrorHandler(new SuppressionErrorHandler());
            xmlReader.setContentHandler(handler);

-            final InputStream inputStream = new FileInputStream(file);
            final Reader reader = new InputStreamReader(inputStream, "UTF-8");
            final InputSource in = new InputSource(reader);
            //in.setEncoding("UTF-8");
@@ -85,16 +105,16 @@ public class SuppressionParser {

            return handler.getSuppressionRules();
        } catch (ParserConfigurationException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (SAXException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (IOException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
@@ -234,6 +234,37 @@ public class SuppressionRule {
    public boolean hasCve() {
        return cve.size() > 0;
    }
+    /**
+     * A Maven GAV to suppression.
+     */
+    private PropertyType gav = null;
+
+    /**
+     * Get the value of Maven GAV.
+     *
+     * @return the value of gav
+     */
+    public PropertyType getGav() {
+        return gav;
+    }
+
+    /**
+     * Set the value of Maven GAV.
+     *
+     * @param gav new value of Maven gav
+     */
+    public void setGav(PropertyType gav) {
+        this.gav = gav;
+    }
+
+    /**
+     * Returns whether or not this suppression rule as GAV entries.
+     *
+     * @return whether or not this suppression rule as GAV entries
+     */
+    public boolean hasGav() {
+        return gav != null;
+    }

    /**
     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
@@ -248,12 +279,28 @@ public class SuppressionRule {
        if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
            return;
        }
+        if (gav != null) {
+            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+            boolean gavFound = false;
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if (identifierMatches("maven", this.gav, i)) {
+                    gavFound = true;
+                    break;
+                }
+            }
+            if (!gavFound) {
+                return;
+            }
+        }
+
        if (this.hasCpe()) {
            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
            while (itr.hasNext()) {
                final Identifier i = itr.next();
                for (PropertyType c : this.cpe) {
-                    if (cpeMatches(c, i)) {
+                    if (identifierMatches("cpe", c, i)) {
+                        dependency.addSuppressedIdentifier(i);
                        itr.remove();
                        break;
                    }
@@ -292,6 +339,7 @@ public class SuppressionRule {
                    }
                }
                if (remove) {
+                    dependency.addSuppressedVulnerability(v);
                    itr.remove();
                }
            }
@@ -307,7 +355,7 @@ public class SuppressionRule {
    boolean cpeHasNoVersion(PropertyType c) {
        if (c.isRegex()) {
            return false;
-        } // cpe:/a:jboss:jboss:1.0.0:
+        }
        if (countCharacter(c.getValue(), ':') == 3) {
            return true;
        }
@@ -334,26 +382,75 @@ public class SuppressionRule {
    /**
     * Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
     *
-     * @param cpeEntry a suppression rule entry
+     * @param identifierType the type of identifier ("cpe", "maven", etc.)
+     * @param suppressionEntry a suppression rule entry
     * @param identifier a CPE identifier to check
     * @return true if the entry matches; otherwise false
     */
-    boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
-        if (cpeEntry.matches(identifier.getValue())) {
-            return true;
-        } else if (cpeHasNoVersion(cpeEntry)) {
-            if (cpeEntry.isCaseSensitive()) {
-                if (identifier.getValue().startsWith(cpeEntry.getValue())) {
-                    return true;
-                }
-            } else {
-                final String id = identifier.getValue().toLowerCase();
-                final String check = cpeEntry.getValue().toLowerCase();
-                if (id.startsWith(check)) {
-                    return true;
+    boolean identifierMatches(String identifierType, PropertyType suppressionEntry, Identifier identifier) {
+        if (identifierType.equals(identifier.getType())) {
+            if (suppressionEntry.matches(identifier.getValue())) {
+                return true;
+            } else if ("cpe".equals(identifierType) && cpeHasNoVersion(suppressionEntry)) {
+                if (suppressionEntry.isCaseSensitive()) {
+                    return identifier.getValue().startsWith(suppressionEntry.getValue());
+                } else {
+                    final String id = identifier.getValue().toLowerCase();
+                    final String check = suppressionEntry.getValue().toLowerCase();
+                    return id.startsWith(check);
                }
            }
        }
        return false;
    }
+
+    /**
+     * Standard toString implementation.
+     *
+     * @return a string representation of this object
+     */
+    @Override
+    public String toString() {
+        final StringBuilder sb = new StringBuilder();
+        sb.append("SuppressionRule{");
+        if (filePath != null) {
+            sb.append("filePath=").append(filePath).append(",");
+        }
+        if (sha1 != null) {
+            sb.append("sha1=").append(sha1).append(",");
+        }
+        if (gav != null) {
+            sb.append("gav=").append(gav).append(",");
+        }
+        if (cpe != null && cpe.size() > 0) {
+            sb.append("cpe={");
+            for (PropertyType pt : cpe) {
+                sb.append(pt).append(",");
+            }
+            sb.append("}");
+        }
+        if (cwe != null && cwe.size() > 0) {
+            sb.append("cwe={");
+            for (String s : cwe) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cve != null && cve.size() > 0) {
+            sb.append("cve={");
+            for (String s : cve) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cvssBelow != null && cvssBelow.size() > 0) {
+            sb.append("cvssBelow={");
+            for (Float s : cvssBelow) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        sb.append("}");
+        return sb.toString();
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Checksum.java
@@ -20,7 +20,11 @@ import java.util.logging.Logger;
 *
 */
 public final class Checksum {
-
+    
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Checksum.class.getName());
    /**
     * Private constructor for a utility class.
     */
@@ -57,7 +61,7 @@ public final class Checksum {
                try {
                    fis.close();
                } catch (IOException ex) {
-                    Logger.getLogger(Checksum.class.getName()).log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
+                    LOGGER.log(Level.FINEST, "Error closing file '" + file.getName() + "'.", ex);
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
@@ -23,7 +23,6 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;

 /**
@@ -32,6 +31,11 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 */
 public final class DBUtils {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DBUtils.class.getName());
+
    /**
     * Private constructor for a utility class.
     */
@@ -70,8 +74,7 @@ public final class DBUtils {
            try {
                statement.close();
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class
-                        .getName()).log(Level.FINEST, statement.toString(), ex);
+                LOGGER.log(Level.FINEST, statement.toString(), ex);
            }
        }
    }
@@ -86,8 +89,7 @@ public final class DBUtils {
            try {
                rs.close();
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class
-                        .getName()).log(Level.FINEST, rs.toString(), ex);
+                LOGGER.log(Level.FINEST, rs.toString(), ex);
            }
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -47,10 +47,10 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion

    /**
     * Constructor for a DependencyVersion that will parse a version string.
-     * <b>Note</b>, this should only be used when the version passed in is already known to be a well formated version
+     * <b>Note</b>, this should only be used when the version passed in is already known to be a well formatted version
     * number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead.
     *
-     * @param version the well formated version number to parse
+     * @param version the well formatted version number to parse
     */
    public DependencyVersion(String version) {
        parseVersion(version);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -13,7 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.utils;

@@ -24,22 +24,23 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
-import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.owasp.dependencycheck.Engine;
+import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;

