version 1.2.8

Former-commit-id: 8c68d365e0dd05957ad26273a635dbb2c6a8871a
added link to the documentation on the Central Analyzer
2026-01-14 15:53:36 +01:00 · 2014-12-28 09:26:14 -05:00 · 2014-12-28 09:16:01 -05:00 · 2014-12-28 09:15:34 -05:00 · 2014-12-28 09:15:07 -05:00 · 2014-12-28 09:14:39 -05:00
241 changed files with 44341 additions and 12507 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,9 @@
 # Eclipse project files
 .classpath
 .project
+.settings
+maven-eclipse.xml
+.externalToolBuilders
 # Netbeans configuration
 nb-configuration.xml
 /target/
@@ -17,4 +20,6 @@ Gemfile
 Gemfile.lock
 _site/**
 #unknown as to why these are showing up... but need to be ignored.
-.LCKpom.xml~
+.LCKpom.xml~
+#coverity
+/cov-int/
--- a/README.md
+++ b/README.md
@@ -40,7 +40,6 @@ The plugin can be configured using the following:
            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
-              <version>1.0.2</version>
              <executions>
                  <execution>
                      <goals>
@@ -59,7 +58,7 @@ The plugin can be configured using the following:

 ### Ant Task

-For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).

 Development Usage
 -------------
@@ -106,4 +105,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
  [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
--- a/dependency-check-ant/config/checkstyle-checks.xml
+++ b/dependency-check-ant/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE module PUBLIC
-          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
-
-<module name="Checker">
-  <!--
-      If you set the basedir property below, then all reported file
-      names will be relative to the specified directory. See
-      http://checkstyle.sourceforge.net/5.x/config.html#Checker
-
-      <property name="basedir" value="${basedir}"/>
-  -->
-
-  <property name="severity" value="error"/>
-
-  <module name="SuppressionFilter">
-    <property name="file" value="${checkstyle.suppressions.file}"/>
-  </module>
-
-  <module name="JavadocPackage">
-    <property name="allowLegacy" value="false"/>
-  </module>
-
-  <module name="Translation">
-    <property name="severity" value="warning"/>
-  </module>
-
-  <module name="FileTabCharacter">
-    <property name="eachLine" value="false"/>
-  </module>
-
-  <module name="FileLength">
-    <property name="fileExtensions" value="java"/>
-  </module>
-
-  <module name="NewlineAtEndOfFile">
-  <property name="fileExtensions" value="java"/>
-  <property name="lineSeparator" value="lf"/>
-  </module>
-
-  <module name="RegexpHeader">
-    <property name="headerFile" value="${checkstyle.header.file}"/>
-    <property name="fileExtensions" value="java"/>
-    <property name="id" value="header"/>
-  </module>
-
-  <module name="RegexpSingleline">
-    <property name="format" value="\s+$"/>
-    <property name="minimum" value="0"/>
-    <property name="maximum" value="0"/>
-  </module>
-
-  <module name="TreeWalker">
-    <property name="tabWidth" value="4"/>
-
-    <module name="AvoidStarImport"/>
-    <module name="ConstantName"/>
-    <module name="EmptyBlock"/>
-    <module name="EmptyForIteratorPad"/>
-    <module name="EqualsHashCode"/>
-    <module name="OneStatementPerLine"/>
-
-    <!-- module name="IllegalCatch"/ -->
-    <!--module name="ImportControl">
-      <property name="file" value="${checkstyle.importcontrol.file}"/>
-    </module-->
-    <module name="IllegalImport"/>
-    <module name="IllegalInstantiation"/>
-    <module name="IllegalThrows"/>
-    <module name="InnerAssignment"/>
-    <module name="JavadocType">
-      <property name="authorFormat" value="\S"/>
-    </module>
-    <module name="JavadocMethod">
-      <property name="allowUndeclaredRTE" value="true"/>
-      <property name="allowThrowsTagsForSubclasses" value="true"/>
-      <property name="allowMissingPropertyJavadoc" value="true"/>
-    </module>
-    <module name="JavadocVariable"/>
-    <module name="JavadocStyle">
-      <property name="scope" value="public"/>
-    </module>
-
-    <module name="LeftCurly">
-      <property name="option" value="eol"/>
-      <property name="tokens" value="CLASS_DEF"/>
-      <property name="tokens" value="CTOR_DEF"/>
-      <property name="tokens" value="INTERFACE_DEF"/>
-      <property name="tokens" value="METHOD_DEF"/>
-      <property name="tokens" value="LITERAL_CATCH"/>
-      <property name="tokens" value="LITERAL_DO"/>
-      <property name="tokens" value="LITERAL_ELSE"/>
-      <property name="tokens" value="LITERAL_FINALLY"/>
-      <property name="tokens" value="LITERAL_FOR"/>
-      <property name="tokens" value="LITERAL_IF"/>
-      <property name="tokens" value="LITERAL_SWITCH"/>
-      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
-      <property name="tokens" value="LITERAL_TRY"/>
-      <property name="tokens" value="LITERAL_WHILE"/>
-    </module>
-
-    <module name="OuterTypeNumber"/>
-    <module name="LineLength">
-      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
-    <property name="max" value="150"/>
-    </module>
-
-    <module name="MethodCount">
-      <property name="maxTotal" value="40"/>
-    </module>
-
-    <module name="LocalFinalVariableName"/>
-    <module name="LocalVariableName"/>
-    <module name="MemberName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="MethodLength">
-        <property name="max" value="160"/>
-        <property name="countEmpty" value="false"/>
-    </module>
-    <module name="MethodName"/>
-    <module name="MethodParamPad"/>
-    <module name="ModifierOrder"/>
-    <module name="NeedBraces"/>
-    <module name="NoWhitespaceAfter">
-      <property name="tokens" value="ARRAY_INIT"/>
-      <property name="tokens" value="BNOT"/>
-      <property name="tokens" value="DEC"/>
-      <property name="tokens" value="DOT"/>
-      <property name="tokens" value="INC"/>
-      <property name="tokens" value="LNOT"/>
-      <property name="tokens" value="UNARY_MINUS"/>
-      <property name="tokens" value="UNARY_PLUS"/>
-    </module>
-
-    <module name="NoWhitespaceBefore"/>
-    <module name="NoWhitespaceBefore">
-      <property name="tokens" value="DOT"/>
-      <property name="allowLineBreaks" value="true"/>
-    </module>
-
-    <module name="OperatorWrap"/>
-    <module name="OperatorWrap">
-      <property name="tokens" value="ASSIGN"/>
-      <property name="tokens" value="DIV_ASSIGN"/>
-      <property name="tokens" value="PLUS_ASSIGN"/>
-      <property name="tokens" value="MINUS_ASSIGN"/>
-      <property name="tokens" value="STAR_ASSIGN"/>
-      <property name="tokens" value="MOD_ASSIGN"/>
-      <property name="tokens" value="SR_ASSIGN"/>
-      <property name="tokens" value="BSR_ASSIGN"/>
-      <property name="tokens" value="SL_ASSIGN"/>
-      <property name="tokens" value="BXOR_ASSIGN"/>
-      <property name="tokens" value="BOR_ASSIGN"/>
-      <property name="tokens" value="BAND_ASSIGN"/>
-      <property name="option" value="eol"/>
-    </module>
-    <module name="PackageName"/>
-    <module name="ParameterName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="ParameterNumber">
-      <property name="id" value="paramNum"/>
-    </module>
-    <module name="ParenPad"/>
-    <module name="TypecastParenPad"/>
-    <module name="RedundantImport"/>
-    <module name="RedundantModifier"/>
-    <module name="RightCurly">
-      <property name="option" value="same"/>
-    </module>
-    <module name="SimplifyBooleanExpression"/>
-    <module name="SimplifyBooleanReturn"/>
-    <module name="StaticVariableName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="TypeName"/>
-    <module name="UnusedImports"/>
-    <module name="UpperEll"/>
-    <module name="VisibilityModifier"/>
-    <module name="WhitespaceAfter"/>
-    <module name="WhitespaceAround"/>
-    <module name="GenericWhitespace"/>
-    <module name="FinalClass"/>
-    <module name="MissingSwitchDefault"/>
-    <!--module name="MagicNumber"/-->
-    <!--module name="Indentation">
-      <property name="basicOffset" value="4"/>
-      <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="0"/>
-    </module-->
-    <module name="ArrayTrailingComma"/>
-    <module name="FinalLocalVariable"/>
-    <module name="EqualsAvoidNull"/>
-    <module name="ParameterAssignment"/>
-
-    <!-- Generates quite a few errors -->
-    <module name="CyclomaticComplexity">
-      <property name="severity" value="ignore"/>
-    </module>
-
-    <module name="NestedForDepth">
-      <property name="max" value="2"/>
-    </module>
-    <module name="NestedIfDepth">
-      <property name="max" value="4"/>
-    </module>
-    <module name="NestedTryDepth">
-        <property name="max" value="2"/>
-    </module>
-    <!--module name="ExplicitInitialization"/-->
-    <module name="AnnotationUseStyle"/>
-    <module name="MissingDeprecated"/>
-    <module name="MissingOverride">
-      <property name="javaFiveCompatibility" value="true"/>
-    </module>
-    <module name="PackageAnnotation"/>
-    <module name="SuppressWarnings"/>
-    <module name="OuterTypeFilename"/>
-    <module name="HideUtilityClassConstructor"/>
-  </module>
-</module>
--- a/dependency-check-ant/config/checkstyle-header.txt
+++ b/dependency-check-ant/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
-^/\*\s*$
-^ \* This file is part of dependency-check-ant\.\s*$
-^ \*\s*$
-^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
-^ \* you may not use this file except in compliance with the License.\s*$
-^ \* You may obtain a copy of the License at\s*$
-^ \*\s*$
-^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
-^ \*\s*$
-^ \* Unless required by applicable law or agreed to in writing, software\s*$
-^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
-^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
-^ \* See the License for the specific language governing permissions and\s*$
-^ \* limitations under the License\.\s*$
-^ \*\s*$
-^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
-^ \*/\s*$
-^package
--- a/dependency-check-ant/config/checkstyle-suppressions.xml
+++ b/dependency-check-ant/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<!DOCTYPE suppressions PUBLIC
-     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
-     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
-
-<suppressions>
-    <suppress checks=".*" files=".*[\\/]package-info\.java" />
-</suppressions>
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.

 Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.8</version>
    </parent>

    <artifactId>dependency-check-ant</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Ant Task</name>
-    <description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -324,6 +323,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
+                            <configuration>
+                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
+                            </configuration>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
@@ -398,9 +400,9 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
@@ -412,6 +414,15 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
                                <sourceEncoding>utf-8</sourceEncoding>
+                                <excludes>
+                                    <exclude>**/generated/*.java</exclude>
+                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -430,6 +441,11 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -62,6 +62,10 @@ public class DependencyCheckTask extends Task {
     * System specific new line character.
     */
    private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyCheckTask.class.getName());

    /**
     * Construct a new DependencyCheckTask.
@@ -281,26 +285,50 @@ public class DependencyCheckTask extends Task {
        this.reportFormat = reportFormat.getValue();
    }
    /**
-     * The Proxy URL.
+     * The Proxy Server.
     */
-    private String proxyUrl;
+    private String proxyServer;

    /**
-     * Get the value of proxyUrl.
+     * Get the value of proxyServer.
     *
-     * @return the value of proxyUrl
+     * @return the value of proxyServer
     */
-    public String getProxyUrl() {
-        return proxyUrl;
+    public String getProxyServer() {
+        return proxyServer;
    }

    /**
-     * Set the value of proxyUrl.
+     * Set the value of proxyServer.
     *
-     * @param proxyUrl new value of proxyUrl
+     * @param server new value of proxyServer
     */
+    public void setProxyServer(String server) {
+        this.proxyServer = server;
+    }
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
+     */
+    @Deprecated
+    public String getProxyUrl() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyUrl new value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
+     * instead
+     */
+    @Deprecated
    public void setProxyUrl(String proxyUrl) {
-        this.proxyUrl = proxyUrl;
+        LOGGER.warning("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.");
+        this.proxyServer = proxyUrl;
    }
    /**
     * The Proxy Port.
@@ -457,6 +485,103 @@ public class DependencyCheckTask extends Task {
        this.showSummary = showSummary;
    }

+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param jarAnalyzerEnabled the value of the new setting
+     */
+    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the Archive Analyzer is enabled.
+     */
+    private boolean archiveAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isArchiveAnalyzerEnabled() {
+        return archiveAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Assembly Analyzer is enabled.
+     */
+    private boolean assemblyAnalyzerEnabled = true;
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param archiveAnalyzerEnabled the value of the new setting
+     */
+    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
+    }
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isAssemblyAnalyzerEnabled() {
+        return assemblyAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param assemblyAnalyzerEnabled the value of the new setting
+     */
+    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the .NET Nuspec Analyzer is enabled.
+     */
+    private boolean nuspecAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isNuspecAnalyzerEnabled() {
+        return nuspecAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the analyzer is enabled.
+     *
+     * @param nuspecAnalyzerEnabled the value of the new setting
+     */
+    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
+    }
+    /**
+     * Whether or not the central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = false;
+
+    /**
+     * Get the value of centralAnalyzerEnabled
+     *
+     * @return the value of centralAnalyzerEnabled
+     */
+    public boolean isCentralAnalyzerEnabled() {
+        return centralAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of centralAnalyzerEnabled
+     *
+     * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
+     */
+    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
+    }
+
    /**
     * Whether or not the nexus analyzer is enabled.
     */
@@ -787,7 +912,7 @@ public class DependencyCheckTask extends Task {

        Engine engine = null;
        try {
-            engine = new Engine();
+            engine = new Engine(DependencyCheckTask.class.getClassLoader());

            for (Resource resource : path) {
                final FileProvider provider = resource.as(FileProvider.class);
@@ -807,7 +932,7 @@ public class DependencyCheckTask extends Task {
                    cve.open();
                    prop = cve.getDatabaseProperties();
                } catch (DatabaseException ex) {
-                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                    LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
                } finally {
                    if (cve != null) {
                        cve.close();
@@ -823,19 +948,17 @@ public class DependencyCheckTask extends Task {
                    showSummary(engine.getDependencies());
                }
            } catch (IOException ex) {
-                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
-                        "Unable to generate dependency-check report", ex);
+                LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
                throw new BuildException("Unable to generate dependency-check report", ex);
            } catch (Exception ex) {
-                Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE,
-                        "An exception occurred; unable to continue task", ex);
+                LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
                throw new BuildException("An exception occurred; unable to continue task", ex);
            }
        } catch (DatabaseException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.SEVERE,
-                    "Unable to connect to the dependency-check database; analysis has stopped");
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, "", ex);
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
        } finally {
+            Settings.cleanup(true);
            if (engine != null) {
                engine.cleanup();
            }
@@ -858,22 +981,23 @@ public class DependencyCheckTask extends Task {

    /**
     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy url, port, and connection timeout.
+     * properties required to change the proxy server, port, and connection timeout.
     */
    private void populateSettings() {
+        Settings.initialize();
        InputStream taskProperties = null;
        try {
            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
            Settings.mergeProperties(taskProperties);
        } catch (IOException ex) {
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load the dependency-check ant task.properties file.");
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (taskProperties != null) {
                try {
                    taskProperties.close();
                } catch (IOException ex) {
-                    Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -889,8 +1013,8 @@ public class DependencyCheckTask extends Task {

        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);

-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -907,11 +1031,31 @@ public class DependencyCheckTask extends Task {
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
+
+        //File Type Analyzer Settings
+        //JAR ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        //NUSPEC ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        //CENTRAL ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        //NEXUS ANALYZER
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        //ARCHIVE ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
+        if (zipExtensions != null && !zipExtensions.isEmpty()) {
+            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        }
+        //ASSEMBLY ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
+        if (pathToMono != null && !pathToMono.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        }
+
        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
        }
@@ -927,9 +1071,6 @@ public class DependencyCheckTask extends Task {
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        }
@@ -942,9 +1083,6 @@ public class DependencyCheckTask extends Task {
        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
    }

    /**
@@ -1011,7 +1149,7 @@ public class DependencyCheckTask extends Task {
            final String msg = String.format("%n%n"
                    + "One or more dependencies were identified with known vulnerabilities:%n%n%s"
                    + "%n%nSee the dependency-check report for more details.%n%n", summary.toString());
-            Logger.getLogger(DependencyCheckTask.class.getName()).log(Level.WARNING, msg);
+            LOGGER.log(Level.WARNING, msg);
        }
    }

@@ -1036,4 +1174,18 @@ public class DependencyCheckTask extends Task {
            return values;
        }
    }
+
+    /**
+     * Whether or not the Jar Analyzer is enabled.
+     */
+    private boolean jarAnalyzerEnabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return true if the analyzer is enabled
+     */
+    public boolean isJarAnalyzerEnabled() {
+        return jarAnalyzerEnabled;
+    }
 }
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -18,34 +18,61 @@ the project's dependencies.
    </dependency-check>
 </target>
 ```
-The following table lists the configurable properties:

-Property              | Description | Requirement | Default Value
----------------------|-------------|-------------|------------
-applicationName       | The name of the application to use in the generated report. | Required | &nbsp;
-reportFormat          | The format of the report to be generated. Allowed values are: HTML, XML, VULN, or ALL. The default value is HTML.| Optional | HTML
-reportOutputDirectory | The directory where dependency-check will store data used for analysis. Defaults to the current working directory. | Optional | &nbsp;
-failBuildOn           | If set and a CVE is found that is greater then the specified value the build will fail. The default value is 11 which means that the build will not fail. Valid values are 0-11. | Optional | 11
-autoUpdate            | If set to false the NVD CVE data is not automatically updated. Setting this to false could result in false negatives. However, this may be required in some environments. | Optional | true
-dataDirectory         | The directory where dependency-check will store data used for analysis. Defaults to a folder called, called 'dependency-check-data', that is in the same directory as the dependency-check-ant jar file was installed in. *It is not recommended to change this.* | Optional | &nbsp;
-logFile               | The file path to write verbose logging information. | Optional | &nbsp;
-suppressionFile       | An XML file conforming to the suppression schema that suppresses findings; this is used to hide [false positives](../suppression.html). | Optional | &nbsp;
-proxyUrl              | Defines the proxy used to connect to the Internet. | Optional | &nbsp;
-proxyPort             | Defines the port for the proxy. | Optional | &nbsp;
-proxyUsername         | Defines the proxy user name. | Optional | &nbsp;
-proxyPassword         | Defines the proxy password. | Optional | &nbsp;
-connectionTimeout     | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusAnalyzerEnabled  | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusUrl              | The connection timeout used when downloading data files from the Internet. | Optional | &nbsp;
-nexusUsesProxy        | Whether or not the defined proxy should be used when connecting to Nexus. | Optional | true
-databaseDriverName    | The name of the database driver. Example: org.h2.Driver. | Optional | &nbsp;
-databaseDriverPath    | The path to the database driver JAR file; only used if the driver is not in the class path. | Optional | &nbsp;
-connectionString      | The connection string used to connect to the database. | Optional | &nbsp;
-databaseUser          | The username used when connecting to the database. | Optional | dcuser
-databasePassword      | The password used when connecting to the database. | Optional | &nbsp;
-zipExtensions         | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional | &nbsp;
-cveUrl12Modified      | URL for the modified CVE 1.2 | Optional | http://nvd.nist.gov/download/nvdcve-modified.xml
-cveUrl20Modified      | URL for the modified CVE 2.0 | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cveUrl12Base          | Base URL for each year's CVE 1.2, the %d will be replaced with the year | Optional | http://nvd.nist.gov/download/nvdcve-%d.xml
-cveUrl20Base          | Base URL for each year's CVE 2.0, the %d will be replaced with the year | Optional | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-pathToMono            | The path to Mono for .NET assembly analysis on non-windows systems | Optional | &nbsp;
+Configuration
+====================
+The following properties can be set on the dependency-check-maven plugin.
+
+Property             | Description                        | Default Value
+---------------------|------------------------------------|------------------
+autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
+outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+logFile              | The file path to write verbose logging information. | &nbsp;
+suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
+proxyServer          | The Proxy Server.                  | &nbsp;
+proxyPort            | The Proxy Port.                    | &nbsp;
+proxyUsername        | Defines the proxy user name.       | &nbsp;
+proxyPassword        | Defines the proxy password.        | &nbsp;
+connectionTimeout    | The URL Connection Timeout.        | &nbsp;
+
+Analyzer Configuration
+====================
+The following properties are used to configure the various file type analyzers.
+These properties can be used to turn off specific analyzers if it is not needed.
+Note, that specific analyzers will automatically disable themselves if no file
+types that they support are detected - so specifically disabling them may not
+be needed.
+
+Property                | Description                                                               | Default Value
+------------------------|---------------------------------------------------------------------------|------------------
+archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                           | true
+zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+jarAnalyzer             | Sets whether the Jar Analyzer will be used.                                   | true
+centralAnalyzerEnabled  | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
+nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
+nexusUrl                | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. | &nbsp;
+nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
+nuspecAnalyzerEnabled   | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.          | true
+assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.            | true
+pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems.       | &nbsp;
+
+Advanced Configuration
+====================
+The following properties can be configured in the plugin. However, they are less frequently changed. One exception
+may be the cvedUrl properties, which can be used to host a mirror of the NVD within an enterprise environment.
+
+Property             | Description                                                             | Default Value
+---------------------|-------------------------------------------------------------------------|------------------
+cveUrl12Modified     | URL for the modified CVE 1.2                                            | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0                                            | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+dataDirectory        | Data directory to hold SQL CVEs contents. This should generally not be changed.             | &nbsp;
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
+databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
+connectionString     | The connection string used to connect to the database.                                      | &nbsp;
+databaseUser         | The username used when connecting to the database.                                          | &nbsp;
+databasePassword     | The password used when connecting to the database.                                          | &nbsp;
--- a/dependency-check-ant/src/site/markdown/installation.md.vm
+++ b/dependency-check-ant/src/site/markdown/installation.md.vm
@@ -3,7 +3,20 @@ Installation
 Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
 To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
 the lib directory of your Ant instalation directory. Once installed you can add
-the taskdef to you build.xml and add the task to a new or existing target.
+the taskdef to you build.xml and add the task to a new or existing target:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
+```
+
+If you do not want to install dependency-check-ant into your ant's lib directory when you define the task def you
+must add the classpath to the taskdef:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
+    <classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
+</taskdef>
+```

 It is important to understand that the first time this task is executed it may
 take 20 minutes or more as it downloads and processes the data from the National
--- a/dependency-check-ant/src/site/markdown/usage.md.vm
+++ b/dependency-check-ant/src/site/markdown/usage.md.vm
@@ -1,11 +1,19 @@
 Usage
 ====================
-First, add the dependency-check-ant taskdef to your build.xml:
+First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html):

 ```xml
 <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
 ```

+Or
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
+    <classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
+</taskdef>
+```
+
 Next, add the task to a target of your choosing:

 ```xml
--- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
+++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
@@ -18,14 +18,12 @@
 package org.owasp.dependencycheck.taskdefs;

 import java.io.File;
-import static junit.framework.TestCase.assertTrue;
 import org.apache.tools.ant.BuildFileTest;
 import org.junit.After;
-import org.junit.AfterClass;
 import org.junit.Before;
-import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -33,20 +31,10 @@ import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
 */
 public class DependencyCheckTaskTest extends BuildFileTest {

-    public DependencyCheckTaskTest() {
-    }
-
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
    @Before
    @Override
    public void setUp() throws Exception {
+        Settings.initialize();
        BaseDBTestCase.ensureDBExists();
        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
        configureProject(buildFile);
@@ -57,6 +45,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
    public void tearDown() {
        //no cleanup...
        //executeTarget("cleanup");
+        Settings.cleanup(true);
    }

    /**
@@ -64,7 +53,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileSet() throws Exception {
-        File report = new File("target/DependencyCheck-Report.html");
+        File report = new File("target/dependency-check-report.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.html' prior to test.");
@@ -83,7 +72,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddFileList() throws Exception {
-        File report = new File("target/DependencyCheck-Report.xml");
+        File report = new File("target/dependency-check-report.xml");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
@@ -101,7 +90,7 @@ public class DependencyCheckTaskTest extends BuildFileTest {
     */
    @Test
    public void testAddDirSet() throws Exception {
-        File report = new File("target/DependencyCheck-Vulnerability.html");
+        File report = new File("target/dependency-check-vulnerability.html");
        if (report.exists()) {
            if (!report.delete()) {
                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
--- a/dependency-check-cli/config/checkstyle-checks.xml
+++ b/dependency-check-cli/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE module PUBLIC
-          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
-
-<module name="Checker">
-  <!--
-      If you set the basedir property below, then all reported file
-      names will be relative to the specified directory. See
-      http://checkstyle.sourceforge.net/5.x/config.html#Checker
-
-      <property name="basedir" value="${basedir}"/>
-  -->
-
-  <property name="severity" value="error"/>
-
-  <module name="SuppressionFilter">
-    <property name="file" value="${checkstyle.suppressions.file}"/>
-  </module>
-
-  <module name="JavadocPackage">
-    <property name="allowLegacy" value="false"/>
-  </module>
-
-  <module name="Translation">
-    <property name="severity" value="warning"/>
-  </module>
-
-  <module name="FileTabCharacter">
-    <property name="eachLine" value="false"/>
-  </module>
-
-  <module name="FileLength">
-    <property name="fileExtensions" value="java"/>
-  </module>
-
-  <module name="NewlineAtEndOfFile">
-  <property name="fileExtensions" value="java"/>
-  <property name="lineSeparator" value="lf"/>
-  </module>
-
-  <module name="RegexpHeader">
-    <property name="headerFile" value="${checkstyle.header.file}"/>
-    <property name="fileExtensions" value="java"/>
-    <property name="id" value="header"/>
-  </module>
-
-  <module name="RegexpSingleline">
-    <property name="format" value="\s+$"/>
-    <property name="minimum" value="0"/>
-    <property name="maximum" value="0"/>
-  </module>
-
-  <module name="TreeWalker">
-    <property name="tabWidth" value="4"/>
-
-    <module name="AvoidStarImport"/>
-    <module name="ConstantName"/>
-    <module name="EmptyBlock"/>
-    <module name="EmptyForIteratorPad"/>
-    <module name="EqualsHashCode"/>
-    <module name="OneStatementPerLine"/>
-
-    <!-- module name="IllegalCatch"/ -->
-    <!--module name="ImportControl">
-      <property name="file" value="${checkstyle.importcontrol.file}"/>
-    </module-->
-    <module name="IllegalImport"/>
-    <module name="IllegalInstantiation"/>
-    <module name="IllegalThrows"/>
-    <module name="InnerAssignment"/>
-    <module name="JavadocType">
-      <property name="authorFormat" value="\S"/>
-    </module>
-    <module name="JavadocMethod">
-      <property name="allowUndeclaredRTE" value="true"/>
-      <property name="allowThrowsTagsForSubclasses" value="true"/>
-      <property name="allowMissingPropertyJavadoc" value="true"/>
-    </module>
-    <module name="JavadocVariable"/>
-    <module name="JavadocStyle">
-      <property name="scope" value="public"/>
-    </module>
-
-    <module name="LeftCurly">
-      <property name="option" value="eol"/>
-      <property name="tokens" value="CLASS_DEF"/>
-      <property name="tokens" value="CTOR_DEF"/>
-      <property name="tokens" value="INTERFACE_DEF"/>
-      <property name="tokens" value="METHOD_DEF"/>
-      <property name="tokens" value="LITERAL_CATCH"/>
-      <property name="tokens" value="LITERAL_DO"/>
-      <property name="tokens" value="LITERAL_ELSE"/>
-      <property name="tokens" value="LITERAL_FINALLY"/>
-      <property name="tokens" value="LITERAL_FOR"/>
-      <property name="tokens" value="LITERAL_IF"/>
-      <property name="tokens" value="LITERAL_SWITCH"/>
-      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
-      <property name="tokens" value="LITERAL_TRY"/>
-      <property name="tokens" value="LITERAL_WHILE"/>
-    </module>
-
-    <module name="OuterTypeNumber"/>
-    <module name="LineLength">
-      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
-    <property name="max" value="150"/>
-    </module>
-
-    <module name="MethodCount">
-      <property name="maxTotal" value="40"/>
-    </module>
-
-    <module name="LocalFinalVariableName"/>
-    <module name="LocalVariableName"/>
-    <module name="MemberName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="MethodLength">
-        <property name="max" value="160"/>
-        <property name="countEmpty" value="false"/>
-    </module>
-    <module name="MethodName"/>
-    <module name="MethodParamPad"/>
-    <module name="ModifierOrder"/>
-    <module name="NeedBraces"/>
-    <module name="NoWhitespaceAfter">
-      <property name="tokens" value="ARRAY_INIT"/>
-      <property name="tokens" value="BNOT"/>
-      <property name="tokens" value="DEC"/>
-      <property name="tokens" value="DOT"/>
-      <property name="tokens" value="INC"/>
-      <property name="tokens" value="LNOT"/>
-      <property name="tokens" value="UNARY_MINUS"/>
-      <property name="tokens" value="UNARY_PLUS"/>
-    </module>
-
-    <module name="NoWhitespaceBefore"/>
-    <module name="NoWhitespaceBefore">
-      <property name="tokens" value="DOT"/>
-      <property name="allowLineBreaks" value="true"/>
-    </module>
-
-    <module name="OperatorWrap"/>
-    <module name="OperatorWrap">
-      <property name="tokens" value="ASSIGN"/>
-      <property name="tokens" value="DIV_ASSIGN"/>
-      <property name="tokens" value="PLUS_ASSIGN"/>
-      <property name="tokens" value="MINUS_ASSIGN"/>
-      <property name="tokens" value="STAR_ASSIGN"/>
-      <property name="tokens" value="MOD_ASSIGN"/>
-      <property name="tokens" value="SR_ASSIGN"/>
-      <property name="tokens" value="BSR_ASSIGN"/>
-      <property name="tokens" value="SL_ASSIGN"/>
-      <property name="tokens" value="BXOR_ASSIGN"/>
-      <property name="tokens" value="BOR_ASSIGN"/>
-      <property name="tokens" value="BAND_ASSIGN"/>
-      <property name="option" value="eol"/>
-    </module>
-    <module name="PackageName"/>
-    <module name="ParameterName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="ParameterNumber">
-      <property name="id" value="paramNum"/>
-    </module>
-    <module name="ParenPad"/>
-    <module name="TypecastParenPad"/>
-    <module name="RedundantImport"/>
-    <module name="RedundantModifier"/>
-    <module name="RightCurly">
-      <property name="option" value="same"/>
-    </module>
-    <module name="SimplifyBooleanExpression"/>
-    <module name="SimplifyBooleanReturn"/>
-    <module name="StaticVariableName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="TypeName"/>
-    <module name="UnusedImports"/>
-    <module name="UpperEll"/>
-    <module name="VisibilityModifier"/>
-    <module name="WhitespaceAfter"/>
-    <module name="WhitespaceAround"/>
-    <module name="GenericWhitespace"/>
-    <module name="FinalClass"/>
-    <module name="MissingSwitchDefault"/>
-    <!--module name="MagicNumber"/-->
-    <!--module name="Indentation">
-      <property name="basicOffset" value="4"/>
-      <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="0"/>
-    </module-->
-    <module name="ArrayTrailingComma"/>
-    <module name="FinalLocalVariable"/>
-    <module name="EqualsAvoidNull"/>
-    <module name="ParameterAssignment"/>
-
-    <!-- Generates quite a few errors -->
-    <module name="CyclomaticComplexity">
-      <property name="severity" value="ignore"/>
-    </module>
-
-    <module name="NestedForDepth">
-      <property name="max" value="2"/>
-    </module>
-    <module name="NestedIfDepth">
-      <property name="max" value="4"/>
-    </module>
-    <module name="NestedTryDepth">
-        <property name="max" value="2"/>
-    </module>
-    <!--module name="ExplicitInitialization"/-->
-    <module name="AnnotationUseStyle"/>
-    <module name="MissingDeprecated"/>
-    <module name="MissingOverride">
-      <property name="javaFiveCompatibility" value="true"/>
-    </module>
-    <module name="PackageAnnotation"/>
-    <module name="SuppressWarnings"/>
-    <module name="OuterTypeFilename"/>
-    <module name="HideUtilityClassConstructor"/>
-  </module>
-</module>
--- a/dependency-check-cli/config/checkstyle-suppressions.xml
+++ b/dependency-check-cli/config/checkstyle-suppressions.xml
@@ -1,9 +0,0 @@
-<?xml version="1.0"?>
-
-<!DOCTYPE suppressions PUBLIC
-     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
-     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
-
-<suppressions>
-    <suppress checks=".*" files=".*[\\/]package-info\.java" />
-</suppressions>
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.

 Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.8</version>
    </parent>

    <artifactId>dependency-check-cli</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Command Line</name>
-    <description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -174,6 +173,9 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
+                            <configuration>
+                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
+                            </configuration>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
@@ -248,16 +250,16 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
+                            <version>3.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
@@ -265,6 +267,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -278,12 +286,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>appassembler-maven-plugin</artifactId>
-                <version>1.7</version>
+                <version>1.8.1</version>
                <configuration>
                    <programs>
                        <program>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <name>dependency-check</name>
+                            <id>dependency-check</id>
                        </program>
                    </programs>
                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
@@ -335,5 +343,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
    </dependencies>
 </project>
--- a/dependency-check-cli/src/main/assembly/release.xml
+++ b/dependency-check-cli/src/main/assembly/release.xml
@@ -2,10 +2,8 @@
 <assembly
    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-      http://maven.apache.org/xsd/assembly-1.1.2.xsd
-  "
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd"
 >
    <id>release</id>
    <formats>
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -21,15 +21,19 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
-import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.org.apache.tools.ant.DirectoryScanner;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
@@ -46,14 +50,24 @@ public class App {
     */
    private static final String LOG_PROPERTIES_FILE = "log.properties";

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(App.class.getName());
+
    /**
     * The main method for the application.
     *
     * @param args the command line arguments
     */
    public static void main(String[] args) {
-        final App app = new App();
-        app.run(args);
+        try {
+            Settings.initialize();
+            final App app = new App();
+            app.run(args);
+        } finally {
+            Settings.cleanup(true);
+        }
    }

    /**
@@ -62,8 +76,8 @@ public class App {
     * @param args the command line arguments
     */
    public void run(String[] args) {
-
        final CliParser cli = new CliParser();
+
        try {
            cli.parse(args);
        } catch (FileNotFoundException ex) {
@@ -82,8 +96,12 @@ public class App {
        if (cli.isGetVersion()) {
            cli.printVersionInfo();
        } else if (cli.isRunScan()) {
-            updateSettings(cli);
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
+            populateSettings(cli);
+            try {
+                runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExcludeList());
+            } catch (InvalidScanPathException ex) {
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "An invalid scan path was detected; unable to scan '//*' paths");
+            }
        } else {
            cli.printHelp();
        }
@@ -96,18 +114,71 @@ public class App {
     * @param outputFormat the output format of the report
     * @param applicationName the application name for the report
     * @param files the files/directories to scan
+     * @param excludes the patterns for files/directories to exclude
+     *
+     * @throws InvalidScanPathException thrown if the path to scan starts with "//"
     */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
-        Engine scanner = null;
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
+            String[] excludes) throws InvalidScanPathException {
+        Engine engine = null;
        try {
-            scanner = new Engine();
-
-            for (String file : files) {
-                scanner.scan(file);
+            engine = new Engine();
+            List<String> antStylePaths = new ArrayList<String>();
+            if (excludes == null || excludes.length == 0) {
+                for (String file : files) {
+                    if (file.contains("*") || file.contains("?")) {
+                        antStylePaths.add(file);
+                    } else {
+                        engine.scan(file);
+                    }
+                }
+            } else {
+                antStylePaths = Arrays.asList(files);
            }

-            scanner.analyzeDependencies();
-            final List<Dependency> dependencies = scanner.getDependencies();
+            final Set<File> paths = new HashSet<File>();
+            for (String file : antStylePaths) {
+                final DirectoryScanner scanner = new DirectoryScanner();
+                String include = file.replace('\\', '/');
+                File baseDir;
+
+                if (include.startsWith("//")) {
+                    throw new InvalidScanPathException("Unable to scan paths specified by //");
+                } else if (include.startsWith("./")) {
+                    baseDir = new File(".");
+                    include = include.substring(2);
+                } else if (include.startsWith("/")) {
+                    baseDir = new File("/");
+                    include = include.substring(1);
+                } else if (include.contains("/")) {
+                    final int pos = include.indexOf('/');
+                    final String tmp = include.substring(0, pos);
+                    if (tmp.contains("*") || tmp.contains("?")) {
+                        baseDir = new File(".");
+                    } else {
+                        baseDir = new File(tmp);
+                        include = include.substring(pos + 1);
+                    }
+                } else { //no path info - must just be a file in the working directory
+                    baseDir = new File(".");
+                }
+                scanner.setBasedir(baseDir);
+                scanner.setIncludes(include);
+                if (excludes != null && excludes.length > 0) {
+                    scanner.addExcludes(excludes);
+                }
+                scanner.scan();
+                if (scanner.getIncludedFilesCount() > 0) {
+                    for (String s : scanner.getIncludedFiles()) {
+                        final File f = new File(baseDir, s);
+                        paths.add(f);
+                    }
+                }
+            }
+            engine.scan(paths);
+
+            engine.analyzeDependencies();
+            final List<Dependency> dependencies = engine.getDependencies();
            DatabaseProperties prop = null;
            CveDB cve = null;
            try {
@@ -115,28 +186,28 @@ public class App {
                cve.open();
                prop = cve.getDatabaseProperties();
            } catch (DatabaseException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
            } finally {
                if (cve != null) {
                    cve.close();
                }
            }
-            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
+            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
            try {
                report.generateReports(reportDirectory, outputFormat);
            } catch (IOException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "There was an IO error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
            } catch (Throwable ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "There was an error while attempting to generate the report.");
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "There was an error while attempting to generate the report.");
+                LOGGER.log(Level.FINE, null, ex);
            }
        } catch (DatabaseException ex) {
-            Logger.getLogger(App.class.getName()).log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
-            Logger.getLogger(App.class.getName()).log(Level.FINE, "", ex);
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
        } finally {
-            if (scanner != null) {
-                scanner.cleanup();
+            if (engine != null) {
+                engine.cleanup();
            }
        }
    }
@@ -147,17 +218,22 @@ public class App {
     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
     * settings in the core engine.
     */
-    private void updateSettings(CliParser cli) {
+    private void populateSettings(CliParser cli) {

        final boolean autoUpdate = cli.isAutoUpdate();
        final String connectionTimeout = cli.getConnectionTimeout();
-        final String proxyUrl = cli.getProxyUrl();
+        final String proxyServer = cli.getProxyServer();
        final String proxyPort = cli.getProxyPort();
        final String proxyUser = cli.getProxyUsername();
        final String proxyPass = cli.getProxyPassword();
        final String dataDirectory = cli.getDataDirectory();
        final File propertiesFile = cli.getPropertiesFile();
        final String suppressionFile = cli.getSuppressionFile();
+        final boolean jarDisabled = cli.isJarDisabled();
+        final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean assemblyDisabled = cli.isAssemblyDisabled();
+        final boolean nuspecDisabled = cli.isNuspecDisabled();
+        final boolean centralDisabled = cli.isCentralDisabled();
        final boolean nexusDisabled = cli.isNexusDisabled();
        final String nexusUrl = cli.getNexusUrl();
        final String databaseDriverName = cli.getDatabaseDriverName();
@@ -173,12 +249,12 @@ public class App {
                Settings.mergeProperties(propertiesFile);
            } catch (FileNotFoundException ex) {
                final String msg = String.format("Unable to load properties file '%s'", propertiesFile.getPath());
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            } catch (IOException ex) {
                final String msg = String.format("Unable to find properties file '%s'", propertiesFile.getPath());
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(App.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
        }
        // We have to wait until we've merged the properties before attempting to set whether we use
@@ -198,8 +274,8 @@ public class App {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -216,6 +292,14 @@ public class App {
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
+
+        //File Type Analyzer Settings
+        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
+
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -15,11 +15,11 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.cli;
+package org.owasp.dependencycheck;

 import java.io.File;
 import java.io.FileNotFoundException;
-
+import java.util.logging.Logger;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -40,6 +40,10 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public final class CliParser {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CliParser.class.getName());
    /**
     * The command line.
     */
@@ -86,16 +90,16 @@ public final class CliParser {
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isRunScan()) {
-            validatePathExists(getScanFiles(), ArgumentName.SCAN);
-            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            validatePathExists(getScanFiles(), ARGUMENT.SCAN);
+            validatePathExists(getReportDirectory(), ARGUMENT.OUT);
            if (getPathToMono() != null) {
-                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+                validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
            }
-            if (!line.hasOption(ArgumentName.APP_NAME)) {
+            if (!line.hasOption(ARGUMENT.APP_NAME)) {
                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
            }
-            if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
-                final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
+            if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
+                final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
                try {
                    Format.valueOf(format);
                } catch (IllegalArgumentException ex) {
@@ -130,10 +134,34 @@ public final class CliParser {
     * @throws FileNotFoundException is thrown if the path being validated does not exist.
     */
    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
-        final File f = new File(path);
-        if (!f.exists()) {
+        if (path == null) {
            isValid = false;
-            final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+            final String msg = String.format("Invalid '%s' argument: null", argumentName);
+            throw new FileNotFoundException(msg);
+        } else if (!path.contains("*") && !path.contains("?")) {
+            File f = new File(path);
+            if ("o".equals(argumentName.substring(0, 1).toLowerCase()) && !"ALL".equals(this.getReportFormat().toUpperCase())) {
+                final String checkPath = path.toLowerCase();
+                if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
+                    if (f.getParentFile() == null) {
+                        f = new File(".", path);
+                    }
+                    if (!f.getParentFile().isDirectory()) {
+                        isValid = false;
+                        final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                        throw new FileNotFoundException(msg);
+                    }
+                }
+            } else {
+                if (!f.exists()) {
+                    isValid = false;
+                    final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                    throw new FileNotFoundException(msg);
+                }
+            }
+        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
+            isValid = false;
+            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
            throw new FileNotFoundException(msg);
        }
    }
@@ -145,11 +173,10 @@ public final class CliParser {
     */
    @SuppressWarnings("static-access")
    private Options createCommandLineOptions() {
-
        final Options options = new Options();
        addStandardOptions(options);
        addAdvancedOptions(options);
-
+        addDeprecatedOptions(options);
        return options;
    }

@@ -161,43 +188,50 @@ public final class CliParser {
     */
    @SuppressWarnings("static-access")
    private void addStandardOptions(final Options options) throws IllegalArgumentException {
-        final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
+        final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
                "Print this message.");

-        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
+        final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
                .withDescription("Print the advanced help message.").create();

-        final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
+        final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
                false, "Print the version information.");

-        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+        final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
                false, "Disables the automatic updating of the CPE data.");

-        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
                .withDescription("The name of the application being scanned. This is a required argument.")
-                .create(ArgumentName.APP_NAME_SHORT);
+                .create(ARGUMENT.APP_NAME_SHORT);

-        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("The path to scan - this option can be specified multiple times.")
-                .create(ArgumentName.SCAN_SHORT);
+        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
+                .withDescription("The path to scan - this option can be specified multiple times. Ant style"
+                        + " paths are supported (e.g. path/**/*.jar).")
+                .create(ARGUMENT.SCAN_SHORT);

-        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
+        final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
+                .withDescription("Specify and exclusion pattern. This option can be specified multiple times"
+                        + " and it accepts Ant style excludsions.")
+                .create();
+
+        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
                .withDescription("A property file to load.")
-                .create(ArgumentName.PROP_SHORT);
+                .create(ARGUMENT.PROP_SHORT);

-        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
-                .withDescription("The folder to write reports to. This defaults to the current directory.")
-                .create(ArgumentName.OUT_SHORT);
+        final Option out = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.OUT)
+                .withDescription("The folder to write reports to. This defaults to the current directory. "
+                        + "It is possible to set this to a specific file name if the format argument is not set to ALL.")
+                .create(ARGUMENT.OUT_SHORT);

-        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
-                .create(ArgumentName.OUTPUT_FORMAT_SHORT);
+                .create(ARGUMENT.OUTPUT_FORMAT_SHORT);

-        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
                .withDescription("The file path to write verbose logging information.")
-                .create(ArgumentName.VERBOSE_LOG_SHORT);
+                .create(ARGUMENT.VERBOSE_LOG_SHORT);

-        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESION_FILE)
+        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
                .withDescription("The file path to the suppression XML file.")
                .create();

@@ -205,7 +239,11 @@ public final class CliParser {
        final OptionGroup og = new OptionGroup();
        og.addOption(path);

+        final OptionGroup exog = new OptionGroup();
+        exog.addOption(excludes);
+
        options.addOptionGroup(og)
+                .addOptionGroup(exog)
                .addOption(out)
                .addOption(outputFormat)
                .addOption(appName)
@@ -228,74 +266,91 @@ public final class CliParser {
    @SuppressWarnings("static-access")
    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {

-        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
                .withDescription("The location of the H2 Database file. This option should generally not be set.")
-                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+                .create(ARGUMENT.DATA_DIRECTORY_SHORT);

-        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
-                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+                .create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);

-        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
-                .withDescription("The proxy url to use when downloading resources.")
-                .create(ArgumentName.PROXY_URL_SHORT);
+        final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
+                .withDescription("The proxy server to use when downloading resources.")
+                .create();

-        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
                .withDescription("The proxy port to use when downloading resources.")
-                .create(ArgumentName.PROXY_PORT_SHORT);
+                .create();

-        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
                .withDescription("The proxy username to use when downloading resources.")
                .create();

-        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
                .withDescription("The proxy password to use when downloading resources.")
                .create();

-        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
+        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
                .withDescription("The connection string to the database.")
                .create();

-        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
+        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
                .withDescription("The username used to connect to the database.")
                .create();

-        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
+        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
                .withDescription("The password for connecting to the database.")
                .create();

-        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
+        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
                .withDescription("The database driver name.")
                .create();

-        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
+        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
                .create();

-        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
+                .withDescription("Disable the Jar Analyzer.")
+                .create();
+        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
+                .withDescription("Disable the Archive Analyzer.")
+                .create();
+        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
+                .withDescription("Disable the Nuspec Analyzer.")
+                .create();
+        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
+                .withDescription("Disable the .NET Assembly Analyzer.")
+                .create();
+
+        final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
+                .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable the Nexus Analyzer.")
+                .create();
+
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
                .withDescription("Disable the Nexus Analyzer.")
                .create();

-        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
-                .withDescription("The url to the Nexus Server.")
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
+                .withDescription("The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled.")
                .create();

-        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
                .create();

        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
-                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
-                .withDescription("A comma seperated list of additional extensions to be scanned as ZIP files "
+                .withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
+                .withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
                        + "(ZIP, EAR, WAR are already treated as zip files)")
                .create();

-        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .create();

        options.addOption(proxyPort)
-                .addOption(proxyUrl)
+                .addOption(proxyServer)
                .addOption(proxyUsername)
                .addOption(proxyPassword)
                .addOption(connectionTimeout)
@@ -305,6 +360,11 @@ public final class CliParser {
                .addOption(dbPassword)
                .addOption(dbDriver)
                .addOption(dbDriverPath)
+                .addOption(disableJarAnalyzer)
+                .addOption(disableArchiveAnalyzer)
+                .addOption(disableAssemblyAnalyzer)
+                .addOption(disableNuspecAnalyzer)
+                .addOption(disableCentralAnalyzer)
                .addOption(disableNexusAnalyzer)
                .addOption(nexusUrl)
                .addOption(nexusUsesProxy)
@@ -312,13 +372,30 @@ public final class CliParser {
                .addOption(pathToMono);
    }

+    /**
+     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not
+     * including them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
+
+        final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
+                .withDescription("The proxy url argument is deprecated, use proxyserver instead.")
+                .create();
+
+        options.addOption(proxyServer);
+    }
+
    /**
     * Determines if the 'version' command line argument was passed in.
     *
     * @return whether or not the 'version' command line argument was passed in
     */
    public boolean isGetVersion() {
-        return (line != null) && line.hasOption(ArgumentName.VERSION);
+        return (line != null) && line.hasOption(ARGUMENT.VERSION);
    }

    /**
@@ -327,7 +404,7 @@ public final class CliParser {
     * @return whether or not the 'help' command line argument was passed in
     */
    public boolean isGetHelp() {
-        return (line != null) && line.hasOption(ArgumentName.HELP);
+        return (line != null) && line.hasOption(ARGUMENT.HELP);
    }

    /**
@@ -336,7 +413,43 @@ public final class CliParser {
     * @return whether or not the 'scan' command line argument was passed in
     */
    public boolean isRunScan() {
-        return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
+        return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
+    }
+
+    /**
+     * Returns true if the disableJar command line argument was specified.
+     *
+     * @return true if the disableJar command line argument was specified; otherwise false
+     */
+    public boolean isJarDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
+    }
+
+    /**
+     * Returns true if the disableArchive command line argument was specified.
+     *
+     * @return true if the disableArchive command line argument was specified; otherwise false
+     */
+    public boolean isArchiveDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
+    }
+
+    /**
+     * Returns true if the disableNuspec command line argument was specified.
+     *
+     * @return true if the disableNuspec command line argument was specified; otherwise false
+     */
+    public boolean isNuspecDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
+    }
+
+    /**
+     * Returns true if the disableAssembly command line argument was specified.
+     *
+     * @return true if the disableAssembly command line argument was specified; otherwise false
+     */
+    public boolean isAssemblyDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
    }

    /**
@@ -345,7 +458,16 @@ public final class CliParser {
     * @return true if the disableNexus command line argument was specified; otherwise false
     */
    public boolean isNexusDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
+    }
+
+    /**
+     * Returns true if the disableCentral command line argument was specified.
+     *
+     * @return true if the disableCentral command line argument was specified; otherwise false
+     */
+    public boolean isCentralDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL);
    }

    /**
@@ -354,10 +476,10 @@ public final class CliParser {
     * @return the url to the nexus server; if none was specified this will return null;
     */
    public String getNexusUrl() {
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
            return null;
        } else {
-            return line.getOptionValue(ArgumentName.NEXUS_URL);
+            return line.getOptionValue(ARGUMENT.NEXUS_URL);
        }
    }

@@ -370,14 +492,14 @@ public final class CliParser {
    public boolean isNexusUsesProxy() {
        // If they didn't specify whether Nexus needs to use the proxy, we should
        // still honor the property if it's set.
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
            try {
                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
            } catch (InvalidSettingException ise) {
                return true;
            }
        } else {
-            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+            return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
        }
    }

@@ -388,7 +510,7 @@ public final class CliParser {
        final HelpFormatter formatter = new HelpFormatter();
        final Options options = new Options();
        addStandardOptions(options);
-        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
+        if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
            addAdvancedOptions(options);
        }
        final String helpMsg = String.format("%n%s"
@@ -402,7 +524,6 @@ public final class CliParser {
                options,
                "",
                true);
-
    }

    /**
@@ -411,7 +532,16 @@ public final class CliParser {
     * @return the file paths specified on the command line for scan
     */
    public String[] getScanFiles() {
-        return line.getOptionValues(ArgumentName.SCAN);
+        return line.getOptionValues(ARGUMENT.SCAN);
+    }
+
+    /**
+     * Retrieves the list of excluded file patterns specified by the 'exclude' argument.
+     *
+     * @return the excluded file patterns
+     */
+    public String[] getExcludeList() {
+        return line.getOptionValues(ARGUMENT.EXCLUDE);
    }

    /**
@@ -420,7 +550,7 @@ public final class CliParser {
     * @return the path to the reports directory.
     */
    public String getReportDirectory() {
-        return line.getOptionValue(ArgumentName.OUT, ".");
+        return line.getOptionValue(ARGUMENT.OUT, ".");
    }

    /**
@@ -429,7 +559,7 @@ public final class CliParser {
     * @return the path to Mono
     */
    public String getPathToMono() {
-        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+        return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
    }

    /**
@@ -438,7 +568,7 @@ public final class CliParser {
     * @return the output format name.
     */
    public String getReportFormat() {
-        return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
+        return line.getOptionValue(ARGUMENT.OUTPUT_FORMAT, "HTML");
    }

    /**
@@ -447,7 +577,7 @@ public final class CliParser {
     * @return the application name.
     */
    public String getApplicationName() {
-        return line.getOptionValue(ArgumentName.APP_NAME);
+        return line.getOptionValue(ARGUMENT.APP_NAME);
    }

    /**
@@ -456,16 +586,24 @@ public final class CliParser {
     * @return the connection timeout
     */
    public String getConnectionTimeout() {
-        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+        return line.getOptionValue(ARGUMENT.CONNECTION_TIMEOUT);
    }

    /**
-     * Returns the proxy url.
+     * Returns the proxy server.
     *
-     * @return the proxy url
+     * @return the proxy server
     */
-    public String getProxyUrl() {
-        return line.getOptionValue(ArgumentName.PROXY_URL);
+    public String getProxyServer() {
+
+        String server = line.getOptionValue(ARGUMENT.PROXY_SERVER);
+        if (server == null) {
+            server = line.getOptionValue(ARGUMENT.PROXY_URL);
+            if (server != null) {
+                LOGGER.warning("An old command line argument 'proxyurl' was detected; use proxyserver instead");
+            }
+        }
+        return server;
    }

    /**
@@ -474,7 +612,7 @@ public final class CliParser {
     * @return the proxy port
     */
    public String getProxyPort() {
-        return line.getOptionValue(ArgumentName.PROXY_PORT);
+        return line.getOptionValue(ARGUMENT.PROXY_PORT);
    }

    /**
@@ -483,7 +621,7 @@ public final class CliParser {
     * @return the proxy username
     */
    public String getProxyUsername() {
-        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+        return line.getOptionValue(ARGUMENT.PROXY_USERNAME);
    }

    /**
@@ -492,7 +630,7 @@ public final class CliParser {
     * @return the proxy password
     */
    public String getProxyPassword() {
-        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+        return line.getOptionValue(ARGUMENT.PROXY_PASSWORD);
    }

    /**
@@ -501,7 +639,7 @@ public final class CliParser {
     * @return the value of dataDirectory
     */
    public String getDataDirectory() {
-        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
+        return line.getOptionValue(ARGUMENT.DATA_DIRECTORY);
    }

    /**
@@ -510,7 +648,7 @@ public final class CliParser {
     * @return the properties file specified on the command line
     */
    public File getPropertiesFile() {
-        final String path = line.getOptionValue(ArgumentName.PROP);
+        final String path = line.getOptionValue(ARGUMENT.PROP);
        if (path != null) {
            return new File(path);
        }
@@ -523,7 +661,7 @@ public final class CliParser {
     * @return the path to the verbose log file
     */
    public String getVerboseLog() {
-        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+        return line.getOptionValue(ARGUMENT.VERBOSE_LOG);
    }

    /**
@@ -532,7 +670,7 @@ public final class CliParser {
     * @return the path to the suppression file
     */
    public String getSuppressionFile() {
-        return line.getOptionValue(ArgumentName.SUPPRESION_FILE);
+        return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
    }

    /**
@@ -543,8 +681,8 @@ public final class CliParser {
     */
    public void printVersionInfo() {
        final String version = String.format("%s version %s",
-                Settings.getString("application.name", "DependencyCheck"),
-                Settings.getString("application.version", "Unknown"));
+                Settings.getString(Settings.KEYS.APPLICATION_VAME, "dependency-check"),
+                Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
        System.out.println(version);
    }

@@ -555,7 +693,7 @@ public final class CliParser {
     * @return if auto-update is allowed.
     */
    public boolean isAutoUpdate() {
-        return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
+        return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
    }

    /**
@@ -564,7 +702,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverName() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER);
    }

    /**
@@ -573,7 +711,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverPath() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER_PATH);
    }

    /**
@@ -582,7 +720,7 @@ public final class CliParser {
     * @return the database connection string if specified; otherwise null is returned
     */
    public String getConnectionString() {
-        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
+        return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
    }

    /**
@@ -591,7 +729,7 @@ public final class CliParser {
     * @return the database database user name if specified; otherwise null is returned
     */
    public String getDatabaseUser() {
-        return line.getOptionValue(ArgumentName.DB_NAME);
+        return line.getOptionValue(ARGUMENT.DB_NAME);
    }

    /**
@@ -600,7 +738,7 @@ public final class CliParser {
     * @return the database database password if specified; otherwise null is returned
     */
    public String getDatabasePassword() {
-        return line.getOptionValue(ArgumentName.DB_PASSWORD);
+        return line.getOptionValue(ARGUMENT.DB_PASSWORD);
    }

    /**
@@ -609,13 +747,13 @@ public final class CliParser {
     * @return the additional Extensions; otherwise null is returned
     */
    public String getAdditionalZipExtensions() {
-        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
+        return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
    }

    /**
     * A collection of static final strings that represent the possible command line arguments.
     */
-    public static class ArgumentName {
+    public static class ARGUMENT {

        /**
         * The long CLI argument name specifying the directory/file to scan.
@@ -677,21 +815,20 @@ public final class CliParser {
         * The short CLI argument name asking for the version.
         */
        public static final String VERSION = "version";
-        /**
-         * The short CLI argument name indicating the proxy port.
-         */
-        public static final String PROXY_PORT_SHORT = "p";
        /**
         * The CLI argument name indicating the proxy port.
         */
        public static final String PROXY_PORT = "proxyport";
        /**
-         * The short CLI argument name indicating the proxy url.
+         * The CLI argument name indicating the proxy server.
         */
-        public static final String PROXY_URL_SHORT = "u";
+        public static final String PROXY_SERVER = "proxyserver";
        /**
         * The CLI argument name indicating the proxy url.
+         *
+         * @deprecated use {@link org.owasp.dependencycheck.cli.CliParser.ArgumentName#PROXY_SERVER} instead
         */
+        @Deprecated
        public static final String PROXY_URL = "proxyurl";
        /**
         * The CLI argument name indicating the proxy username.
@@ -736,7 +873,27 @@ public final class CliParser {
        /**
         * The CLI argument name for setting the location of the suppression file.
         */
-        public static final String SUPPRESION_FILE = "suppression";
+        public static final String SUPPRESSION_FILE = "suppression";
+        /**
+         * Disables the Jar Analyzer.
+         */
+        public static final String DISABLE_JAR = "disableJar";
+        /**
+         * Disables the Archive Analyzer.
+         */
+        public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Assembly Analyzer.
+         */
+        public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Nuspec Analyzer.
+         */
+        public static final String DISABLE_NUSPEC = "disableNuspec";
+        /**
+         * Disables the Central Analyzer.
+         */
+        public static final String DISABLE_CENTRAL = "disableCentral";
        /**
         * Disables the Nexus Analyzer.
         */
@@ -777,5 +934,9 @@ public final class CliParser {
         * The CLI argument name for setting extra extensions.
         */
        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
+        /**
+         * Exclude path argument.
+         */
+        public static final String EXCLUDE = "exclude";
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
@@ -0,0 +1,61 @@
+/*
+ * This file is part of dependency-check-cli.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+/**
+ * Thrown if an invalid path is encountered.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+class InvalidScanPathException extends Exception {
+
+    /**
+     * Creates a new InvalidScanPathException.
+     */
+    public InvalidScanPathException() {
+        super();
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param msg a message for the exception
+     */
+    public InvalidScanPathException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param ex the cause of the exception
+     */
+    public InvalidScanPathException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param msg a message for the exception
+     * @param ex the cause of the exception
+     */
+    public InvalidScanPathException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
@@ -1,12 +0,0 @@
-/**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.cli</title>
- * </head>
- * <body>
- * Includes utility classes such as the CLI Parser,
- * </body>
- * </html>
-*/
-
-package org.owasp.dependencycheck.cli;
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -1,33 +1,44 @@
 Command Line Arguments
-====================
+======================

 The following table lists the command line arguments:

-Short  | Argument Name         | Parameter       | Description | Requirement
+Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
 \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
- \-c   | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | Optional
- \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | Optional
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
+       | \-\-exclude           | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**) . | Optional
+ \-o   | \-\-out               | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
 \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
- \-h   | \-\-help              |                 | Print the help message. | Optional
 \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
 \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
- \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
- \-p   | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | Optional
-       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | Optional
-       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | Optional
- \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. | Required
       | \-\-suppression       | \<file\>        | The file path to the suppression XML file; used to suppress [false positives](../suppression.html). | Optional
- \-u   | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | Optional
- \-v   | \-\-version           |                 | Print the version information. | Optional
+ \-h   | \-\-help              |                 | Print the help message. | Optional
       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
-       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | Optional
-       | \-\-dbDriverName      | \<driver\>      | The database driver name. | Optional
-       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | Optional
-       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | Optional
-       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | Optional
-       | \-\-disableNexus      |                 | Disable the Nexus Analyzer. | Optional
-       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | Optional
-       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | Optional
-       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | Optional
-       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems. | Optional
+ \-v   | \-\-version           |                 | Print the version information. | Optional
+
+Advanced Options
+================
+Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                | Default&nbsp;Value
+-------|-----------------------|-----------------|-----------------------------------------------------------------------------|---------------
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                             | false
+       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+       | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be used.                                     | false
+       | \-\-disableCentral    |                 | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
+       | \-\-disableNexus      |                 | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
+       | \-\-nexus             | \<url\>         | The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled. | &nbsp;
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.   | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.            | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.              | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.         | &nbsp;
+       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                         | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                           | &nbsp;
+       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources.                       | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources.                       | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database.                                      | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name.                                                   | &nbsp;
+       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database.                               | &nbsp;
+ \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
--- a/dependency-check-cli/src/site/markdown/installation.md.vm
+++ b/dependency-check-cli/src/site/markdown/installation.md.vm
@@ -8,20 +8,18 @@ script executable:
    $ chmod +777 dependency-check.sh

 To scan a folder on the system you can run:
+#set( $H = '#' )

-Windows
-------
+$H$H$H Windows
    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"

-\*nix
-------
+$H$H$H *nix
    dependency-check.sh --app "My App Name" --scan "/java/application/lib"

 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
-Windows
-------
+
+$H$H$H Windows
    dependency-check.bat --help

-\*nix
-------
+$H$H$H *nix
    dependency-check.sh --help
--- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
@@ -15,8 +15,9 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.cli;
+package org.owasp.dependencycheck;

+import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
@@ -29,6 +30,7 @@ import org.junit.Assert;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -38,10 +40,12 @@ public class CliParserTest {

    @BeforeClass
    public static void setUpClass() throws Exception {
+        Settings.initialize();
    }

    @AfterClass
    public static void tearDownClass() throws Exception {
+        Settings.cleanup(true);
    }

    @Before
--- a/dependency-check-core/config/checkstyle-checks.xml
+++ b/dependency-check-core/config/checkstyle-checks.xml
@@ -1,223 +0,0 @@
-<?xml version="1.0"?>
-<!DOCTYPE module PUBLIC
-          "-//Puppy Crawl//DTD Check Configuration 1.3//EN"
-          "http://www.puppycrawl.com/dtds/configuration_1_3.dtd">
-
-<module name="Checker">
-  <!--
-      If you set the basedir property below, then all reported file
-      names will be relative to the specified directory. See
-      http://checkstyle.sourceforge.net/5.x/config.html#Checker
-
-      <property name="basedir" value="${basedir}"/>
-  -->
-
-  <property name="severity" value="error"/>
-
-  <module name="SuppressionFilter">
-    <property name="file" value="${checkstyle.suppressions.file}"/>
-  </module>
-
-  <module name="JavadocPackage">
-    <property name="allowLegacy" value="false"/>
-  </module>
-
-  <module name="Translation">
-    <property name="severity" value="warning"/>
-  </module>
-
-  <module name="FileTabCharacter">
-    <property name="eachLine" value="false"/>
-  </module>
-
-  <module name="FileLength">
-    <property name="fileExtensions" value="java"/>
-  </module>
-
-  <module name="NewlineAtEndOfFile">
-  <property name="fileExtensions" value="java"/>
-  <property name="lineSeparator" value="lf"/>
-  </module>
-
-  <module name="RegexpHeader">
-    <property name="headerFile" value="${checkstyle.header.file}"/>
-    <property name="fileExtensions" value="java"/>
-    <property name="id" value="header"/>
-  </module>
-
-  <module name="RegexpSingleline">
-    <property name="format" value="\s+$"/>
-    <property name="minimum" value="0"/>
-    <property name="maximum" value="0"/>
-  </module>
-
-  <module name="TreeWalker">
-    <property name="tabWidth" value="4"/>
-
-    <module name="AvoidStarImport"/>
-    <module name="ConstantName"/>
-    <module name="EmptyBlock"/>
-    <module name="EmptyForIteratorPad"/>
-    <module name="EqualsHashCode"/>
-    <module name="OneStatementPerLine"/>
-
-    <!-- module name="IllegalCatch"/ -->
-    <!--module name="ImportControl">
-      <property name="file" value="${checkstyle.importcontrol.file}"/>
-    </module-->
-    <module name="IllegalImport"/>
-    <module name="IllegalInstantiation"/>
-    <module name="IllegalThrows"/>
-    <module name="InnerAssignment"/>
-    <module name="JavadocType">
-      <property name="authorFormat" value="\S"/>
-    </module>
-    <module name="JavadocMethod">
-      <property name="allowUndeclaredRTE" value="true"/>
-      <property name="allowThrowsTagsForSubclasses" value="true"/>
-      <property name="allowMissingPropertyJavadoc" value="true"/>
-    </module>
-    <module name="JavadocVariable"/>
-    <module name="JavadocStyle">
-      <property name="scope" value="public"/>
-    </module>
-
-    <module name="LeftCurly">
-      <property name="option" value="eol"/>
-      <property name="tokens" value="CLASS_DEF"/>
-      <property name="tokens" value="CTOR_DEF"/>
-      <property name="tokens" value="INTERFACE_DEF"/>
-      <property name="tokens" value="METHOD_DEF"/>
-      <property name="tokens" value="LITERAL_CATCH"/>
-      <property name="tokens" value="LITERAL_DO"/>
-      <property name="tokens" value="LITERAL_ELSE"/>
-      <property name="tokens" value="LITERAL_FINALLY"/>
-      <property name="tokens" value="LITERAL_FOR"/>
-      <property name="tokens" value="LITERAL_IF"/>
-      <property name="tokens" value="LITERAL_SWITCH"/>
-      <property name="tokens" value="LITERAL_SYNCHRONIZED"/>
-      <property name="tokens" value="LITERAL_TRY"/>
-      <property name="tokens" value="LITERAL_WHILE"/>
-    </module>
-
-    <module name="OuterTypeNumber"/>
-    <module name="LineLength">
-      <property name="ignorePattern" value="^ *\* *[^ ]+$"/>
-    <property name="max" value="150"/>
-    </module>
-
-    <module name="MethodCount">
-      <property name="maxTotal" value="40"/>
-    </module>
-
-    <module name="LocalFinalVariableName"/>
-    <module name="LocalVariableName"/>
-    <module name="MemberName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="MethodLength">
-        <property name="max" value="160"/>
-        <property name="countEmpty" value="false"/>
-    </module>
-    <module name="MethodName"/>
-    <module name="MethodParamPad"/>
-    <module name="ModifierOrder"/>
-    <module name="NeedBraces"/>
-    <module name="NoWhitespaceAfter">
-      <property name="tokens" value="ARRAY_INIT"/>
-      <property name="tokens" value="BNOT"/>
-      <property name="tokens" value="DEC"/>
-      <property name="tokens" value="DOT"/>
-      <property name="tokens" value="INC"/>
-      <property name="tokens" value="LNOT"/>
-      <property name="tokens" value="UNARY_MINUS"/>
-      <property name="tokens" value="UNARY_PLUS"/>
-    </module>
-
-    <module name="NoWhitespaceBefore"/>
-    <module name="NoWhitespaceBefore">
-      <property name="tokens" value="DOT"/>
-      <property name="allowLineBreaks" value="true"/>
-    </module>
-
-    <module name="OperatorWrap"/>
-    <module name="OperatorWrap">
-      <property name="tokens" value="ASSIGN"/>
-      <property name="tokens" value="DIV_ASSIGN"/>
-      <property name="tokens" value="PLUS_ASSIGN"/>
-      <property name="tokens" value="MINUS_ASSIGN"/>
-      <property name="tokens" value="STAR_ASSIGN"/>
-      <property name="tokens" value="MOD_ASSIGN"/>
-      <property name="tokens" value="SR_ASSIGN"/>
-      <property name="tokens" value="BSR_ASSIGN"/>
-      <property name="tokens" value="SL_ASSIGN"/>
-      <property name="tokens" value="BXOR_ASSIGN"/>
-      <property name="tokens" value="BOR_ASSIGN"/>
-      <property name="tokens" value="BAND_ASSIGN"/>
-      <property name="option" value="eol"/>
-    </module>
-    <module name="PackageName"/>
-    <module name="ParameterName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="ParameterNumber">
-      <property name="id" value="paramNum"/>
-    </module>
-    <module name="ParenPad"/>
-    <module name="TypecastParenPad"/>
-    <module name="RedundantImport"/>
-    <module name="RedundantModifier"/>
-    <module name="RightCurly">
-      <property name="option" value="same"/>
-    </module>
-    <module name="SimplifyBooleanExpression"/>
-    <module name="SimplifyBooleanReturn"/>
-    <module name="StaticVariableName">
-      <property name="format" value="^[a-z][a-zA-Z0-9]*$"/>
-    </module>
-    <module name="TypeName"/>
-    <module name="UnusedImports"/>
-    <module name="UpperEll"/>
-    <module name="VisibilityModifier"/>
-    <module name="WhitespaceAfter"/>
-    <module name="WhitespaceAround"/>
-    <module name="GenericWhitespace"/>
-    <module name="FinalClass"/>
-    <module name="MissingSwitchDefault"/>
-    <!--module name="MagicNumber"/-->
-    <!--module name="Indentation">
-      <property name="basicOffset" value="4"/>
-      <property name="braceAdjustment" value="0"/>
-      <property name="caseIndent" value="0"/>
-    </module-->
-    <module name="ArrayTrailingComma"/>
-    <module name="FinalLocalVariable"/>
-    <module name="EqualsAvoidNull"/>
-    <module name="ParameterAssignment"/>
-
-    <!-- Generates quite a few errors -->
-    <module name="CyclomaticComplexity">
-      <property name="severity" value="ignore"/>
-    </module>
-
-    <module name="NestedForDepth">
-      <property name="max" value="2"/>
-    </module>
-    <module name="NestedIfDepth">
-      <property name="max" value="4"/>
-    </module>
-    <module name="NestedTryDepth">
-        <property name="max" value="2"/>
-    </module>
-    <!--module name="ExplicitInitialization"/-->
-    <module name="AnnotationUseStyle"/>
-    <module name="MissingDeprecated"/>
-    <module name="MissingOverride">
-      <property name="javaFiveCompatibility" value="true"/>
-    </module>
-    <module name="PackageAnnotation"/>
-    <module name="SuppressWarnings"/>
-    <module name="OuterTypeFilename"/>
-    <module name="HideUtilityClassConstructor"/>
-  </module>
-</module>
--- a/dependency-check-core/config/checkstyle-header.txt
+++ b/dependency-check-core/config/checkstyle-header.txt
@@ -1,18 +0,0 @@
-^/\*\s*$
-^ \* This file is part of dependency-check-core\.\s*$
-^ \*\s*$
-^ \* Licensed under the Apache License, Version 2\.0 \(the "License"\);\s*$
-^ \* you may not use this file except in compliance with the License.\s*$
-^ \* You may obtain a copy of the License at\s*$
-^ \*\s*$
-^ \*\s*http://www.apache.org/licenses/LICENSE-2\.0\s*$
-^ \*\s*$
-^ \* Unless required by applicable law or agreed to in writing, software\s*$
-^ \* distributed under the License is distributed on an "AS IS" BASIS,\s*$
-^ \* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied\.\s*$
-^ \* See the License for the specific language governing permissions and\s*$
-^ \* limitations under the License\.\s*$
-^ \*\s*$
-^ \* Copyright \(c\) 201[234] (Jeremy Long|Steve Springett)\. All Rights Reserved\.\s*$
-^ \*/\s*$
-^package
--- a/dependency-check-core/config/checkstyle-suppressions.xml
+++ b/dependency-check-core/config/checkstyle-suppressions.xml
@@ -1,12 +0,0 @@
-<?xml version="1.0"?>
-
-<!DOCTYPE suppressions PUBLIC
-     "-//Puppy Crawl//DTD Suppressions 1.0//EN"
-     "http://www.puppycrawl.com/dtds/suppressions_1_0.dtd">
-
-<suppressions>
-    <suppress checks=".*" files=".*[\\/]package-info\.java" />
-    <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Filter.java" />
-    <suppress checks=".*" files=".*org[\\/]owasp[\\/]dependencycheck[\\/]utils[\\/]Checksum.java" />
-    <suppress checks=".*" files=".*[\\/]generated[\\/].*.java" />
-</suppressions>
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -15,19 +15,19 @@ limitations under the License.