 /**
- * A collection of utilities for processing information about files.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class FileUtils {
+public final class ExtractionUtil {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ExtractionUtil.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -48,103 +49,7 @@ public final class FileUtils {
    /**
     * Private constructor for a utility class.
     */
-    private FileUtils() {
-    }
-
-    /**
-     * Returns the (lowercase) file extension for a specified file.
-     *
-     * @param fileName the file name to retrieve the file extension from.
-     * @return the file extension.
-     */
-    public static String getFileExtension(String fileName) {
-        String ret = null;
-        final int pos = fileName.lastIndexOf(".");
-        if (pos >= 0) {
-            ret = fileName.substring(pos + 1, fileName.length()).toLowerCase();
-        }
-        return ret;
-    }
-
-    /**
-     * Deletes a file. If the File is a directory it will recursively delete the contents.
-     *
-     * @param file the File to delete
-     * @return true if the file was deleted successfully, otherwise false
-     */
-    public static boolean delete(File file) {
-        boolean success = true;
-        if (file.isDirectory()) { //some of this may duplicative of deleteQuietly....
-            for (File f : file.listFiles()) {
-                success &= delete(f);
-            }
-        }
-        if (!org.apache.commons.io.FileUtils.deleteQuietly(file)) {
-            success = false;
-            final String msg = String.format("Failed to delete file: %s", file.getPath());
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg);
-        }
-        return success;
-    }
-
-    /**
-     * Generates a new temporary file name that is guaranteed to be unique.
-     *
-     * @param prefix the prefix for the file name to generate
-     * @param extension the extension of the generated file name
-     * @return a temporary File
-     */
-    public static File getTempFile(String prefix, String extension) {
-        final File dir = Settings.getTempDirectory();
-        if (!dir.exists()) {
-            dir.mkdirs();
-        }
-        final String tempFileName = String.format("%s%s.%s", prefix, UUID.randomUUID().toString(), extension);
-        final File tempFile = new File(dir, tempFileName);
-        if (tempFile.exists()) {
-            return getTempFile(prefix, extension);
-        }
-        return tempFile;
-    }
-
-    /**
-     * Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the
-     * Settings object, and the path exists, that path will be returned as a File object. If it does not exist, then a
-     * File object will be created based on the file location of the JAR containing the specified class.
-     *
-     * @param configuredFilePath the configured relative or absolute path
-     * @param clazz the class to resolve the path
-     * @return a File object
-     * @throws IOException is thrown if the path could not be decoded
-     * @deprecated This method should no longer be used. See the implementation in dependency-check-cli/App.java to see
-     * how the data directory should be set.
-     */
-    @java.lang.Deprecated
-    public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
-        final File file = new File(configuredFilePath);
-        if (file.isDirectory() && file.canWrite()) {
-            return new File(file.getCanonicalPath());
-        } else {
-            final File exePath = getPathToJar(clazz);
-            return new File(exePath, configuredFilePath);
-        }
-    }
-
-    /**
-     * Retrieves the physical path to the parent directory containing the provided class. For example, if a JAR file
-     * contained a class org.something.clazz this method would return the parent directory of the JAR file.
-     *
-     * @param clazz the class to determine the parent directory of
-     * @return the parent directory of the file containing the specified class.
-     * @throws UnsupportedEncodingException thrown if UTF-8 is not supported.
-     * @deprecated this should no longer be used.
-     */
-    @java.lang.Deprecated
-    public static File getPathToJar(Class clazz) throws UnsupportedEncodingException {
-        final String filePath = clazz.getProtectionDomain().getCodeSource().getLocation().getPath();
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        final File jarPath = new File(decodedPath);
-        return jarPath.getParentFile();
+    private ExtractionUtil() {
    }

    /**
@@ -179,7 +84,7 @@ public final class FileUtils {
        try {
            fis = new FileInputStream(archive);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ExtractionException("Archive file was not found.", ex);
        }
        zis = new ZipInputStream(new BufferedInputStream(fis));
@@ -208,11 +113,11 @@ public final class FileUtils {
                            }
                            bos.flush();
                        } catch (FileNotFoundException ex) {
-                            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("Unable to find file '%s'.", file.getName());
                            throw new ExtractionException(msg, ex);
                        } catch (IOException ex) {
-                            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
                            throw new ExtractionException(msg, ex);
                        } finally {
@@ -220,7 +125,7 @@ public final class FileUtils {
                                try {
                                    bos.close();
                                } catch (IOException ex) {
-                                    Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
+                                    LOGGER.log(Level.FINEST, null, ex);
                                }
                            }
                        }
@@ -229,13 +134,13 @@ public final class FileUtils {
            }
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new ExtractionException(msg, ex);
        } finally {
            try {
                zis.close();
            } catch (IOException ex) {
-                Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
--- a/dependency-check-core/src/main/resources/GrokAssembly.exe
+++ b/dependency-check-core/src/main/resources/GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -0,0 +1,12 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+    <suppress>
+        <notes><![CDATA[
+        This suppresses false positives identified on spring security.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.security:spring.*</gav>
+        <cpe>cpe:/a:mod_security:mod_security</cpe>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+    </suppress>
+</suppressions>
--- a/dependency-check-core/src/main/resources/dependencycheck-resources.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck-resources.properties
@@ -0,0 +1,10 @@
+analyzer.AssemblyAnalyzer.notdeployed=GrokAssembly didn't get deployed
+analyzer.AssemblyAnalyzer.grokassembly.stderr=Error from GrokAssembly: {0}
+analyzer.AssemblyAnalyzer.notassembly={0} is not a .NET assembly or executable and as such cannot be analyzed by dependency-check
+analyzer.AssemblyAnalyzer.grokassembly.rc=Return code {0} from GrokAssembly
+analyzer.AssemblyAnalyzer.grokassembly.deployed=Extracted GrokAssembly.exe to {0}
+analyzer.AssemblyAnalyzer.grokassembly.notdeployed=Could not extract GrokAssembly.exe: {0}
+analyzer.AssemblyAnalyzer.grokassembly.initialization.failed=An error occurred with the .NET AssemblyAnalyzer; \
+    this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
+analyzer.AssemblyAnalyzer.grokassembly.initialization.message=Could not execute GrokAssembly {0}
+analyzer.AssemblyAnalyzer.grokassembly.notdeleted=Can't delete temporary GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -13,8 +13,10 @@ max.download.threads=3
 # will not be used. The data.directory will be resolved and if the connection string
 # below contains a %s then the data.directory will replace the %s.
 data.directory=[JAR]/data
-data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
+#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
+
 # user name and password for the database connection. The inherent case is to use H2.
 # As such, this unsecure username/password exist.
 data.user=dcuser
@@ -42,9 +44,15 @@ cve.startyear=2002
 cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml

+# file type analyzer settings:
+analyzer.archive.enabled=true
+analyzer.jar.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.assembly.enabled=true
+
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
-analyzer.nexus.url=http://repository.sonatype.org/service/local/
+analyzer.nexus.url=https://repository.sonatype.org/service/local/
 # If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
 # are configured
 analyzer.nexus.proxy=true
--- a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd
+++ b/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
+<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
    <xs:element name="analysis">
        <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -119,64 +119,124 @@
                                        <xs:element name="identifiers" minOccurs="0" maxOccurs="1">
                                            <xs:complexType>
                                                <xs:sequence>
-                                                    <xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
-                                                        <xs:complexType>
-                                                            <xs:sequence>
-                                                                <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                                <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                            </xs:sequence>
-                                                            <xs:attribute name="type" type="xs:string" use="required" />
-                                                            <xs:attribute name="confidence" type="xs:string" use="optional" />
-                                                        </xs:complexType>
-                                                    </xs:element>
+                                                    <xs:sequence>
+                                                        <xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                </xs:sequence>
+                                                                <xs:attribute name="type" type="xs:string" use="required" />
+                                                                <xs:attribute name="confidence" type="xs:string" use="optional" />
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
+                                                    <xs:sequence>
+                                                        <xs:element name="suppressedIdentifier" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                </xs:sequence>
+                                                                <xs:attribute name="type" type="xs:string" use="required" />
+                                                                <xs:attribute name="confidence" type="xs:string" use="optional" />
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
                                                </xs:sequence>
                                            </xs:complexType>
                                        </xs:element>
                                        <xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
                                            <xs:complexType>
                                                <xs:sequence>
-                                                    <xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
-                                                        <xs:complexType>
-                                                            <xs:sequence>
-                                                                <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                                <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="references" minOccurs="0" maxOccurs="1">
-                                                                    <xs:complexType>
-                                                                        <xs:sequence>
-                                                                            <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
-                                                                                <xs:complexType>
-                                                                                    <xs:sequence>
-                                                                                        <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                        <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                        <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                    </xs:sequence>
-                                                                                </xs:complexType>
-                                                                            </xs:element>
-                                                                        </xs:sequence>
-                                                                    </xs:complexType>
-                                                                </xs:element>
-                                                                <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
-                                                                    <xs:complexType>
-                                                                        <xs:sequence>
-                                                                            <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
-                                                                                <xs:complexType>
-                                                                                    <xs:simpleContent>
-                                                                                        <xs:extension base="xs:string">
-                                                                                            <xs:attribute name="allPreviousVersion" type="xs:boolean" />
-                                                                                        </xs:extension>
-                                                                                    </xs:simpleContent>
-                                                                                </xs:complexType>
-                                                                            </xs:element>
-                                                                        </xs:sequence>
-                                                                    </xs:complexType>
-                                                                </xs:element>
-                                                            </xs:sequence>
-                                                        </xs:complexType>
-                                                    </xs:element>
+                                                    <xs:sequence>
+                                                        <xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="references" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:sequence>
+                                                                                            <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                        </xs:sequence>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                    <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:simpleContent>
+                                                                                            <xs:extension base="xs:string">
+                                                                                                <xs:attribute name="allPreviousVersion" type="xs:boolean" />
+                                                                                            </xs:extension>
+                                                                                        </xs:simpleContent>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                </xs:sequence>
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
+                                                    <xs:sequence>
+                                                        <xs:element name="suppressedVulnerability" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="references" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:sequence>
+                                                                                            <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                        </xs:sequence>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                    <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:simpleContent>
+                                                                                            <xs:extension base="xs:string">
+                                                                                                <xs:attribute name="allPreviousVersion" type="xs:boolean" />
+                                                                                            </xs:extension>
+                                                                                        </xs:simpleContent>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                </xs:sequence>
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
                                                </xs:sequence>
                                            </xs:complexType>
                                        </xs:element>
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -41,6 +41,7 @@
                            <xs:choice minOccurs="0" maxOccurs="1">
                                <xs:element name="filePath" type="dc:regexStringType"/>
                                <xs:element name="sha1" type="dc:sha1Type"/>
+                                <xs:element name="gav" type="dc:regexStringType"/>
                            </xs:choice>
                            <xs:choice minOccurs="0" maxOccurs="unbounded">
                                <xs:element name="cpe" type="dc:regexStringType"/>
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -39,15 +39,23 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    var content = "#content" + h.id.substr(6);
                    var header = "#" + h.id;
                    $(content).slideToggle("fast");
-                    var exprx = /expandablesubsection/;
+                    var exprx = /expandable\b/;
                    if (exprx.exec($(header).attr("class"))) {
+                        $(header).addClass("collapsed");
+                        $(header).removeClass("expandable");
+                    } else {
+                        $(header).addClass("expandable");
+                        $(header).removeClass("collapsed");
+                    }
+                    var essrx = /expandablesubsection/;
+                    var cssrx = /collaspablesubsection/;
+                    if (essrx.exec($(header).attr("class"))) {
                        $(header).addClass("collaspablesubsection");
                        $(header).removeClass("expandablesubsection");
-                    } else {
+                    } else if (cssrx.exec($(header).attr("class"))) {
                        $(header).addClass("expandablesubsection");
                        $(header).removeClass("collaspablesubsection");
                    }
-
                });
            });

@@ -129,6 +137,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            #modal-text:focus {
                outline: none;
            }
+            .suppressedLabel {
+                cursor: default;
+                padding:1px;
+                background-color: #eeeeee;
+                border: 1px solid #555555;
+                color:#555555;
+                text-decoration:none;
+                -moz-border-radius: 3px;
+                -webkit-border-radius: 3px;
+                -khtml-border-radius: 3px;
+                -o-border-radius: 3px;
+                border-radius: 3px;
+            }
            .copybutton {
                padding:1px;
                background-color: #eeeeee;
@@ -215,24 +236,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            .hidden {
                display: none;
            }
-            .exandable {}
-            .expandablesubsection {
+            .expandable {
                cursor: pointer;
-                /*background-image: url(img/plus.gif);*/
                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIcjI8Hy22Q1FNwhnpxhW3d2XFWJn2PNiZbyERuAQA7);
                background-repeat: no-repeat;
                background-position: 98% 50%;
+            }
+            .collapsed {
+                cursor: pointer;
+                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
+                background-repeat: no-repeat;
+                background-position: 98% 50%;
+            }
+            .expandablesubsection {
                -moz-border-radius-bottomleft:15px; /* bottom left corner */
                -webkit-border-bottom-left-radius:15px; /* bottom left corner */
                border-bottom-left-radius: 15px;
                border-bottom: 1px solid #cccccc;
            }
            .collaspablesubsection {
-                cursor: pointer;
-                /*background-image: url(img/minus.gif);*/
-                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
-                background-repeat: no-repeat;
-                background-position: 98% 50%;
                -moz-border-radius-bottomleft:0px; /* bottom left corner */
                -webkit-border-bottom-left-radius:0px; /* bottom left corner */
                border-bottom-left-radius: 0px;
@@ -244,7 +266,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                border-bottom-left-radius: 0px;
                border-bottom: 0px solid #ffffff;
            }
-
            .content {
                margin-top:0px;
                margin-left:20px;
@@ -448,6 +469,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                color: blue;
                float:right;
            }
+            .disclaimer {
+                color: #888888;
+                font: 9px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
+            }
+
        </style>
    </head>
    <body>
@@ -459,27 +485,45 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        </div>
        <div class="wrapper">
            <h1>Dependency-Check Report</h1>
+<p class="disclaimer">Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
+false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
+the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
+implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
+is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
+arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 ]]#
-            <h2 class="">Project:&nbsp;$esc.html($applicationName)</h2>
+            <h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
            <div class="">
                #set($depCount=$dependencies.size())
+                #set($vulnDepCount=0)
                #set($vulnCount=0)
+                #set($vulnSuppressedCount=0)
+                #set($cpeSuppressedCount=0)