 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.1.3</version>
+        <version>1.2.8</version>
    </parent>

    <artifactId>dependency-check-core</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Core</name>
+    <description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -220,6 +220,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <name>data.directory</name>
                            <value>${project.build.directory}/data</value>
                        </property>
+                        <property>
+                            <name>temp.directory</name>
+                            <value>${project.build.directory}/temp</value>
+                        </property>
+
                    </systemProperties>
                    <includes>
                        <include>**/*IntegrationTest.java</include>
@@ -267,6 +272,9 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-javadoc-plugin</artifactId>
                            <version>2.9.1</version>
+                            <configuration>
+                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
+                            </configuration>
                            <reportSets>
                                <reportSet>
                                    <id>default</id>
@@ -348,16 +356,16 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <version>2.11</version>
                            <configuration>
                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/config/checkstyle-suppressions.xml</suppressionsLocation>
+                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
                            </configuration>
                        </plugin>
                        <plugin>
                            <groupId>org.apache.maven.plugins</groupId>
                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
+                            <version>3.1</version>
                            <configuration>
                                <targetJdk>1.6</targetJdk>
                                <linkXref>true</linkXref>
@@ -365,6 +373,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                                <excludes>
                                    <exclude>**/generated/*.java</exclude>
                                </excludes>
+                                <rulesets>
+                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
+                                    <ruleset>/rulesets/java/basic.xml</ruleset>
+                                    <ruleset>/rulesets/java/imports.xml</ruleset>
+                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                                </rulesets>
                            </configuration>
                        </plugin>
                        <plugin>
@@ -386,6 +400,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                <version>3.1</version>
                <configuration>
                    <showDeprecation>false</showDeprecation>
+                    <compilerArgument>-Xlint:unchecked</compilerArgument>
                    <source>1.6</source>
                    <target>1.6</target>
                </configuration>
@@ -393,12 +408,23 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        </plugins>
    </build>
    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-test-framework</artifactId>
            <version>4.3.1</version>
            <scope>test</scope>
        </dependency>
+        <dependency>
+            <groupId>org.jmockit</groupId>
+            <artifactId>jmockit</artifactId>
+            <version>1.12</version>
+            <scope>test</scope>
+        </dependency>
        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>annotations</artifactId>
@@ -410,6 +436,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>commons-cli</artifactId>
            <version>1.2</version>
        </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-compress</artifactId>
+            <version>1.8.1</version>
+        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
            <artifactId>commons-io</artifactId>
@@ -440,50 +471,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <artifactId>velocity</artifactId>
            <version>1.7</version>
        </dependency>
-        <dependency>
-            <groupId>org.apache.velocity</groupId>
-            <artifactId>velocity-tools</artifactId>
-            <version>2.0</version>
-            <!-- very limited use of the velocity-tools, not all of the dependencies are needed-->
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-chain</groupId>
-                    <artifactId>commons-chain</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>javax.servlet</groupId>
-                    <artifactId>servlet-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-validator</groupId>
-                    <artifactId>commons-validator</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>dom4j</groupId>
-                    <artifactId>dom4j</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>sslext</groupId>
-                    <artifactId>sslext</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>antlr</groupId>
-                    <artifactId>antlr</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-taglib</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-tiles</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
@@ -495,11 +482,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <version>1.7.2</version>
            <type>jar</type>
        </dependency>
-        <dependency>
-            <groupId>org.apache.commons</groupId>
-            <artifactId>commons-compress</artifactId>
-            <version>1.5</version>
-        </dependency>
        <!-- The following dependencies are only used during testing -->
        <dependency>
            <groupId>org.apache.maven.scm</groupId>
@@ -515,6 +497,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>3.0.0.RELEASE</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast</artifactId>
@@ -581,6 +570,27 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.apache.openjpa</groupId>
+            <artifactId>openjpa</artifactId>
+            <version>2.0.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.google.inject</groupId>
+            <artifactId>guice</artifactId>
+            <version>3.0</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>org.springframework.retry</groupId>
+            <artifactId>spring-retry</artifactId>
+            <version>1.1.0.RELEASE</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
    </dependencies>
    <profiles>
        <profile>
@@ -642,11 +652,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            Additionally, these are only added when using "allTests" to
            make the build slightly faster in most cases. -->
            <id>False Positive Tests</id>
-            <!--activation>
+            <activation>
                <property>
                    <name>allTests</name>
                </property>
-            </activation-->
+            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.apache.xmlgraphics</groupId>
@@ -669,6 +679,56 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <scope>provided</scope>
                    <optional>true</optional>
                </dependency>
+                <dependency>
+                    <groupId>com.ganyo</groupId>
+                    <artifactId>gcm-server</artifactId>
+                    <version>1.0.2</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.python</groupId>
+                    <artifactId>jython-standalone</artifactId>
+                    <version>2.7-b1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby-complete</artifactId>
+                    <version>1.7.4</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.jruby</groupId>
+                    <artifactId>jruby</artifactId>
+                    <version>1.6.3</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.glassfish.jersey.core</groupId>
+                    <artifactId>jersey-client</artifactId>
+                    <version>2.12</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.sun.jersey</groupId>
+                    <artifactId>jersey-client</artifactId>
+                    <version>1.11.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.sun.faces</groupId>
+                    <artifactId>jsf-impl</artifactId>
+                    <version>2.2.8-02</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+
            </dependencies>
        </profile>
    </profiles>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -29,9 +29,8 @@ import java.util.logging.Logger;
 import org.owasp.dependencycheck.analyzer.AnalysisPhase;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
-import org.owasp.dependencycheck.data.cpe.IndexException;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -56,15 +55,25 @@ public class Engine {
    /**
     * The list of dependencies.
     */
-    private final List<Dependency> dependencies;
+    private List<Dependency> dependencies = new ArrayList<Dependency>();
    /**
     * A Map of analyzers grouped by Analysis phase.
     */
-    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
+    private EnumMap<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+
    /**
-     * A set of extensions supported by the analyzers.
+     * A Map of analyzers grouped by Analysis phase.
     */
-    private final Set<String> extensions;
+    private Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+
+    /**
+     * The ClassLoader to use when dynamically loading Analyzer and Update services.
+     */
+    private ClassLoader serviceClassLoader = Thread.currentThread().getContextClassLoader();
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Engine.class.getName());

    /**
     * Creates a new Engine.
@@ -72,20 +81,27 @@ public class Engine {
     * @throws DatabaseException thrown if there is an error connecting to the database
     */
    public Engine() throws DatabaseException {
-        this.extensions = new HashSet<String>();
-        this.dependencies = new ArrayList<Dependency>();
-        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
-        ConnectionFactory.initialize();
+        initializeEngine();
+    }

-        boolean autoUpdate = true;
-        try {
-            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-        } catch (InvalidSettingException ex) {
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "Invalid setting for auto-update; using true.");
-        }
-        if (autoUpdate) {
-            doUpdates();
-        }
+    /**
+     * Creates a new Engine.
+     *
+     * @param serviceClassLoader a reference the class loader being used
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
+        this.serviceClassLoader = serviceClassLoader;
+        initializeEngine();
+    }
+
+    /**
+     * Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
+     *
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    protected final void initializeEngine() throws DatabaseException {
+        ConnectionFactory.initialize();
        loadAnalyzers();
    }

@@ -100,18 +116,20 @@ public class Engine {
     * Loads the analyzers specified in the configuration file (or system properties).
     */
    private void loadAnalyzers() {
-
+        if (analyzers.size() > 0) {
+            return;
+        }
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            analyzers.put(phase, new ArrayList<Analyzer>());
        }

-        final AnalyzerService service = AnalyzerService.getInstance();
+        final AnalyzerService service = new AnalyzerService(serviceClassLoader);
        final Iterator<Analyzer> iterator = service.getAnalyzers();
        while (iterator.hasNext()) {
            final Analyzer a = iterator.next();
            analyzers.get(a.getAnalysisPhase()).add(a);
-            if (a.getSupportedExtensions() != null) {
-                extensions.addAll(a.getSupportedExtensions());
+            if (a instanceof FileTypeAnalyzer) {
+                this.fileTypeAnalyzers.add((FileTypeAnalyzer) a);
            }
        }
    }
@@ -135,151 +153,212 @@ public class Engine {
        return dependencies;
    }

+    /**
+     * Sets the dependencies.
+     *
+     * @param dependencies the dependencies
+     */
+    public void setDependencies(List<Dependency> dependencies) {
+        this.dependencies = dependencies;
+    }
+
    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param paths an array of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param paths an array of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(String[] paths) {
+    public List<Dependency> scan(String[] paths) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (String path : paths) {
            final File file = new File(path);
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
-     * @param path the path to a file or directory to be analyzed.
+     * @param path the path to a file or directory to be analyzed
+     * @return the list of dependencies scanned
     */
-    public void scan(String path) {
+    public List<Dependency> scan(String path) {
        final File file = new File(path);
-        scan(file);
+        return scan(file);
    }

    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
-     *
     * @param files an array of paths to files or directories to be analyzed.
+     * @return the list of dependencies
+     *
+     * @since v0.3.2.5
     */
-    public void scan(File[] files) {
+    public List<Dependency> scan(File[] files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param files a set of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param files a set of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(Set<File> files) {
+    public List<Dependency> scan(Set<File> files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param files a set of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param files a set of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(List<File> files) {
+    public List<Dependency> scan(List<File> files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
+     * @param file the path to a file or directory to be analyzed
+     * @return the list of dependencies scanned
+     *
     * @since v0.3.2.4
     *
-     * @param file the path to a file or directory to be analyzed.
     */
-    public void scan(File file) {
+    public List<Dependency> scan(File file) {
        if (file.exists()) {
            if (file.isDirectory()) {
-                scanDirectory(file);
+                return scanDirectory(file);
            } else {
-                scanFile(file);
+                final Dependency d = scanFile(file);
+                if (d != null) {
+                    final List<Dependency> deps = new ArrayList<Dependency>();
+                    deps.add(d);
+                    return deps;
+                }
            }
        }
+        return null;
    }

    /**
     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
     *
-     * @param dir the directory to scan.
+     * @param dir the directory to scan
+     * @return the list of Dependency objects scanned
     */
-    protected void scanDirectory(File dir) {
+    protected List<Dependency> scanDirectory(File dir) {
        final File[] files = dir.listFiles();
+        final List<Dependency> deps = new ArrayList<Dependency>();
        if (files != null) {
            for (File f : files) {
                if (f.isDirectory()) {
-                    scanDirectory(f);
+                    final List<Dependency> d = scanDirectory(f);
+                    if (d != null) {
+                        deps.addAll(d);
+                    }
                } else {
-                    scanFile(f);
+                    final Dependency d = scanFile(f);
+                    deps.add(d);
                }
            }
        }
+        return deps;
    }

    /**
     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
     *
-     * @param file The file to scan.
+     * @param file The file to scan
+     * @return the scanned dependency
     */
-    protected void scanFile(File file) {
+    protected Dependency scanFile(File file) {
        if (!file.isFile()) {
            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-            return;
+            LOGGER.log(Level.FINE, msg);
+            return null;
        }
        final String fileName = file.getName();
        final String extension = FileUtils.getFileExtension(fileName);
+        Dependency dependency = null;
        if (extension != null) {
-            if (extensions.contains(extension)) {
-                final Dependency dependency = new Dependency(file);
+            if (supportsExtension(extension)) {
+                dependency = new Dependency(file);
                dependencies.add(dependency);
            }
        } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
-                    file.toString());
-            Logger.getLogger(Engine.class.getName()).log(Level.FINEST, msg);
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
+            LOGGER.log(Level.FINE, msg);
        }
+        return dependency;
    }

    /**
     * Runs the analyzers against all of the dependencies.
     */
    public void analyzeDependencies() {
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
+        }
+        if (autoUpdate) {
+            doUpdates();
+        }
+
        //need to ensure that data exists
        try {
            ensureDataExists();
        } catch (NoDataException ex) {
            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
            return;
        } catch (DatabaseException ex) {
            final String msg = String.format("%s%n%nUnable to continue dependency-check analysis.", ex.getMessage());
-            Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
            return;

        }
@@ -288,75 +367,54 @@ public class Engine {
                + "----------------------------------------------------%n"
                + "BEGIN ANALYSIS%n"
                + "----------------------------------------------------");
-        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logHeader);
-        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Starting");
-
-        //phase one initialize
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                try {
-                    final String msg = String.format("Initializing %s", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                    a.initialize();
-                } catch (Throwable ex) {
-                    final String msg = String.format("Exception occurred initializing %s.", a.getName());
-                    Logger.getLogger(Engine.class.getName()).log(Level.SEVERE, msg);
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINE, null, ex);
-                    try {
-                        a.close();
-                    } catch (Throwable ex1) {
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex1);
-                    }
-                }
-            }
-        }
+        LOGGER.log(Level.FINE, logHeader);
+        LOGGER.log(Level.INFO, "Analysis Starting");

        // analysis phases
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);

            for (Analyzer a : analyzerList) {
+                a = initializeAnalyzer(a);
+
                /* need to create a copy of the collection because some of the
                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
                 * This is okay for adds/deletes because it happens per analyzer.
                 */
                final String msg = String.format("Begin Analyzer '%s'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
+                LOGGER.log(Level.FINE, msg);
                final Set<Dependency> dependencySet = new HashSet<Dependency>();
                dependencySet.addAll(dependencies);
                for (Dependency d : dependencySet) {
-                    if (a.supportsExtension(d.getFileExtension())) {
+                    boolean shouldAnalyze = true;
+                    if (a instanceof FileTypeAnalyzer) {
+                        final FileTypeAnalyzer fAnalyzer = (FileTypeAnalyzer) a;
+                        shouldAnalyze = fAnalyzer.supportsExtension(d.getFileExtension());
+                    }
+                    if (shouldAnalyze) {
                        final String msgFile = String.format("Begin Analysis of '%s'", d.getActualFilePath());
-                        Logger.getLogger(Engine.class.getName()).log(Level.FINE, msgFile);
+                        LOGGER.log(Level.FINE, msgFile);
                        try {
                            a.analyze(d, this);
                        } catch (AnalysisException ex) {
-                            final String exMsg = String.format("An error occured while analyzing '%s'.", d.getActualFilePath());
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, exMsg);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            final String exMsg = String.format("An error occurred while analyzing '%s'.", d.getActualFilePath());
+                            LOGGER.log(Level.WARNING, exMsg);
+                            LOGGER.log(Level.FINE, "", ex);
                        } catch (Throwable ex) {
                            final String axMsg = String.format("An unexpected error occurred during analysis of '%s'", d.getActualFilePath());
                            //final AnalysisException ax = new AnalysisException(axMsg, ex);
-                            Logger.getLogger(Engine.class.getName()).log(Level.WARNING, axMsg);
-                            Logger.getLogger(Engine.class.getName()).log(Level.FINE, "", ex);
+                            LOGGER.log(Level.WARNING, axMsg);
+                            LOGGER.log(Level.FINE, "", ex);
                        }
                    }
                }
            }
        }
-
-        //close/cleanup
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            final List<Analyzer> analyzerList = analyzers.get(phase);
+
            for (Analyzer a : analyzerList) {
-                final String msg = String.format("Closing Analyzer '%s'", a.getName());
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE, msg);
-                try {
-                    a.close();
-                } catch (Throwable ex) {
-                    Logger.getLogger(Engine.class.getName()).log(Level.FINEST, null, ex);
-                }
+                closeAnalyzer(a);
            }
        }

@@ -364,27 +422,67 @@ public class Engine {
                + "----------------------------------------------------%n"
                + "END ANALYSIS%n"
                + "----------------------------------------------------");
-        Logger.getLogger(Engine.class.getName()).log(Level.FINE, logFooter);
-        Logger.getLogger(Engine.class.getName()).log(Level.INFO, "Analysis Complete");
+        LOGGER.log(Level.FINE, logFooter);
+        LOGGER.log(Level.INFO, "Analysis Complete");
+    }
+
+    /**
+     * Initializes the given analyzer.
+     *
+     * @param analyzer the analyzer to initialize
+     * @return the initialized analyzer
+     */
+    protected Analyzer initializeAnalyzer(Analyzer analyzer) {
+        try {
+            final String msg = String.format("Initializing %s", analyzer.getName());
+            LOGGER.log(Level.FINE, msg);
+            analyzer.initialize();
+        } catch (Throwable ex) {
+            final String msg = String.format("Exception occurred initializing %s.", analyzer.getName());
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            try {
+                analyzer.close();
+            } catch (Throwable ex1) {
+                LOGGER.log(Level.FINEST, null, ex1);
+            }
+        }
+        return analyzer;
+    }
+
+    /**
+     * Closes the given analyzer.
+     *
+     * @param analyzer the analyzer to close
+     */
+    protected void closeAnalyzer(Analyzer analyzer) {
+        final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
+        LOGGER.log(Level.FINE, msg);
+        try {
+            analyzer.close();
+        } catch (Throwable ex) {
+            LOGGER.log(Level.FINEST, null, ex);
+        }
    }

    /**
     * Cycles through the cached web data sources and calls update on all of them.
     */
    private void doUpdates() {
-        final UpdateService service = UpdateService.getInstance();
+        LOGGER.info("Checking for updates");
+        final UpdateService service = new UpdateService(serviceClassLoader);
        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
        while (iterator.hasNext()) {
            final CachedWebDataSource source = iterator.next();
            try {
                source.update();
            } catch (UpdateException ex) {
-                Logger.getLogger(Engine.class.getName()).log(Level.WARNING,
+                LOGGER.log(Level.WARNING,
                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                Logger.getLogger(Engine.class.getName()).log(Level.FINE,
-                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
+                LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
            }
        }
+        LOGGER.info("Check for updates complete");
    }

    /**
@@ -411,15 +509,22 @@ public class Engine {
        if (ext == null) {
            return false;
        }
-        for (AnalysisPhase phase : AnalysisPhase.values()) {
-            final List<Analyzer> analyzerList = analyzers.get(phase);
-            for (Analyzer a : analyzerList) {
-                if (a.getSupportedExtensions() != null && a.supportsExtension(ext)) {
-                    return true;
-                }
-            }
+        boolean scan = false;
+        for (FileTypeAnalyzer a : this.fileTypeAnalyzers) {
+            /* note, we can't break early on this loop as the analyzers need to know if
+             they have files to work on prior to initialization */
+            scan |= a.supportsExtension(ext);
        }
-        return false;
+        return scan;
+    }
+
+    /**
+     * Returns the set of file type analyzers.
+     *
+     * @return the set of file type analyzers
+     */
+    public Set<FileTypeAnalyzer> getFileTypeAnalyzers() {
+        return this.fileTypeAnalyzers;
    }

    /**
@@ -429,22 +534,16 @@ public class Engine {
     * @throws DatabaseException thrown if there is an exception opening the database
     */
    private void ensureDataExists() throws NoDataException, DatabaseException {
-        final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
        final CveDB cve = new CveDB();
-
        try {
            cve.open();
-            cpe.open(cve);
-        } catch (IndexException ex) {
-            throw new NoDataException(ex.getMessage(), ex);
+            if (!cve.dataExists()) {
+                throw new NoDataException("No documents exist");
+            }
        } catch (DatabaseException ex) {
            throw new NoDataException(ex.getMessage(), ex);
        } finally {
            cve.close();
        }
-        if (cpe.numDocs() <= 0) {
-            cpe.close();
-            throw new NoDataException("No documents exist");
-        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java
@@ -0,0 +1,13 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.agent</title>
+ * </head>
+ * <body>
+ * The agent package holds an agent API that can be used by other applications that have information about dependencies;
+ * but would rather implement something in their code directly rather then spawn a process to run the entire
+ * dependency-check engine. This basically provides programmatic access to running a scan.
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.agent;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java
@@ -17,33 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import java.util.Collections;
-import java.util.HashSet;
-import java.util.Set;
-
 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public abstract class AbstractAnalyzer implements Analyzer {

-    /**
-     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
-     * final static declaration.<br/><br/>
-     *
-     * This implementation was copied from
-     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction
-     *
-     * @param strings a list of strings to add to the set.
-     * @return a Set of strings.
-     */
-    protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
-
-        Collections.addAll(set, strings);
-        return set;
-    }
-
    /**
     * The initialize method does nothing for this Analyzer.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -0,0 +1,237 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Constructor">
+    /**
+     * Base constructor that all children must call. This checks the configuration to determine if the analyzer is
+     * enabled.
+     */
+    public AbstractFileTypeAnalyzer() {
+        reset();
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Field definitions">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractFileTypeAnalyzer.class.getName());
+    /**
+     * Whether the file type analyzer detected any files it needs to analyze.
+     */
+    private boolean filesMatched = false;
+
+    /**
+     * Get the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @return the value of filesMatched
+     */
+    protected boolean isFilesMatched() {
+        return filesMatched;
+    }
+
+    /**
+     * Set the value of filesMatched. A flag indicating whether the scan included any file types this analyzer supports.
+     *
+     * @param filesMatched new value of filesMatched
+     */
+    protected void setFilesMatched(boolean filesMatched) {
+        this.filesMatched = filesMatched;
+    }
+
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private boolean enabled = true;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
+    /**
+     * <p>
+     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
+     * getSupportedExtensions function would return a set with a single element "jar".</p>
+     *
+     * <p>
+     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
+     *
+     * @return The file extensions supported by this analyzer.
+     *
+     * <p>
+     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
+     * file loaded</p>
+     */
+    protected abstract Set<String> getSupportedExtensions();
+
+    /**
+     * Initializes the file type analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    protected abstract void initializeFileTypeAnalyzer() throws Exception;
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+//</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
+    /**
+     * Initializes the analyzer.
+     *
+     * @throws Exception thrown if there is an exception during initialization
+     */
+    @Override
+    public final void initialize() throws Exception {
+        if (filesMatched) {
+            initializeFileTypeAnalyzer();
+        } else {
+            enabled = false;
+        }
+    }
+
+    /**
+     * Resets the enabled flag on the analyzer.
+     */
+    @Override
+    public final void reset() {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            enabled = Settings.getBoolean(key, true);
+        } catch (InvalidSettingException ex) {
+            String msg = String.format("Invalid setting for property '%s'", key);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            msg = String.format("%s has been disabled", getName());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
+     * scanned, and added to the list of dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (enabled) {
+            analyzeFileType(dependency, engine);
+        }
+    }
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    @Override
+    public final boolean supportsExtension(String extension) {
+        if (!enabled) {
+            return false;
+        }
+        final Set<String> ext = getSupportedExtensions();
+        if (ext == null) {
+            final String msg = String.format("The '%s' analyzer is misconfigured and does not have any file extensions;"
+                    + " it will be disabled", getName());
+            LOGGER.log(Level.SEVERE, msg);
+            return false;
+        } else {
+            final boolean match = ext.contains(extension);
+            if (match) {
+                filesMatched = match;
+            }
+            return match;
+        }
+    }
+//</editor-fold>
+
+    //<editor-fold defaultstate="collapsed" desc="Static utility methods">
+    /**
+     * <p>
+     * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a
+     * final static declaration.</p>
+     *
+     * <p>
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>
+     *
+     * @param strings a list of strings to add to the set.
+     * @return a Set of strings.
+     */
+    protected static Set<String> newHashSet(String... strings) {
+        final Set<String> set = new HashSet<String>();
+
+        Collections.addAll(set, strings);
+        return set;
+    }
+//</editor-fold>
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;

 import java.io.File;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
@@ -41,6 +42,11 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {

+    /**
+     * The Logger for use throughout the class
+     */
+    private static final Logger LOGGER = Logger.getLogger(AbstractSuppressionAnalyzer.class.getName());
+
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * Returns a list of file EXTENSIONS supported by this analyzer.
@@ -51,17 +57,6 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        return null;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    //</editor-fold>
    /**
     * The initialize method loads the suppression XML file.
@@ -73,6 +68,7 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
        super.initialize();
        loadSuppressionData();
    }
+
    /**
     * The list of suppression rules
     */
@@ -102,11 +98,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     * @throws SuppressionParseException thrown if the XML cannot be parsed.
     */
    private void loadSuppressionData() throws SuppressionParseException {
+        final SuppressionParser parser = new SuppressionParser();
+        File file = null;
+        try {
+            rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
+        } catch (SuppressionParseException ex) {
+            LOGGER.log(Level.FINE, "Unable to parse the base suppression data file", ex);
+        }
        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
        if (suppressionFilePath == null) {
            return;
        }
-        File file = null;
        boolean deleteTempFile = false;
        try {
            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -119,39 +121,58 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
                } catch (DownloadFailedException ex) {
                    Downloader.fetchFile(url, file, true);
                }
+            } else {
+                file = new File(suppressionFilePath);
+                if (!file.exists()) {
+                    final InputStream suppressionsFromClasspath = this.getClass().getClassLoader().getResourceAsStream(suppressionFilePath);
+                    if (suppressionsFromClasspath != null) {
+                        deleteTempFile = true;
+                        file = FileUtils.getTempFile("suppression", "xml");
+                        try {
+                            org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
+                        } catch (IOException ex) {
+                            throwSuppressionParseException("Unable to locate suppressions file in classpath", ex);
+                        }
+                    }
+                }
            }

            if (file != null) {
-                final SuppressionParser parser = new SuppressionParser();
                try {
-                    rules = parser.parseSuppressionRules(file);
+                    //rules = parser.parseSuppressionRules(file);
+                    rules.addAll(parser.parseSuppressionRules(file));
+                    LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
                } catch (SuppressionParseException ex) {
                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, msg);
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING, ex.getMessage());
-                    Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.WARNING, msg);
+                    LOGGER.log(Level.WARNING, ex.getMessage());
+                    LOGGER.log(Level.FINE, "", ex);
                    throw ex;
                }
            }
        } catch (DownloadFailedException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Unable to fetch the configured suppression file");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Unable to fetch the configured suppression file", ex);
+            throwSuppressionParseException("Unable to fetch the configured suppression file", ex);
        } catch (MalformedURLException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Configured suppression file has an invalid URL");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Configured suppression file has an invalid URL", ex);
+            throwSuppressionParseException("Configured suppression file has an invalid URL", ex);
        } catch (IOException ex) {
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.WARNING,
-                    "Unable to create temp file for suppressions");
-            Logger.getLogger(AbstractSuppressionAnalyzer.class.getName()).log(Level.FINE, "", ex);
-            throw new SuppressionParseException("Unable to create temp file for suppressions", ex);
+            throwSuppressionParseException("Unable to create temp file for suppressions", ex);
        } finally {
            if (deleteTempFile && file != null) {
                FileUtils.delete(file);
            }
        }
    }
+
+    /**
+     * Utility method to throw parse exceptions.
+     *
+     * @param message the exception message
+     * @param exception the cause of the exception
+     * @throws SuppressionParseException throws the generated SuppressionParseException
+     */
+    private void throwSuppressionParseException(String message, Exception exception) throws SuppressionParseException {
+        LOGGER.log(Level.WARNING, message);
+        LOGGER.log(Level.FINE, "", exception);
+        throw new SuppressionParseException(message, exception);
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java
@@ -17,9 +17,8 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;

 /**
@@ -42,22 +41,6 @@ public interface Analyzer {
     */
    void analyze(Dependency dependency, Engine engine) throws AnalysisException;

-    /**
-     * <p>
-     * Returns a list of supported file extensions. An example would be an analyzer that inspected java jar files. The
-     * getSupportedExtensions function would return a set with a single element "jar".</p>
-     *
-     * <p>
-     * <b>Note:</b> when implementing this the extensions returned MUST be lowercase.</p>
-     *
-     * @return The file extensions supported by this analyzer.
-     *
-     * <p>
-     * If the analyzer returns null it will not cause additional files to be analyzed but will be executed against every
-     * file loaded</p>
-     */
-    Set<String> getSupportedExtensions();
-
    /**
     * Returns the name of the analyzer.
     *
@@ -65,14 +48,6 @@ public interface Analyzer {
     */
    String getName();

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    boolean supportsExtension(String extension);
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java
@@ -21,15 +21,13 @@ import java.util.Iterator;
 import java.util.ServiceLoader;

 /**
+ * The Analyzer Service Loader. This class loads all services that implement
+ * org.owasp.dependencycheck.analyzer.Analyzer.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class AnalyzerService {
+public class AnalyzerService {

-    /**
-     * The analyzer service singleton.
-     */
-    private static AnalyzerService service;
    /**
     * The service loader for analyzers.
     */
@@ -37,21 +35,11 @@ public final class AnalyzerService {

    /**
     * Creates a new instance of AnalyzerService.
-     */
-    private AnalyzerService() {
-        loader = ServiceLoader.load(Analyzer.class);
-    }
-
-    /**
-     * Retrieve the singleton instance of AnalyzerService.
     *
-     * @return a singleton AnalyzerService.
+     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
-    public static synchronized AnalyzerService getInstance() {
-        if (service == null) {
-            service = new AnalyzerService();
-        }
-        return service;
+    public AnalyzerService(ClassLoader classLoader) {
+        loader = ServiceLoader.load(Analyzer.class, classLoader);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -27,6 +27,7 @@ import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.Collections;
+import java.util.Enumeration;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
@@ -35,7 +36,9 @@ import java.util.logging.Logger;
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.ArchiveInputStream;
 import org.apache.commons.compress.archivers.tar.TarArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
 import org.apache.commons.compress.archivers.zip.ZipArchiveInputStream;
+import org.apache.commons.compress.archivers.zip.ZipFile;
 import org.apache.commons.compress.compressors.CompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipCompressorInputStream;
 import org.apache.commons.compress.compressors.gzip.GzipUtils;
@@ -53,8 +56,12 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ArchiveAnalyzer.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -75,6 +82,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * Tracks the current scan/extraction depth for nested archives.
     */
    private int scanDepth = 0;
+
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
@@ -87,17 +95,22 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
    /**
     * The set of things we can handle with Zip methods
     */
-    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "nupkg");
+    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
    /**
     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need
     * to be explicitly handled in extractFiles().
     */
    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz");

+    /**
+     * The set of file extensions to remove from the engine's collection of dependencies.
+     */
+    private static final Set<String> REMOVE_FROM_ANALYSIS = newHashSet("zip", "tar", "gz", "tgz"); //TODO add nupkg, apk, sar?
+
    static {
        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
        if (additionalZipExt != null) {
-            final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
            ZIPPABLES.addAll(ext);
        }
        EXTENSIONS.addAll(ZIPPABLES);
@@ -108,6 +121,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
+    @Override
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
@@ -117,44 +131,40 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ARCHIVE_ENABLED;
+    }
+
    /**
     * The initialize method does nothing for this Analyzer.
     *
     * @throws Exception is thrown if there is an exception deleting or creating temporary files
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File baseDir = Settings.getTempDirectory();
-        if (!baseDir.exists()) {
-            if (!baseDir.mkdirs()) {
-                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
-                throw new AnalysisException(msg);
-            }
-        }
        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
        if (!tempFileLocation.delete()) {
            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -174,11 +184,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
    @Override
    public void close() throws Exception {
        if (tempFileLocation != null && tempFileLocation.exists()) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING,
-                        "Failed to delete some temporary files, see the log for more details");
+            if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
+                LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
            }
        }
    }
@@ -192,15 +201,15 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException thrown if there is an analysis exception
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        final File f = new File(dependency.getActualFilePath());
        final File tmpDir = getNextTempDirectory();
        extractFiles(f, tmpDir, engine);

        //make a copy
-        final List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
+        List<Dependency> dependencies = new ArrayList<Dependency>(engine.getDependencies());
        engine.scan(tmpDir);
-        final List<Dependency> newDependencies = engine.getDependencies();
+        List<Dependency> newDependencies = engine.getDependencies();
        if (dependencies.size() != newDependencies.size()) {
            //get the new dependencies
            final Set<Dependency> dependencySet = new HashSet<Dependency>();
@@ -212,9 +221,8 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                final String displayPath = String.format("%s%s",
                        dependency.getFilePath(),
                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
-                final String displayName = String.format("%s%s%s",
+                final String displayName = String.format("%s: %s",
                        dependency.getFileName(),
-                        File.separator,
                        d.getFileName());
                d.setFilePath(displayPath);
                d.setFileName(displayName);
@@ -228,6 +236,40 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                }
            }
        }
+        if (this.REMOVE_FROM_ANALYSIS.contains(dependency.getFileExtension())) {
+            if ("zip".equals(dependency.getFileExtension()) && isZipFileActuallyJarFile(dependency)) {
+                final File tdir = getNextTempDirectory();
+                final String fileName = dependency.getFileName();
+
+                LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName));
+
+                final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+                try {
+                    org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
+                    dependencies = new ArrayList<Dependency>(engine.getDependencies());
+                    engine.scan(tmpLoc);
+                    newDependencies = engine.getDependencies();
+                    if (dependencies.size() != newDependencies.size()) {
+                        //get the new dependencies
+                        final Set<Dependency> dependencySet = new HashSet<Dependency>();
+                        dependencySet.addAll(newDependencies);
+                        dependencySet.removeAll(dependencies);
+                        if (dependencySet.size() != 1) {
+                            LOGGER.info("Deep copy of ZIP to JAR file resulted in more then one dependency?");
+                        }
+                        for (Dependency d : dependencySet) {
+                            //fix the dependency's display name and path
+                            d.setFilePath(dependency.getFilePath());
+                            d.setDisplayFileName(dependency.getFileName());
+                        }
+                    }
+                } catch (IOException ex) {
+                    final String msg = String.format("Unable to perform deep copy on '%s'", dependency.getActualFile().getPath());
+                    LOGGER.log(Level.FINE, msg, ex);
+                }
+            }
+            engine.getDependencies().remove(dependency);
+        }
        Collections.sort(engine.getDependencies());
    }

@@ -268,7 +310,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
        try {
            fis = new FileInputStream(archive);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new AnalysisException("Archive file was not found.", ex);
        }
        final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
@@ -286,17 +328,17 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
            }
        } catch (ArchiveExtractionException ex) {
            final String msg = String.format("Exception extracting archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            try {
                fis.close();
            } catch (IOException ex) {
-                Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
            }
        }
    }
@@ -325,8 +367,10 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                    final File file = new File(destination, entry.getName());
                    final String ext = FileUtils.getFileExtension(file.getName());
                    if (engine.supportsExtension(ext)) {
+                        final String extracting = String.format("Extracting '%s'", file.getPath());
+                        LOGGER.fine(extracting);
                        BufferedOutputStream bos = null;
-                        FileOutputStream fos;
+                        FileOutputStream fos = null;
                        try {
                            final File parent = file.getParentFile();
                            if (!parent.isDirectory()) {
@@ -344,13 +388,11 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                            }
                            bos.flush();
                        } catch (FileNotFoundException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class
-                                    .getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("Unable to find file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } catch (IOException ex) {
-                            Logger.getLogger(ArchiveAnalyzer.class
-                                    .getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
                            throw new AnalysisException(msg, ex);
                        } finally {
@@ -358,8 +400,14 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                                try {
                                    bos.close();
                                } catch (IOException ex) {
-                                    Logger.getLogger(ArchiveAnalyzer.class
-                                            .getName()).log(Level.FINEST, null, ex);
+                                    LOGGER.log(Level.FINEST, null, ex);
+                                }
+                            }
+                            if (fos != null) {
+                                try {
+                                    fos.close();
+                                } catch (IOException ex) {
+                                    LOGGER.log(Level.FINEST, null, ex);
                                }
                            }
                        }
@@ -375,7 +423,7 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                try {
                    input.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -389,6 +437,8 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
     */
    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
+        final String msg = String.format("Decompressing '%s'", outputFile.getPath());
+        LOGGER.fine(msg);
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(outputFile);
@@ -398,19 +448,53 @@ public class ArchiveAnalyzer extends AbstractAnalyzer implements Analyzer {
                out.write(buffer, 0, n);
            }
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ArchiveExtractionException(ex);
        } catch (IOException ex) {
-            Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ArchiveExtractionException(ex);
        } finally {
            if (out != null) {
                try {
                    out.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ArchiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
    }
+
+    /**
+     * Attempts to determine if a zip file is actually a JAR file.
+     *
+     * @param dependency the dependency to check
+     * @return true if the dependency appears to be a JAR file; otherwise false
+     */
+    private boolean isZipFileActuallyJarFile(Dependency dependency) {
+        boolean isJar = false;
+        ZipFile zip = null;
+        try {
+            zip = new ZipFile(dependency.getActualFilePath());
+            if (zip.getEntry("META-INF/MANIFEST.MF") != null
+                    || zip.getEntry("META-INF/maven") != null) {
+                final Enumeration<ZipArchiveEntry> entries = zip.getEntries();
+                while (entries.hasMoreElements()) {
+                    final ZipArchiveEntry entry = entries.nextElement();
+                    if (!entry.isDirectory()) {
+                        final String name = entry.getName().toLowerCase();
+                        if (name.endsWith(".class")) {
+                            isJar = true;
+                            break;
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, String.format("Unable to unzip zip file '%s'", dependency.getFilePath()), ex);
+        } finally {
+            ZipFile.closeQuietly(zip);
+        }
+
+        return isJar;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -17,10 +17,12 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
+import java.io.InputStreamReader;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.Set;
@@ -46,7 +48,7 @@ import org.xml.sax.SAXException;
 * @author colezlaw
 *
 */
-public class AssemblyAnalyzer extends AbstractAnalyzer {
+public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {

    /**
     * The analyzer name
@@ -59,11 +61,11 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * The list of supported extensions
     */
-    private static final Set<String> SUPORTED_EXTENSIONS = newHashSet("dll", "exe");
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("dll", "exe");
    /**
     * The temp value for GrokAssembly.exe
     */
-    private File grokAssemblyExe;
+    private File grokAssemblyExe = null;
    /**
     * The DocumentBuilder for parsing the XML
     */
@@ -71,7 +73,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    /**
     * Logger
     */
-    private static final Logger LOG = Logger.getLogger(AbstractAnalyzer.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(AssemblyAnalyzer.class.getName(), "dependencycheck-resources");

    /**
     * Builds the beginnings of a List for ProcessBuilder
@@ -101,19 +103,43 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException if anything goes sideways
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine)
+    public void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        if (grokAssemblyExe == null) {
-            LOG.warning("GrokAssembly didn't get deployed");
+            LOGGER.warning("analyzer.AssemblyAnalyzer.notdeployed");
            return;
        }

        final List<String> args = buildArgumentList();
        args.add(dependency.getActualFilePath());
        final ProcessBuilder pb = new ProcessBuilder(args);
+        BufferedReader rdr = null;
+        Document doc = null;
        try {
            final Process proc = pb.start();
-            final Document doc = builder.parse(proc.getInputStream());
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
+            String line = null;
+            // CHECKSTYLE:OFF
+            while (rdr.ready() && (line = rdr.readLine()) != null) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
+            }
+            // CHECKSTYLE:ON
+            int rc = 0;
+            doc = builder.parse(proc.getInputStream());
+
+            try {
+                rc = proc.waitFor();
+            } catch (InterruptedException ie) {
+                return;
+            }
+            if (rc == 3) {
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.notassembly", dependency.getActualFilePath());
+                return;
+            } else if (rc != 0) {
+                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.rc", rc);
+            }
+
            final XPath xpath = XPathFactory.newInstance().newXPath();

            // First, see if there was an error
@@ -147,6 +173,14 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
        } catch (XPathExpressionException xpe) {
            // This shouldn't happen
            throw new AnalysisException(xpe);
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
        }
    }

@@ -156,8 +190,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     * @throws Exception if anything goes wrong
     */
    @Override
-    public void initialize() throws Exception {
-        super.initialize();
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
        FileOutputStream fos = null;
        InputStream is = null;
@@ -172,47 +205,69 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
            grokAssemblyExe = tempFile;
            // Set the temp file to get deleted when we're done
            grokAssemblyExe.deleteOnExit();
-            LOG.log(Level.FINE, "Extracted GrokAssembly.exe to {0}", grokAssemblyExe.getPath());
+            LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
        } catch (IOException ioe) {
-            LOG.log(Level.WARNING, "Could not extract GrokAssembly.exe: {0}", ioe.getMessage());
+            this.setEnabled(false);
+            LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
        } finally {
            if (fos != null) {
                try {
                    fos.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing output stream");
+                    LOGGER.fine("Error closing output stream");
                }
            }
            if (is != null) {
                try {
                    is.close();
                } catch (Throwable e) {
-                    LOG.fine("Error closing input stream");
+                    LOGGER.fine("Error closing input stream");
                }
            }
        }

        // Now, need to see if GrokAssembly actually runs from this location.
        final List<String> args = buildArgumentList();
+        BufferedReader rdr = null;
        try {
-            final Process p = new ProcessBuilder(args).start();
+            final ProcessBuilder pb = new ProcessBuilder(args);
+            final Process p = pb.start();
+            // Try evacuating the error stream
+            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            // CHECKSTYLE:OFF
+            while (rdr.ready() && rdr.readLine() != null) {
+                // We expect this to complain
+            }
+            // CHECKSTYLE:ON
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
            if (p.waitFor() != 1 || error == null || "".equals(error)) {
-                LOG.warning("An error occured with the .NET AssemblyAnalyzer, please see the log for more details.");
-                LOG.fine("GrokAssembly.exe is not working properly");
+                LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
+                LOGGER.fine("GrokAssembly.exe is not working properly");
                grokAssemblyExe = null;
+                this.setEnabled(false);
                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (Throwable e) {
-            LOG.warning("An error occured with the .NET AssemblyAnalyzer; "
-                    + "this can be ignored unless you are scanning .NET dlls. Please see the log for more details.");
-            LOG.log(Level.FINE, "Could not execute GrokAssembly {0}", e.getMessage());
-            throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            if (e instanceof AnalysisException) {
+                throw (AnalysisException) e;
+            } else {
+                LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
+                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
+                this.setEnabled(false);
+                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
+            }
+        } finally {
+            if (rdr != null) {
+                try {
+                    rdr.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
        }
-
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

@@ -220,9 +275,11 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    public void close() throws Exception {
        super.close();
        try {
-            grokAssemblyExe.delete();
+            if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                grokAssemblyExe.deleteOnExit();
+            }
        } catch (SecurityException se) {
-            LOG.fine("Can't delete temporary GrokAssembly.exe");
+            LOGGER.fine("analyzer.AssemblyAnalyzer.grokassembly.notdeleted");
        }
    }

@@ -233,7 +290,7 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
     */
    @Override
    public Set<String> getSupportedExtensions() {
-        return SUPORTED_EXTENSIONS;
+        return SUPPORTED_EXTENSIONS;
    }

    /**
@@ -246,17 +303,6 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Gets whether the analyzer supports the provided extension.
-     *
-     * @param extension the extension to check
-     * @return whether the analyzer supports the extension
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase this analyzer runs under.
     *
@@ -266,4 +312,14 @@ public class AssemblyAnalyzer extends AbstractAnalyzer {
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -58,6 +58,10 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 */
 public class CPEAnalyzer implements Analyzer {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CPEAnalyzer.class.getName());
    /**
     * The maximum number of query results to return.
     */
@@ -87,6 +91,41 @@ public class CPEAnalyzer implements Analyzer {
     */
    private CveDB cve;

+    /**
+     * The URL to perform a search of the NVD CVE data at NIST.
+     */
+    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
+
+    /**
+     * Returns the name of this analyzer.
+     *
+     * @return the name of this analyzer.
+     */
+    @Override
+    public String getName() {
+        return "CPE Analyzer";
+    }
+
+    /**
+     * Returns the analysis phase that this analyzer should run in.
+     *
+     * @return the analysis phase that this analyzer should run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.IDENTIFIER_ANALYSIS;
+    }
+
+    /**
+     * Creates the CPE Lucene Index.
+     *
+     * @throws Exception is thrown if there is an issue opening the index.
+     */
+    @Override
+    public void initialize() throws Exception {
+        this.open();
+    }
+
    /**
     * Opens the data source.
     *
@@ -95,15 +134,15 @@ public class CPEAnalyzer implements Analyzer {
     * by another process.
     */
    public void open() throws IOException, DatabaseException {
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Opening the CVE Database");
+        LOGGER.log(Level.FINE, "Opening the CVE Database");
        cve = new CveDB();
        cve.open();
-        Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "Creating the Lucene CPE Index");
+        LOGGER.log(Level.FINE, "Creating the Lucene CPE Index");
        cpe = CpeMemoryIndex.getInstance();
        try {
            cpe.open(cve);
        } catch (IndexException ex) {
-            Logger.getLogger(CPEAnalyzer.class.getName()).log(Level.FINE, "IndexException", ex);
+            LOGGER.log(Level.FINE, "IndexException", ex);
            throw new DatabaseException(ex);
        }
    }
@@ -131,29 +170,10 @@ public class CPEAnalyzer implements Analyzer {
     * @throws ParseException is thrown when the Lucene query cannot be parsed.
     */
    protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
-        Confidence confidence = Confidence.HIGHEST;
-
-        String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
-        String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
-        /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
-         * CPE identified. As such, we are "using" the evidence and ignoring the results. */
-        addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
-
-        int ctr = 0;
-        do {
-            if (!vendors.isEmpty() && !products.isEmpty()) {
-                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
-                        dependency.getVendorEvidence().getWeighting());
-
-                for (IndexEntry e : entries) {
-                    if (verifyEntry(e, dependency)) {
-                        final String vendor = e.getVendor();
-                        final String product = e.getProduct();
-                        determineIdentifiers(dependency, vendor, product);
-                    }
-                }
-            }
-            confidence = reduceConfidence(confidence);
+        //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
+        String vendors = "";
+        String products = "";
+        for (Confidence confidence : Confidence.values()) {
            if (dependency.getVendorEvidence().contains(confidence)) {
                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
            }
@@ -162,10 +182,28 @@ public class CPEAnalyzer implements Analyzer {
            }
            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
-            if (dependency.getVersionEvidence().contains(confidence)) {
-                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+//            if (dependency.getVersionEvidence().contains(confidence)) {
+//                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+//            }
+            if (!vendors.isEmpty() && !products.isEmpty()) {
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
+                        dependency.getVendorEvidence().getWeighting());
+                if (entries == null) {
+                    continue;
+                }
+                boolean identifierAdded = false;
+                for (IndexEntry e : entries) {
+                    if (verifyEntry(e, dependency)) {
+                        final String vendor = e.getVendor();
+                        final String product = e.getProduct();
+                        identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
+                    }
+                }
+                if (identifierAdded) {
+                    break;
+                }
            }
-        } while ((++ctr) < 4);
+        }
    }

    /**
@@ -200,22 +238,6 @@ public class CPEAnalyzer implements Analyzer {
        return sb.toString().trim();
    }

-    /**
-     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
-     *
-     * @param c the confidence to reduce.
-     * @return One less then the confidence passed in.
-     */
-    private Confidence reduceConfidence(final Confidence c) {
-        if (c == Confidence.HIGHEST) {
-            return Confidence.HIGH;
-        } else if (c == Confidence.HIGH) {
-            return Confidence.MEDIUM;
-        } else {
-            return Confidence.LOW;
-        }
-    }
-
    /**
     * <p>
     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
@@ -230,27 +252,24 @@ public class CPEAnalyzer implements Analyzer {
     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
     * @return a list of possible CPE values
-     * @throws CorruptIndexException when the Lucene index is corrupt
-     * @throws IOException when the Lucene index is not found
-     * @throws ParseException when the generated query is not valid
     */
    protected List<IndexEntry> searchCPE(String vendor, String product,
-            Set<String> vendorWeightings, Set<String> productWeightings)
-            throws CorruptIndexException, IOException, ParseException {
+            Set<String> vendorWeightings, Set<String> productWeightings) {
+
        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);

        final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
        if (searchString == null) {
            return ret;
        }
-
-        final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
-        for (ScoreDoc d : docs.scoreDocs) {
-            if (d.score >= 0.08) {
-                final Document doc = cpe.getDocument(d.doc);
-                final IndexEntry entry = new IndexEntry();
-                entry.setVendor(doc.get(Fields.VENDOR));
-                entry.setProduct(doc.get(Fields.PRODUCT));
+        try {
+            final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
+            for (ScoreDoc d : docs.scoreDocs) {
+                if (d.score >= 0.08) {
+                    final Document doc = cpe.getDocument(d.doc);
+                    final IndexEntry entry = new IndexEntry();
+                    entry.setVendor(doc.get(Fields.VENDOR));
+                    entry.setProduct(doc.get(Fields.PRODUCT));
 //                if (d.score < 0.08) {
 //                    System.out.print(entry.getVendor());
 //                    System.out.print(":");
@@ -258,13 +277,23 @@ public class CPEAnalyzer implements Analyzer {
 //                    System.out.print(":");
 //                    System.out.println(d.score);
 //                }
-                entry.setSearchScore(d.score);
-                if (!ret.contains(entry)) {
-                    ret.add(entry);
+                    entry.setSearchScore(d.score);
+                    if (!ret.contains(entry)) {
+                        ret.add(entry);
+                    }
                }
            }
+            return ret;
+        } catch (ParseException ex) {
+            final String msg = String.format("Unable to parse: %s", searchString);
+            LOGGER.log(Level.WARNING, "An error occured querying the CPE data. See the log for more details.");
+            LOGGER.log(Level.INFO, msg, ex);
+        } catch (IOException ex) {
+            final String msg = String.format("IO Error with search string: %s", searchString);
+            LOGGER.log(Level.WARNING, "An error occured reading CPE data. See the log for more details.");
+            LOGGER.log(Level.INFO, msg, ex);
        }
-        return ret;
+        return null;
    }

    /**
@@ -461,57 +490,6 @@ public class CPEAnalyzer implements Analyzer {
        }
    }

-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    @Override
-    public Set<String> getSupportedExtensions() {
-        return null;
-    }
-
-    /**
-     * Returns the name of this analyzer.
-     *
-     * @return the name of this analyzer.
-     */
-    @Override
-    public String getName() {
-        return "CPE Analyzer";
-    }
-
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
-    /**
-     * Returns the analysis phase that this analyzer should run in.
-     *
-     * @return the analysis phase that this analyzer should run in.
-     */
-    @Override
-    public AnalysisPhase getAnalysisPhase() {
-        return AnalysisPhase.IDENTIFIER_ANALYSIS;
-    }
-
-    /**
-     * Opens the CPE Lucene Index.
-     *
-     * @throws Exception is thrown if there is an issue opening the index.
-     */
-    @Override
-    public void initialize() throws Exception {
-        this.open();
-    }
-
    /**
     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
@@ -520,14 +498,21 @@ public class CPEAnalyzer implements Analyzer {
     * @param dependency the Dependency being analyzed
     * @param vendor the vendor for the CPE being analyzed
     * @param product the product for the CPE being analyzed
+     * @param currentConfidence the current confidence being used during analysis
+     * @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
     */
-    private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+    protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
+            Confidence currentConfidence) throws UnsupportedEncodingException {
        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
        DependencyVersion bestGuess = new DependencyVersion("-");
        Confidence bestGuessConf = null;
+        boolean hasBroadMatch = false;
        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
        for (Confidence conf : Confidence.values()) {
+//            if (conf.compareTo(currentConfidence) > 0) {
+//                break;
+//            }
            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
                if (evVer == null) {
@@ -540,9 +525,13 @@ public class CPEAnalyzer implements Analyzer {
                    } else {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                    }
-                    if (dbVer == null //special case, no version specified - everything is vulnerable
-                            || evVer.equals(dbVer)) { //yeah! exact match
-                        final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+                    if (dbVer == null) { //special case, no version specified - everything is vulnerable
+                        hasBroadMatch = true;
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.BROAD_MATCH, conf);
+                        collected.add(match);
+                    } else if (evVer.equals(dbVer)) { //yeah! exact match
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                        collected.add(match);
                    } else {
@@ -567,7 +556,11 @@ public class CPEAnalyzer implements Analyzer {
            }
        }
        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
-        final String url = null; //String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(cpeName, "UTF-8"));
+        String url = null;
+        if (hasBroadMatch) { //if we have a broad match we can add the URL to the best guess.
+            final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
+            url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
+        }
        if (bestGuessConf == null) {
            bestGuessConf = Confidence.LOW;
        }
@@ -577,6 +570,7 @@ public class CPEAnalyzer implements Analyzer {
        Collections.sort(collected);
        final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
        final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
+        boolean identifierAdded = false;
        for (IdentifierMatch m : collected) {
            if (bestIdentifierQuality.equals(m.getConfidence())
                    && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
@@ -587,8 +581,10 @@ public class CPEAnalyzer implements Analyzer {
                    i.setConfidence(bestEvidenceQuality);
                }
                dependency.addIdentifier(i);
+                identifierAdded = true;
            }
        }
+        return identifierAdded;
    }

    /**
@@ -603,7 +599,12 @@ public class CPEAnalyzer implements Analyzer {
        /**
         * A best guess for the CPE.
         */
-        BEST_GUESS
+        BEST_GUESS,
+        /**
+         * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS
+         * that only specifies vendor/product.
+         */
+        BROAD_MATCH
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -0,0 +1,201 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.central.CentralSearch;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
+ * SHA-1 digest.
+ *
+ * @author colezlaw
+ */
+public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Central Analyzer";
+
+    /**
+     * The phase in which this analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
+
+    /**
+     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
+     * occurred.
+     */
+    private boolean errorFlag = false;
+
+    /**
+     * The searcher itself.
+     */
+    private CentralSearch searcher;
+
+    /**
+     * Field indicating if the analyzer is enabled.
+     */
+    private final boolean enabled = checkEnabled();
+
+    /**
+     * Determine whether to enable this analyzer or not.
+     *
+     * @return whether the analyzer should be enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Determines if this analyzer is enabled.
+     *
+     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     */
+    private boolean checkEnabled() {
+        boolean retval = false;
+
+        try {
+            if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
+                if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
+                        || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
+                    LOGGER.fine("Enabling the Central analyzer");
+                    retval = true;
+                } else {
+                    LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
+                }
+            } else {
+                LOGGER.info("Central analyzer disabled");
+            }
+        } catch (InvalidSettingException ise) {
+            LOGGER.warning("Invalid setting. Disabling the Central analyzer");
+        }
+        return retval;
+    }
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        LOGGER.fine("Initializing Central analyzer");
+        LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
+            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
+            LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
+            searcher = new CentralSearch(new URL(searchUrl));
+        }
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key.
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which the analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        if (errorFlag || !isEnabled()) {
+            return;
+        }
+
+        try {
+            final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
+            final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
+            for (MavenArtifact ma : mas) {
+                LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
+                dependency.addAsEvidence("central", ma, confidence);
+            }
+        } catch (IllegalArgumentException iae) {
+            LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
+        } catch (FileNotFoundException fnfe) {
+            LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
+        } catch (IOException ioe) {
+            LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
+            errorFlag = true;
+        }
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java
@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
 */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -17,7 +17,6 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -28,6 +27,7 @@ import java.util.logging.Logger;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -46,21 +46,22 @@ import org.owasp.dependencycheck.utils.LogUtils;
 */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DependencyBundlingAnalyzer.class.getName());
+
    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
    /**
     * A pattern for obtaining the first part of a filename.
     */
-    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
    /**
     * a flag indicating if this analyzer has run. This analyzer only runs once.
     */
    private boolean analyzed = false;
    //</editor-fold>
    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
    /**
     * The name of the analyzer.
     */
@@ -70,15 +71,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_FINDING_ANALYSIS;

-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
    /**
     * Returns the name of the analyzer.
     *
@@ -88,16 +80,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -125,21 +107,25 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            //for (Dependency nextDependency : engine.getDependencies()) {
            while (mainIterator.hasNext()) {
                final Dependency dependency = mainIterator.next();
-                if (mainIterator.hasNext()) {
+                if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                    while (subIterator.hasNext()) {
                        final Dependency nextDependency = subIterator.next();
-                        if (isShadedJar(dependency, nextDependency)) {
-                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
-                                dependenciesToRemove.add(dependency);
-                            } else {
-                                dependenciesToRemove.add(nextDependency);
-                            }
-                        } else if (hashesMatch(dependency, nextDependency)) {
-                            if (isCore(dependency, nextDependency)) {
+                        if (hashesMatch(dependency, nextDependency)) {
+                            if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
+                            }
+                        } else if (isShadedJar(dependency, nextDependency)) {
+                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                nextDependency.getRelatedDependencies().remove(dependency);
+                                break;
+                            } else {
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                                nextDependency.getRelatedDependencies().remove(nextDependency);
                            }
                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                && hasSameBasePath(dependency, nextDependency)
@@ -149,6 +135,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        }
                    }
@@ -156,9 +143,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            }
            //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
            // was difficult because of the inner iterator.
-            for (Dependency d : dependenciesToRemove) {
-                engine.getDependencies().remove(d);
-            }
+            engine.getDependencies().removeAll(dependenciesToRemove);
        }
    }

@@ -219,26 +204,24 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                || dependency2 == null || dependency2.getFileName() == null) {
            return false;
        }
-        String fileName1 = dependency1.getFileName();
-        String fileName2 = dependency2.getFileName();
-
-        //update to deal with archive analyzer, the starting name maybe the same
-        // as this is incorrectly looking at the starting path
-        final File one = new File(fileName1);
-        final File two = new File(fileName2);
-        final String oneParent = one.getParent();
-        final String twoParent = two.getParent();
-        if (oneParent != null) {
-            if (oneParent.equals(twoParent)) {
-                fileName1 = one.getName();
-                fileName2 = two.getName();
-            } else {
-                return false;
-            }
-        } else if (twoParent != null) {
-            return false;
-        }
+        final String fileName1 = dependency1.getActualFile().getName();
+        final String fileName2 = dependency2.getActualFile().getName();

+//        //REMOVED because this is attempting to duplicate what is in the hasSameBasePath function.
+//        final File one = new File(fileName1);
+//        final File two = new File(fileName2);
+//        final String oneParent = one.getParent();
+//        final String twoParent = two.getParent();
+//        if (oneParent != null) {
+//            if (oneParent.equals(twoParent)) {
+//                fileName1 = one.getName();
+//                fileName2 = two.getName();
+//            } else {
+//                return false;
+//            }
+//        } else if (twoParent != null) {
+//            return false;
+//        }
        //version check
        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
@@ -285,15 +268,17 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
            for (Identifier i : dependency1.getIdentifiers()) {
-                matches |= dependency2.getIdentifiers().contains(i);
-                if (!matches) {
-                    break;
+                if ("cpe".equals(i.getType())) {
+                    matches |= dependency2.getIdentifiers().contains(i);
+                    if (!matches) {
+                        break;
+                    }
                }
            }
        }
        if (LogUtils.isVerboseLoggingEnabled()) {
            final String msg = String.format("IdentifiersMatch=%s (%s, %s)", matches, dependency1.getFileName(), dependency2.getFileName());
-            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+            LOGGER.log(Level.FINE, msg);
        }
        return matches;
    }
@@ -356,6 +341,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                || !rightName.contains("core") && leftName.contains("core")
                || !rightName.contains("kernel") && leftName.contains("kernel")) {
            returnVal = true;
+//        } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
+//            returnVal = true;
+//        } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
+//            returnVal = false;
        } else {
            /*
             * considered splitting the names up and comparing the components,
@@ -364,13 +353,13 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             * be shorter:
             * axis2-saaj-1.4.1.jar
             * axis2-1.4.1.jar       <-----
-             * axis2-kernal-1.4.1.jar
+             * axis2-kernel-1.4.1.jar
             */
            returnVal = leftName.length() <= rightName.length();
        }
        if (LogUtils.isVerboseLoggingEnabled()) {
            final String msg = String.format("IsCore=%s (%s, %s)", returnVal, left.getFileName(), right.getFileName());
-            Logger.getLogger(DependencyBundlingAnalyzer.class.getName()).log(Level.FINE, msg);
+            LOGGER.log(Level.FINE, msg);
        }
        return returnVal;
    }
@@ -408,4 +397,43 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        return false;
    }
+
+    /**
+     * Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to
+     * determine if the first path is smaller.
+     *
+     * @param left the first path to compare
+     * @param right the second path to compare
+     * @return <code>true</code> if the leftPath is the shortest; otherwise <code>false</code>
+     */
+    protected boolean firstPathIsShortest(String left, String right) {
+        final String leftPath = left.replace('\\', '/');
+        final String rightPath = right.replace('\\', '/');
+
+        final int leftCount = countChar(leftPath, '/');
+        final int rightCount = countChar(rightPath, '/');
+        if (leftCount == rightCount) {
+            return leftPath.compareTo(rightPath) <= 0;
+        } else {
+            return leftCount < rightCount;
+        }
+    }
+
+    /**
+     * Counts the number of times the character is present in the string.
+     *
+     * @param string the string to count the characters in
+     * @param c the character to count
+     * @return the number of times the character is present in the string
+     */
+    private int countChar(String string, char c) {
+        int count = 0;
+        final int max = string.length();
+        for (int i = 0; i < max; i++) {
+            if (c == string.charAt(i)) {
+                count++;
+            }
+        }
+        return count;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -42,11 +42,11 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
-     * The set of file extensions supported by this analyzer.
+     * The Logger.
     */
-    private static final Set<String> EXTENSIONS = null;
+    private static final Logger LOGGER = Logger.getLogger(FalsePositiveAnalyzer.class.getName());
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -56,15 +56,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.POST_IDENTIFIER_ANALYSIS;

-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }
-
    /**
     * Returns the name of the analyzer.
     *
@@ -74,16 +65,6 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -105,11 +86,46 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        removeJreEntries(dependency);
        removeBadMatches(dependency);
+        removeBadSpringMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
+        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }

+    /**
+     * Removes inaccurate matches on springframework CPEs.
+     *
+     * @param dependency the dependency to test for and remove known inaccurate CPE matches
+     */
+    private void removeBadSpringMatches(Dependency dependency) {
+        String mustContain = null;
+        for (Identifier i : dependency.getIdentifiers()) {
+            if ("maven".contains(i.getType())) {
+                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
+                    final int endPoint = i.getValue().indexOf(":", 19);
+                    if (endPoint >= 0) {
+                        mustContain = i.getValue().substring(19, endPoint).toLowerCase();
+                        break;
+                    }
+                }
+            }
+        }
+        if (mustContain != null) {
+            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".contains(i.getType())
+                        && i.getValue() != null
+                        && i.getValue().startsWith("cpe:/a:springsource:")
+                        && !i.getValue().toLowerCase().contains(mustContain)) {
+                    itr.remove();
+                    //dependency.getIdentifiers().remove(i);
+                }
+            }
+        }
+    }
+
    /**
     * <p>
     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
@@ -155,8 +171,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        final String nextVersion = nextCpe.getVersion();
                        if (currentVersion == null && nextVersion == null) {
                            //how did we get here?
-                            Logger.getLogger(FalsePositiveAnalyzer.class
-                                    .getName()).log(Level.FINE, "currentVersion and nextVersion are both null?");
+                            LOGGER.log(Level.FINE, "currentVersion and nextVersion are both null?");
                        } else if (currentVersion == null && nextVersion != null) {
                            dependency.getIdentifiers().remove(currentId);
                        } else if (nextVersion == null && currentVersion != null) {
@@ -179,12 +194,21 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     * Regex to identify core java libraries and a few other commonly misidentified ones.
     */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
-            + "java(_platfrom_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
-            + "jdk|jre|jsf|jsse)($|:.*)");
+            + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
+            + "jdk|jre|jsse)($|:.*)");
+
+    /**
+     * Regex to identify core jsf libraries.
+     */
+    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /**
     * Regex to identify core java library files. This is currently incomplete.
     */
-    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    /**
+     * Regex to identify core jsf java library files. This is currently incomplete.
+     */
+    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");

    /**
     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -201,27 +225,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
            if (coreCPE.matches() && !coreFiles.matches()) {
                itr.remove();
            }
-
-            //replacecd with the regex above.
-            //            if (("cpe:/a:sun:java".equals(i.getValue())
-            //                    || "cpe:/a:oracle:java".equals(i.getValue())
-            //                    || "cpe:/a:ibm:java".equals(i.getValue())
-            //                    || "cpe:/a:sun:j2se".equals(i.getValue())
-            //                    || "cpe:/a:oracle:j2se".equals(i.getValue())
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:")
-            //                    || i.getValue().startsWith("cpe:/a:sun:j2se:")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:jre")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java:jdk")
-            //                    || i.getValue().startsWith("cpe:/a:sun:java_se")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:java_se")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:java:")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:j2se:")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:jre")
-            //                    || i.getValue().startsWith("cpe:/a:oracle:jdk")
-            //                    || i.getValue().startsWith("cpe:/a:ibm:java:"))
-            //                    && !dependency.getFileName().toLowerCase().endsWith("rt.jar")) {
-            //                itr.remove();
-            //            }
+            final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
+            final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
+            if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
+                itr.remove();
+            }
        }
    }

@@ -240,7 +248,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        try {
            cpe.parseName(value);
        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(FalsePositiveAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
            return null;
        }
        return cpe;
@@ -265,17 +273,36 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        //Set<Evidence> artifactId = dependency.getVendorEvidence().getEvidence("pom", "artifactid");
        while (itr.hasNext()) {
            final Identifier i = itr.next();
-            //TODO move this startswith expression to a configuration file?
+            //TODO move this startsWith expression to a configuration file?
            if ("cpe".equals(i.getType())) {
                if ((i.getValue().matches(".*c\\+\\+.*")
-                        || i.getValue().startsWith("cpe:/a:jquery:jquery")
-                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
-                        || i.getValue().startsWith("cpe:/a:yahoo:yui")
                        || i.getValue().startsWith("cpe:/a:file:file")
                        || i.getValue().startsWith("cpe:/a:mozilla:mozilla")
                        || i.getValue().startsWith("cpe:/a:cvs:cvs")
                        || i.getValue().startsWith("cpe:/a:ftp:ftp")
-                        || i.getValue().startsWith("cpe:/a:ssh:ssh"))
+                        || i.getValue().startsWith("cpe:/a:tcp:tcp")
+                        || i.getValue().startsWith("cpe:/a:ssh:ssh")
+                        || i.getValue().startsWith("cpe:/a:lookup:lookup"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe")
+                        || dependency.getFileName().toLowerCase().endsWith(".nuspec")
+                        || dependency.getFileName().toLowerCase().endsWith(".nupkg"))) {
+                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:jquery:jquery")
+                        || i.getValue().startsWith("cpe:/a:prototypejs:prototype")
+                        || i.getValue().startsWith("cpe:/a:yahoo:yui"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                        || dependency.getFileName().toLowerCase().endsWith(".dll")
+                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
+                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
+                        || i.getValue().startsWith("cpe:/a:microsoft:word")
+                        || i.getValue().startsWith("cpe:/a:microsoft:visio")
+                        || i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
+                        || i.getValue().startsWith("cpe:/a:microsoft:office"))
                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
                    itr.remove();
@@ -286,7 +313,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        && !dependency.getEvidenceUsed().containsUsedString("m-core")) {
                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:jboss:jboss")
-                        && !dependency.getFileName().toLowerCase().matches("jboss-[\\d\\.]+(GA)?\\.jar")) {
+                        && !dependency.getFileName().toLowerCase().matches("jboss-?[\\d\\.-]+(GA)?\\.jar")) {
                    itr.remove();
                }
            }
@@ -334,6 +361,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     * @param dependency the dependency being analyzed
     */
    private void addFalseNegativeCPEs(Dependency dependency) {
+        //TODO move this to the hint analyzer
        final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
        while (itr.hasNext()) {
            final Identifier i = itr.next();
@@ -349,21 +377,92 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                try {
                    dependency.addIdentifier("cpe",
                            newCpe,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe2,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe2, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe2, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe3,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe3, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe3, "UTF-8")));
                    dependency.addIdentifier("cpe",
                            newCpe4,
-                            String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(newCpe4, "UTF-8")));
+                            String.format(CPEAnalyzer.NVD_SEARCH_URL, URLEncoder.encode(newCpe4, "UTF-8")));
                } catch (UnsupportedEncodingException ex) {
-                    Logger.getLogger(FalsePositiveAnalyzer.class
-                            .getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.FINE, null, ex);
                }
            }
        }
    }
+
+    /**
+     * Removes duplicate entries identified that are contained within JAR files. These occasionally crop up due to POM
+     * entries or other types of files (such as DLLs and EXEs) being contained within the JAR.
+     *
+     * @param dependency the dependency that might be a duplicate
+     * @param engine the engine used to scan all dependencies
+     */
+    private void removeDuplicativeEntriesFromJar(Dependency dependency, Engine engine) {
+        if (dependency.getFileName().toLowerCase().endsWith("pom.xml")
+                || "dll".equals(dependency.getFileExtension())
+                || "exe".equals(dependency.getFileExtension())) {
+            String parentPath = dependency.getFilePath().toLowerCase();
+            if (parentPath.contains(".jar")) {
+                parentPath = parentPath.substring(0, parentPath.indexOf(".jar") + 4);
+                final Dependency parent = findDependency(parentPath, engine.getDependencies());
+                if (parent != null) {
+                    boolean remove = false;
+                    for (Identifier i : dependency.getIdentifiers()) {
+                        if ("cpe".equals(i.getType())) {
+                            final String trimmedCPE = trimCpeToVendor(i.getValue());
+                            for (Identifier parentId : parent.getIdentifiers()) {
+                                if ("cpe".equals(parentId.getType()) && parentId.getValue().startsWith(trimmedCPE)) {
+                                    remove |= true;
+                                }
+                            }
+                        }
+                        if (!remove) { //we can escape early
+                            return;
+                        }
+                    }
+                    if (remove) {
+                        engine.getDependencies().remove(dependency);
+                    }
+                }
+            }
+
+        }
+    }
+
+    /**
+     * Retrieves a given dependency, based on a given path, from a list of dependencies.
+     *
+     * @param dependencyPath the path of the dependency to return
+     * @param dependencies the collection of dependencies to search
+     * @return the dependency object for the given path, otherwise null
+     */
+    private Dependency findDependency(String dependencyPath, List<Dependency> dependencies) {
+        for (Dependency d : dependencies) {
+            if (d.getFilePath().equalsIgnoreCase(dependencyPath)) {
+                return d;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Takes a full CPE and returns the CPE trimmed to include only vendor and product.
+     *
+     * @param value the CPE value to trim
+     * @return a CPE value that only includes the vendor and product
+     */
+    private String trimCpeToVendor(String value) {
+        //cpe:/a:jruby:jruby:1.0.8
+        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        if (pos2 < 0) {
+            return value;
+        } else {
+            return value.substring(0, pos2);
+        }
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -17,10 +17,9 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.File;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.DependencyVersion;
@@ -34,7 +33,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -43,19 +42,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }

    /**
     * Returns the name of the analyzer.
@@ -66,16 +52,6 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -97,7 +73,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {

        //strip any path information that may get added by ArchiveAnalyzer, etc.
-        final File f = new File(dependency.getFileName());
+        final File f = dependency.getActualFile();
        String fileName = f.getName();

        //remove file extension
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
@@ -0,0 +1,39 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+/**
+ * An Analyzer that scans specific file types.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public interface FileTypeAnalyzer extends Analyzer {
+
+    /**
+     * Returns whether or not this analyzer can process the given extension.
+     *
+     * @param extension the file extension to test for support.
+     * @return whether or not the specified file extension is supported by this analyzer.
+     */
+    boolean supportsExtension(String extension);
+
+    /**
+     * Resets the analyzers state.
+     */
+    void reset();
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -17,11 +17,11 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
 */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -41,44 +41,23 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_IDENTIFIER_ANALYSIS;
-    /**
-     * The set of file extensions supported by this analyzer.
-     */
-    private static final Set<String> EXTENSIONS = null;
-
-    /**
-     * Returns a list of file EXTENSIONS supported by this analyzer.
-     *
-     * @return a list of file EXTENSIONS supported by this analyzer.
-     */
-    public Set<String> getSupportedExtensions() {
-        return EXTENSIONS;
-    }

    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -64,7 +64,6 @@ import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
 import org.owasp.dependencycheck.jaxb.pom.generated.License;
 import org.owasp.dependencycheck.jaxb.pom.generated.Model;
 import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
-import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.NonClosingStream;
 import org.owasp.dependencycheck.utils.Settings;
@@ -74,14 +73,17 @@ import org.xml.sax.XMLFilter;
 import org.xml.sax.XMLReader;

 /**
- *
 * Used to load a JAR file and collect information that can be used to determine the associated CPE.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class JarAnalyzer extends AbstractFileTypeAnalyzer {

    //<editor-fold defaultstate="collapsed" desc="Constants and Member Variables">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JarAnalyzer.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -111,9 +113,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            "buildjdk",
            "ant-version",
            "antversion",
+            "dynamicimportpackage",
+            "dynamicimport-package",
+            "dynamic-importpackage",
+            "dynamic-import-package",
            "import-package",
+            "ignore-package",
            "export-package",
            "importpackage",
+            "ignorepackage",
            "exportpackage",
            "sealed",
            "manifest-version",
@@ -125,7 +133,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            "tool",
            "bundle-manifestversion",
            "bundlemanifestversion",
-            "include-resource");
+            "include-resource",
+            "embed-dependency",
+            "ipojo-components",
+            "ipojo-extension",
+            "eclipse-sourcereferences");
    /**
     * item in some manifest, should be considered medium confidence.
     */
@@ -157,13 +169,15 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     */
    public JarAnalyzer() {
        try {
-            final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
+            //final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
+            final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
            pomUnmarshaller = jaxbContext.createUnmarshaller();
        } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, "Unable to load parser. See the log for more details.");
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
        }
    }
+
    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
    /**
     * The name of the analyzer.
@@ -183,6 +197,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return a list of file EXTENSIONS supported by this analyzer.
     */
+    @Override
    public Set<String> getSupportedExtensions() {
        return EXTENSIONS;
    }
@@ -192,20 +207,11 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @return the name of the analyzer.
     */
+    @Override
    public String getName() {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -216,6 +222,16 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    }
    //</editor-fold>