                #foreach($dependency in $dependencies)
                    #set($depCount=$depCount+$dependency.getRelatedDependencies().size())
                    #if($dependency.getVulnerabilities().size()>0)
-                        #set($vulnCount=$vulnCount+1)
+                        #set($vulnDepCount=$vulnDepCount+1)
+                        #set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
+                    #end
+                    #if($dependency.getSuppressedIdentifiers().size()>0)
+                        #set($cpeSuppressedCount=$cpeSuppressedCount+1)
+                    #end
+                    #if($dependency.getSuppressedVulnerabilities().size()>0)
+                        #set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
                    #end
                #end
                Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo');  return false;">show all</a>):<br/>
                    <ul class="indent">
                        <li><i>dependency-check version</i>: $version</li>
-                        <li><i>Report Generated On</i>: $date</li>
+                        <li><i>Report Generated On</i>: $scanDate</li>
                        <li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
-                        <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnCount</li>
+                        <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
+                        <li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
+                        <li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
                        <li class="scaninfo">...</li>
                        #foreach($prop in $properties.getMetaData().entrySet())
-                        <li class="scaninfo hidden"><i>$esc.html($prop.key)</i>: $esc.html($prop.value)</li>
+                        <li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
                        #end
                    </ul><br/>
                Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
@@ -488,11 +532,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
                    <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
-                    <a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a>
+                    <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
                    #if($dependency.getRelatedDependencies().size()>0)
                        <ul>
                        #foreach($related in $dependency.getRelatedDependencies())
-                        <li>$esc.html($related.FileName)</li>
+                        <li>$enc.html($related.DisplayFileName)</li>
                        #end
                        </ul>
                    #end
@@ -505,30 +549,30 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                #set($vsctr=0) ##counter to create unique groups for vulnerable software
                #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
-                    <h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
+                    <h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$enc.html($dependency.Sha1sum)"></a>$enc.html($dependency.DisplayFileName)</h3>
                    <div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end">
                        #if ($dependency.description)
-                            <p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
+                            <p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
                        #end
                        <p>
                        #if ($dependency.license)
                            #if ($dependency.license.startsWith("http://"))
-                            <b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
+                            <b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
                            #else
-                            <b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
+                            <b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
                            #end
                        #end
-                            <b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
-                            <b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
-                            <b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)
+                            <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
+                            <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
+                            <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
                        </p>
                        #set($cnt=$cnt+1)
                        <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
                        <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                            <table class="lined fullwidth" border="0">
                                <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
-                                #foreach($evidence in $dependency.getEvidenceUsed())
-                                    <tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr>
+                                #foreach($evidence in $dependency.getEvidenceForDisplay())
+                                    <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
                                #end
                            </table>
                        </div>
@@ -538,18 +582,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                            <ul>
                            #foreach($related in $dependency.getRelatedDependencies())
-                                <li>$esc.html($related.FileName)
+                                <li>$enc.html($related.DisplayFileName)
                                    <ul>
-                                        <li>File Path:&nbsp;$esc.html($related.FilePath)</li>
-                                        <li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
-                                        <li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
+                                        <li>File Path:&nbsp;$enc.html($related.FilePath)</li>
+                                        <li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
+                                        <li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
                                        #foreach($id in $related.getIdentifiers())
                                            #if ($id.type=="maven")
                                                #if( $id.url )
                                                    ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
-                                                    <li>$esc.html($id.type):&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
+                                                    <li>$enc.html($id.type):&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
                                                #else
-                                                    <li>$esc.html($id.type):&nbsp;$esc.html($id.value)
+                                                    <li>$enc.html($id.type):&nbsp;$enc.html($id.value)
                                                #end
                                                </li>
                                            #end
@@ -568,7 +612,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #end
                        #end
                        <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
+                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                        <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #if ($dependency.getIdentifiers().size()==0)
                            <ul><li><b>None</b></li></ul>
@@ -577,19 +621,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #foreach($id in $dependency.getIdentifiers())
                                #if( $id.url )
                                    ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
-                                    <li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
+                                    <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
                                #else
-                                    <li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value)
+                                    <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
                                #end
                                #if ($id.confidence)
                                    &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
                                #end
                                #if ($id.type=="cpe")
                                    ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
-                                    &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileName)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button>
+                                    &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
                                #end
                                #if ($id.description)
-                                    <br/>$esc.html($id.description)
+                                    <br/>$enc.html($id.description)
                                #end
                                </li>
                            #end
@@ -602,7 +646,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #foreach($vuln in $dependency.getVulnerabilities())
                            #set($vsctr=$vsctr+1)
-                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileName)', '$esc.html($dependency.Sha1sum)', 'cve', '$esc.html($vuln.name)')">suppress</button></p>
+                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
                            <p>Severity:
                            #if ($vuln.cvssScore<4.0)
                                Low
@@ -615,27 +659,172 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #if ($vuln.cwe)
                                <br/>CWE: $vuln.cwe
                            #end</p>
-                            <p>$esc.html($vuln.description)
+                            <p>$enc.html($vuln.description)
                                #if ($vuln.getReferences().size()>0)
                                    <ul>
                                    #foreach($ref in $vuln.getReferences())
-                                        <li>$esc.html($ref.source) - <a target="_blank" href="$esc.html($ref.url)">$ref.name</a></li>
+                                        <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
                                    #end
                                    </ul>
                                #end
                            </p>
-                            <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
-                                <li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vuln.matchedCPE)">$esc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
-                                <li class="vs$vsctr">...</li>
-                            #foreach($vs in $vuln.getVulnerableSoftware())
-                                <li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vs.name)">$esc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+
+                            #if ($vuln.getVulnerableSoftware().size()<2)
+                                <p>Vulnerable Software &amp; Versions:<ul>
+                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                </ul></p>
+                            #else
+                                <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
+                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                    <li class="vs$vsctr">...</li>
+                                #foreach($vs in $vuln.getVulnerableSoftware())
+                                    <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+                                #end
+                                </ul></p>
                            #end
-                            </ul></p>
                        #end
                    </div>
                    #end
                </div>
                #end
+
+
+
+## BEGIN SUPPRESSED VULNERABILITIES
+                #if ($vulnSuppressedCount>0 || $cpeSuppressedCount>0)
+                    #set($cnt=$cnt+1)
+                    <h2 id="header$cnt" class="expandable">Suppressed Vulnerabilities</h3>
+                    <div id="content$cnt" class="hidden">
+
+                    #foreach($dependency in $dependencies)
+                        #if ($dependency.getSuppressedIdentifiers().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
+                            #set($lnkcnt=$lnkcnt+1)
+                            <h3 class="subsectionheader standardsubsection">$enc.html($dependency.DisplayFileName)</h3>
+                            <div class="subsectioncontent">
+                                #if ($dependency.description)
+                                    <p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
+                                #end
+                                <p>
+                                #if ($dependency.license)
+                                    #if ($dependency.license.startsWith("http://"))
+                                    <b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
+                                    #else
+                                    <b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
+                                    #end
+                                #end
+                                    <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
+                                    <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
+                                    <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                                </p>
+                                #set($cnt=$cnt+1)
+                                <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
+                                <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
+                                    <table class="lined fullwidth" border="0">
+                                        <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
+                                        #foreach($evidence in $dependency.getEvidenceForDisplay())
+                                            <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
+                                        #end
+                                    </table>
+                                </div>
+                                #if($dependency.getRelatedDependencies().size()>0)
+                                    #set($cnt=$cnt+1)
+                                    <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Related Dependencies</h4>
+                                    <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
+                                    <ul>
+                                    #foreach($related in $dependency.getRelatedDependencies())
+                                        <li>$enc.html($related.DisplayFileName)
+                                            <ul>
+                                                <li>File Path:&nbsp;$enc.html($related.FilePath)</li>
+                                                <li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
+                                                <li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
+                                             </ul>
+                                        </li>
+                                    #end
+                                    </ul>
+                                    </div>
+                                #end
+                                #set($cnt=$cnt+1)
+                                #set($cpeCount=0)
+                                #foreach($id in $dependency.getSuppressedIdentifiers())
+                                    #if($id.type.equals("cpe"))
+                                        #set($cpeCount=$cpeCount+1)
+                                    #end
+                                #end
+                                <h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
+                                ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
+                                <div id="content$cnt" class="subsectioncontent standardsubsection">
+                                #if ($dependency.getSuppressedIdentifiers().size()==0)
+                                    <ul><li><b>None</b></li></ul>
+                                #else ## ($dependency.getSuppressedIdentifiers().size()>0)
+                                    <ul>
+                                    #foreach($id in $dependency.getSuppressedIdentifiers())
+                                        #if( $id.url )
+                                            ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
+                                            <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
+                                        #else
+                                            <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
+                                        #end
+                                        #if ($id.confidence)
+                                            &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
+                                        #end
+                                        #if ($id.description)
+                                            <br/>$enc.html($id.description)
+                                        #end
+                                        </li>
+                                    #end
+                                    </ul>
+                                #end
+                                </div>
+                            #if($dependency.getSuppressedVulnerabilities().size()>0)
+                            #set($cnt=$cnt+1)
+                            <h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Suppressed Vulnerabilities</h4>
+                            <div id="content$cnt" class="subsectioncontent standardsubsection">
+                                #foreach($vuln in $dependency.getSuppressedVulnerabilities())
+                                    #set($vsctr=$vsctr+1)
+                                    <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
+                                    <p>Severity:
+                                    #if ($vuln.cvssScore<4.0)
+                                        Low
+                                    #elseif ($vuln.cvssScore>=7.0)
+                                        High
+                                    #else
+                                        Medium
+                                    #end
+                                    <br/>CVSS Score: $vuln.cvssScore
+                                    #if ($vuln.cwe)
+                                        <br/>CWE: $vuln.cwe
+                                    #end</p>
+                                    <p>$enc.html($vuln.description)
+                                        #if ($vuln.getReferences().size()>0)
+                                            <ul>
+                                            #foreach($ref in $vuln.getReferences())
+                                                <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
+                                            #end
+                                            </ul>
+                                        #end
+                                    </p>
+                                    #if ($vuln.getVulnerableSoftware().size()<2)
+                                        <p>Vulnerable Software &amp; Versions:<ul>
+                                            git st<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                        </ul></p>
+                                    #else
+                                        <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
+                                            <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                            <li class="vs$vsctr">...</li>
+                                        #foreach($vs in $vuln.getVulnerableSoftware())
+                                            <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+                                        #end
+                                        </ul></p>
+                                    #end
+                                #end
+                                </div>
+                            #end
+                            </div>
+                        #end
+                    #end
+                    </div>
+                #end
+## END SUPPRESSED VULNERABILITIES
            </div>
        </div>
        <div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>
--- a/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
@@ -161,14 +161,25 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                margin-top:3px;
                margin-bottom:3px;
            }
+            .disclaimer {
+                color: #888888;
+                font: 9px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
+            }
+
        </style>
    </head>
    <body>
        <div>
            <h1 class="sectionheader">Vulnerability Report</h1>
+<p class="disclaimer">Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
+false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
+the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
+implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
+is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
+arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 ]]#
-            <h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
-            <div class="sectioncontent">Report Generated On: $date<br/><br/>
+            <h2 class="sectionheader white">Project:&nbsp;$enc.html($applicationName)</h2>
+            <div class="sectioncontent">Report Generated On: $scanDate<br/><br/>
                #set($depCount=$dependencies.size())
                #set($vulnCount=0)

@@ -194,7 +205,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                    #if($dependency.getVulnerabilities().size()>0)
                        #foreach($vuln in $dependency.getVulnerabilities())
                            <tr>
-                                <td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></td>
+                                <td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></td>
                                <td>
                                #if ($vuln.cwe)
                                    $vuln.cwe
@@ -211,10 +222,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                                ($vuln.cvssScore)
                                <td>#set($cnt=$cnt+1)
                                    #if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end
-                                    $esc.html($dependency.FileName)
+                                    $enc.html($dependency.DisplayFileName)
                                    #if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end
                                    #foreach($related in $dependency.getRelatedDependencies())
-                                    $esc.html($related.FileName)<br/>
+                                    $enc.html($related.DisplayFileName)<br/>
                                    #end
                                    #if($dependency.getRelatedDependencies().size()>0)</div#end
                                </td>
--- a/dependency-check-core/src/main/resources/templates/XmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/XmlReport.vsl
@@ -18,47 +18,47 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
@author Jeremy Long <jeremy.long@owasp.org>
@version 1.1
 *#<?xml version="1.0"?>
-<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
+<analysis xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
    <scanInfo>
        <engineVersion>$version</engineVersion>
 #foreach($prop in $properties.getMetaData().entrySet())
        <dataSource>
-            <name>$esc.xml($prop.key)</name>
-            <timestamp>$esc.xml($prop.value)</timestamp>
+            <name>$enc.xml($prop.key)</name>
+            <timestamp>$enc.xml($prop.value)</timestamp>
        </dataSource>
 #end
    </scanInfo>
    <projectInfo>
-        <name>$esc.xml($applicationName)</name>
-        <reportDate>$date</reportDate>
+        <name>$enc.xml($applicationName)</name>
+        <reportDate>$scanDateXML</reportDate>
        <credits>This report contains data retrieved from the National Vulnerability Database: http://nvd.nist.gov</credits>
    </projectInfo>
    <dependencies>
 #foreach($dependency in $dependencies)
        <dependency>
-            <fileName>$esc.xml($dependency.FileName)</fileName>
-            <filePath>$esc.xml($dependency.FilePath)</filePath>
-            <md5>$esc.xml($dependency.Md5sum)</md5>
-            <sha1>$esc.xml($dependency.Sha1sum)</sha1>
+            <fileName>$enc.xml($dependency.DisplayFileName)</fileName>
+            <filePath>$enc.xml($dependency.FilePath)</filePath>
+            <md5>$enc.xml($dependency.Md5sum)</md5>
+            <sha1>$enc.xml($dependency.Sha1sum)</sha1>
 #if ($dependency.description)
-            <description>$esc.xml($dependency.description)</description>
+            <description>$enc.xml($dependency.description)</description>
 #end
 #if ($dependency.license)
-            <license>$esc.xml($dependency.license)</license>
+            <license>$enc.xml($dependency.license)</license>
 #end
 #if ($dependency.getRelatedDependencies().size()>0)
            <relatedDependencies>
 #foreach($related in $dependency.getRelatedDependencies())
                <relatedDependency>
-                    <filePath>$esc.xml($related.FilePath)</filePath>
-                    <sha1>$esc.xml($related.Sha1sum)</sha1>
-                    <md5>$esc.xml($related.Md5sum)</md5>
+                    <filePath>$enc.xml($related.FilePath)</filePath>
+                    <sha1>$enc.xml($related.Sha1sum)</sha1>
+                    <md5>$enc.xml($related.Md5sum)</md5>
 #foreach($id in $related.getIdentifiers())
 #if ($id.type=="maven")
-                    <identifier type="$esc.xml($id.type)">
+                    <identifier type="$enc.xml($id.type)">
                        <name>($id.value)</name>
 #if( $id.url )
-                        <url>$esc.xml($id.url)</url>
+                        <url>$enc.xml($id.url)</url>
 #end
                    </identifier>
 #end
@@ -68,34 +68,45 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            </relatedDependencies>
 #end
            <evidenceCollected>
-#foreach($evidence in $dependency.getEvidenceUsed())
+#foreach($evidence in $dependency.getEvidenceForDisplay())
                <evidence>
-                    <source>$esc.xml($evidence.getSource())</source>
-                    <name>$esc.xml($evidence.getName())</name>
-                    <value>$esc.xml($evidence.getValue().trim())</value>
+                    <source>$enc.xml($evidence.getSource())</source>
+                    <name>$enc.xml($evidence.getName())</name>
+                    <value>$enc.xml($evidence.getValue().trim())</value>
                </evidence>
 #end
            </evidenceCollected>
 #if($dependency.getIdentifiers().size()>0)
            <identifiers>
 #foreach($id in $dependency.getIdentifiers())
-                <identifier type="$esc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
+                <identifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
                    <name>($id.value)</name>
 #if( $id.url )
-                    <url>$esc.xml($id.url)</url>
+                    <url>$enc.xml($id.url)</url>
 #end
 #if( $id.description )
-                    <description>$esc.xml($id.description)</description>
+                    <description>$enc.xml($id.description)</description>
 #end
                </identifier>
+#end
+#foreach($id in $dependency.getSuppressedIdentifiers())
+                <suppressedIdentifier type="$enc.xml($id.type)" #if($id.confidence)confidence="$id.confidence"#end>
+                    <name>($id.value)</name>
+#if( $id.url )
+                    <url>$enc.xml($id.url)</url>
+#end
+#if( $id.description )
+                    <description>$enc.xml($id.description)</description>
+#end
+                </suppressedIdentifier>
 #end
            </identifiers>
 #end
-#if($dependency.getVulnerabilities().size()>0)
+#if($dependency.getVulnerabilities().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
            <vulnerabilities>
 #foreach($vuln in $dependency.getVulnerabilities())
                <vulnerability>
-                    <name>$esc.xml($vuln.name)</name>
+                    <name>$enc.xml($vuln.name)</name>
                    <cvssScore>$vuln.cvssScore</cvssScore>
 #if ($vuln.cvssScore<4.0)
                    <severity>Low</severity>
@@ -105,24 +116,55 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <severity>Medium</severity>
 #end
 #if ($vuln.cwe)
-                    <cwe>$esc.xml($vuln.cwe)</cwe>
+                    <cwe>$enc.xml($vuln.cwe)</cwe>
 #end
-                    <description>$esc.xml($vuln.description)</description>
+                    <description>$enc.xml($vuln.description)</description>
                    <references>
 #foreach($ref in $vuln.getReferences())
                        <reference>
-                            <source>$esc.xml($ref.source)</source>
-                            <url>$esc.xml($ref.url)</url>
-                            <name>$esc.xml($ref.name)</name>
+                            <source>$enc.xml($ref.source)</source>
+                            <url>$enc.xml($ref.url)</url>
+                            <name>$enc.xml($ref.name)</name>
                        </reference>
 #end
                    </references>
                    <vulnerableSoftware>
 #foreach($vs in $vuln.getVulnerableSoftware())
-                        <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$esc.xml($vs.name)</software>
+                        <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
 #end
                    </vulnerableSoftware>
                </vulnerability>
+#end
+#foreach($vuln in $dependency.getSuppressedVulnerabilities())
+                <suppressedVulnerability>
+                    <name>$enc.xml($vuln.name)</name>
+                    <cvssScore>$vuln.cvssScore</cvssScore>
+#if ($vuln.cvssScore<4.0)
+                    <severity>Low</severity>
+#elseif ($vuln.cvssScore>=7.0)
+                    <severity>High</severity>
+#else
+                    <severity>Medium</severity>
+#end
+#if ($vuln.cwe)
+                    <cwe>$enc.xml($vuln.cwe)</cwe>
+#end
+                    <description>$enc.xml($vuln.description)</description>
+                    <references>
+#foreach($ref in $vuln.getReferences())
+                        <reference>
+                            <source>$enc.xml($ref.source)</source>
+                            <url>$enc.xml($ref.url)</url>
+                            <name>$enc.xml($ref.name)</name>
+                        </reference>
+#end
+                    </references>
+                    <vulnerableSoftware>
+#foreach($vs in $vuln.getVulnerableSoftware())
+                        <software#if($vs.hasPreviousVersion()) allPreviousVersion="true"#end>$enc.xml($vs.name)</software>
+#end
+                    </vulnerableSoftware>
+                </suppressedVulnerability>
 #end
            </vulnerabilities>
 #end
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
@@ -0,0 +1,37 @@
+/*
+ * Copyright 2014 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck;
+
+import org.junit.AfterClass;
+import org.junit.BeforeClass;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class BaseTest {
+
+    @BeforeClass
+    public static void setUpClass() throws Exception {
+        Settings.initialize();
+    }
+
+    @AfterClass
+    public static void tearDownClass() throws Exception {
+        Settings.cleanup(true);
+    }
+}
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
@@ -18,28 +18,20 @@
 package org.owasp.dependencycheck;

 import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertTrue;
 import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class EngineIntegrationTest {
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
+public class EngineIntegrationTest extends BaseTest {