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAR_ENABLED;
+    }
+
    /**
     * Loads a specified JAR file and collects information from the manifest and checksums to identify the correct CPE
     * information.
@@ -225,7 +241,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException is thrown if there is an error reading the JAR file.
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        try {
            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
            final String fileName = dependency.getFileName().toLowerCase();
@@ -263,8 +279,8 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
        } catch (IOException ex) {
            final String msg = String.format("Unable to read JarFile '%s'.", dependency.getActualFilePath());
            //final AnalysisException ax = new AnalysisException(msg, ex);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            return false;
        }
        List<String> pomEntries;
@@ -273,19 +289,33 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
        } catch (IOException ex) {
            final String msg = String.format("Unable to read Jar file entries in '%s'.", dependency.getActualFilePath());
            //final AnalysisException ax = new AnalysisException(msg, ex);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, msg, ex);
            return false;
        }
+        File externalPom = null;
        if (pomEntries.isEmpty()) {
-            return false;
+            if (dependency.getActualFilePath().matches(".*\\.m2.repository\\b.*")) {
+                String pomPath = dependency.getActualFilePath();
+                pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
+                externalPom = new File(pomPath);
+                if (externalPom.isFile()) {
+                    pomEntries.add(pomPath);
+                } else {
+                    return false;
+                }
+            } else {
+                return false;
+            }
        }
        for (String path : pomEntries) {
            Properties pomProperties = null;
            try {
-                pomProperties = retrievePomProperties(path, jar);
+                if (externalPom == null) {
+                    pomProperties = retrievePomProperties(path, jar);
+                }
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
+                LOGGER.log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
            }
            Model pom = null;
            try {
@@ -297,25 +327,29 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                    final String displayPath = String.format("%s%s%s",
                            dependency.getFilePath(),
                            File.separator,
-                            path); //.replaceAll("[\\/]", File.separator));
+                            path);
                    final String displayName = String.format("%s%s%s",
                            dependency.getFileName(),
                            File.separator,
-                            path); //.replaceAll("[\\/]", File.separator));
+                            path);

                    newDependency.setFileName(displayName);
                    newDependency.setFilePath(displayPath);
-                    addPomEvidence(newDependency, pom, pomProperties);
+                    setPomEvidence(newDependency, pom, pomProperties, null);
                    engine.getDependencies().add(newDependency);
                    Collections.sort(engine.getDependencies());
                } else {
-                    pom = retrievePom(path, jar);
+                    if (externalPom == null) {
+                        pom = retrievePom(path, jar);
+                    } else {
+                        pom = retrievePom(externalPom);
+                    }
                    foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
                }
            } catch (AnalysisException ex) {
                final String msg = String.format("An error occured while analyzing '%s'.", dependency.getActualFilePath());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "", ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
            }
        }
        return foundSomething;
@@ -329,16 +363,25 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @return a Properties object or null if no pom.properties was found
     * @throws IOException thrown if there is an exception reading the pom.properties
     */
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "OS_OPEN_STREAM",
-            justification = "The reader is closed by closing the zipEntry")
    private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
        Properties pomProperties = null;
        final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
        final ZipEntry propEntry = jar.getEntry(propPath);
        if (propEntry != null) {
-            final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
-            pomProperties = new Properties();
-            pomProperties.load(reader);
+            Reader reader = null;
+            try {
+                reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+                pomProperties = new Properties();
+                pomProperties.load(reader);
+            } finally {
+                if (reader != null) {
+                    try {
+                        reader.close();
+                    } catch (IOException ex) {
+                        LOGGER.log(Level.FINEST, "close error", ex);
+                    }
+                }
+            }
        }
        return pomProperties;
    }
@@ -348,7 +391,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     *
     * @param jar the JarFile to search
     * @return a list of pom.xml entries
-     * @throws IOException thrown if there is an exception reading a JarEntryf
+     * @throws IOException thrown if there is an exception reading a JarEntry
     */
    private List<String> retrievePomListing(final JarFile jar) throws IOException {
        final List<String> pomEntries = new ArrayList<String>();
@@ -392,7 +435,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            bos.flush();
            dependency.setActualFilePath(file.getAbsolutePath());
        } catch (IOException ex) {
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+            final String msg = String.format("An error occurred reading '%s' from '%s'.", path, dependency.getFilePath());
+            LOGGER.warning(msg);
+            LOGGER.log(Level.SEVERE, "", ex);
        } finally {
            closeStream(bos);
            closeStream(fos);
@@ -408,18 +453,18 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            model = readPom(source);
        } catch (FileNotFoundException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw new AnalysisException(ex);
        } catch (UnsupportedEncodingException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw new AnalysisException(ex);
        } catch (AnalysisException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
            throw ex;
        } finally {
            closeStream(fis);
@@ -437,7 +482,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            try {
                stream.close();
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
@@ -452,7 +497,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            try {
                stream.close();
            } catch (IOException ex) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
@@ -478,27 +523,59 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                model = readPom(source);
            } catch (SecurityException ex) {
                final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
-                Logger
-                        .getLogger(JarAnalyzer.class
-                                .getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class
-                        .getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, null, ex);
                throw new AnalysisException(ex);
            } catch (IOException ex) {
                final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
                throw new AnalysisException(ex);
            } catch (Throwable ex) {
                final String msg = String.format("Unexpected error during parsing of the pom '%s' in jar '%s'", path, jar.getName());
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
                throw new AnalysisException(ex);
            }
        }
        return model;
    }

+    /**
+     * Reads in the specified POM and converts it to a Model.
+     *
+     * @param file the pom.xml file
+     * @return returns a
+     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
+     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
+     */
+    private Model retrievePom(File file) throws AnalysisException {
+        Model model = null;
+        try {
+            final FileInputStream stream = new FileInputStream(file);
+            final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
+            final InputSource xml = new InputSource(reader);
+            final SAXSource source = new SAXSource(xml);
+            model = readPom(source);
+        } catch (SecurityException ex) {
+            final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
+            throw new AnalysisException(ex);
+        } catch (IOException ex) {
+            final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            throw new AnalysisException(ex);
+        } catch (Throwable ex) {
+            final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            throw new AnalysisException(ex);
+        }
+        return model;
+    }
+
    /**
     * Retrieves the specified POM from a jar file and converts it to a Model.
     *
@@ -543,37 +620,90 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     */
    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
        boolean foundSomething = false;
+        boolean addAsIdentifier = true;
        if (pom == null) {
            return foundSomething;
        }
        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        if (groupid != null && !groupid.isEmpty()) {
-            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
-                groupid = groupid.substring(4);
+        String parentGroupId = null;
+
+        if (pom.getParent() != null) {
+            parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
+            if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
+                groupid = parentGroupId;
            }
+        }
+        final String originalGroupID = groupid;
+
+        if (groupid != null && !groupid.isEmpty()) {
            foundSomething = true;
-            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
            addMatchingValues(classes, groupid, dependency.getVendorEvidence());
            addMatchingValues(classes, groupid, dependency.getProductEvidence());
+            if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
+                dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
+                dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
+                addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
+        String parentArtifactId = null;
+
+        if (pom.getParent() != null) {
+            parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
+            if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
+                artifactid = parentArtifactId;
+            }
+        }
+        final String originalArtifactID = artifactid;
        if (artifactid != null && !artifactid.isEmpty()) {
            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
                artifactid = artifactid.substring(4);
            }
            foundSomething = true;
-            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
            addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
            addMatchingValues(classes, artifactid, dependency.getProductEvidence());
+            if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
+                dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
+                dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
+                addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
        //version
-        final String version = interpolateString(pom.getVersion(), pomProperties);
+        String version = interpolateString(pom.getVersion(), pomProperties);
+        String parentVersion = null;
+
+        if (pom.getParent() != null) {
+            parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
+            if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
+                version = parentVersion;
+            }
+        }
+
        if (version != null && !version.isEmpty()) {
            foundSomething = true;
            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
+            if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
+                dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
+        if (addAsIdentifier) {
+            dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
+        }
+
        // org name
        final Organization org = pom.getOrganization();
        if (org != null && org.getName() != null) {
@@ -632,7 +762,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                //TODO remove weighting
                vendor.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -641,7 +771,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            if (ratio > 0.5) {
                product.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -675,10 +805,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                        && !dependency.getFileName().toLowerCase().endsWith("-javadoc.jar")
                        && !dependency.getFileName().toLowerCase().endsWith("-src.jar")
                        && !dependency.getFileName().toLowerCase().endsWith("-doc.jar")) {
-                    Logger.getLogger(JarAnalyzer.class
-                            .getName()).log(Level.INFO,
-                                    String.format("Jar file '%s' does not contain a manifest.",
-                                            dependency.getFileName()));
+                    LOGGER.log(Level.FINE,
+                            String.format("Jar file '%s' does not contain a manifest.",
+                                    dependency.getFileName()));
                }
                return false;
            }
@@ -750,6 +879,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
                            && !key.endsWith("class-path")
                            && !key.endsWith("-scm") //todo change this to a regex?
                            && !key.startsWith("scm-")
+                            && !value.trim().startsWith("scm:")
                            && !isImportPackage(key, value)
                            && !isPackage(key, value)) {

@@ -899,19 +1029,13 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    private File tempFileLocation = null;

    /**
-     * The initialize method does nothing for this Analyzer.
+     * Initializes the JarAnalyzer.
     *
     * @throws Exception is thrown if there is an exception creating a temporary directory
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
        final File baseDir = Settings.getTempDirectory();
-        if (!baseDir.exists()) {
-            if (!baseDir.mkdirs()) {
-                final String msg = String.format("Unable to make a temporary folder '%s'", baseDir.getPath());
-                throw new AnalysisException(msg);
-            }
-        }
        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
        if (!tempFileLocation.delete()) {
            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
@@ -929,10 +1053,10 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
    @Override
    public void close() {
        if (tempFileLocation != null && tempFileLocation.exists()) {
-            Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINE, "Attempting to delete temporary files");
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
            if (!success) {
-                Logger.getLogger(JarAnalyzer.class.getName()).log(Level.WARNING,
+                LOGGER.log(Level.WARNING,
                        "Failed to delete some temporary files, see the log for more details");
            }
        }
@@ -1003,11 +1127,9 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @return true or false depending on if it is believed the entry is an "import" entry
     */
    private boolean isImportPackage(String key, String value) {
-        final Pattern packageRx = Pattern.compile("^((([a-zA-Z_#\\$0-9]\\.)+)\\s*\\;\\s*)+$");
-        if (packageRx.matcher(value).matches()) {
-            return (key.contains("import") || key.contains("include"));
-        }
-        return false;
+        final Pattern packageRx = Pattern.compile("^([a-zA-Z0-9_#\\$\\*\\.]+\\s*[,;]\\s*)+([a-zA-Z0-9_#\\$\\*\\.]+\\s*)?$");
+        final boolean matches = packageRx.matcher(value).matches();
+        return matches && (key.contains("import") || key.contains("include") || value.length() > 10);
    }

    /**
@@ -1034,17 +1156,14 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
            }
        } catch (IOException ex) {
            final String msg = String.format("Unable to open jar file '%s'.", dependency.getFileName());
-            Logger
-                    .getLogger(JarAnalyzer.class
-                            .getName()).log(Level.WARNING, msg);
-            Logger.getLogger(JarAnalyzer.class
-                    .getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (jar != null) {
                try {
                    jar.close();
                } catch (IOException ex) {
-                    Logger.getLogger(JarAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -1108,7 +1227,7 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @param evidence the evidence collection to add new entries too
     */
    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
-        if (value == null || value.isEmpty()) {
+        if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
            return;
        }
        final String text = value.toLowerCase();
@@ -1135,93 +1254,6 @@ public class JarAnalyzer extends AbstractAnalyzer implements Analyzer {

    }

-    /**
-     * Adds evidence from the POM to the dependency. This includes the GAV and in some situations the parent GAV if
-     * specified.
-     *
-     * @param dependency the dependency being analyzed
-     * @param pom the POM data
-     * @param pomProperties the properties file associated with the pom
-     */
-    private void addPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
-        if (pom == null) {
-            return;
-        }
-        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        if (groupid != null && !groupid.isEmpty()) {
-            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
-                groupid = groupid.substring(4);
-            }
-            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
-            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
-        }
-        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
-        if (artifactid != null && !artifactid.isEmpty()) {
-            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
-                artifactid = artifactid.substring(4);
-            }
-            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
-        }
-        final String version = interpolateString(pom.getVersion(), pomProperties);
-        if (version != null && !version.isEmpty()) {
-            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
-        }
-
-        final Parent parent = pom.getParent(); //grab parent GAV
-        if (parent != null) {
-            final String parentGroupId = interpolateString(parent.getGroupId(), pomProperties);
-            if (parentGroupId != null && !parentGroupId.isEmpty()) {
-                if (groupid == null || groupid.isEmpty()) {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.HIGH);
-                } else {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.MEDIUM);
-                }
-                dependency.getProductEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.LOW);
-            }
-            final String parentArtifactId = interpolateString(parent.getArtifactId(), pomProperties);
-            if (parentArtifactId != null && !parentArtifactId.isEmpty()) {
-                if (artifactid == null || artifactid.isEmpty()) {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.HIGH);
-                } else {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.MEDIUM);
-                }
-                dependency.getVendorEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.LOW);
-            }
-            final String parentVersion = interpolateString(parent.getVersion(), pomProperties);
-            if (parentVersion != null && !parentVersion.isEmpty()) {
-                if (version == null || version.isEmpty()) {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.HIGH);
-                } else {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.LOW);
-                }
-            }
-        }
-        // org name
-        final Organization org = pom.getOrganization();
-        if (org != null && org.getName() != null) {
-            final String orgName = interpolateString(org.getName(), pomProperties);
-            if (orgName != null && !orgName.isEmpty()) {
-                dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
-            }
-        }
-        //pom name
-        final String pomName = interpolateString(pom.getName(), pomProperties);
-        if (pomName != null && !pomName.isEmpty()) {
-            dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-        }
-
-        //Description
-        if (pom.getDescription() != null) {
-            final String description = interpolateString(pom.getDescription(), pomProperties);
-            if (description != null && !description.isEmpty()) {
-                addDescription(dependency, description, "pom", "description");
-            }
-        }
-        extractLicense(pom, pomProperties, dependency);
-    }
-
    /**
     * Extracts the license information from the pom and adds it to the dependency.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java
@@ -29,6 +29,7 @@ import java.util.regex.Pattern;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 *
@@ -36,9 +37,14 @@ import org.owasp.dependencycheck.dependency.Dependency;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
+public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {

-    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(JavaScriptAnalyzer.class.getName());
+
+    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
    /**
     * The name of the analyzer.
     */
@@ -72,17 +78,6 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYZER_NAME;
    }

-    /**
-     * Returns whether or not this analyzer can process the given extension.
-     *
-     * @param extension the file extension to test for support.
-     * @return whether or not the specified file extension is supported by this analyzer.
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return EXTENSIONS.contains(extension);
-    }
-
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
@@ -93,6 +88,15 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
        return ANALYSIS_PHASE;
    }
    //</editor-fold>
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_JAVASCRIPT_ENABLED;
+    }

    /**
     * Loads a specified JavaScript file and collects information from the copyright information contained within.
@@ -102,8 +106,8 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
     * @throws AnalysisException is thrown if there is an error reading the JavaScript file.
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        BufferedReader fin = null;;
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        BufferedReader fin = null;
        try {
            //  /\*([^\*][^/]|[\r\n\f])+?\*/
            final Pattern extractComments = Pattern.compile("(/\\*([^*]|[\\r\\n]|(\\*+([^*/]|[\\r\\n])))*\\*+/)|(//.*)", Pattern.MULTILINE);
@@ -118,15 +122,20 @@ public class JavaScriptAnalyzer extends AbstractAnalyzer implements Analyzer {
            final String msg = String.format("Dependency file not found: '%s'", dependency.getActualFilePath());
            throw new AnalysisException(msg, ex);
        } catch (IOException ex) {
-            Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.SEVERE, null, ex);
+            LOGGER.log(Level.SEVERE, null, ex);
        } finally {
            if (fin != null) {
                try {
                    fin.close();
                } catch (IOException ex) {
-                    Logger.getLogger(JavaScriptAnalyzer.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
    }
+
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -30,6 +30,7 @@ import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;

 /**
@@ -46,20 +47,25 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author colezlaw
 */
-public class NexusAnalyzer extends AbstractAnalyzer {
+public class NexusAnalyzer extends AbstractFileTypeAnalyzer {

    /**
-     * The logger
+     * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
+     */
+    public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
+
+    /**
+     * The logger.
     */
    private static final Logger LOGGER = Logger.getLogger(NexusAnalyzer.class.getName());

    /**
-     * The name of the analyzer
+     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nexus Analyzer";

    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

@@ -68,40 +74,75 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     */
    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");

-    /**
-     * Whether this is actually enabled. Will get set during initialization.
-     */
-    private boolean enabled = false;
-
    /**
     * The Nexus Search to be set up for this analyzer.
     */
    private NexusSearch searcher;

+    /**
+     * Field indicating if the analyzer is enabled.
+     */
+    private final boolean enabled = checkEnabled();
+
+    /**
+     * Determines if this analyzer is enabled
+     *
+     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     */
+    private boolean checkEnabled() {
+        /* Enable this analyzer ONLY if the Nexus URL has been set to something
+         other than the default one (if it's the default one, we'll use the
+         central one) and it's enabled by the user.
+         */
+        boolean retval = false;
+        try {
+            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
+                LOGGER.info("Enabling Nexus analyzer");
+                retval = true;
+            } else {
+                LOGGER.fine("Nexus analyzer disabled, using Central instead");
+            }
+        } catch (InvalidSettingException ise) {
+            LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
+        }
+
+        return retval;
+    }
+
+    /**
+     * Determine whether to enable this analyzer or not.
+     *
+     * @return whether the analyzer should be enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
     * @throws Exception if there's an error during initialization
     */
    @Override
-    public void initialize() throws Exception {
-        enabled = Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED);
+    public void initializeFileTypeAnalyzer() throws Exception {
        LOGGER.fine("Initializing Nexus Analyzer");
-        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", enabled));
-        if (enabled) {
+        LOGGER.fine(String.format("Nexus Analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL);
            LOGGER.fine(String.format("Nexus Analyzer URL: %s", searchUrl));
            try {
                searcher = new NexusSearch(new URL(searchUrl));
                if (!searcher.preflightRequest()) {
                    LOGGER.warning("There was an issue getting Nexus status. Disabling analyzer.");
-                    enabled = false;
+                    setEnabled(false);
                }
            } catch (MalformedURLException mue) {
                // I know that initialize can throw an exception, but we'll
                // just disable the analyzer if the URL isn't valid
                LOGGER.warning(String.format("Property %s not a valid URL. Nexus Analyzer disabled", searchUrl));
-                enabled = false;
+                setEnabled(false);
            }
        }
    }
@@ -116,6 +157,16 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NEXUS_ENABLED;
+    }
+
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -136,17 +187,6 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        return SUPPORTED_EXTENSIONS;
    }

-    /**
-     * Determines whether the incoming extension is supported.
-     *
-     * @param extension the extension to check for support
-     * @return whether the extension is supported
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Performs the analysis.
     *
@@ -155,32 +195,19 @@ public class NexusAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        // Make a quick exit if this analyzer is disabled
-        if (!enabled) {
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        if (!isEnabled()) {
            return;
        }
-
        try {
            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
-            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
-            }
-            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
-            }
-            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
-            }
-            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
-            }
+            dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
        } catch (IllegalArgumentException iae) {
            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
            LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));
        } catch (FileNotFoundException fnfe) {
            //dependency.addAnalysisException(new AnalysisException("Artifact not found on repository"));
-            LOGGER.fine(String.format("Artificat not found in repository '%s'", dependency.getFileName()));
+            LOGGER.fine(String.format("Artifact not found in repository '%s'", dependency.getFileName()));
            LOGGER.log(Level.FINE, fnfe.getMessage(), fnfe);
        } catch (IOException ioe) {
            //dependency.addAnalysisException(new AnalysisException("Could not connect to repository", ioe));
@@ -188,5 +215,3 @@ public class NexusAnalyzer extends AbstractAnalyzer {
        }
    }
 }
-
-// vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -18,36 +18,40 @@
 package org.owasp.dependencycheck.analyzer;

 import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.IOException;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nuget.NugetPackage;
+import org.owasp.dependencycheck.data.nuget.NuspecParseException;
 import org.owasp.dependencycheck.data.nuget.NuspecParser;
 import org.owasp.dependencycheck.data.nuget.XPathNuspecParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * Analyzer which will parse a Nuspec file to gather module information.
 *
 * @author colezlaw
 */
-public class NuspecAnalyzer extends AbstractAnalyzer {
+public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {

    /**
-     * The logger
+     * The logger.
     */
    private static final Logger LOGGER = Logger.getLogger(NuspecAnalyzer.class.getName());

    /**
-     * The name of the analyzer
+     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Nuspec Analyzer";

    /**
-     * The phase in which the analyzer runs
+     * The phase in which the analyzer runs.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;

@@ -62,7 +66,7 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
     * @throws Exception if there's an error during initialization
     */
    @Override
-    public void initialize() throws Exception {
+    public void initializeFileTypeAnalyzer() throws Exception {
    }

    /**
@@ -75,6 +79,16 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        return ANALYZER_NAME;
    }

+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_NUSPEC_ENABLED;
+    }
+
    /**
     * Returns the analysis phase under which the analyzer runs.
     *
@@ -95,17 +109,6 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        return SUPPORTED_EXTENSIONS;
    }

-    /**
-     * Determines whether the incoming extension is supported.
-     *
-     * @param extension the extension to check for support
-     * @return whether the extension is supported
-     */
-    @Override
-    public boolean supportsExtension(String extension) {
-        return SUPPORTED_EXTENSIONS.contains(extension);
-    }
-
    /**
     * Performs the analysis.
     *
@@ -114,8 +117,8 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
     * @throws AnalysisException when there's an exception during analysis
     */
    @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.log(Level.INFO, "Checking Nuspec file {0}", dependency.toString());
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        LOGGER.log(Level.FINE, "Checking Nuspec file {0}", dependency.toString());
        try {
            final NuspecParser parser = new XPathNuspecParser();
            NugetPackage np = null;
@@ -123,11 +126,15 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
            try {
                fis = new FileInputStream(dependency.getActualFilePath());
                np = parser.parse(fis);
+            } catch (NuspecParseException ex) {
+                throw new AnalysisException(ex);
+            } catch (FileNotFoundException ex) {
+                throw new AnalysisException(ex);
            } finally {
                if (fis != null) {
                    try {
                        fis.close();
-                    } catch (Throwable e) {
+                    } catch (IOException e) {
                        LOGGER.fine("Error closing input stream");
                    }
                }
@@ -147,5 +154,3 @@ public class NuspecAnalyzer extends AbstractAnalyzer {
        }
    }
 }
-
-// vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -17,12 +17,11 @@
 */
 package org.owasp.dependencycheck.analyzer;

-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import java.io.IOException;
 import java.sql.SQLException;
 import java.util.List;
-import java.util.Set;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -62,6 +61,7 @@ public class NvdCveAnalyzer implements Analyzer {
    /**
     * Closes the data source.
     */
+    @Override
    public void close() {
        cveDB.close();
        cveDB = null;
@@ -96,6 +96,7 @@ public class NvdCveAnalyzer implements Analyzer {
     * @param engine The analysis engine
     * @throws AnalysisException is thrown if there is an issue analyzing the dependency
     */
+    @Override
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        for (Identifier id : dependency.getIdentifiers()) {
            if ("cpe".equals(id.getType())) {
@@ -108,15 +109,17 @@ public class NvdCveAnalyzer implements Analyzer {
                }
            }
        }
-    }
-
-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @return true.
-     */
-    public Set<String> getSupportedExtensions() {
-        return null;
+        for (Identifier id : dependency.getSuppressedIdentifiers()) {
+            if ("cpe".equals(id.getType())) {
+                try {
+                    final String value = id.getValue();
+                    final List<Vulnerability> vulns = cveDB.getVulnerabilities(value);
+                    dependency.getSuppressedVulnerabilities().addAll(vulns);
+                } catch (DatabaseException ex) {
+                    throw new AnalysisException(ex);
+                }
+            }
+        }
    }

    /**
@@ -124,34 +127,27 @@ public class NvdCveAnalyzer implements Analyzer {
     *
     * @return the name of this analyzer.
     */
+    @Override
    public String getName() {
        return "NVD CVE Analyzer";
    }

-    /**
-     * Returns true because this analyzer supports all dependency types.
-     *
-     * @param extension the file extension of the dependency being analyzed.
-     * @return true.
-     */
-    public boolean supportsExtension(String extension) {
-        return true;
-    }
-
    /**
     * Returns the analysis phase that this analyzer should run in.
     *
     * @return the analysis phase that this analyzer should run in.
     */
+    @Override
    public AnalysisPhase getAnalysisPhase() {
        return AnalysisPhase.FINDING_ANALYSIS;
    }

    /**
-     * Opens the NVD CVE Lucene Index.
+     * Opens the database used to gather NVD CVE data.
     *
     * @throws Exception is thrown if there is an issue opening the index.
     */
+    @Override
    public void initialize() throws Exception {
        this.open();
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -0,0 +1,151 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.central;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.NodeList;
+
+/**
+ * Class of methods to search Maven Central via Central.
+ *
+ * @author colezlaw
+ */
+public class CentralSearch {
+
+    /**
+     * The URL for the Central service
+     */
+    private final URL rootURL;
+
+    /**
+     * Whether to use the Proxy when making requests
+     */
+    private boolean useProxy;
+
+    /**
+     * Used for logging.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
+
+    /**
+     * Creates a NexusSearch for the given repository URL.
+     *
+     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
+     * it should end in /select)
+     */
+    public CentralSearch(URL rootURL) {
+        this.rootURL = rootURL;
+        if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
+            useProxy = true;
+            LOGGER.fine("Using proxy");
+        } else {
+            useProxy = false;
+            LOGGER.fine("Not using proxy");
+        }
+    }
+
+    /**
+     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a
+     * <code>MavenArtifact</code> is populated with the GAV.
+     *
+     * @param sha1 the SHA-1 hash string for which to search
+     * @return the populated Maven GAV.
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
+     * found.
+     */
+    public List<MavenArtifact> searchSha1(String sha1) throws IOException {
+        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
+            throw new IllegalArgumentException("Invalid SHA1 format");
+        }
+
+        final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
+
+        LOGGER.fine(String.format("Searching Central url %s", url.toString()));
+
+        // Determine if we need to use a proxy. The rules:
+        // 1) If the proxy is set, AND the setting is set to true, use the proxy
+        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
+        // or proxy is specifically set to false)
+        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+
+        conn.setDoOutput(true);
+
+        // JSON would be more elegant, but there's not currently a dependency
+        // on JSON, so don't want to add one just for this
+        conn.addRequestProperty("Accept", "application/xml");
+        conn.connect();
+
+        if (conn.getResponseCode() == 200) {
+            boolean missing = false;
+            try {
+                final DocumentBuilder builder = DocumentBuilderFactory
+                        .newInstance().newDocumentBuilder();
+                final Document doc = builder.parse(conn.getInputStream());
+                final XPath xpath = XPathFactory.newInstance().newXPath();
+                final String numFound = xpath.evaluate("/response/result/@numFound", doc);
+                if ("0".equals(numFound)) {
+                    missing = true;
+                } else {
+                    final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
+                    final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
+                    for (int i = 0; i < docs.getLength(); i++) {
+                        final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
+                        LOGGER.finest(String.format("GroupId: %s", g));
+                        final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
+                        LOGGER.finest(String.format("ArtifactId: %s", a));
+                        final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
+                        LOGGER.finest(String.format("Version: %s", v));
+                        result.add(new MavenArtifact(g, a, v, url.toString()));
+                    }
+
+                    return result;
+                }
+            } catch (Throwable e) {
+                // Anything else is jacked up XML stuff that we really can't recover
+                // from well
+                throw new IOException(e.getMessage(), e);
+            }
+
+            if (missing) {
+                throw new FileNotFoundException("Artifact not found in Central");
+            }
+        } else {
+            final String msg = String.format("Could not connect to Central received response code: %d %s",
+                    conn.getResponseCode(), conn.getResponseMessage());
+            LOGGER.fine(msg);
+            throw new IOException(msg);
+        }
+
+        return null;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
@@ -0,0 +1,14 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.central</title>
+ * </head>
+ * <body>
+ * <p>
+ * Contains classes related to searching Maven Central.</p>
+ * <p>
+ * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.data.central;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -55,10 +55,14 @@ import org.owasp.dependencycheck.utils.Pair;
 */
 public final class CpeMemoryIndex {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CpeMemoryIndex.class.getName());
    /**
     * singleton instance.
     */
-    private static CpeMemoryIndex instance = new CpeMemoryIndex();
+    private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();

    /**
     * private constructor for singleton.
@@ -72,7 +76,7 @@ public final class CpeMemoryIndex {
     * @return the instance of the CpeMemoryIndex
     */
    public static CpeMemoryIndex getInstance() {
-        return instance;
+        return INSTANCE;
    }
    /**
     * The in memory Lucene index.
@@ -110,18 +114,20 @@ public final class CpeMemoryIndex {
     * @throws IndexException thrown if there is an error creating the index
     */
    public void open(CveDB cve) throws IndexException {
-        if (!openState) {
-            index = new RAMDirectory();
-            buildIndex(cve);
-            try {
-                indexReader = DirectoryReader.open(index);
-            } catch (IOException ex) {
-                throw new IndexException(ex);
+        synchronized (INSTANCE) {
+            if (!openState) {
+                index = new RAMDirectory();
+                buildIndex(cve);
+                try {
+                    indexReader = DirectoryReader.open(index);
+                } catch (IOException ex) {
+                    throw new IndexException(ex);
+                }
+                indexSearcher = new IndexSearcher(indexReader);
+                searchingAnalyzer = createSearchingAnalyzer();
+                queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
+                openState = true;
            }
-            indexSearcher = new IndexSearcher(indexReader);
-            searchingAnalyzer = createSearchingAnalyzer();
-            queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
-            openState = true;
        }
    }
    /**
@@ -157,7 +163,7 @@ public final class CpeMemoryIndex {
     */
    @SuppressWarnings("unchecked")
    private Analyzer createSearchingAnalyzer() {
-        final Map fieldAnalyzers = new HashMap();
+        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
@@ -197,7 +203,7 @@ public final class CpeMemoryIndex {
            try {
                indexReader.close();
            } catch (IOException ex) {
-                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
            indexReader = null;
        }
@@ -229,7 +235,7 @@ public final class CpeMemoryIndex {
                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
                }
            } catch (DatabaseException ex) {
-                Logger.getLogger(CpeMemoryIndex.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
                throw new IndexException("Error reading CPE data", ex);
            }
        } catch (CorruptIndexException ex) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public abstract class Fields {
+public final class Fields {

    /**
     * The key for the name document id.
@@ -36,7 +36,10 @@ public abstract class Fields {
     * The key for the product field.
     */
    public static final String PRODUCT = "product";
+
    /**
-     * The key for the version field.
+     * Private constructor as this is more of an enumeration rather then a full class.
     */
+    private Fields() {
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
@@ -30,6 +30,11 @@ import java.util.logging.Logger;
 */
 public final class CweDB {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
+
    /**
     * Empty private constructor as this is a utility class.
     */
@@ -52,19 +57,21 @@ public final class CweDB {
            final String filePath = "data/cwe.hashmap.serialized";
            final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
            oin = new ObjectInputStream(input);
-            return (HashMap<String, String>) oin.readObject();
+            @SuppressWarnings("unchecked")
+            final HashMap<String, String> ret = (HashMap<String, String>) oin.readObject();
+            return ret;
        } catch (ClassNotFoundException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
-            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
        } catch (IOException ex) {
-            Logger.getLogger(CweDB.class.getName()).log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
-            Logger.getLogger(CweDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, "Unable to load CWE data due to an IO Error. This should not be an issue.");
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            if (oin != null) {
                try {
                    oin.close();
                } catch (IOException ex) {
-                    Logger.getLogger(CweDB.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
@@ -36,7 +36,10 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
-
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(UrlTokenizingFilter.class.getName());
    /**
     * Constructs a new VersionTokenizingFilter.
     *
@@ -67,7 +70,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
                            final List<String> data = UrlStringUtils.extractImportantUrlData(part);
                            tokens.addAll(data);
                        } catch (MalformedURLException ex) {
-                            Logger.getLogger(UrlTokenizingFilter.class.getName()).log(Level.FINE, "error parsing " + part, ex);
+                            LOGGER.log(Level.FINE, "error parsing " + part, ex);
                            tokens.add(part);
                        }
                    } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -21,7 +21,6 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.HttpURLConnection;
 import java.net.URL;
-import java.net.URLConnection;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
@@ -65,7 +64,7 @@ public class NexusSearch {
    public NexusSearch(URL rootURL) {
        this.rootURL = rootURL;
        try {
-            if (null != Settings.getString(Settings.KEYS.PROXY_URL)
+            if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
                useProxy = true;
                LOGGER.fine("Using proxy");
@@ -84,7 +83,7 @@ public class NexusSearch {
     *
     * @param sha1 The SHA-1 hash string for which to search
     * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repositor or if the specified artifact is not
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
     * found.
     */
    public MavenArtifact searchSha1(String sha1) throws IOException {
@@ -102,8 +101,7 @@ public class NexusSearch {
        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
        // or proxy is specifically
        // set to false
-        URLConnection conn = null;
-        conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);

        conn.setDoOutput(true);

@@ -112,36 +110,40 @@ public class NexusSearch {
        conn.addRequestProperty("Accept", "application/xml");
        conn.connect();