    @Before
    public void setUp() throws Exception {
@@ -57,8 +49,31 @@ public class EngineIntegrationTest {
     */
    @Test
    public void testScan() throws Exception {
-        String testClasses = "target/test-classes";
+        String testClasses = "target/test-classes/*.zip";
+        boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
        Engine instance = new Engine();
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        instance.scan(testClasses);
+        assertTrue(instance.getDependencies().size() > 0);
+        for (Dependency d : instance.getDependencies()) {
+            assertTrue("non-zip file collected " + d.getFileName(), d.getFileName().toLowerCase().endsWith(".zip"));
+        }
+        instance.cleanup();
+    }
+
+    /**
+     * Test running the entire engine.
+     *
+     * @throws Exception is thrown when an exception occurs.
+     */
+    @Test
+    public void testEngine() throws Exception {
+        String testClasses = "target/test-classes";
+//        boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+//        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+        Engine instance = new Engine();
+//        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        instance.scan(testClasses);
        assertTrue(instance.getDependencies().size() > 0);
        instance.analyzeDependencies();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
@@ -18,45 +18,23 @@
 package org.owasp.dependencycheck.analyzer;

 import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;

 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class AbstractAnalyzerTest {
-
-    public AbstractAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
+public class AbstractFileTypeAnalyzerTest extends BaseTest {

    /**
     * Test of newHashSet method, of class AbstractAnalyzer.
     */
    @Test
    public void testNewHashSet() {
-        Set result = AbstractAnalyzer.newHashSet("one", "two");
+        Set result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
        assertEquals(2, result.size());
        assertTrue(result.contains("one"));
        assertTrue(result.contains("two"));
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -17,44 +17,78 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.Settings;
+
 import java.net.MalformedURLException;
 import java.net.URISyntaxException;
 import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.junit.After;
-import org.junit.AfterClass;
-import static org.junit.Assert.assertEquals;
+
 import static org.junit.Assert.assertNull;
-import org.junit.Before;
-import org.junit.BeforeClass;
-import org.junit.Test;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
-import org.owasp.dependencycheck.utils.Settings;
+import static org.junit.Assert.assertTrue;

 /**
- *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class AbstractSuppressionAnalyzerTest {
+public class AbstractSuppressionAnalyzerTest extends BaseTest {

-    public AbstractSuppressionAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
+    private AbstractSuppressionAnalyzer instance;

    @Before
-    public void setUp() {
+    public void createObjectUnderTest() throws Exception {
+        instance = new AbstractSuppressionAnalyzerImpl();
+    }
+
+    /**
+     * Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
+     */
+    @Test
+    public void testGetSupportedExtensions() {
+        Set<String> result = instance.getSupportedExtensions();
+        assertNull(result);
+    }
+
+    /**
+     * Test of getRules method, of class AbstractSuppressionAnalyzer for suppression file declared as URL.
+     */
+    @Test
+    public void testGetRulesFromSuppressionFileFromURL() throws Exception {
+        setSupressionFileFromURL();
+        instance.initialize();
+        int expCount = 5;
+        List<SuppressionRule> result = instance.getRules();
+        assertTrue(expCount <= result.size());
+    }
+
+    /**
+     * Test of getRules method, of class AbstractSuppressionAnalyzer for suppression file declared as URL.
+     */
+    @Test
+    public void testGetRulesFromSuppressionFileInClasspath() throws Exception {
+        Settings.setString(Settings.KEYS.SUPPRESSION_FILE, "suppressions.xml");
+        instance.initialize();
+        int expCount = 5;
+        List<SuppressionRule> result = instance.getRules();
+        assertTrue(expCount <= result.size());
+    }
+
+    @Test(expected = SuppressionParseException.class)
+    public void testFailureToLocateSuppressionFileAnywhere() throws Exception {
+        Settings.setString(Settings.KEYS.SUPPRESSION_FILE, "doesnotexist.xml");
+        instance.initialize();
+    }
+
+    private void setSupressionFileFromURL() throws Exception {
        try {
            final String uri = this.getClass().getClassLoader().getResource("suppressions.xml").toURI().toURL().toString();
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, uri);
@@ -65,53 +99,6 @@ public class AbstractSuppressionAnalyzerTest {
        }
    }

-    @After
-    public void tearDown() {
-    }
-
-    /**
-     * Test of getSupportedExtensions method, of class AbstractSuppressionAnalyzer.
-     */
-    @Test
-    public void testGetSupportedExtensions() {
-        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
-        Set<String> result = instance.getSupportedExtensions();
-        assertNull(result);
-    }
-
-    /**
-     * Test of supportsExtension method, of class AbstractSuppressionAnalyzer.
-     */
-    @Test
-    public void testSupportsExtension() {
-        String extension = "jar";
-        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
-        boolean expResult = true;
-        boolean result = instance.supportsExtension(extension);
-        assertEquals(expResult, result);
-    }
-
-    /**
-     * Test of initialize method, of class AbstractSuppressionAnalyzer.
-     */
-    @Test
-    public void testInitialize() throws Exception {
-        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
-        instance.initialize();
-    }
-
-    /**
-     * Test of getRules method, of class AbstractSuppressionAnalyzer.
-     */
-    @Test
-    public void testGetRules() throws Exception {
-        AbstractSuppressionAnalyzer instance = new AbstractSuppressionAnalyzerImpl();
-        instance.initialize();
-        int expCount = 5;
-        List<SuppressionRule> result = instance.getRules();
-        assertEquals(expCount, result.size());
-    }
-
    public class AbstractSuppressionAnalyzerImpl extends AbstractSuppressionAnalyzer {

        @Override
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AnalyzerServiceTest.java
@@ -18,52 +18,28 @@
 package org.owasp.dependencycheck.analyzer;

 import java.util.Iterator;
-import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;

 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class AnalyzerServiceTest {
-
-    public AnalyzerServiceTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
+public class AnalyzerServiceTest extends BaseTest {

    /**
     * Test of getAnalyzers method, of class AnalyzerService.
     */
    @Test
    public void testGetAnalyzers() {
-        AnalyzerService instance = AnalyzerService.getInstance();
+        AnalyzerService instance = new AnalyzerService(Thread.currentThread().getContextClassLoader());
        Iterator<Analyzer> result = instance.getAnalyzers();

        boolean found = false;
        while (result.hasNext()) {
            Analyzer a = result.next();
-            Set<String> e = a.getSupportedExtensions();
-            if (e != null && e.contains("jar")) {
+            if ("Jar Analyzer".equals(a.getName())) {
                found = true;
            }
        }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
@@ -20,13 +20,11 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.BaseIndexTestCase;
+import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;

@@ -34,30 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class ArchiveAnalyzerTest extends BaseIndexTestCase {
-
-    public ArchiveAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    @Override
-    public void setUp() throws Exception {
-        super.setUp();
-    }
-
-    @After
-    @Override
-    public void tearDown() throws Exception {
-        super.tearDown();
-    }
+public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {

    /**
     * Test of getSupportedExtensions method, of class ArchiveAnalyzer.
@@ -69,6 +44,9 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
        expResult.add("zip");
        expResult.add("war");
        expResult.add("ear");
+        expResult.add("jar");
+        expResult.add("sar");
+        expResult.add("apk");
        expResult.add("nupkg");
        expResult.add("tar");
        expResult.add("gz");
@@ -147,6 +125,8 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
    @Test
    public void testAnalyze() throws Exception {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        //trick the analyzer into thinking it is active.
+        instance.supportsExtension("ear");
        try {
            instance.initialize();

@@ -175,6 +155,8 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
    @Test
    public void testAnalyzeTar() throws Exception {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        //trick the analyzer into thinking it is active so that it will initialize
+        instance.supportsExtension("tar");
        try {
            instance.initialize();

@@ -203,6 +185,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
    @Test
    public void testAnalyzeTarGz() throws Exception {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        instance.supportsExtension("zip"); //ensure analyzer is "enabled"
        try {
            instance.initialize();

@@ -252,6 +235,7 @@ public class ArchiveAnalyzerTest extends BaseIndexTestCase {
    @Test
    public void testAnalyzeTgz() throws Exception {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        instance.supportsExtension("zip"); //ensure analyzer is "enabled"
        try {
            instance.initialize();

--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -23,10 +23,12 @@ import java.util.logging.Logger;
 import org.junit.After;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
+import static org.junit.Assert.fail;
 import org.junit.Assume;
 import static org.junit.Assume.assumeFalse;
 import org.junit.Before;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -39,7 +41,7 @@ import org.owasp.dependencycheck.utils.Settings;
 * @author colezlaw
 *
 */
-public class AssemblyAnalyzerTest {
+public class AssemblyAnalyzerTest extends BaseTest {

    private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzerTest.class.getName());