-        try {
-            final DocumentBuilder builder = DocumentBuilderFactory
-                    .newInstance().newDocumentBuilder();
-            final Document doc = builder.parse(conn.getInputStream());
-            final XPath xpath = XPathFactory.newInstance().newXPath();
-            final String groupId = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
-                            doc);
-            final String artifactId = xpath.evaluate(
-                    "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
-                    doc);
-            final String version = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/version",
-                            doc);
-            final String link = xpath
-                    .evaluate(
-                            "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
-                            doc);
-            return new MavenArtifact(groupId, artifactId, version, link);
-        } catch (FileNotFoundException fnfe) {
-            /* This is what we get when the SHA1 they sent doesn't exist in
-             * Nexus. This is useful upstream for recovery, so we just re-throw it
-             */
-            throw fnfe;
-        } catch (Throwable e) {
-            // Anything else is jacked-up XML stuff that we really can't recover
-            // from well
-            throw new IOException(e.getMessage(), e);
+        if (conn.getResponseCode() == 200) {
+            try {
+                final DocumentBuilder builder = DocumentBuilderFactory
+                        .newInstance().newDocumentBuilder();
+                final Document doc = builder.parse(conn.getInputStream());
+                final XPath xpath = XPathFactory.newInstance().newXPath();
+                final String groupId = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/groupId",
+                                doc);
+                final String artifactId = xpath.evaluate(
+                        "/org.sonatype.nexus.rest.model.NexusArtifact/artifactId",
+                        doc);
+                final String version = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/version",
+                                doc);
+                final String link = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
+                                doc);
+                return new MavenArtifact(groupId, artifactId, version, link);
+            } catch (Throwable e) {
+                // Anything else is jacked-up XML stuff that we really can't recover
+                // from well
+                throw new IOException(e.getMessage(), e);
+            }
+        } else if (conn.getResponseCode() == 404) {
+            throw new FileNotFoundException("Artifact not found in Nexus");
+        } else {
+            final String msg = String.format("Could not connect to Nexus received response code: %d %s",
+                    conn.getResponseCode(), conn.getResponseMessage());
+            LOGGER.fine(msg);
+            throw new IOException(msg);
        }
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/NuspecParseException.java
@@ -56,7 +56,7 @@ public class NuspecParseException extends Exception {
     * Note that the detail message associated with <code>cause</code> is <em>not</em>
     * automatically incorporated in this exception's detail message.
     *
-     * @param message the detail message (whcih is saved for later retrieval by the
+     * @param message the detail message (which is saved for later retrieval by the
     * {@link java.lang.Throwable#getMessage()} method.
     * @param cause the cause (which is saved for later retrieval by the {@link java.lang.Throwable#getCause()} method).
     * (A <code>null</code> value is permitted, and indicates that the cause is nonexistent or unknown).
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -43,10 +43,14 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public final class ConnectionFactory {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ConnectionFactory.class.getName());
    /**
     * The version of the current DB Schema.
     */
-    public static final String DB_SCHEMA_VERSION = "2.9";
+    public static final String DB_SCHEMA_VERSION = Settings.getString(Settings.KEYS.DB_VERSION);
    /**
     * Resource location for SQL file used to create the database schema.
     */
@@ -90,17 +94,17 @@ public final class ConnectionFactory {
            //load the driver if necessary
            final String driverName = Settings.getString(Settings.KEYS.DB_DRIVER_NAME, "");
            if (!driverName.isEmpty()) { //likely need to load the correct driver
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver: {0}", driverName);
+                LOGGER.log(Level.FINE, "Loading driver: {0}", driverName);
                final String driverPath = Settings.getString(Settings.KEYS.DB_DRIVER_PATH, "");
                try {
                    if (!driverPath.isEmpty()) {
-                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading driver from: {0}", driverPath);
+                        LOGGER.log(Level.FINE, "Loading driver from: {0}", driverPath);
                        driver = DriverLoader.load(driverName, driverPath);
                    } else {
                        driver = DriverLoader.load(driverName);
                    }
                } catch (DriverLoadException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to load database driver", ex);
+                    LOGGER.log(Level.FINE, "Unable to load database driver", ex);
                    throw new DatabaseException("Unable to load database driver");
                }
            }
@@ -108,25 +112,28 @@ public final class ConnectionFactory {
            //yes, yes - hard-coded password - only if there isn't one in the properties file.
            password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
            try {
-                connectionString = getConnectionString();
+                connectionString = Settings.getConnectionString(
+                        Settings.KEYS.DB_CONNECTION_STRING,
+                        Settings.KEYS.DB_FILE_NAME,
+                        Settings.KEYS.DB_VERSION);
            } catch (IOException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                LOGGER.log(Level.FINE,
                        "Unable to retrieve the database connection string", ex);
                throw new DatabaseException("Unable to retrieve the database connection string");
            }
            boolean shouldCreateSchema = false;
            try {
                if (connectionString.startsWith("jdbc:h2:file:")) { //H2
-                    shouldCreateSchema = !dbSchemaExists();
-                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
+                    shouldCreateSchema = !h2DataFileExists();
+                    LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
                }
            } catch (IOException ioex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to verify database exists", ioex);
+                LOGGER.log(Level.FINE, "Unable to verify database exists", ioex);
                throw new DatabaseException("Unable to verify database exists");
            }
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Loading database connection");
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Connection String: {0}", connectionString);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Database User: {0}", userName);
+            LOGGER.log(Level.FINE, "Loading database connection");
+            LOGGER.log(Level.FINE, "Connection String: {0}", connectionString);
+            LOGGER.log(Level.FINE, "Database User: {0}", userName);

            try {
                conn = DriverManager.getConnection(connectionString, userName, password);
@@ -136,14 +143,14 @@ public final class ConnectionFactory {
                    try {
                        conn = DriverManager.getConnection(connectionString, userName, password);
                        Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE,
+                        LOGGER.log(Level.FINE,
                                "Unable to start the database in server mode; reverting to single user mode");
                    } catch (SQLException sqlex) {
-                        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                        LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
                        throw new DatabaseException("Unable to connect to the database");
                    }
                } else {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Unable to connect to the database", ex);
+                    LOGGER.log(Level.FINE, "Unable to connect to the database", ex);
                    throw new DatabaseException("Unable to connect to the database");
                }
            }
@@ -152,14 +159,14 @@ public final class ConnectionFactory {
                try {
                    createTables(conn);
                } catch (DatabaseException dex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    LOGGER.log(Level.FINE, null, dex);
                    throw new DatabaseException("Unable to create the database structure");
                }
            } else {
                try {
                    ensureSchemaVersion(conn);
                } catch (DatabaseException dex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, dex);
+                    LOGGER.log(Level.FINE, null, dex);
                    throw new DatabaseException("Database schema does not match this version of dependency-check");
                }
            }
@@ -168,7 +175,7 @@ public final class ConnectionFactory {
                try {
                    conn.close();
                } catch (SQLException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured closing the connection", ex);
+                    LOGGER.log(Level.FINE, "An error occurred closing the connection", ex);
                }
            }
        }
@@ -184,7 +191,10 @@ public final class ConnectionFactory {
            try {
                DriverManager.deregisterDriver(driver);
            } catch (SQLException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "An error occured unloading the databse driver", ex);
+                LOGGER.log(Level.FINE, "An error occurred unloading the database driver", ex);
+            } catch (Throwable unexpected) {
+                LOGGER.log(Level.FINE,
+                        "An unexpected throwable occurred unloading the database driver", unexpected);
            }
            driver = null;
        }
@@ -205,57 +215,23 @@ public final class ConnectionFactory {
        try {
            conn = DriverManager.getConnection(connectionString, userName, password);
        } catch (SQLException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException("Unable to connect to the database");
        }
        return conn;
    }

-    /**
-     * Returns the configured connection string. If using the embedded H2 database this function will also ensure the
-     * data directory exists and if not create it.
-     *
-     * @return the connection string
-     * @throws IOException thrown the data directory cannot be created
-     */
-    private static String getConnectionString() throws IOException {
-        final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
-        if (connStr.contains("%s")) {
-            final String directory = getDataDirectory().getCanonicalPath();
-            final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
-            return String.format(connStr, dataFile.getAbsolutePath());
-        }
-        return connStr;
-    }
-
-    /**
-     * Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
-     * for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
-     *
-     * @return the data directory to store data files
-     * @throws IOException is thrown if an IOException occurs of course...
-     */
-    public static File getDataDirectory() throws IOException {
-        final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
-        if (!path.exists()) {
-            if (!path.mkdirs()) {
-                throw new IOException("Unable to create NVD CVE Data directory");
-            }
-        }
-        return path;
-    }
-
    /**
     * Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
     *
     * @return true if the H2 database file does not exist; otherwise false
     * @throws IOException thrown if the data directory does not exist and cannot be created
     */
-    private static boolean dbSchemaExists() throws IOException {
-        final File dir = getDataDirectory();
-        final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
-        final File file = new File(dir, name);
+    private static boolean h2DataFileExists() throws IOException {
+        final File dir = Settings.getDataDirectory();
+        final String name = Settings.getString(Settings.KEYS.DB_FILE_NAME);
+        final String fileName = String.format(name, DB_SCHEMA_VERSION);
+        final File file = new File(dir, fileName);
        return file.exists();
    }

@@ -266,7 +242,7 @@ public final class ConnectionFactory {
     * @throws DatabaseException thrown if there is a Database Exception
     */
    private static void createTables(Connection conn) throws DatabaseException {
-        Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, "Creating database structure");
+        LOGGER.log(Level.FINE, "Creating database structure");
        InputStream is;
        InputStreamReader reader;
        BufferedReader in = null;
@@ -284,7 +260,7 @@ public final class ConnectionFactory {
                statement = conn.createStatement();
                statement.execute(sb.toString());
            } catch (SQLException ex) {
-                Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
                throw new DatabaseException("Unable to create database statement", ex);
            } finally {
                DBUtils.closeStatement(statement);
@@ -296,7 +272,7 @@ public final class ConnectionFactory {
                try {
                    in.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, null, ex);
                }
            }
        }
@@ -323,7 +299,7 @@ public final class ConnectionFactory {
                throw new DatabaseException("Database schema is missing");
            }
        } catch (SQLException ex) {
-            Logger.getLogger(ConnectionFactory.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException("Unable to check the database schema version");
        } finally {
            DBUtils.closeResultSet(rs);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;

+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -39,6 +40,7 @@ import org.owasp.dependencycheck.utils.DBUtils;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.Pair;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * The database holding information about the NVD CVE data.
@@ -47,6 +49,10 @@ import org.owasp.dependencycheck.utils.Pair;
 */
 public class CveDB {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CveDB.class.getName());
    /**
     * Database connection
     */
@@ -83,7 +89,9 @@ public class CveDB {
     * @throws DatabaseException thrown if there is an error opening the database connection
     */
    public final void open() throws DatabaseException {
-        conn = ConnectionFactory.getConnection();
+        if (!isOpen()) {
+            conn = ConnectionFactory.getConnection();
+        }
    }

    /**
@@ -95,12 +103,12 @@ public class CveDB {
                conn.close();
            } catch (SQLException ex) {
                final String msg = "There was an error attempting to close the CveDB, see the log for more details.";
-                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            } catch (Throwable ex) {
                final String msg = "There was an exception attempting to close the CveDB, see the log for more details.";
-                Logger.getLogger(DBUtils.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
            conn = null;
        }
@@ -135,7 +143,7 @@ public class CveDB {
    @Override
    @SuppressWarnings("FinalizeDeclaration")
    protected void finalize() throws Throwable {
-        Logger.getLogger(DBUtils.class.getName()).log(Level.FINE, "Entering finalize");
+        LOGGER.log(Level.FINE, "Entering finalize");
        close();
        super.finalize();
    }
@@ -244,6 +252,7 @@ public class CveDB {
    /**
     * SQL Statement to retrieve a property from the database.
     */
+    @SuppressWarnings("unused")
    private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
    /**
     * SQL Statement to insert a new property.
@@ -256,6 +265,7 @@ public class CveDB {
    /**
     * SQL Statement to delete a property.
     */
+    @SuppressWarnings("unused")
    private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";

    //</editor-fold>
@@ -284,8 +294,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeResultSet(rs);
            DBUtils.closeStatement(ps);
@@ -300,14 +310,14 @@ public class CveDB {
     * @throws DatabaseException thrown when there is an error retrieving the data from the DB
     */
    public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
-        final HashSet data = new HashSet<Pair<String, String>>();
+        final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
        ResultSet rs = null;
        PreparedStatement ps = null;
        try {
            ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
            rs = ps.executeQuery();
            while (rs.next()) {
-                data.add(new Pair(rs.getString(1), rs.getString(2)));
+                data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
@@ -336,8 +346,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeStatement(ps);
            DBUtils.closeResultSet(rs);
@@ -358,8 +368,8 @@ public class CveDB {
                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
                insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                return;
            }
            for (Entry<Object, Object> entry : props.entrySet()) {
@@ -374,8 +384,8 @@ public class CveDB {
                    }
                } catch (SQLException ex) {
                    final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
-                    Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
-                    Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+                    LOGGER.log(Level.WARNING, msg);
+                    LOGGER.log(Level.FINE, null, ex);
                }
            }
        } finally {
@@ -397,8 +407,8 @@ public class CveDB {
            try {
                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                return;
            }
            try {
@@ -408,8 +418,8 @@ public class CveDB {
                    try {
                        insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
                    } catch (SQLException ex) {
-                        Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, "Unable to save properties to the database");
-                        Logger.getLogger(CveDB.class.getName()).log(Level.FINE, "Unable to save properties to the database", ex);
+                        LOGGER.log(Level.WARNING, "Unable to save properties to the database");
+                        LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
                        return;
                    }
                    insertProperty.setString(1, key);
@@ -418,8 +428,8 @@ public class CveDB {
                }
            } catch (SQLException ex) {
                final String msg = String.format("Unable to save property '%s' with a value of '%s' to the database", key, value);
-                Logger.getLogger(CveDB.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, null, ex);
            }
        } finally {
            DBUtils.closeStatement(updateProperty);
@@ -440,7 +450,7 @@ public class CveDB {
        try {
            cpe.parseName(cpeStr);
        } catch (UnsupportedEncodingException ex) {
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
        }
        final DependencyVersion detectedVersion = parseDependencyVersion(cpe);
        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
@@ -678,7 +688,7 @@ public class CveDB {

        } catch (SQLException ex) {
            final String msg = String.format("Error updating '%s'", vuln.getName());
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new DatabaseException(msg, ex);
        } finally {
            DBUtils.closeStatement(selectVulnerabilityId);
@@ -694,6 +704,43 @@ public class CveDB {
        }
    }

+    /**
+     * Checks to see if data exists so that analysis can be performed.
+     *
+     * @return <code>true</code> if data exists; otherwise <code>false</code>
+     */
+    public boolean dataExists() {
+        Statement cs = null;
+        ResultSet rs = null;
+        try {
+            cs = conn.createStatement();
+            rs = cs.executeQuery("SELECT COUNT(*) records FROM cpeEntry");
+            if (rs.next()) {
+                if (rs.getInt(1) > 0) {
+                    return true;
+                }
+            }
+        } catch (SQLException ex) {
+            String dd;
+            try {
+                dd = Settings.getDataDirectory().getAbsolutePath();
+            } catch (IOException ex1) {
+                dd = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            }
+            final String msg = String.format("Unable to access the local database.%n%nEnsure that '%s' is a writable directory. "
+                    + "If the problem persist try deleting the files in '%s' and running %s again. If the problem continues, please "
+                    + "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
+                    + "https://github.com/jeremylong/DependencyCheck/issues and include the log file.%n%n",
+                    dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(cs);
+        }
+        return false;
+    }
+
    /**
     * It is possible that orphaned rows may be generated during database updates. This should be called after all
     * updates have been completed to ensure orphan entries are removed.
@@ -707,8 +754,8 @@ public class CveDB {
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
-            Logger.getLogger(CveDB.class.getName()).log(Level.SEVERE, msg);
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } finally {
            DBUtils.closeStatement(ps);
        }
@@ -725,13 +772,15 @@ public class CveDB {
     * @param previous a flag indicating if previous versions of the product are vulnerable
     * @return true if the identified version is affected, otherwise false
     */
-    private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
+    protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
        boolean affected = false;
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion v = parseDependencyVersion(cpeId);
        final boolean prevAffected = previous != null && !previous.isEmpty();
-        if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
-            if (v == null || "-".equals(v.toString())) {
+        if (v == null || "-".equals(v.toString())) { //all versions
+            affected = true;
+        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
+            if (prevAffected) {
                affected = true;
            }
        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
@@ -763,7 +812,7 @@ public class CveDB {
            cpe.parseName(cpeStr);
        } catch (UnsupportedEncodingException ex) {
            //never going to happen.
-            Logger.getLogger(CveDB.class.getName()).log(Level.FINEST, null, ex);
+            LOGGER.log(Level.FINEST, null, ex);
        }
        return parseDependencyVersion(cpe);
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -17,7 +17,6 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;

-import com.hazelcast.logging.Logger;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
 import java.util.Date;
@@ -26,6 +25,7 @@ import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.TreeMap;
 import java.util.logging.Level;
+import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;

@@ -36,6 +36,10 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
 */
 public class DatabaseProperties {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DatabaseProperties.class.getName());
    /**
     * Modified key word, used as a key to store information about the modified file (i.e. the containing the last 8
     * days of updates)..
@@ -87,7 +91,7 @@ public class DatabaseProperties {
    }

    /**
-     * Writes a properties file containing the last updated date to the VULNERABLE_CPE directory.
+     * Saves the last updated information to the properties file.
     *
     * @param updatedValue the updated NVD CVE entry
     * @throws UpdateException is thrown if there is an update exception
@@ -96,8 +100,19 @@ public class DatabaseProperties {
        if (updatedValue == null) {
            return;
        }
-        properties.put(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
-        cveDB.saveProperty(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+        save(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+    }
+
+    /**
+     * Saves the key value pair to the properties store.
+     *
+     * @param key the property key
+     * @param value the property value
+     * @throws UpdateException is thrown if there is an update exception
+     */
+    public void save(String key, String value) throws UpdateException {
+        properties.put(key, value);
+        cveDB.saveProperty(key, value);
    }

    /**
@@ -138,8 +153,8 @@ public class DatabaseProperties {
     *
     * @return a map of the database meta data
     */
-    public Map getMetaData() {
-        final TreeMap map = new TreeMap();
+    public Map<String, String> getMetaData() {
+        final TreeMap<String, String> map = new TreeMap<String, String>();
        for (Entry<Object, Object> entry : properties.entrySet()) {
            final String key = (String) entry.getKey();
            if (!"version".equals(key)) {
@@ -150,12 +165,12 @@ public class DatabaseProperties {
                        final DateFormat format = new SimpleDateFormat("dd/MM/yyyy HH:mm:ss");
                        final String formatted = format.format(date);
                        map.put(key, formatted);
-                    } catch (Throwable ex) { //deliberatly being broad in this catch clause
-                        Logger.getLogger(DatabaseProperties.class.getName()).log(Level.FINE, "Unable to parse timestamp from DB", ex);
-                        map.put(key, entry.getValue());
+                    } catch (Throwable ex) { //deliberately being broad in this catch clause
+                        LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
+                        map.put(key, (String) entry.getValue());
                    }
                } else {
-                    map.put(key, entry.getValue());
+                    map.put(key, (String) entry.getValue());
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
@@ -37,6 +37,11 @@ import java.util.logging.Logger;
 */
 public final class DriverLoader {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DriverLoader.class.getName());
+
    /**
     * Private constructor for a utility class.
     */
@@ -58,7 +63,7 @@ public final class DriverLoader {
    /**
     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
     * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
-     * loaded. Note, the pathTodriver can contain a semi-colon separated list of paths so any dependencies can be added
+     * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
     * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
     * class path.
     *
@@ -83,7 +88,7 @@ public final class DriverLoader {
                    } catch (MalformedURLException ex) {
                        final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
                                className, f.getAbsoluteFile());
-                        Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+                        LOGGER.log(Level.FINE, msg, ex);
                        throw new DriverLoadException(msg, ex);
                    }
                }
@@ -93,7 +98,7 @@ public final class DriverLoader {
                } catch (MalformedURLException ex) {
                    final String msg = String.format("Unable to load database driver '%s'; invalid path provided '%s'",
                            className, file.getAbsoluteFile());
-                    Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+                    LOGGER.log(Level.FINE, msg, ex);
                    throw new DriverLoadException(msg, ex);
                }
            }
@@ -127,19 +132,19 @@ public final class DriverLoader {
            return shim;
        } catch (ClassNotFoundException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (InstantiationException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (IllegalAccessException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        } catch (SQLException ex) {
            final String msg = String.format("Unable to load database driver '%s'", className);
-            Logger.getLogger(DriverLoader.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DriverLoadException(msg, ex);
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java
@@ -39,6 +39,10 @@ import java.util.logging.Logger;
 */
 class DriverShim implements Driver {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DriverShim.class.getName());
    /**
     * The database driver being wrapped.
     */
@@ -123,11 +127,11 @@ class DriverShim implements Driver {
            try {
                return (Logger) m.invoke(m);
            } catch (IllegalAccessException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            } catch (IllegalArgumentException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            } catch (InvocationTargetException ex) {
-                Logger.getLogger(DriverShim.class.getName()).log(Level.FINER, null, ex);
+                LOGGER.log(Level.FINER, null, ex);
            }
        }
        throw new SQLFeatureNotSupportedException();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
@@ -0,0 +1,214 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.update;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Date;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.io.IOUtils;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.utils.DateUtil;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.owasp.dependencycheck.utils.URLConnectionFailureException;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class EngineVersionCheck implements CachedWebDataSource {
+
+    /**
+     * Static logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EngineVersionCheck.class.getName());
+    /**
+     * The property key indicating when the last version check occurred.
+     */
+    public static final String ENGINE_VERSION_CHECKED_ON = "VersionCheckOn";
+    /**
+     * The property key indicating when the last version check occurred.
+     */
+    public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease";
+    /**
+     * Reference to the Cve Database.
+     */
+    private CveDB cveDB = null;
+
+    /**
+     * The version retrieved from the database properties or web to check against.
+     */
+    private String updateToVersion;
+
+    /**
+     * Getter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     *
+     * @return the version to test
+     */
+    protected String getUpdateToVersion() {
+        return updateToVersion;
+    }
+
+    /**
+     * Setter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     *
+     * @param version the version to test
+     */
+    protected void setUpdateToVersion(String version) {
+        updateToVersion = version;
+    }
+
+    @Override
+    public void update() throws UpdateException {
+        try {
+            openDatabase();
+            LOGGER.fine("Begin Engine Version Check");
+            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+            final long now = (new Date()).getTime();
+            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+            LOGGER.fine("Last checked: " + lastChecked);
+            LOGGER.fine("Now: " + now);
+            LOGGER.fine("Current version: " + currentVersion);
+            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+            if (updateNeeded) {
+                final String msg = String.format("A new version of dependency-check is available. Consider updating to version %s.",
+                        updateToVersion);
+                LOGGER.warning(msg);
+            }
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.FINE, "Database Exception opening databases to retrieve properties", ex);
+            throw new UpdateException("Error occured updating database properties.");
+        } finally {
+            closeDatabase();
+        }
+    }
+
+    /**
+     * Determines if a new version of the dependency-check engine has been released.
+     *
+     * @param lastChecked the epoch time of the last version check
+     * @param now the current epoch time
+     * @param properties the database properties object
+     * @param currentVersion the current version of dependency-check
+     * @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
+     * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the
+     * local database.
+     */
+    protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
+            String currentVersion) throws UpdateException {
+        //check every 30 days if we know there is an update, otherwise check every 7 days
+        int checkRange = 30;
+        if (updateToVersion.isEmpty()) {
+            checkRange = 7;
+        }
+        if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
+            LOGGER.fine("Checking web for new version.");
+            final String currentRelease = getCurrentReleaseVersion();
+            if (currentRelease != null) {
+                final DependencyVersion v = new DependencyVersion(currentRelease);
+                if (v.getVersionParts() != null && v.getVersionParts().size() >= 3) {
+                    updateToVersion = v.toString();
+                    if (!currentRelease.equals(updateToVersion)) {
+                        properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
+                    } else {
+                        properties.save(CURRENT_ENGINE_RELEASE, "");
+                    }
+                    properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
+                }
+            }
+            LOGGER.log(Level.FINE, "Current Release: {0}", updateToVersion);
+        }
+        final DependencyVersion running = new DependencyVersion(currentVersion);
+        final DependencyVersion released = new DependencyVersion(updateToVersion);
+        if (running.compareTo(released) < 0) {
+            LOGGER.fine("Upgrade recommended");
+            return true;
+        }
+        LOGGER.fine("Upgrade not needed");
+        return false;
+    }
+
+    /**
+     * Opens the CVE and CPE data stores.
+     *
+     * @throws DatabaseException thrown if a data store cannot be opened
+     */
+    protected final void openDatabase() throws DatabaseException {
+        if (cveDB != null) {
+            return;
+        }
+        cveDB = new CveDB();
+        cveDB.open();
+    }
+
+    /**
+     * Closes the CVE and CPE data stores.
+     */
+    protected void closeDatabase() {
+        if (cveDB != null) {
+            try {
+                cveDB.close();
+            } catch (Throwable ignore) {
+                LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
+            }
+        }
+    }
+
+    /**
+     * Retrieves the current released version number from the github documentation site.
+     *
+     * @return the current released version number
+     */
+    protected String getCurrentReleaseVersion() {
+        HttpURLConnection conn = null;
+        try {
+            final String str = Settings.getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "http://jeremylong.github.io/DependencyCheck/current.txt");
+            final URL url = new URL(str);
+            conn = URLConnectionFactory.createHttpURLConnection(url);
+            conn.connect();
+            if (conn.getResponseCode() != 200) {
+                return null;
+            }
+            final String releaseVersion = IOUtils.toString(conn.getInputStream(), "UTF-8");
+            if (releaseVersion != null) {
+                return releaseVersion.trim();
+            }
+        } catch (MalformedURLException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } catch (URLConnectionFailureException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } finally {
+            if (conn != null) {
+                conn.disconnect();
+            }
+        }
+        return null;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -22,6 +22,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * Class responsible for updating the NVD CVE and CPE data stores.
@@ -30,6 +31,11 @@ import org.owasp.dependencycheck.utils.DownloadFailedException;
 */
 public class NvdCveUpdater implements CachedWebDataSource {

+    /**
+     * The logger
+     */
+    private static final Logger LOGGER = Logger.getLogger(NvdCveUpdater.class.getName());
+
    /**
     * <p>
     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.</p>
@@ -44,13 +50,17 @@ public class NvdCveUpdater implements CachedWebDataSource {
                task.update();
            }
        } catch (MalformedURLException ex) {
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
+            LOGGER.log(Level.WARNING,
                    "NVD CVE properties files contain an invalid URL, unable to update the data to use the most current data.");
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (DownloadFailedException ex) {
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.WARNING,
-                    "Unable to download the NVD CVE data, unable to update the data to use the most current data.");
-            Logger.getLogger(NvdCveUpdater.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING,
+                    "Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
+            if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
+                LOGGER.log(Level.INFO,
+                        "If you are behind a proxy you may need to configure dependency-check to use the proxy.");
+            }
+            LOGGER.log(Level.FINE, null, ex);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
+import org.owasp.dependencycheck.data.update.task.DownloadTask;
 import org.owasp.dependencycheck.data.update.task.ProcessTask;
+import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -47,6 +48,10 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class StandardUpdate {

+    /**
+     * Static logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(StandardUpdate.class.getName());
    /**
     * The max thread pool size to use when downloading files.
     */
@@ -104,7 +109,7 @@ public class StandardUpdate {
                return;
            }
            if (maxUpdates > 3) {
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO,
+                LOGGER.log(Level.INFO,
                        "NVD CVE requires several updates; this could take a couple of minutes.");
            }
            if (maxUpdates > 0) {
@@ -118,7 +123,7 @@ public class StandardUpdate {
            final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
            for (NvdCveInfo cve : updateable) {
                if (cve.getNeedsUpdate()) {
-                    final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB);
+                    final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
                    downloadFutures.add(downloadExecutors.submit(call));
                }
            }
@@ -134,19 +139,19 @@ public class StandardUpdate {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();

-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download", ex);
                    throw new UpdateException("The download was interrupted", ex);
                } catch (ExecutionException ex) {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();

-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download execution", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download execution", ex);
                    throw new UpdateException("The execution of the download was interrupted", ex);
                }
                if (task == null) {
                    downloadExecutors.shutdownNow();
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during download");
+                    LOGGER.log(Level.FINE, "Thread was interrupted during download");
                    throw new UpdateException("The download was interrupted; unable to complete the update");
                } else {
                    processFutures.add(task);
@@ -161,11 +166,11 @@ public class StandardUpdate {
                    }
                } catch (InterruptedException ex) {
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Thread was interrupted during processing", ex);
+                    LOGGER.log(Level.FINE, "Thread was interrupted during processing", ex);
                    throw new UpdateException(ex);
                } catch (ExecutionException ex) {
                    processExecutor.shutdownNow();
-                    Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Execution Exception during process", ex);
+                    LOGGER.log(Level.FINE, "Execution Exception during process", ex);
                    throw new UpdateException(ex);
                } finally {
                    processExecutor.shutdown();
@@ -174,7 +179,9 @@ public class StandardUpdate {

            if (maxUpdates >= 1) { //ensure the modified file date gets written (we may not have actually updated it)
                properties.save(updateable.get(MODIFIED));
+                LOGGER.log(Level.INFO, "Begin database maintenance.");
                cveDB.cleanupDatabase();
+                LOGGER.log(Level.INFO, "End database maintenance.");
            }
        } finally {
            closeDataStores();
@@ -197,10 +204,10 @@ public class StandardUpdate {
            updates = retrieveCurrentTimestampsFromWeb();
        } catch (InvalidDataException ex) {
            final String msg = "Unable to retrieve valid timestamp from nvd cve downloads page";
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new DownloadFailedException(msg, ex);
        } catch (InvalidSettingException ex) {
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
+            LOGGER.log(Level.FINE, "Invalid setting found when retrieving timestamps", ex);
            throw new DownloadFailedException("Invalid settings", ex);
        }

@@ -214,7 +221,7 @@ public class StandardUpdate {
                final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
                if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
                    updates.clear(); //we don't need to update anything.
-                } else if (withinRange(lastUpdated, now.getTime(), days)) {
+                } else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
                    for (NvdCveInfo entry : updates) {
                        if (MODIFIED.equals(entry.getId())) {
                            entry.setNeedsUpdate(true);
@@ -233,9 +240,7 @@ public class StandardUpdate {
                            } catch (NumberFormatException ex) {
                                final String msg = String.format("Error parsing '%s' '%s' from nvdcve.lastupdated",
                                        DatabaseProperties.LAST_UPDATED_BASE, entry.getId());
-                                Logger
-                                        .getLogger(StandardUpdate.class
-                                                .getName()).log(Level.FINE, msg, ex);
+                                LOGGER.log(Level.FINE, msg, ex);
                            }
                            if (currentTimestamp == entry.getTimestamp()) {
                                entry.setNeedsUpdate(false);
@@ -245,8 +250,8 @@ public class StandardUpdate {
                }
            } catch (NumberFormatException ex) {
                final String msg = "An invalid schema version or timestamp exists in the data.properties file.";
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "", ex);
+                LOGGER.log(Level.WARNING, msg);
+                LOGGER.log(Level.FINE, "", ex);
            }
        }
        return updates;
@@ -290,7 +295,7 @@ public class StandardUpdate {
            try {
                cveDB.close();
            } catch (Throwable ignore) {
-                Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINEST, "Error closing the cveDB", ignore);
+                LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
            }
        }
    }
@@ -309,23 +314,8 @@ public class StandardUpdate {
            cveDB.open();
        } catch (DatabaseException ex) {
            closeDataStores();
-            Logger.getLogger(StandardUpdate.class.getName()).log(Level.FINE, "Database Exception opening databases", ex);
+            LOGGER.log(Level.FINE, "Database Exception opening databases", ex);
            throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
        }
    }
-
-    /**
-     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
-     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
-     * is considered valid.
-     *
-     * @param date the date to be checked.
-     * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
-     * @return whether or not the date is within the range.
-     */
-    protected boolean withinRange(long date, long compareTo, int range) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
-        return differenceInDays < range;
-    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java
@@ -21,37 +21,25 @@ import java.util.Iterator;
 import java.util.ServiceLoader;

 /**
+ * The CachedWebDataSource Service Loader. This class loads all services that implement
+ * org.owasp.dependencycheck.data.update.CachedWebDataSource.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class UpdateService {
+public class UpdateService {

-    /**
-     * the singleton reference to the service.
-     */
-    private static UpdateService service;
    /**
     * the service loader for CachedWebDataSource.
     */
    private final ServiceLoader<CachedWebDataSource> loader;

    /**
-     * Creates a new instance of UpdateService
-     */
-    private UpdateService() {
-        loader = ServiceLoader.load(CachedWebDataSource.class);
-    }
-
-    /**
-     * Retrieve the singleton instance of UpdateService.
+     * Creates a new instance of UpdateService.
     *
-     * @return a singleton UpdateService.
+     * @param classLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     */
-    public static synchronized UpdateService getInstance() {
-        if (service == null) {
-            service = new UpdateService();
-        }
-        return service;
+    public UpdateService(ClassLoader classLoader) {
+        loader = ServiceLoader.load(CachedWebDataSource.class, classLoader);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
@@ -18,6 +18,9 @@
 package org.owasp.dependencycheck.data.update.task;

 import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URL;
 import java.util.concurrent.Callable;
@@ -25,8 +28,11 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.zip.GZIPInputStream;
+import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.Settings;
@@ -36,7 +42,12 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
+public class DownloadTask implements Callable<Future<ProcessTask>> {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DownloadTask.class.getName());

    /**
     * Simple constructor for the callable download task.
@@ -44,11 +55,15 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
     * @param nvdCveInfo the NVD CVE info
     * @param processor the processor service to submit the downloaded files to
     * @param cveDB the CVE DB to use to store the vulnerability data
+     * @param settings a reference to the global settings object; this is necessary so that when the thread is started
+     * the dependencies have a correct reference to the global settings.
+     * @throws UpdateException thrown if temporary files could not be created
     */
-    public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB) {
+    public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
        this.nvdCveInfo = nvdCveInfo;
        this.processorService = processor;
        this.cveDB = cveDB;
+        this.settings = settings;

        final File file1;
        final File file2;
@@ -57,7 +72,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
        } catch (IOException ex) {
-            return;
+            throw new UpdateException("Unable to create temporary files", ex);
        }
        this.first = file1;
        this.second = file2;
@@ -75,6 +90,10 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
     * The NVD CVE Meta Data.
     */
    private NvdCveInfo nvdCveInfo;
+    /**
+     * A reference to the global settings object.
+     */
+    private Settings settings;

    /**
     * Get the value of nvdCveInfo.
@@ -163,30 +182,45 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
    @Override
    public Future<ProcessTask> call() throws Exception {
        try {
+            Settings.setInstance(settings);
            final URL url1 = new URL(nvdCveInfo.getUrl());
            final URL url2 = new URL(nvdCveInfo.getOldSchemaVersionUrl());
            String msg = String.format("Download Started for NVD CVE - %s", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
+            LOGGER.log(Level.INFO, msg);
            try {
                Downloader.fetchFile(url1, first);
                Downloader.fetchFile(url2, second);
            } catch (DownloadFailedException ex) {
                msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
-                Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
-                Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.WARNING, msg);
+                if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
+                    LOGGER.log(Level.INFO,
+                            "If you are behind a proxy you may need to configure dependency-check to use the proxy.");
+                }
+                LOGGER.log(Level.FINE, null, ex);
                return null;
            }
+            if (url1.toExternalForm().endsWith(".xml.gz")) {
+                extractGzip(first);
+            }
+            if (url2.toExternalForm().endsWith(".xml.gz")) {
+                extractGzip(second);
+            }

            msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.INFO, msg);
-
-            final ProcessTask task = new ProcessTask(cveDB, this);
+            LOGGER.log(Level.INFO, msg);
+            if (this.processorService == null) {
+                return null;
+            }
+            final ProcessTask task = new ProcessTask(cveDB, this, settings);
            return this.processorService.submit(task);

        } catch (Throwable ex) {
            final String msg = String.format("An exception occurred downloading NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(CallableDownloadTask.class.getName()).log(Level.FINE, "Download Task Failed", ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "Download Task Failed", ex);
+        } finally {
+            Settings.cleanup(false);
        }
        return null;
    }
@@ -216,4 +250,56 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
            }
        }
    }
+
+    /**
+     * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
+     * specified.
+     *
+     * @param file the archive file
+     * @throws FileNotFoundException thrown if the file does not exist
+     * @throws IOException thrown if there is an error extracting the file.
+     */
+    private void extractGzip(File file) throws FileNotFoundException, IOException {
+        final String originalPath = file.getPath();
+        final File gzip = new File(originalPath + ".gz");
+        if (gzip.isFile() && !gzip.delete()) {
+            gzip.deleteOnExit();
+        }
+        if (!file.renameTo(gzip)) {
+            throw new IOException("Unable to rename '" + file.getPath() + "'");
+        }
+        final File newfile = new File(originalPath);
+
+        final byte[] buffer = new byte[4096];
+
+        GZIPInputStream cin = null;
+        FileOutputStream out = null;
+        try {
+            cin = new GZIPInputStream(new FileInputStream(gzip));
+            out = new FileOutputStream(newfile);
+
+            int len;
+            while ((len = cin.read(buffer)) > 0) {
+                out.write(buffer, 0, len);
+            }
+        } finally {
+            if (cin != null) {
+                try {
+                    cin.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+            if (gzip.isFile()) {
+                FileUtils.deleteQuietly(gzip);
+            }
+        }
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
@@ -32,11 +32,11 @@ import javax.xml.parsers.SAXParserFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
-import org.owasp.dependencycheck.data.update.StandardUpdate;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.data.update.xml.NvdCve12Handler;
 import org.owasp.dependencycheck.data.update.xml.NvdCve20Handler;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.Settings;
 import org.xml.sax.SAXException;

 /**
@@ -46,6 +46,10 @@ import org.xml.sax.SAXException;
 */
 public class ProcessTask implements Callable<ProcessTask> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ProcessTask.class.getName());
    /**
     * A field to store any update exceptions that occur during the "call".
     */
@@ -75,22 +79,29 @@ public class ProcessTask implements Callable<ProcessTask> {
    /**
     * A reference to the callable download task.
     */
-    private final CallableDownloadTask filePair;
+    private final DownloadTask filePair;
    /**
     * A reference to the properties.
     */
    private final DatabaseProperties properties;
+    /**
+     * A reference to the global settings object.
+     */
+    private Settings settings;

    /**
     * Constructs a new ProcessTask used to process an NVD CVE update.
     *
     * @param cveDB the data store object
     * @param filePair the download task that contains the URL references to download
+     * @param settings a reference to the global settings object; this is necessary so that when the thread is started
+     * the dependencies have a correct reference to the global settings.
     */
-    public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair) {
+    public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
        this.cveDB = cveDB;
        this.filePair = filePair;
        this.properties = cveDB.getDatabaseProperties();
+        this.settings = settings;
    }

    /**
@@ -103,9 +114,12 @@ public class ProcessTask implements Callable<ProcessTask> {
    @Override
    public ProcessTask call() throws Exception {
        try {
+            Settings.setInstance(settings);
            processFiles();
        } catch (UpdateException ex) {
            this.exception = ex;
+        } finally {
+            Settings.cleanup(false);
        }
        return this;
    }
@@ -145,7 +159,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     */
    private void processFiles() throws UpdateException {
        String msg = String.format("Processing Started for NVD CVE - %s", filePair.getNvdCveInfo().getId());
-        Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
+        LOGGER.log(Level.INFO, msg);
        try {
            importXML(filePair.getFirst(), filePair.getSecond());
            cveDB.commit();
@@ -168,6 +182,6 @@ public class ProcessTask implements Callable<ProcessTask> {
            filePair.cleanup();
        }
        msg = String.format("Processing Complete for NVD CVE - %s", filePair.getNvdCveInfo().getId());
-        Logger.getLogger(StandardUpdate.class.getName()).log(Level.INFO, msg);
+        LOGGER.log(Level.INFO, msg);
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve20Handler.java
@@ -40,6 +40,10 @@ import org.xml.sax.helpers.DefaultHandler;
 */
 public class NvdCve20Handler extends DefaultHandler {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(NvdCve20Handler.class.getName());
    /**
     * the current supported schema version.
     */
@@ -168,8 +172,8 @@ public class NvdCve20Handler extends DefaultHandler {
                final float score = Float.parseFloat(nodeText.toString());
                vulnerability.setCvssScore(score);
            } catch (NumberFormatException ex) {
-                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.SEVERE, "Error parsing CVSS Score.");
-                Logger.getLogger(NvdCve20Handler.class.getName()).log(Level.FINE, null, ex);
+                LOGGER.log(Level.SEVERE, "Error parsing CVSS Score.");
+                LOGGER.log(Level.FINE, null, ex);
            }
            nodeText = null;
        } else if (current.isCVSSAccessVectorNode()) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -19,12 +19,14 @@ package org.owasp.dependencycheck.dependency;

 import java.io.File;
 import java.io.IOException;
+import java.io.Serializable;
 import java.security.NoSuchAlgorithmException;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileUtils;

@@ -35,8 +37,12 @@ import org.owasp.dependencycheck.utils.FileUtils;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Dependency implements Comparable<Dependency> {
+public class Dependency implements Serializable, Comparable<Dependency> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(Dependency.class.getName());
    /**
     * The actual file path of the dependency on disk.
     */
@@ -87,6 +93,8 @@ public class Dependency implements Comparable<Dependency> {
        versionEvidence = new EvidenceCollection();
        identifiers = new TreeSet<Identifier>();
        vulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
+        suppressedIdentifiers = new TreeSet<Identifier>();
+        suppressedVulnerabilities = new TreeSet<Vulnerability>(new VulnerabilityComparator());
    }

    /**
@@ -106,16 +114,26 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Returns the file name of the dependency.
     *
-     * @return the file name of the dependency.
+     * @return the file name of the dependency
     */
    public String getFileName() {
        return this.fileName;
    }

+    /**
+     * Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack
+     * as I could not get the replace to work in the template itself.
+     *
+     * @return the file name of the dependency with the backslash escaped for use in JavaScript
+     */
+    public String getFileNameForJavaScript() {
+        return this.fileName.replace("\\", "\\\\");
+    }
+
    /**
     * Sets the file name of the dependency.
     *
-     * @param fileName the file name of the dependency.
+     * @param fileName the file name of the dependency
     */
    public void setFileName(String fileName) {
        this.fileName = fileName;
@@ -124,7 +142,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the actual file path of the dependency on disk.
     *
-     * @param actualFilePath the file path of the dependency.
+     * @param actualFilePath the file path of the dependency
     */
    public void setActualFilePath(String actualFilePath) {
        this.actualFilePath = actualFilePath;
@@ -137,7 +155,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets the file path of the dependency.
     *
-     * @return the file path of the dependency.
+     * @return the file path of the dependency
     */
    public String getActualFilePath() {
        return this.actualFilePath;
@@ -146,7 +164,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets a reference to the File object.
     *
-     * @return the File object.
+     * @return the File object
     */
    public File getActualFile() {
        return new File(this.actualFilePath);
@@ -155,12 +173,39 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the file path of the dependency.
     *
-     * @param filePath the file path of the dependency.
+     * @param filePath the file path of the dependency
     */
    public void setFilePath(String filePath) {
        this.filePath = filePath;
    }

+    /**
+     * The file name to display in reports.
+     */
+    private String displayName = null;
+
+    /**
+     * Sets the file name to display in reports.
+     *
+     * @param displayName the name to display
+     */
+    public void setDisplayFileName(String displayName) {
+        this.displayName = displayName;
+    }
+
+    /**
+     * Returns the file name to display in reports; if no display file name has been set it will default to the actual
+     * file name.
+     *
+     * @return the file name to display
+     */
+    public String getDisplayFileName() {
+        if (displayName == null) {
+            return this.fileName;
+        }
+        return this.displayName;
+    }
+
    /**
     * <p>
     * Gets the file path of the dependency.</p>
@@ -168,7 +213,7 @@ public class Dependency implements Comparable<Dependency> {
     * <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
     * obtained via the getActualFilePath().</p>
     *
-     * @return the file path of the dependency.
+     * @return the file path of the dependency
     */
    public String getFilePath() {
        return this.filePath;
@@ -177,7 +222,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets the file name of the dependency.
     *
-     * @param fileExtension the file name of the dependency.
+     * @param fileExtension the file name of the dependency
     */
    public void setFileExtension(String fileExtension) {
        this.fileExtension = fileExtension;
@@ -186,7 +231,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Gets the file extension of the dependency.
     *
-     * @return the file extension of the dependency.
+     * @return the file extension of the dependency
     */
    public String getFileExtension() {
        return this.fileExtension;
@@ -231,7 +276,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Returns a List of Identifiers.
     *
-     * @return an ArrayList of Identifiers.
+     * @return an ArrayList of Identifiers
     */
    public Set<Identifier> getIdentifiers() {
        return this.identifiers;
@@ -240,7 +285,7 @@ public class Dependency implements Comparable<Dependency> {
    /**
     * Sets a List of Identifiers.
     *
-     * @param identifiers A list of Identifiers.
+     * @param identifiers A list of Identifiers
     */
    public void setIdentifiers(Set<Identifier> identifiers) {
        this.identifiers = identifiers;
@@ -272,6 +317,41 @@ public class Dependency implements Comparable<Dependency> {
        this.identifiers.add(i);
    }

+    /**
+     * Adds the maven artifact as evidence.
+     *
+     * @param source The source of the evidence
+     * @param mavenArtifact The maven artifact
+     * @param confidence The confidence level of this evidence
+     */
+    public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
+        if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) {
+            this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
+        }
+        if (mavenArtifact.getArtifactId() != null && !mavenArtifact.getArtifactId().isEmpty()) {
+            this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
+        }
+        if (mavenArtifact.getVersion() != null && !mavenArtifact.getVersion().isEmpty()) {
+            this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
+        }
+        if (mavenArtifact.getArtifactUrl() != null && !mavenArtifact.getArtifactUrl().isEmpty()) {
+            boolean found = false;
+            for (Identifier i : this.getIdentifiers()) {
+                if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
+                    found = true;
+                    i.setConfidence(Confidence.HIGHEST);
+                    i.setUrl(mavenArtifact.getArtifactUrl());
+                    LOGGER.fine(String.format("Already found identifier %s. Confidence set to highest", i.getValue()));
+                    break;
+                }
+            }
+            if (!found) {
+                LOGGER.fine(String.format("Adding new maven identifier %s", mavenArtifact.toString()));
+                this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
+            }
+        }
+    }
+
    /**
     * Adds an entry to the list of detected Identifiers for the dependency file.
     *
@@ -281,6 +361,70 @@ public class Dependency implements Comparable<Dependency> {
        this.identifiers.add(identifier);
    }

+    /**
+     * A set of identifiers that have been suppressed.
+     */
+    private Set<Identifier> suppressedIdentifiers;
+
+    /**
+     * Get the value of suppressedIdentifiers.
+     *
+     * @return the value of suppressedIdentifiers
+     */
+    public Set<Identifier> getSuppressedIdentifiers() {
+        return suppressedIdentifiers;
+    }
+
+    /**
+     * Set the value of suppressedIdentifiers.
+     *
+     * @param suppressedIdentifiers new value of suppressedIdentifiers
+     */
+    public void setSuppressedIdentifiers(Set<Identifier> suppressedIdentifiers) {
+        this.suppressedIdentifiers = suppressedIdentifiers;
+    }
+
+    /**
+     * Adds an identifier to the list of suppressed identifiers.
+     *
+     * @param identifier an identifier that was suppressed.
+     */
+    public void addSuppressedIdentifier(Identifier identifier) {
+        this.suppressedIdentifiers.add(identifier);
+    }
+
+    /**
+     * A set of vulnerabilities that have been suppressed.
+     */
+    private SortedSet<Vulnerability> suppressedVulnerabilities;
+
+    /**
+     * Get the value of suppressedVulnerabilities.
+     *
+     * @return the value of suppressedVulnerabilities
+     */
+    public SortedSet<Vulnerability> getSuppressedVulnerabilities() {
+        return suppressedVulnerabilities;
+    }
+
+    /**
+     * Set the value of suppressedVulnerabilities.
+     *
+     * @param suppressedVulnerabilities new value of suppressedVulnerabilities
+     */
+    public void setSuppressedVulnerabilities(SortedSet<Vulnerability> suppressedVulnerabilities) {
+        this.suppressedVulnerabilities = suppressedVulnerabilities;
+    }
+
+    /**
+     * Adds a vulnerability to the set of suppressed vulnerabilities.
+     *
+     * @param vulnerability the vulnerability that was suppressed
+     */
+    public void addSuppressedVulnerability(Vulnerability vulnerability) {
+        this.suppressedVulnerabilities.add(vulnerability);
+    }
+
    /**
     * Returns the evidence used to identify this dependency.
     *
@@ -290,6 +434,15 @@ public class Dependency implements Comparable<Dependency> {
        return EvidenceCollection.merge(this.productEvidence, this.vendorEvidence, this.versionEvidence);
    }

+    /**
+     * Returns the evidence used to identify this dependency.
+     *
+     * @return an EvidenceCollection.
+     */
+    public Set<Evidence> getEvidenceForDisplay() {
+        return EvidenceCollection.mergeForDisplay(this.productEvidence, this.vendorEvidence, this.versionEvidence);
+    }
+
    /**
     * Returns the evidence used to identify this dependency.
     *
@@ -325,6 +478,7 @@ public class Dependency implements Comparable<Dependency> {
    public EvidenceCollection getVersionEvidence() {
        return this.versionEvidence;
    }
+
    /**
     * The description of the JAR file.
     */
@@ -347,6 +501,7 @@ public class Dependency implements Comparable<Dependency> {
    public void setDescription(String description) {
        this.description = description;
    }
+
    /**
     * The license that this dependency uses.
     */
@@ -369,6 +524,7 @@ public class Dependency implements Comparable<Dependency> {
    public void setLicense(String license) {
        this.license = license;
    }
+
    /**
     * A list of vulnerabilities for this dependency.
     */
@@ -405,12 +561,12 @@ public class Dependency implements Comparable<Dependency> {
            sha1 = Checksum.getSHA1Checksum(file);
        } catch (IOException ex) {
            final String msg = String.format("Unable to read '%s' to determine hashes.", file.getName());
-            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        } catch (NoSuchAlgorithmException ex) {
            final String msg = "Unable to use MD5 of SHA1 checksums.";
-            Logger.getLogger(Dependency.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(Dependency.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
        }
        this.setMd5sum(md5);
        this.setSha1sum(sha1);
@@ -424,6 +580,7 @@ public class Dependency implements Comparable<Dependency> {
    public void addVulnerability(Vulnerability vulnerability) {
        this.vulnerabilities.add(vulnerability);
    }
+
    /**
     * A collection of related dependencies.
     */
@@ -453,7 +610,14 @@ public class Dependency implements Comparable<Dependency> {
     * @param dependency a reference to the related dependency
     */
    public void addRelatedDependency(Dependency dependency) {
-        relatedDependencies.add(dependency);
+        if (this == dependency) {
+            LOGGER.warning("Attempted to add a circular reference - please post the log file to issue #172 here "
+                    + "https://github.com/jeremylong/DependencyCheck/issues/172 ");
+            LOGGER.log(Level.FINE, "this: {0}", this.toString());
+            LOGGER.log(Level.FINE, "dependency: {0}", dependency.toString());
+        } else {
+            relatedDependencies.add(dependency);
+        }
    }

    /**
@@ -463,7 +627,7 @@ public class Dependency implements Comparable<Dependency> {
     * @return an integer representing the natural ordering
     */
    public int compareTo(Dependency o) {
-        return this.getFileName().compareToIgnoreCase(o.getFileName());
+        return this.getFilePath().compareToIgnoreCase(o.getFilePath());
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -17,12 +17,14 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
+
 /**
 * Evidence is a piece of information about a Dependency.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Evidence implements Comparable<Evidence> {
+public class Evidence implements Serializable, Comparable<Evidence> {

    /**
     * Creates a new Evidence object.
@@ -220,22 +222,95 @@ public class Evidence implements Comparable<Evidence> {
     * @return an integer indicating the ordering of the two objects
     */
    public int compareTo(Evidence o) {
-        if (source.equals(o.source)) {
-            if (name.equals(o.name)) {
-                if (value.equals(o.value)) {
-                    if (confidence.equals(o.confidence)) {
+        if (o == null) {
+            return 1;
+        }
+        if (equalsWithNullCheck(source, o.source)) {
+            if (equalsWithNullCheck(name, o.name)) {
+                if (equalsWithNullCheck(value, o.value)) {
+                    if (equalsWithNullCheck(confidence, o.confidence)) {
                        return 0; //they are equal
                    } else {
-                        return confidence.compareTo(o.confidence);
+                        return compareToWithNullCheck(confidence, o.confidence);
                    }
                } else {
-                    return value.compareToIgnoreCase(o.value);
+                    return compareToIgnoreCaseWithNullCheck(value, o.value);
                }
            } else {
-                return name.compareToIgnoreCase(o.name);
+                return compareToIgnoreCaseWithNullCheck(name, o.name);
            }
        } else {
-            return source.compareToIgnoreCase(o.source);
+            return compareToIgnoreCaseWithNullCheck(source, o.source);
        }
    }
+
+    /**
+     * Equality check with an exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private boolean equalsWithNullCheck(String me, String other) {
+        if (me == null && other == null) {
+            return true;
+        } else if (me == null || other == null) {
+            return false;
+        }
+        return me.equals(other);
+    }
+
+    /**
+     * Equality check with an exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private boolean equalsWithNullCheck(Confidence me, Confidence other) {
+        if (me == null && other == null) {
+            return true;
+        } else if (me == null || other == null) {
+            return false;
+        }
+        return me.equals(other);
+    }
+
+    /**
+     * Wrapper around {@link java.lang.String#compareToIgnoreCase(java.lang.String) String.compareToIgnoreCase} with an
+     * exhaustive, possibly duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private int compareToIgnoreCaseWithNullCheck(String me, String other) {
+        if (me == null && other == null) {
+            return 0;
+        } else if (me == null) {
+            return -1; //the other string is greater then me
+        } else if (other == null) {
+            return 1; //me is greater then the other string
+        }
+        return me.compareToIgnoreCase(other);
+    }
+
+    /**
+     * Wrapper around {@link java.lang.Enum#compareTo(java.lang.Enum) Enum.compareTo} with an exhaustive, possibly
+     * duplicative, check against nulls.
+     *
+     * @param me the value to be compared
+     * @param other the other value to be compared
+     * @return true if the values are equal; otherwise false
+     */
+    private int compareToWithNullCheck(Confidence me, Confidence other) {
+        if (me == null && other == null) {
+            return 0;
+        } else if (me == null) {
+            return -1; //the other string is greater then me
+        } else if (other == null) {
+            return 1; //me is greater then the other string
+        }
+        return me.compareTo(other);
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
 import java.net.MalformedURLException;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -36,8 +37,12 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class EvidenceCollection implements Iterable<Evidence> {
+public class EvidenceCollection implements Serializable, Iterable<Evidence> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EvidenceCollection.class.getName());
    /**
     * Used to iterate over highest confidence evidence contained in the collection.
     */
@@ -307,6 +312,26 @@ public class EvidenceCollection implements Iterable<Evidence> {
        return ret;
    }

+    /**
+     * Merges multiple EvidenceCollections together; flattening all of the evidence items by removing the confidence.
+     *
+     * @param ec One or more EvidenceCollections
+     * @return new set of evidence resulting from merging the evidence in the collections
+     */
+    public static Set<Evidence> mergeForDisplay(EvidenceCollection... ec) {
+        final Set<Evidence> ret = new TreeSet<Evidence>();
+        for (EvidenceCollection col : ec) {
+            for (Evidence e : col) {
+                if (e.isUsed()) {
+                    final Evidence newEvidence = new Evidence(e.getSource(), e.getName(), e.getValue(), null);
+                    newEvidence.setUsed(true);
+                    ret.add(newEvidence);
+                }
+            }
+        }
+        return ret;
+    }
+
    /**
     * Returns a string of evidence 'values'.
     *
@@ -360,7 +385,7 @@ public class EvidenceCollection implements Iterable<Evidence> {
                    final List<String> data = UrlStringUtils.extractImportantUrlData(part);
                    sb.append(' ').append(StringUtils.join(data, ' '));
                } catch (MalformedURLException ex) {
-                    Logger.getLogger(EvidenceCollection.class.getName()).log(Level.FINE, "error parsing " + part, ex);
+                    LOGGER.log(Level.FINE, "error parsing " + part, ex);
                    sb.append(' ').append(part);
                }
            } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
@@ -17,11 +17,22 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
+
 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Identifier implements Comparable<Identifier> {
+public class Identifier implements Serializable, Comparable<Identifier> {
+
+    /**
+     * Default constructor. Should only be used for automatic class
+     * creation as is the case with many XML parsers (for the parsing
+     * of the Dependency-Check XML report). For all other use-cases,
+     * please use the non-default constructors.
+     */
+    public Identifier() {
+    }

    /**
     * Constructs a new Identifier with the specified data.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/VulnerableSoftware.java
@@ -31,6 +31,10 @@ import org.owasp.dependencycheck.data.cpe.IndexEntry;
 */
 public class VulnerableSoftware extends IndexEntry implements Serializable, Comparable<VulnerableSoftware> {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(VulnerableSoftware.class.getName());
    /**
     * The serial version UID.
     */
@@ -46,8 +50,8 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
            parseName(cpe);
        } catch (UnsupportedEncodingException ex) {
            final String msg = String.format("Character encoding is unsupported for CPE '%s'.", cpe);
-            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.WARNING, msg);
-            Logger.getLogger(VulnerableSoftware.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, null, ex);
            setName(cpe);
        }
    }
@@ -73,19 +77,19 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
        if (cpeName != null && cpeName.length() > 7) {
            final String[] data = cpeName.substring(7).split(":");
            if (data.length >= 1) {
-                this.setVendor(URLDecoder.decode(data[0].replace("+", "%2B"), "UTF-8"));
+                this.setVendor(urlDecode(data[0]));
            }
            if (data.length >= 2) {
-                this.setProduct(URLDecoder.decode(data[1].replace("+", "%2B"), "UTF-8"));
+                this.setProduct(urlDecode(data[1]));
            }
            if (data.length >= 3) {
-                version = URLDecoder.decode(data[2].replace("+", "%2B"), "UTF-8");
+                version = urlDecode(data[2]);
            }
            if (data.length >= 4) {
-                revision = URLDecoder.decode(data[3].replace("+", "%2B"), "UTF-8");
+                revision = urlDecode(data[3]);
            }
            if (data.length >= 5) {
-                edition = URLDecoder.decode(data[4].replace("+", "%2B"), "UTF-8");
+                edition = urlDecode(data[4]);
            }
        }
    }
@@ -337,4 +341,25 @@ public class VulnerableSoftware extends IndexEntry implements Serializable, Comp
    public void setEdition(String edition) {
        this.edition = edition;
    }
+
+    /**
+     * Replaces '+' with '%2B' and then URL Decodes the string attempting first UTF-8, then ASCII, then default.
+     *
+     * @param string the string to URL Decode
+     * @return the URL Decoded string
+     */
+    private String urlDecode(String string) {
+        final String text = string.replace("+", "%2B");
+        String result;
+        try {
+            result = URLDecoder.decode(text, "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            try {
+                result = URLDecoder.decode(text, "ASCII");
+            } catch (UnsupportedEncodingException ex1) {
+                result = URLDecoder.decode(text);
+            }
+        }
+        return result;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
@@ -0,0 +1,68 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.exception;
+
+import java.io.IOException;
+
+/**
+ * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
+ *
+ * @author Steve Springett <steve.springett@owasp.org>
+ */
+public class ScanAgentException extends IOException {
+
+    /**
+     * The serial version uid.
+     */
+    private static final long serialVersionUID = 1L;
+
+    /**
+     * Creates a new ScanAgentException.
+     */
+    public ScanAgentException() {
+        super();
+    }
+
+    /**
+     * Creates a new ScanAgentException.
+     *
+     * @param msg a message for the exception.
+     */
+    public ScanAgentException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new ScanAgentException.
+     *
+     * @param ex the cause of the exception.
+     */
+    public ScanAgentException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new ScanAgentException.
+     *
+     * @param msg a message for the exception.
+     * @param ex the cause of the exception.
+     */
+    public ScanAgentException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/MavenNamespaceFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/MavenNamespaceFilter.java
@@ -56,16 +56,16 @@ public class MavenNamespaceFilter extends XMLFilterImpl {
     * @param uri the uri
     * @param localName the localName
     * @param qName the qualified name
-     * @param atts the attributes
+     * @param attributes the attributes
     * @throws SAXException thrown if there is a SAXException
     */
    @Override
-    public void startElement(String uri, String localName, String qName, Attributes atts) throws SAXException {
-        super.startElement(NAMESPACE, localName, qName, atts);
+    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
+        super.startElement(NAMESPACE, localName, qName, attributes);
    }

    /**
-     * Indicatees the start of the document.
+     * Indicates the start of the document.
     *
     * @param uri the uri
     * @param localName the localName
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/Model.java
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/EscapeTool.java
@@ -0,0 +1,74 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.reporting;
+
+import java.io.UnsupportedEncodingException;
+import java.net.URLEncoder;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.lang.StringEscapeUtils;
+
+/**
+ * An extremely simple wrapper around various escape utils to perform URL and HTML encoding within the reports. This
+ * class was created to simplify the velocity configuration and avoid using the "built-in" escape tool.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class EscapeTool {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EscapeTool.class.getName());
+
+    /**
+     * URL Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the URL encoded text
+     */
+    public String url(String text) {
+        try {
+            return URLEncoder.encode(text, "UTF-8");
+        } catch (UnsupportedEncodingException ex) {
+            LOGGER.log(Level.WARNING, "UTF-8 is not supported?");
+            LOGGER.log(Level.INFO, null, ex);
+        }
+        return "";
+    }
+
+    /**
+     * HTML Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the HTML encoded text
+     */
+    public String html(String text) {
+        return StringEscapeUtils.escapeHtml(text);
+    }
+
+    /**
+     * XML Encodes the provided text.
+     *
+     * @param text the text to encode
+     * @return the XML encoded text
+     */
+    public String xml(String text) {
+        return StringEscapeUtils.escapeXml(text);
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -26,15 +26,16 @@ import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.OutputStreamWriter;
+import java.text.DateFormat;
+import java.text.SimpleDateFormat;
+import java.util.Date;
 import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.velocity.VelocityContext;
 import org.apache.velocity.app.VelocityEngine;
 import org.apache.velocity.context.Context;
 import org.apache.velocity.runtime.RuntimeConstants;
-import org.apache.velocity.runtime.resource.loader.ClasspathResourceLoader;
-import org.apache.velocity.tools.ToolManager;
-import org.apache.velocity.tools.config.EasyFactoryConfiguration;
 import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -48,6 +49,11 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class ReportGenerator {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ReportGenerator.class.getName());
+
    /**
     * An enumeration of the report formats.
     */
@@ -93,11 +99,21 @@ public class ReportGenerator {

        engine.init();

+        final DateFormat dateFormat = new SimpleDateFormat("MMM d, yyyy 'at' HH:mm:ss z");
+        final DateFormat dateFormatXML = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSSZ");
+        final Date d = new Date();
+        final String scanDate = dateFormat.format(d);
+        final String scanDateXML = dateFormatXML.format(d);
+        final EscapeTool enc = new EscapeTool();
+
        context.put("applicationName", applicationName);
        context.put("dependencies", dependencies);
        context.put("analyzers", analyzers);
        context.put("properties", properties);
-        context.put("version", Settings.getString("application.version", "Unknown"));
+        context.put("scanDate", scanDate);
+        context.put("scanDateXML", scanDateXML);
+        context.put("enc", enc);
+        context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
    }

    /**
@@ -106,28 +122,39 @@ public class ReportGenerator {
     * @return a velocity engine.
     */
    private VelocityEngine createVelocityEngine() {
-        final VelocityEngine ve = new VelocityEngine();
-        ve.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
-        ve.setProperty(RuntimeConstants.RESOURCE_LOADER, "classpath");
-        ve.setProperty("classpath.resource.loader.class", ClasspathResourceLoader.class.getName());
-        return ve;
+        final VelocityEngine engine = new VelocityEngine();
+        // Logging redirection for Velocity - Required by Jenkins and other server applications
+        engine.setProperty(RuntimeConstants.RUNTIME_LOG_LOGSYSTEM_CLASS, VelocityLoggerRedirect.class.getName());
+        return engine;
    }

    /**
-     * Creates a new Velocity Context initialized with escape and date tools.
+     * Creates a new Velocity Context.
     *
     * @return a Velocity Context.
     */
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "RV_RETURN_VALUE_IGNORED_INFERRED",
-            justification = "No plan to fix this style issue")
    private Context createContext() {
-        final ToolManager manager = new ToolManager();
-        final Context c = manager.createContext();
-        final EasyFactoryConfiguration config = new EasyFactoryConfiguration();
-        config.addDefaultTools();
-        config.toolbox("application").tool("esc", "org.apache.velocity.tools.generic.EscapeTool").tool("org.apache.velocity.tools.generic.DateTool");
-        manager.configure(config);
-        return c;
+        return new VelocityContext();
+    }
+
+    /**
+     * Generates the Dependency Reports for the identified dependencies.
+     *
+     * @param outputStream the OutputStream to send the generated report to
+     * @param format the format the report should be written in
+     * @throws IOException is thrown when the template file does not exist
+     * @throws Exception is thrown if there is an error writing out the reports.
+     */
+    public void generateReports(OutputStream outputStream, Format format) throws IOException, Exception {
+        if (format == Format.XML || format == Format.ALL) {
+            generateReport("XmlReport", outputStream);
+        }
+        if (format == Format.HTML || format == Format.ALL) {
+            generateReport("HtmlReport", outputStream);
+        }
+        if (format == Format.VULN || format == Format.ALL) {
+            generateReport("VulnerabilityReport", outputStream);
+        }
    }

    /**
@@ -140,13 +167,13 @@ public class ReportGenerator {
     */
    public void generateReports(String outputDir, Format format) throws IOException, Exception {
        if (format == Format.XML || format == Format.ALL) {
-            generateReport("XmlReport", outputDir + File.separator + "DependencyCheck-Report.xml");
+            generateReport("XmlReport", outputDir + File.separator + "dependency-check-report.xml");
        }
        if (format == Format.HTML || format == Format.ALL) {
-            generateReport("HtmlReport", outputDir + File.separator + "DependencyCheck-Report.html");
+            generateReport("HtmlReport", outputDir + File.separator + "dependency-check-report.html");
        }
        if (format == Format.VULN || format == Format.ALL) {
-            generateReport("VulnerabilityReport", outputDir + File.separator + "DependencyCheck-Vulnerability.html");
+            generateReport("VulnerabilityReport", outputDir + File.separator + "dependency-check-vulnerability.html");
        }
    }

@@ -160,15 +187,28 @@ public class ReportGenerator {
     */
    public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
        final String format = outputFormat.toUpperCase();
+        final String pathToCheck = outputDir.toLowerCase();
        if (format.matches("^(XML|HTML|VULN|ALL)$")) {
            if ("XML".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.XML);
+                if (pathToCheck.endsWith(".xml")) {
+                    generateReport("XmlReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.XML);
+                }
            }
            if ("HTML".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.HTML);
+                if (pathToCheck.endsWith(".html") || pathToCheck.endsWith(".htm")) {
+                    generateReport("HtmlReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.HTML);
+                }
            }
            if ("VULN".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.VULN);
+                if (pathToCheck.endsWith(".html") || pathToCheck.endsWith(".htm")) {
+                    generateReport("VulnReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.VULN);
+                }
            }
            if ("ALL".equalsIgnoreCase(format)) {
                generateReports(outputDir, Format.ALL);
@@ -176,6 +216,70 @@ public class ReportGenerator {
        }
    }

+    /**
+     * Generates a report from a given Velocity Template. The template name provided can be the name of a template
+     * contained in the jar file, such as 'XmlReport' or 'HtmlReport', or the template name can be the path to a
+     * template file.
+     *
+     * @param templateName the name of the template to load.
+     * @param outputStream the OutputStream to write the report to.
+     * @throws IOException is thrown when the template file does not exist.
+     * @throws Exception is thrown when an exception occurs.
+     */
+    protected void generateReport(String templateName, OutputStream outputStream) throws IOException, Exception {
+        InputStream input = null;
+        String templatePath = null;
+        final File f = new File(templateName);
+        if (f.exists() && f.isFile()) {
+            try {
+                templatePath = templateName;
+                input = new FileInputStream(f);
+            } catch (FileNotFoundException ex) {
+                final String msg = "Unable to generate the report, the report template file could not be found.";
+                LOGGER.log(Level.SEVERE, msg);
+                LOGGER.log(Level.FINE, null, ex);
+            }
+        } else {
+            templatePath = "templates/" + templateName + ".vsl";
+            input = this.getClass().getClassLoader().getResourceAsStream(templatePath);
+        }
+        if (input == null) {
+            throw new IOException("Template file doesn't exist");
+        }
+
+        final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
+        OutputStreamWriter writer = null;
+
+        try {
+            writer = new OutputStreamWriter(outputStream, "UTF-8");
+
+            if (!engine.evaluate(context, writer, templatePath, reader)) {
+                throw new Exception("Failed to convert the template into html.");
+            }
+            writer.flush();
+        } finally {
+            if (writer != null) {
+                try {
+                    writer.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+            if (outputStream != null) {
+                try {
+                    outputStream.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, null, ex);
+                }
+            }
+            try {
+                reader.close();
+            } catch (IOException ex) {
+                LOGGER.log(Level.FINEST, null, ex);
+            }
+        }
+    }
+
    /**
     * Generates a report from a given Velocity Template. The template name provided can be the name of a template
     * contained in the jar file, such as 'XmlReport' or 'HtmlReport', or the template name can be the path to a
@@ -186,67 +290,30 @@ public class ReportGenerator {
     * @throws IOException is thrown when the template file does not exist.
     * @throws Exception is thrown when an exception occurs.
     */
-    protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
-        InputStream input = null;
-        String templatePath = null;
-        final File f = new File(templateName);
-        if (f.exists() && f.isFile()) {
-            try {
-                templatePath = templateName;
-                input = new FileInputStream(f);
-            } catch (FileNotFoundException ex) {
-                final String msg = "Unable to generate the report, the report template file could not be found.";
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.SEVERE, msg);
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINE, null, ex);
+    protected void generateReport(String templateName, String outFileName) throws Exception {
+        File outFile = new File(outFileName);
+        if (outFile.getParentFile() == null) {
+            outFile = new File(".", outFileName);
+        }
+        if (!outFile.getParentFile().exists()) {
+            final boolean created = outFile.getParentFile().mkdirs();
+            if (!created) {
+                throw new Exception("Unable to create directory '" + outFile.getParentFile().getAbsolutePath() + "'.");
            }
-        } else {
-            templatePath = "templates/" + templateName + ".vsl";
-            input = this.getClass().getClassLoader().getResourceAsStream(templatePath);
-        }
-        if (input == null) {
-            throw new IOException("Template file doesn't exist");
        }

-        final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
-        OutputStreamWriter writer = null;
-        OutputStream outputStream = null;
-
+        OutputStream outputSteam = null;
        try {
-            final File outDir = new File(outFileName).getParentFile();
-            if (!outDir.exists()) {
-                final boolean created = outDir.mkdirs();
-                if (!created) {
-                    throw new Exception("Unable to create directory '" + outDir.getAbsolutePath() + "'.");
-                }
-            }
-
-            outputStream = new FileOutputStream(outFileName);
-            writer = new OutputStreamWriter(outputStream, "UTF-8");
-
-            if (!engine.evaluate(context, writer, templatePath, reader)) {
-                throw new Exception("Failed to convert the template into html.");
-            }
-            writer.flush();
+            outputSteam = new FileOutputStream(outFile);
+            generateReport(templateName, outputSteam);
        } finally {
-            if (writer != null) {
+            if (outputSteam != null) {
                try {
-                    writer.close();
+                    outputSteam.close();
                } catch (IOException ex) {
-                    Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
+                    LOGGER.log(Level.FINEST, "ignore", ex);
                }
            }
-            if (outputStream != null) {
-                try {
-                    outputStream.close();
-                } catch (IOException ex) {
-                    Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
-                }
-            }
-            try {
-                reader.close();
-            } catch (IOException ex) {
-                Logger.getLogger(ReportGenerator.class.getName()).log(Level.FINEST, null, ex);
-            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java
@@ -19,7 +19,6 @@ package org.owasp.dependencycheck.reporting;

 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.apache.velocity.app.Velocity;
 import org.apache.velocity.runtime.RuntimeServices;
 import org.apache.velocity.runtime.log.LogChute;

@@ -37,6 +36,11 @@ import org.apache.velocity.runtime.log.LogChute;
 */
 public class VelocityLoggerRedirect implements LogChute {

+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(VelocityLoggerRedirect.class.getName());
+
    /**
     * This will be invoked once by the LogManager.
     *
@@ -54,7 +58,7 @@ public class VelocityLoggerRedirect implements LogChute {
     * @param message the message to be logged
     */
    public void log(int level, String message) {
-        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message);
+        LOGGER.log(getLevel(level), message);
    }

    /**
@@ -66,7 +70,7 @@ public class VelocityLoggerRedirect implements LogChute {
     * @param t a throwable to log
     */
    public void log(int level, String message, Throwable t) {
-        Logger.getLogger(Velocity.class.getName()).log(getLevel(level), message, t);
+        LOGGER.log(getLevel(level), message, t);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionErrorHandler.java
@@ -30,6 +30,11 @@ import org.xml.sax.SAXParseException;
 */
 public class SuppressionErrorHandler implements ErrorHandler {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(SuppressionErrorHandler.class.getName());
+
    /**
     * Builds a prettier exception message.
     *
@@ -65,7 +70,7 @@ public class SuppressionErrorHandler implements ErrorHandler {
     */
    @Override
    public void warning(SAXParseException ex) throws SAXException {
-        Logger.getLogger(SuppressionErrorHandler.class.getName()).log(Level.FINE, null, ex);
+        LOGGER.log(Level.FINE, null, ex);
    }

    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -54,6 +54,10 @@ public class SuppressionHandler extends DefaultHandler {
     * The CWE element name.
     */
    public static final String CWE = "cwe";
+    /**
+     * The GAV element name.
+     */
+    public static final String GAV = "gav";
    /**
     * The cvssBelow element name.
     */
@@ -95,13 +99,16 @@ public class SuppressionHandler extends DefaultHandler {
     */
    @Override
    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
-        currentAttributes = null;
+        currentAttributes = attributes;
        currentText = new StringBuffer();
-
        if (SUPPRESS.equals(qName)) {
            rule = new SuppressionRule();
-        } else if (FILE_PATH.equals(qName)) {
-            currentAttributes = attributes;
+            final String base = currentAttributes.getValue("base");
+            if (base != null) {
+                rule.setBase(Boolean.parseBoolean(base));
+            } else {
+                rule.setBase(false);
+            }
        }
    }

@@ -123,6 +130,9 @@ public class SuppressionHandler extends DefaultHandler {
            rule.setFilePath(pt);
        } else if (SHA1.equals(qName)) {
            rule.setSha1(currentText.toString());
+        } else if (GAV.equals(qName)) {
+            final PropertyType pt = processPropertyType();
+            rule.setGav(pt);
        } else if (CPE.equals(qName)) {
            final PropertyType pt = processPropertyType();
            rule.addCpe(pt);
@@ -164,7 +174,7 @@ public class SuppressionHandler extends DefaultHandler {
                pt.setRegex(Boolean.parseBoolean(regex));
            }
            final String caseSensitive = currentAttributes.getValue("caseSensitive");
-            if (regex != null) {
+            if (caseSensitive != null) {
                pt.setCaseSensitive(Boolean.parseBoolean(caseSensitive));
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParseException.java
@@ -26,11 +26,6 @@ import java.io.IOException;
 */
 public class SuppressionParseException extends IOException {