@@ -51,12 +53,17 @@ public class AssemblyAnalyzerTest {
     * @throws Exception if anything goes sideways
     */
    @Before
-    public void setUp() {
+    public void setUp() throws Exception {
        try {
            analyzer = new AssemblyAnalyzer();
+            analyzer.supportsExtension("dll");
            analyzer.initialize();
        } catch (Exception e) {
-            LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
+            if (e.getMessage().contains("Could not execute .NET AssemblyAnalyzer")) {
+                LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete");
+            } else {
+                LOGGER.log(Level.WARNING, "Exception setting up AssemblyAnalyzer. Tests will be incomplete", e);
+            }
            Assume.assumeNoException("Is mono installed? TESTS WILL BE INCOMPLETE", e);
        }
    }
@@ -74,7 +81,21 @@ public class AssemblyAnalyzerTest {
        File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
        Dependency d = new Dependency(f);
        analyzer.analyze(d, null);
-        assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.0.5176.23901", Confidence.HIGHEST)));
+        boolean foundVendor = false;
+        for (Evidence e : d.getVendorEvidence().getEvidence("grokassembly", "vendor")) {
+            if ("OWASP".equals(e.getValue())) {
+                foundVendor = true;
+            }
+        }
+        assertTrue(foundVendor);
+
+        boolean foundProduct = false;
+        for (Evidence e : d.getProductEvidence().getEvidence("grokassembly", "product")) {
+            if ("GrokAssembly".equals(e.getValue())) {
+                foundProduct = true;
+            }
+        }
+        assertTrue(foundProduct);
    }

    @Test
@@ -87,15 +108,29 @@ public class AssemblyAnalyzerTest {
        assertTrue(d.getProductEvidence().getEvidence().contains(new Evidence("grokassembly", "product", "log4net", Confidence.HIGH)));
    }

-    @Test(expected = AnalysisException.class)
-    public void testNonexistent() throws Exception {
+    @Test
+    public void testNonexistent() {
+        Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
+        Level oldDependency = Logger.getLogger(Dependency.class.getName()).getLevel();
+        // Tweak the log level so the warning doesn't show in the console
+        Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
+        Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
        File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
        File test = new File(f.getParent(), "nonexistent.dll");
        Dependency d = new Dependency(test);
-        analyzer.analyze(d, null);
+
+        try {
+            analyzer.analyze(d, null);
+            fail("Expected an AnalysisException");
+        } catch (AnalysisException ae) {
+            assertEquals("File does not exist", ae.getMessage());
+        } finally {
+            Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
+            Logger.getLogger(Dependency.class.getName()).setLevel(oldDependency);
+        }
    }

-    @Test(expected = AnalysisException.class)
+    @Test
    public void testWithSettingMono() throws Exception {

        //This test doesn't work on Windows.
@@ -112,11 +147,20 @@ public class AssemblyAnalyzerTest {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, "/yooser/bine/mono");
        }

+        Level oldLevel = Logger.getLogger(AssemblyAnalyzer.class.getName()).getLevel();
        try {
+            // Tweak the logging to swallow the warning when testing
+            Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
            // Have to make a NEW analyzer because during setUp, it would have gotten the correct one
            AssemblyAnalyzer aanalyzer = new AssemblyAnalyzer();
+            aanalyzer.supportsExtension("dll");
            aanalyzer.initialize();
+            fail("Expected an AnalysisException");
+        } catch (AnalysisException ae) {
+            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
        } finally {
+            // Recover the logger
+            Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(oldLevel);
            // Now recover the way we came in. If we had to set a System property, delete it. Otherwise,
            // reset the old value
            if (oldValue == null) {
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -24,13 +24,9 @@ import java.util.List;
 import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
-import org.junit.After;
-import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
-import org.owasp.dependencycheck.data.cpe.BaseIndexTestCase;
+import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
@@ -39,27 +35,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class CPEAnalyzerTest extends BaseIndexTestCase {
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    @Override
-    public void setUp() throws Exception {
-        super.setUp();
-    }
-
-    @After
-    @Override
-    public void tearDown() throws Exception {
-        super.tearDown();
-    }
+public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {

    /**
     * Tests of buildSearch of class CPEAnalyzer.
@@ -139,16 +115,13 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
        FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
        fp.analyze(dep, null);

-//        for (Identifier i : dep.getIdentifiers()) {
-//            System.out.println(i.getValue());
-//        }
        if (expResult != null) {
            Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
            Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
-        } else if (dep.getIdentifiers().isEmpty()) {
-            Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().isEmpty());
        } else {
-            Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "', identifier:'" + dep.getIdentifiers().iterator().next().getValue() + "' }", dep.getIdentifiers().isEmpty());
+            for (Identifier i : dep.getIdentifiers()) {
+                Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
+            }
        }
    }

@@ -194,7 +167,10 @@ public class CPEAnalyzerTest extends BaseIndexTestCase {
        String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
        String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";

-        Assert.assertTrue("Apache Common Validator - found an identifier?", commonValidator.getIdentifiers().isEmpty());
+        for (Identifier i : commonValidator.getIdentifiers()) {
+            Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
+        }
+
        Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
        Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
        Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
@@ -17,50 +17,16 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Dependency;

 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class DependencyBundlingAnalyzerTest {
-
-    public DependencyBundlingAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
-    /**
-     * Test of getSupportedExtensions method, of class DependencyBundlingAnalyzer.
-     */
-    @Test
-    public void testGetSupportedExtensions() {
-        DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
-        Set<String> result = instance.getSupportedExtensions();
-        assertNull(result);
-    }
+public class DependencyBundlingAnalyzerTest extends BaseTest {

    /**
     * Test of getName method, of class DependencyBundlingAnalyzer.
@@ -73,18 +39,6 @@ public class DependencyBundlingAnalyzerTest {
        assertEquals(expResult, result);
    }

-    /**
-     * Test of supportsExtension method, of class DependencyBundlingAnalyzer.
-     */
-    @Test
-    public void testSupportsExtension() {
-        String extension = "jar";
-        DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
-        boolean expResult = true;
-        boolean result = instance.supportsExtension(extension);
-        assertEquals(expResult, result);
-    }
-
    /**
     * Test of getAnalysisPhase method, of class DependencyBundlingAnalyzer.
     */
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzerTest.java
@@ -15,14 +15,8 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
-import static org.junit.Assert.assertNull;
 import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -33,36 +27,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 */
 public class FalsePositiveAnalyzerTest {

-    public FalsePositiveAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
-    /**
-     * Test of getSupportedExtensions method, of class FalsePositiveAnalyzer.
-     */
-    @Test
-    public void testGetSupportedExtensions() {
-        FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
-        Set<String> result = instance.getSupportedExtensions();
-        assertNull(result);
-
-    }
-
    /**
     * Test of getName method, of class FalsePositiveAnalyzer.
     */
@@ -74,18 +38,6 @@ public class FalsePositiveAnalyzerTest {
        assertEquals(expResult, result);
    }

-    /**
-     * Test of supportsExtension method, of class FalsePositiveAnalyzer.
-     */
-    @Test
-    public void testSupportsExtension() {
-        String extension = "any";
-        FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
-        boolean expResult = true;
-        boolean result = instance.supportsExtension(extension);
-        assertEquals(expResult, result);
-    }
-
    /**
     * Test of getAnalysisPhase method, of class FalsePositiveAnalyzer.
     */
@@ -104,6 +56,7 @@ public class FalsePositiveAnalyzerTest {
    public void testAnalyze() throws Exception {
        Dependency dependency = new Dependency();
        dependency.setFileName("pom.xml");
+        dependency.setFilePath("pom.xml");
        dependency.addIdentifier("cpe", "cpe:/a:file:file:1.2.1", "http://some.org/url");
        Engine engine = null;
        FalsePositiveAnalyzer instance = new FalsePositiveAnalyzer();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
@@ -18,13 +18,8 @@
 package org.owasp.dependencycheck.analyzer;

 import java.io.File;
-import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.dependency.Dependency;

@@ -34,36 +29,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 */
 public class FileNameAnalyzerTest {

-    public FileNameAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
-
-    /**
-     * Test of getSupportedExtensions method, of class FileNameAnalyzer.
-     */
-    @Test
-    public void testGetSupportedExtensions() {
-        FileNameAnalyzer instance = new FileNameAnalyzer();
-        Set expResult = null;
-        Set result = instance.getSupportedExtensions();
-        assertEquals(expResult, result);
-    }
-
    /**
     * Test of getName method, of class FileNameAnalyzer.
     */
@@ -75,18 +40,6 @@ public class FileNameAnalyzerTest {
        assertEquals(expResult, result);
    }

-    /**
-     * Test of supportsExtension method, of class FileNameAnalyzer.
-     */
-    @Test
-    public void testSupportsExtension() {
-        String extension = "any";
-        FileNameAnalyzer instance = new FileNameAnalyzer();
-        boolean expResult = true;
-        boolean result = instance.supportsExtension(extension);
-        assertEquals(expResult, result);
-    }
-
    /**
     * Test of getAnalysisPhase method, of class FileNameAnalyzer.
     */
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -0,0 +1,114 @@
+/*
+ * Copyright 2014 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.util.Set;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class HintAnalyzerTest extends BaseTest {
+
+    @Before
+    public void setUp() throws Exception {
+        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+    }
+
+    /**
+     * Test of getName method, of class HintAnalyzer.
+     */
+    @Test
+    public void testGetName() {
+        HintAnalyzer instance = new HintAnalyzer();
+        String expResult = "Hint Analyzer";
+        String result = instance.getName();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of getAnalysisPhase method, of class HintAnalyzer.
+     */
+    @Test
+    public void testGetAnalysisPhase() {
+        HintAnalyzer instance = new HintAnalyzer();
+        AnalysisPhase expResult = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
+        AnalysisPhase result = instance.getAnalysisPhase();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of analyze method, of class HintAnalyzer.
+     */
+    @Test
+    public void testAnalyze() throws Exception {
+        HintAnalyzer instance = new HintAnalyzer();
+
+        File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
+        //Dependency guice = new Dependency(fileg);
+        File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        //Dependency spring = new Dependency(files);
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+        Engine engine = new Engine();
+
+        engine.scan(guice);
+        engine.scan(spring);
+        engine.analyzeDependencies();
+        Dependency gdep = null;
+        Dependency sdep = null;
+        for (Dependency d : engine.getDependencies()) {
+            if (d.getActualFile().equals(guice)) {
+                gdep = d;
+            } else {
+                sdep = d;
+            }
+        }
+        final Evidence springTest1 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+        final Evidence springTest2 = new Evidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
+        final Evidence springTest3 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+        final Evidence springTest4 = new Evidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+        final Evidence springTest5 = new Evidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
+
+        Set<Evidence> evidence = gdep.getEvidence().getEvidence();
+        assertFalse(evidence.contains(springTest1));
+        assertFalse(evidence.contains(springTest2));
+        assertFalse(evidence.contains(springTest3));
+        assertFalse(evidence.contains(springTest4));
+        assertFalse(evidence.contains(springTest5));
+
+        evidence = sdep.getEvidence().getEvidence();
+        assertTrue(evidence.contains(springTest1));
+        assertTrue(evidence.contains(springTest2));
+        assertTrue(evidence.contains(springTest3));
+        //assertTrue(evidence.contains(springTest4));
+        //assertTrue(evidence.contains(springTest5));
+
+    }
+
+}
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
@@ -21,13 +21,10 @@ import java.io.File;
 import java.util.HashSet;
 import java.util.Properties;
 import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;

@@ -35,26 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JarAnalyzerTest {
-
-    public JarAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
+public class JarAnalyzerTest extends BaseTest {

    /**
     * Test of inspect method, of class JarAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
@@ -20,12 +20,9 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Set;
-import org.junit.After;
-import org.junit.AfterClass;
 import static org.junit.Assert.assertEquals;
-import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;

@@ -33,26 +30,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JavaScriptAnalyzerTest {
-
-    public JavaScriptAnalyzerTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-    }
-
-    @After
-    public void tearDown() {
-    }
+public class JavaScriptAnalyzerTest extends BaseTest {

    /**
     * Test of getSupportedExtensions method, of class JavaScriptAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzerTest.java
@@ -17,39 +17,44 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.Test;
-import static org.junit.Assert.*;
+import org.owasp.dependencycheck.BaseTest;

-public class NuspecAnalyzerTest {
-  private NuspecAnalyzer instance;
+public class NuspecAnalyzerTest extends BaseTest {

-  @Before
-  public void setUp() {
-    instance = new NuspecAnalyzer();
-  }
+    private NuspecAnalyzer instance;

-  @Test
-  public void testGetAnalyzerName() {
-    assertEquals("Nuspec Analyzer", instance.getName());
-  }
+    @Before
+    public void setUp() throws Exception {
+        instance = new NuspecAnalyzer();
+        instance.setEnabled(true);
+    }

-  @Test
-  public void testGetSupportedExtensions() {
-    assertTrue(instance.getSupportedExtensions().contains("nuspec"));
-    assertFalse(instance.getSupportedExtensions().contains("nupkg"));
-  }
+    @Test
+    public void testGetAnalyzerName() {
+        assertEquals("Nuspec Analyzer", instance.getName());
+    }

-  @Test
-  public void testSupportsExtension() {
-    assertTrue(instance.supportsExtension("nuspec"));
-    assertFalse(instance.supportsExtension("nupkg"));
-  }
+    @Test
+    public void testGetSupportedExtensions() {
+        assertTrue(instance.getSupportedExtensions().contains("nuspec"));
+        assertFalse(instance.getSupportedExtensions().contains("nupkg"));
+    }

-  @Test
-  public void testGetAnalysisPhaze() {
-    assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
-  }
+    @Test
+    public void testSupportsExtension() {
+        assertTrue(instance.supportsExtension("nuspec"));
+        assertFalse(instance.supportsExtension("nupkg"));
+    }
+
+    @Test
+    public void testGetAnalysisPhaze() {
+        assertEquals(AnalysisPhase.INFORMATION_COLLECTION, instance.getAnalysisPhase());
+    }
 }

 // vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
@@ -0,0 +1,102 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import static org.junit.Assert.assertEquals;
+import static org.junit.Assert.assertTrue;
+import org.junit.Test;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Testing the vulnerability suppression analyzer.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+
+    /**
+     * Test of getName method, of class VulnerabilitySuppressionAnalyzer.
+     */
+    @Test
+    public void testGetName() {
+        VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+        String expResult = "Vulnerability Suppression Analyzer";
+        String result = instance.getName();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of getAnalysisPhase method, of class VulnerabilitySuppressionAnalyzer.
+     */
+    @Test
+    public void testGetAnalysisPhase() {
+        VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+        AnalysisPhase expResult = AnalysisPhase.POST_FINDING_ANALYSIS;
+        AnalysisPhase result = instance.getAnalysisPhase();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of analyze method, of class VulnerabilitySuppressionAnalyzer.
+     */
+    @Test
+    public void testAnalyze() throws Exception {
+
+        File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
+        File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+        Engine engine = new Engine();
+        engine.scan(file);
+        engine.analyzeDependencies();
+        Dependency dependency = getDependency(engine, file);
+        int cveSize = dependency.getVulnerabilities().size();
+        int cpeSize = dependency.getIdentifiers().size();
+        assertTrue(cveSize > 0);
+        assertTrue(cpeSize > 0);
+        Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppression.getAbsolutePath());
+        VulnerabilitySuppressionAnalyzer instance = new VulnerabilitySuppressionAnalyzer();
+        instance.initialize();
+        instance.analyze(dependency, engine);
+        cveSize = cveSize > 1 ? cveSize - 2 : 0;
+        cpeSize = cpeSize > 0 ? cpeSize - 1 : 0;
+        assertTrue(dependency.getVulnerabilities().size() == cveSize);
+        assertTrue(dependency.getIdentifiers().size() == cpeSize);
+        engine.cleanup();
+    }
+
+    /**
+     * Retrieves a specific dependency from the engine.
+     *
+     * @param engine the engine
+     * @param file the dependency to retrieve
+     * @return the dependency
+     */
+    private Dependency getDependency(Engine engine, File file) {
+        for (Dependency d : engine.getDependencies()) {
+            if (d.getFileName().equals(file.getName())) {
+                return d;
+            }
+        }
+        return null;
+    }
+}
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java
@@ -17,37 +17,21 @@
 */
 package org.owasp.dependencycheck.data.cpe;

-import junit.framework.TestCase;
-import org.junit.After;
-import org.junit.AfterClass;
 import org.junit.Before;
-import org.junit.BeforeClass;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;

 /**
+ * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the
+ * data contained within.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public abstract class BaseIndexTestCase extends TestCase {
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-    }
+public abstract class AbstractDatabaseTestCase extends BaseTest {

    @Before
-    @Override
    public void setUp() throws Exception {
        BaseDBTestCase.ensureDBExists();
-        super.setUp();
    }

-    @After
-    @Override
-    public void tearDown() throws Exception {
-        super.tearDown();
-    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilterTest.java
@@ -69,6 +69,8 @@ public class TokenPairConcatenatingFilterTest extends BaseTokenStreamTestCase {

    /**
     * Test of clear method, of class TokenPairConcatenatingFilter.
+     *
+     * @throws java.io.IOException
     */
    @Test
    public void testClear() throws IOException {
--- a/Show More
+++ b/Show More