-    /**
-     * The serial version UID.
-     */
-    private static final long serialVersionUID = 1L;
-
    /**
     * Creates a new SuppressionParseException.
     */
@@ -50,7 +45,7 @@ public class SuppressionParseException extends IOException {
    /**
     * Creates a new SuppressionParseException.
     *
-     * @param ex the cause of the download failure.
+     * @param ex the cause of the parse exception
     */
    public SuppressionParseException(Throwable ex) {
        super(ex);
@@ -60,7 +55,7 @@ public class SuppressionParseException extends IOException {
     * Creates a new SuppressionParseException.
     *
     * @param msg a message for the exception.
-     * @param ex the cause of the download failure.
+     * @param ex the cause of the parse exception
     */
    public SuppressionParseException(String msg, Throwable ex) {
        super(msg, ex);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -41,6 +41,10 @@ import org.xml.sax.XMLReader;
 */
 public class SuppressionParser {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(SuppressionParser.class.getName());
    /**
     * JAXP Schema Language. Source: http://docs.oracle.com/javase/tutorial/jaxp/sax/validation.html
     */
@@ -62,10 +66,35 @@ public class SuppressionParser {
     * @throws SuppressionParseException thrown if the xml file cannot be parsed
     */
    public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(file);
+            return parseSuppressionRules(fis);
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new SuppressionParseException(ex);
+        } finally {
+            if (fis != null) {
+                try {
+                    fis.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINE, "Unable to close stream", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Parses the given xml stream and returns a list of the suppression rules contained.
+     *
+     * @param inputStream an InputStream containing suppression rues
+     * @return a list of suppression rules
+     * @throws SuppressionParseException if the xml cannot be parsed
+     */
+    public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException {
        try {
            final InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream("schema/suppression.xsd");
            final SuppressionHandler handler = new SuppressionHandler();
-
            final SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setValidating(true);
@@ -76,7 +105,6 @@ public class SuppressionParser {
            xmlReader.setErrorHandler(new SuppressionErrorHandler());
            xmlReader.setContentHandler(handler);

-            final InputStream inputStream = new FileInputStream(file);
            final Reader reader = new InputStreamReader(inputStream, "UTF-8");
            final InputSource in = new InputSource(reader);
            //in.setEncoding("UTF-8");
@@ -85,16 +113,16 @@ public class SuppressionParser {

            return handler.getSuppressionRules();
        } catch (ParserConfigurationException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (SAXException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        } catch (IOException ex) {
-            Logger.getLogger(SuppressionParser.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new SuppressionParseException(ex);
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
@@ -234,6 +234,61 @@ public class SuppressionRule {
    public boolean hasCve() {
        return cve.size() > 0;
    }
+    /**
+     * A Maven GAV to suppression.
+     */
+    private PropertyType gav = null;
+
+    /**
+     * Get the value of Maven GAV.
+     *
+     * @return the value of gav
+     */
+    public PropertyType getGav() {
+        return gav;
+    }
+
+    /**
+     * Set the value of Maven GAV.
+     *
+     * @param gav new value of Maven gav
+     */
+    public void setGav(PropertyType gav) {
+        this.gav = gav;
+    }
+
+    /**
+     * Returns whether or not this suppression rule as GAV entries.
+     *
+     * @return whether or not this suppression rule as GAV entries
+     */
+    public boolean hasGav() {
+        return gav != null;
+    }
+
+    /**
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * resulting report in the "suppressed" section.
+     */
+    private boolean base;
+
+    /**
+     * Get the value of base.
+     *
+     * @return the value of base
+     */
+    public boolean isBase() {
+        return base;
+    }
+
+    /**
+     * Set the value of base.
+     *
+     * @param base new value of base
+     */
+    public void setBase(boolean base) {
+        this.base = base;
+    }

    /**
     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
@@ -248,12 +303,30 @@ public class SuppressionRule {
        if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
            return;
        }
+        if (gav != null) {
+            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+            boolean gavFound = false;
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if (identifierMatches("maven", this.gav, i)) {
+                    gavFound = true;
+                    break;
+                }
+            }
+            if (!gavFound) {
+                return;
+            }
+        }
+
        if (this.hasCpe()) {
            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
            while (itr.hasNext()) {
                final Identifier i = itr.next();
                for (PropertyType c : this.cpe) {
-                    if (cpeMatches(c, i)) {
+                    if (identifierMatches("cpe", c, i)) {
+                        if (!isBase()) {
+                            dependency.addSuppressedIdentifier(i);
+                        }
                        itr.remove();
                        break;
                    }
@@ -292,6 +365,9 @@ public class SuppressionRule {
                    }
                }
                if (remove) {
+                    if (!isBase()) {
+                        dependency.addSuppressedVulnerability(v);
+                    }
                    itr.remove();
                }
            }
@@ -307,7 +383,7 @@ public class SuppressionRule {
    boolean cpeHasNoVersion(PropertyType c) {
        if (c.isRegex()) {
            return false;
-        } // cpe:/a:jboss:jboss:1.0.0:
+        }
        if (countCharacter(c.getValue(), ':') == 3) {
            return true;
        }
@@ -334,26 +410,75 @@ public class SuppressionRule {
    /**
     * Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
     *
-     * @param cpeEntry a suppression rule entry
+     * @param identifierType the type of identifier ("cpe", "maven", etc.)
+     * @param suppressionEntry a suppression rule entry
     * @param identifier a CPE identifier to check
     * @return true if the entry matches; otherwise false
     */
-    boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
-        if (cpeEntry.matches(identifier.getValue())) {
-            return true;
-        } else if (cpeHasNoVersion(cpeEntry)) {
-            if (cpeEntry.isCaseSensitive()) {
-                if (identifier.getValue().startsWith(cpeEntry.getValue())) {
-                    return true;
-                }
-            } else {
-                final String id = identifier.getValue().toLowerCase();
-                final String check = cpeEntry.getValue().toLowerCase();
-                if (id.startsWith(check)) {
-                    return true;
+    boolean identifierMatches(String identifierType, PropertyType suppressionEntry, Identifier identifier) {
+        if (identifierType.equals(identifier.getType())) {
+            if (suppressionEntry.matches(identifier.getValue())) {
+                return true;
+            } else if ("cpe".equals(identifierType) && cpeHasNoVersion(suppressionEntry)) {
+                if (suppressionEntry.isCaseSensitive()) {
+                    return identifier.getValue().startsWith(suppressionEntry.getValue());
+                } else {
+                    final String id = identifier.getValue().toLowerCase();
+                    final String check = suppressionEntry.getValue().toLowerCase();
+                    return id.startsWith(check);
                }
            }
        }
        return false;
    }
+
+    /**
+     * Standard toString implementation.
+     *
+     * @return a string representation of this object
+     */
+    @Override
+    public String toString() {
+        final StringBuilder sb = new StringBuilder();
+        sb.append("SuppressionRule{");
+        if (filePath != null) {
+            sb.append("filePath=").append(filePath).append(",");
+        }
+        if (sha1 != null) {
+            sb.append("sha1=").append(sha1).append(",");
+        }
+        if (gav != null) {
+            sb.append("gav=").append(gav).append(",");
+        }
+        if (cpe != null && cpe.size() > 0) {
+            sb.append("cpe={");
+            for (PropertyType pt : cpe) {
+                sb.append(pt).append(",");
+            }
+            sb.append("}");
+        }
+        if (cwe != null && cwe.size() > 0) {
+            sb.append("cwe={");
+            for (String s : cwe) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cve != null && cve.size() > 0) {
+            sb.append("cve={");
+            for (String s : cve) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cvssBelow != null && cvssBelow.size() > 0) {
+            sb.append("cvssBelow={");
+            for (Float s : cvssBelow) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        sb.append("}");
+        return sb.toString();
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
@@ -23,7 +23,6 @@ import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.logging.Level;
 import java.util.logging.Logger;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;

 /**
@@ -32,6 +31,11 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 */
 public final class DBUtils {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(DBUtils.class.getName());
+
    /**
     * Private constructor for a utility class.
     */
@@ -50,7 +54,9 @@ public final class DBUtils {
        int id = 0;
        try {
            rs = statement.getGeneratedKeys();
-            rs.next();
+            if (!rs.next()) {
+                throw new DatabaseException("Unable to get primary key for inserted row");
+            }
            id = rs.getInt(1);
        } catch (SQLException ex) {
            throw new DatabaseException("Unable to get primary key for inserted row");
@@ -70,8 +76,7 @@ public final class DBUtils {
            try {
                statement.close();
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class
-                        .getName()).log(Level.FINEST, statement.toString(), ex);
+                LOGGER.log(Level.FINEST, statement.toString(), ex);
            }
        }
    }
@@ -86,8 +91,7 @@ public final class DBUtils {
            try {
                rs.close();
            } catch (SQLException ex) {
-                Logger.getLogger(CveDB.class
-                        .getName()).log(Level.FINEST, rs.toString(), ex);
+                LOGGER.log(Level.FINEST, rs.toString(), ex);
            }
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
@@ -0,0 +1,46 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class DateUtil {
+
+    /**
+     * Private constructor for utility class.
+     */
+    private DateUtil() {
+    }
+
+    /**
+     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
+     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
+     * is considered valid.
+     *
+     * @param date the date to be checked.
+     * @param compareTo the date to compare to.
+     * @param range the range in days to be considered valid.
+     * @return whether or not the date is within the range.
+     */
+    public static boolean withinDateRange(long date, long compareTo, int range) {
+        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+        return differenceInDays < range;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -47,10 +47,10 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion

    /**
     * Constructor for a DependencyVersion that will parse a version string.
-     * <b>Note</b>, this should only be used when the version passed in is already known to be a well formated version
+     * <b>Note</b>, this should only be used when the version passed in is already known to be a well formatted version
     * number. Otherwise, DependencyVersionUtil.parseVersion() should be used instead.
     *
-     * @param version the well formated version number to parse
+     * @param version the well formatted version number to parse
     */
    public DependencyVersion(String version) {
        parseVersion(version);
@@ -65,7 +65,7 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
    public final void parseVersion(String version) {
        versionParts = new ArrayList<String>();
        if (version != null) {
-            final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+|(release|beta|alpha)$)");
+            final Pattern rx = Pattern.compile("(\\d+[a-z]{1,3}$|[a-z]+\\d+|\\d+|(release|beta|alpha)$)");
            final Matcher matcher = rx.matcher(version.toLowerCase());
            while (matcher.find()) {
                versionParts.add(matcher.group());
@@ -189,17 +189,23 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
        if (version == null) {
            return false;
        }
-
-        boolean ret = true;
-        int max = (this.versionParts.size() < version.versionParts.size())
-                ? this.versionParts.size() : version.versionParts.size();
-
-        if (max > 3) {
-            max = 3;
+        if (Math.abs(this.versionParts.size() - version.versionParts.size()) >= 3) {
+            return false;
        }

+        final int max = (this.versionParts.size() < version.versionParts.size())
+                ? this.versionParts.size() : version.versionParts.size();
+
+        boolean ret = true;
        for (int i = 0; i < max; i++) {
-            if (this.versionParts.get(i) == null || !this.versionParts.get(i).equals(version.versionParts.get(i))) {
+            final String thisVersion = this.versionParts.get(i);
+            final String otherVersion = version.getVersionParts().get(i);
+            if (i >= 3) {
+                if (thisVersion.compareToIgnoreCase(otherVersion) >= 0) {
+                    ret = false;
+                    break;
+                }
+            } else if (!thisVersion.equals(otherVersion)) {
                ret = false;
                break;
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -32,7 +32,7 @@ public final class DependencyVersionUtil {
    /**
     * Regular expression to extract version numbers from file names.
     */
-    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?");
+    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha|\\d+)|[a-zA-Z_-]{1,3}\\d{0,8}))?");
    /**
     * Regular expression to extract a single version number without periods. This is a last ditch effort just to check
     * in case we are missing a version number using the previous regex.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -13,7 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.utils;

@@ -24,22 +24,23 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.net.URLDecoder;
-import java.util.UUID;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.zip.ZipEntry;
 import java.util.zip.ZipInputStream;
 import org.owasp.dependencycheck.Engine;
+import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;

 /**
- * A collection of utilities for processing information about files.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public final class FileUtils {
+public final class ExtractionUtil {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ExtractionUtil.class.getName());
    /**
     * The buffer size to use when extracting files from the archive.
     */
@@ -48,103 +49,7 @@ public final class FileUtils {
    /**
     * Private constructor for a utility class.
     */
-    private FileUtils() {
-    }
-
-    /**
-     * Returns the (lowercase) file extension for a specified file.
-     *
-     * @param fileName the file name to retrieve the file extension from.
-     * @return the file extension.
-     */
-    public static String getFileExtension(String fileName) {
-        String ret = null;
-        final int pos = fileName.lastIndexOf(".");
-        if (pos >= 0) {
-            ret = fileName.substring(pos + 1, fileName.length()).toLowerCase();
-        }
-        return ret;
-    }
-
-    /**
-     * Deletes a file. If the File is a directory it will recursively delete the contents.
-     *
-     * @param file the File to delete
-     * @return true if the file was deleted successfully, otherwise false
-     */
-    public static boolean delete(File file) {
-        boolean success = true;
-        if (file.isDirectory()) { //some of this may duplicative of deleteQuietly....
-            for (File f : file.listFiles()) {
-                success &= delete(f);
-            }
-        }
-        if (!org.apache.commons.io.FileUtils.deleteQuietly(file)) {
-            success = false;
-            final String msg = String.format("Failed to delete file: %s", file.getPath());
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg);
-        }
-        return success;
-    }
-
-    /**
-     * Generates a new temporary file name that is guaranteed to be unique.
-     *
-     * @param prefix the prefix for the file name to generate
-     * @param extension the extension of the generated file name
-     * @return a temporary File
-     */
-    public static File getTempFile(String prefix, String extension) {
-        final File dir = Settings.getTempDirectory();
-        if (!dir.exists()) {
-            dir.mkdirs();
-        }
-        final String tempFileName = String.format("%s%s.%s", prefix, UUID.randomUUID().toString(), extension);
-        final File tempFile = new File(dir, tempFileName);
-        if (tempFile.exists()) {
-            return getTempFile(prefix, extension);
-        }
-        return tempFile;
-    }
-
-    /**
-     * Returns the data directory. If a path was specified in dependencycheck.properties or was specified using the
-     * Settings object, and the path exists, that path will be returned as a File object. If it does not exist, then a
-     * File object will be created based on the file location of the JAR containing the specified class.
-     *
-     * @param configuredFilePath the configured relative or absolute path
-     * @param clazz the class to resolve the path
-     * @return a File object
-     * @throws IOException is thrown if the path could not be decoded
-     * @deprecated This method should no longer be used. See the implementation in dependency-check-cli/App.java to see
-     * how the data directory should be set.
-     */
-    @java.lang.Deprecated
-    public static File getDataDirectory(String configuredFilePath, Class clazz) throws IOException {
-        final File file = new File(configuredFilePath);
-        if (file.isDirectory() && file.canWrite()) {
-            return new File(file.getCanonicalPath());
-        } else {
-            final File exePath = getPathToJar(clazz);
-            return new File(exePath, configuredFilePath);
-        }
-    }
-
-    /**
-     * Retrieves the physical path to the parent directory containing the provided class. For example, if a JAR file
-     * contained a class org.something.clazz this method would return the parent directory of the JAR file.
-     *
-     * @param clazz the class to determine the parent directory of
-     * @return the parent directory of the file containing the specified class.
-     * @throws UnsupportedEncodingException thrown if UTF-8 is not supported.
-     * @deprecated this should no longer be used.
-     */
-    @java.lang.Deprecated
-    public static File getPathToJar(Class clazz) throws UnsupportedEncodingException {
-        final String filePath = clazz.getProtectionDomain().getCodeSource().getLocation().getPath();
-        final String decodedPath = URLDecoder.decode(filePath, "UTF-8");
-        final File jarPath = new File(decodedPath);
-        return jarPath.getParentFile();
+    private ExtractionUtil() {
    }

    /**
@@ -179,7 +84,7 @@ public final class FileUtils {
        try {
            fis = new FileInputStream(archive);
        } catch (FileNotFoundException ex) {
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+            LOGGER.log(Level.FINE, null, ex);
            throw new ExtractionException("Archive file was not found.", ex);
        }
        zis = new ZipInputStream(new BufferedInputStream(fis));
@@ -208,11 +113,11 @@ public final class FileUtils {
                            }
                            bos.flush();
                        } catch (FileNotFoundException ex) {
-                            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("Unable to find file '%s'.", file.getName());
                            throw new ExtractionException(msg, ex);
                        } catch (IOException ex) {
-                            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, null, ex);
+                            LOGGER.log(Level.FINE, null, ex);
                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
                            throw new ExtractionException(msg, ex);
                        } finally {
@@ -220,7 +125,7 @@ public final class FileUtils {
                                try {
                                    bos.close();
                                } catch (IOException ex) {
-                                    Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
+                                    LOGGER.log(Level.FINEST, null, ex);
                                }
                            }
                        }
@@ -229,13 +134,13 @@ public final class FileUtils {
            }
        } catch (IOException ex) {
            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
-            Logger.getLogger(FileUtils.class.getName()).log(Level.FINE, msg, ex);
+            LOGGER.log(Level.FINE, msg, ex);
            throw new ExtractionException(msg, ex);
        } finally {
            try {
                zis.close();
            } catch (IOException ex) {
-                Logger.getLogger(FileUtils.class.getName()).log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINEST, null, ex);
            }
        }
    }
--- a/dependency-check-core/src/main/resources/GrokAssembly.exe
+++ b/dependency-check-core/src/main/resources/GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -8,6 +8,7 @@ org.owasp.dependencycheck.analyzer.CpeSuppressionAnalyzer
 org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
 org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
 org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
+org.owasp.dependencycheck.analyzer.CentralAnalyzer
 org.owasp.dependencycheck.analyzer.NexusAnalyzer
 org.owasp.dependencycheck.analyzer.NuspecAnalyzer
 org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.data.update.CachedWebDataSource
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.data.update.CachedWebDataSource
@@ -1 +1,2 @@
-org.owasp.dependencycheck.data.update.NvdCveUpdater
+org.owasp.dependencycheck.data.update.NvdCveUpdater
+org.owasp.dependencycheck.data.update.EngineVersionCheck
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -0,0 +1,65 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring security.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.security:spring.*</gav>
+        <cpe>cpe:/a:mod_security:mod_security</cpe>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring security.
+        ]]></notes>
+        <filePath regex="true">.*spring-security-[^\\/]*\.jar$</filePath>
+        <cpe>cpe:/a:mod_security:mod_security</cpe>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
+            com.springsource.com.thoughtworks.xstream-1.3.1.jar
+        ]]></notes>
+        <gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on velocity tools.
+        ]]></notes>
+        <gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
+        <cpe>cpe:/a:apache:struts</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath>
+        <cpe>cpe:/a:sandbox:sandbox</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on Jersey core client.
+        ]]></notes>
+        <gav regex="true">(com\.sun\.jersey|org\.glassfish\.jersey\.core):jersey-(client|common):.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+        <cpe>cpe:/a:oracle:oracle_client</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Suppresses false positives on the grizzly-framework
+        ]]></notes>
+        <gav regex="true">org\.glassfish\.grizzly:grizzly-framework:.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+        Suppresses false positives on the grizzly-framework
+        ]]></notes>
+        <gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
+        <cpe>cpe:/a:ldap_project:ldap</cpe>
+    </suppress>
+</suppressions>
--- a/dependency-check-core/src/main/resources/dependencycheck-resources.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck-resources.properties
@@ -0,0 +1,10 @@
+analyzer.AssemblyAnalyzer.notdeployed=GrokAssembly didn't get deployed
+analyzer.AssemblyAnalyzer.grokassembly.stderr=Error from GrokAssembly: {0}
+analyzer.AssemblyAnalyzer.notassembly={0} is not a .NET assembly or executable and as such cannot be analyzed by dependency-check
+analyzer.AssemblyAnalyzer.grokassembly.rc=Return code {0} from GrokAssembly
+analyzer.AssemblyAnalyzer.grokassembly.deployed=Extracted GrokAssembly.exe to {0}
+analyzer.AssemblyAnalyzer.grokassembly.notdeployed=Could not extract GrokAssembly.exe: {0}
+analyzer.AssemblyAnalyzer.grokassembly.initialization.failed=An error occurred with the .NET AssemblyAnalyzer; \
+    this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
+analyzer.AssemblyAnalyzer.grokassembly.initialization.message=Could not execute GrokAssembly {0}
+analyzer.AssemblyAnalyzer.grokassembly.notdeleted=Can't delete temporary GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -3,6 +3,9 @@ application.version=${pom.version}
 autoupdate=true
 max.download.threads=3

+# the url to obtain the current engine version from
+engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
+
 #temp.directory defaults to System.getProperty("java.io.tmpdir")
 #temp.directory=[path to temp directory]

@@ -13,8 +16,12 @@ max.download.threads=3
 # will not be used. The data.directory will be resolved and if the connection string
 # below contains a %s then the data.directory will replace the %s.
 data.directory=[JAR]/data
-data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
+#if the filename has a %s it will be replaced with the current expected version
+data.file_name=cve.%s.h2.db
+data.version=2.9
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
+
 # user name and password for the database connection. The inherent case is to use H2.
 # As such, this unsecure username/password exist.
 data.user=dcuser
@@ -36,15 +43,30 @@ data.driver_path=
 cve.url.modified.validfordays=7

 # the path to the modified nvd cve xml file.
-cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
-cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2002
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+
+
+# file type analyzer settings:
+analyzer.archive.enabled=true
+analyzer.jar.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.assembly.enabled=true

 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
-analyzer.nexus.url=http://repository.sonatype.org/service/local/
+analyzer.nexus.url=https://repository.sonatype.org/service/local/
 # If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
 # are configured
 analyzer.nexus.proxy=true
+
+# the URL for searching search.maven.org for SHA-1 and whether it's enabled
+analyzer.central.enabled=true
+analyzer.central.url=http://search.maven.org/solrsearch/select
--- a/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd
+++ b/dependency-check-core/src/main/resources/schema/DependencyCheck.xsd
@@ -1,5 +1,5 @@
 <?xml version="1.0" encoding="utf-8"?>
-<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.1">
+<xs:schema id="analysis" xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified" targetNamespace="https://www.owasp.org/index.php/OWASP_Dependency_Check#1.2">
    <xs:element name="analysis">
        <xs:complexType>
            <xs:sequence minOccurs="0" maxOccurs="unbounded">
@@ -119,64 +119,124 @@
                                        <xs:element name="identifiers" minOccurs="0" maxOccurs="1">
                                            <xs:complexType>
                                                <xs:sequence>
-                                                    <xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
-                                                        <xs:complexType>
-                                                            <xs:sequence>
-                                                                <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                                <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                            </xs:sequence>
-                                                            <xs:attribute name="type" type="xs:string" use="required" />
-                                                            <xs:attribute name="confidence" type="xs:string" use="optional" />
-                                                        </xs:complexType>
-                                                    </xs:element>
+                                                    <xs:sequence>
+                                                        <xs:element name="identifier" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                </xs:sequence>
+                                                                <xs:attribute name="type" type="xs:string" use="required" />
+                                                                <xs:attribute name="confidence" type="xs:string" use="optional" />
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
+                                                    <xs:sequence>
+                                                        <xs:element name="suppressedIdentifier" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="url" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                </xs:sequence>
+                                                                <xs:attribute name="type" type="xs:string" use="required" />
+                                                                <xs:attribute name="confidence" type="xs:string" use="optional" />
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
                                                </xs:sequence>
                                            </xs:complexType>
                                        </xs:element>
                                        <xs:element name="vulnerabilities" minOccurs="0" maxOccurs="1">
                                            <xs:complexType>
                                                <xs:sequence>
-                                                    <xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
-                                                        <xs:complexType>
-                                                            <xs:sequence>
-                                                                <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
-                                                                <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                <xs:element name="references" minOccurs="0" maxOccurs="1">
-                                                                    <xs:complexType>
-                                                                        <xs:sequence>
-                                                                            <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
-                                                                                <xs:complexType>
-                                                                                    <xs:sequence>
-                                                                                        <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                        <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                        <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
-                                                                                    </xs:sequence>
-                                                                                </xs:complexType>
-                                                                            </xs:element>
-                                                                        </xs:sequence>
-                                                                    </xs:complexType>
-                                                                </xs:element>
-                                                                <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
-                                                                    <xs:complexType>
-                                                                        <xs:sequence>
-                                                                            <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
-                                                                                <xs:complexType>
-                                                                                    <xs:simpleContent>
-                                                                                        <xs:extension base="xs:string">
-                                                                                            <xs:attribute name="allPreviousVersion" type="xs:boolean" />
-                                                                                        </xs:extension>
-                                                                                    </xs:simpleContent>
-                                                                                </xs:complexType>
-                                                                            </xs:element>
-                                                                        </xs:sequence>
-                                                                    </xs:complexType>
-                                                                </xs:element>
-                                                            </xs:sequence>
-                                                        </xs:complexType>
-                                                    </xs:element>
+                                                    <xs:sequence>
+                                                        <xs:element name="vulnerability" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="references" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:sequence>
+                                                                                            <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                        </xs:sequence>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                    <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:simpleContent>
+                                                                                            <xs:extension base="xs:string">
+                                                                                                <xs:attribute name="allPreviousVersion" type="xs:boolean" />
+                                                                                            </xs:extension>
+                                                                                        </xs:simpleContent>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                </xs:sequence>
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
+                                                    <xs:sequence>
+                                                        <xs:element name="suppressedVulnerability" minOccurs="0" maxOccurs="unbounded">
+                                                            <xs:complexType>
+                                                                <xs:sequence>
+                                                                    <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cvssScore" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="severity" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="cwe" type="xs:string" minOccurs="0" maxOccurs="1" />
+                                                                    <xs:element name="description" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                    <xs:element name="references" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="reference" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:sequence>
+                                                                                            <xs:element name="source" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="url" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                            <xs:element name="name" type="xs:string" minOccurs="1" maxOccurs="1" />
+                                                                                        </xs:sequence>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                    <xs:element name="vulnerableSoftware" minOccurs="0" maxOccurs="1">
+                                                                        <xs:complexType>
+                                                                            <xs:sequence>
+                                                                                <xs:element name="software" minOccurs="0" maxOccurs="unbounded">
+                                                                                    <xs:complexType>
+                                                                                        <xs:simpleContent>
+                                                                                            <xs:extension base="xs:string">
+                                                                                                <xs:attribute name="allPreviousVersion" type="xs:boolean" />
+                                                                                            </xs:extension>
+                                                                                        </xs:simpleContent>
+                                                                                    </xs:complexType>
+                                                                                </xs:element>
+                                                                            </xs:sequence>
+                                                                        </xs:complexType>
+                                                                    </xs:element>
+                                                                </xs:sequence>
+                                                            </xs:complexType>
+                                                        </xs:element>
+                                                    </xs:sequence>
                                                </xs:sequence>
                                            </xs:complexType>
                                        </xs:element>
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -41,6 +41,7 @@
                            <xs:choice minOccurs="0" maxOccurs="1">
                                <xs:element name="filePath" type="dc:regexStringType"/>
                                <xs:element name="sha1" type="dc:sha1Type"/>
+                                <xs:element name="gav" type="dc:regexStringType"/>
                            </xs:choice>
                            <xs:choice minOccurs="0" maxOccurs="unbounded">
                                <xs:element name="cpe" type="dc:regexStringType"/>
@@ -49,6 +50,7 @@
                                <xs:element name="cvssBelow" type="dc:cvssScoreType"/>
                            </xs:choice>
                        </xs:sequence>
+                        <xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
                    </xs:complexType>
                </xs:element>
            </xs:sequence>
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -33,21 +33,30 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        </script>
        <script type="text/javascript">
            $(document).ready(function() {
-                $(".expandable").click(function (e) {
-                    e = e || window.event;
+                $(".expandable").click(function (event) {
+                    e = event || window.event;
                    var h = e.target || e.srcElement;
                    var content = "#content" + h.id.substr(6);
                    var header = "#" + h.id;
                    $(content).slideToggle("fast");
-                    var exprx = /expandablesubsection/;
+                    var exprx = /expandable\b/;
                    if (exprx.exec($(header).attr("class"))) {
+                        $(header).addClass("collapsed");
+                        $(header).removeClass("expandable");
+                    } else {
+                        $(header).addClass("expandable");
+                        $(header).removeClass("collapsed");
+                    }
+                    var essrx = /expandablesubsection/;
+                    var cssrx = /collaspablesubsection/;
+                    if (essrx.exec($(header).attr("class"))) {
                        $(header).addClass("collaspablesubsection");
                        $(header).removeClass("expandablesubsection");
-                    } else {
+                    } else if (cssrx.exec($(header).attr("class"))) {
                        $(header).addClass("expandablesubsection");
                        $(header).removeClass("collaspablesubsection");
                    }
-
+                    return false;
                });
            });

@@ -76,13 +85,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                $('#modal-text').focus();
                $('#modal-text').select();
            }
-            function toggleDisplay(el, clzName) {
+            function toggleDisplay(el, clzName, all, some) {
                $(clzName).toggle();
-                if (el.innerHTML == 'show all') {
-                    el.innerHTML = 'less';
+                if (el.innerHTML == all) {
+                    el.innerHTML = some;
                } else {
-                    el.innerHTML = 'show all';
+                    el.innerHTML = all;
                }
+                return false;
            }
        </script>
        <style type="text/css">
@@ -129,6 +139,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            #modal-text:focus {
                outline: none;
            }
+            .suppressedLabel {
+                cursor: default;
+                padding:1px;
+                background-color: #eeeeee;
+                border: 1px solid #555555;
+                color:#555555;
+                text-decoration:none;
+                -moz-border-radius: 3px;
+                -webkit-border-radius: 3px;
+                -khtml-border-radius: 3px;
+                -o-border-radius: 3px;
+                border-radius: 3px;
+            }
            .copybutton {
                padding:1px;
                background-color: #eeeeee;
@@ -215,24 +238,25 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            .hidden {
                display: none;
            }
-            .exandable {}
-            .expandablesubsection {
+            .expandable {
                cursor: pointer;
-                /*background-image: url(img/plus.gif);*/
                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIcjI8Hy22Q1FNwhnpxhW3d2XFWJn2PNiZbyERuAQA7);
                background-repeat: no-repeat;
                background-position: 98% 50%;
+            }
+            .collapsed {
+                cursor: pointer;
+                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
+                background-repeat: no-repeat;
+                background-position: 98% 50%;
+            }
+            .expandablesubsection {
                -moz-border-radius-bottomleft:15px; /* bottom left corner */
                -webkit-border-bottom-left-radius:15px; /* bottom left corner */
                border-bottom-left-radius: 15px;
                border-bottom: 1px solid #cccccc;
            }
            .collaspablesubsection {
-                cursor: pointer;
-                /*background-image: url(img/minus.gif);*/
-                background-image: url(data:image/gif;base64,R0lGODlhDAAMAIABAICAgP///yH5BAEAAAEALAAAAAAMAAwAAAIajI8Hy22Q1IszQHphW3ZuXUUZ1ZXi8zFkUgAAOw==);
-                background-repeat: no-repeat;
-                background-position: 98% 50%;
                -moz-border-radius-bottomleft:0px; /* bottom left corner */
                -webkit-border-bottom-left-radius:0px; /* bottom left corner */
                border-bottom-left-radius: 0px;
@@ -244,7 +268,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                border-bottom-left-radius: 0px;
                border-bottom: 0px solid #ffffff;
            }
-
            .content {
                margin-top:0px;
                margin-left:20px;
@@ -406,15 +429,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            .indent {
                margin-left:20px;
            }
-            td, th {
+            td{
+                vertical-align:text-top;
                padding:6px;
                margin:0px;
            }
+            th {
+                text-align:left
+                vertical-align:text-top;
+                padding:6px;
+                margin:0px;
+                border-bottom:1px;
+                border-color: black;
+            }
            table {
                border: 0px;
            }
            table.lined tr:nth-child(even) {
-                background-color: #fbfbfb;
+                background-color: #f3f3f3;
            }
            .fullwidth {
                width:100%;
@@ -427,10 +459,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                margin-bottom:3px;
            }
            .vulnerable {
-            	color: #f00;
-            }
-            .vulnerable li {
-            	color: #000;
+                color: #000;
            }
            .notvulnerable {
                display:none;
@@ -448,6 +477,11 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                color: blue;
                float:right;
            }
+            .disclaimer {
+                color: #888888;
+                font: 9px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
+            }
+
        </style>
    </head>
    <body>
@@ -455,80 +489,169 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        <div id="modal-content">
            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                <textarea id="modal-text" cols="50" rows="10"></textarea><br/>
-                <button id="modal-add-header" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
+                <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
        </div>
        <div class="wrapper">
            <h1>Dependency-Check Report</h1>
+<p class="disclaimer">Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
+false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
+the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
+implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
+is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
+arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 ]]#
-            <h2 class="">Project:&nbsp;$esc.html($applicationName)</h2>
+            <h2 class="">Project:&nbsp;$enc.html($applicationName)</h2>
            <div class="">
                #set($depCount=$dependencies.size())
+                #set($vulnDepCount=0)
                #set($vulnCount=0)
+                #set($vulnSuppressedCount=0)
+                #set($cpeSuppressedCount=0)

                #foreach($dependency in $dependencies)
                    #set($depCount=$depCount+$dependency.getRelatedDependencies().size())
                    #if($dependency.getVulnerabilities().size()>0)
-                        #set($vulnCount=$vulnCount+1)
+                        #set($vulnDepCount=$vulnDepCount+1)
+                        #set($vulnCount=$vulnCount+$dependency.getVulnerabilities().size())
+                    #end
+                    #if($dependency.getSuppressedIdentifiers().size()>0)
+                        #set($cpeSuppressedCount=$cpeSuppressedCount+1)
+                    #end
+                    #if($dependency.getSuppressedVulnerabilities().size()>0)
+                        #set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
                    #end
                #end
-                Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo');  return false;">show all</a>):<br/>
+                Scan Information (<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.scaninfo', 'show all', 'show less');  return false;">show all</a>):<br/>
                    <ul class="indent">
                        <li><i>dependency-check version</i>: $version</li>
-                        <li><i>Report Generated On</i>: $date</li>
+                        <li><i>Report Generated On</i>: $scanDate</li>
                        <li><i>Dependencies Scanned</i>:&nbsp;$depCount</li>
-                        <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnCount</li>
+                        <li><i>Vulnerable Dependencies</i>:&nbsp;$vulnDepCount</li>
+                        <li><i>Vulnerabilities Found</i>:&nbsp;$vulnCount</li>
+                        <li><i>Vulnerabilities Suppressed</i>:&nbsp;$vulnSuppressedCount</li>
                        <li class="scaninfo">...</li>
                        #foreach($prop in $properties.getMetaData().entrySet())
-                        <li class="scaninfo hidden"><i>$esc.html($prop.key)</i>: $esc.html($prop.value)</li>
+                        <li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
                        #end
                    </ul><br/>
-                Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
-                <ul class="indent">
+                Display:&nbsp;<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies', 'Showing All Dependencies'); return false;">Showing Vulnerable Dependencies</a><br/><br/>
                #set($lnkcnt=0)
-                #foreach($dependency in $dependencies)
+                <table class="lined">
+                    <tr style="text-align:left">
+                        <th title="The name of the dependency">Dependency</th>
+                        <th title="The Common Platform Enumeration">CPE</th>
+                        <th title="The Maven GAV Coordinates">GAV</th>
+                        <th title="The highest CVE Severity">Highest Severity</th>
+                        <th title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th>
+                        <th title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th>
+                        <th title="The count of evidence used to identify the CPE">Evidence Count</th>
+                    </tr>
+                    #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
-                    <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
-                    <a href="#l${lnkcnt}_$esc.html($esc.url($dependency.Sha1sum))">$esc.html($dependency.FileName)</a>
-                    #if($dependency.getRelatedDependencies().size()>0)
-                        <ul>
-                        #foreach($related in $dependency.getRelatedDependencies())
-                        <li>$esc.html($related.FileName)</li>
+                    <tr class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
+                        <td><a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a></td>
+                        #set($mavenlink="")
+                        #set($cpeIdCount=0)
+                        #set($cpeIdConf="")
+                        <td>
+                        #foreach($id in $dependency.getIdentifiers())
+                            #if ($id.type=="maven")
+                                #if ($mavenlink=="" || !$mavenlink.url)
+                                    #set($mavenlink=$id)
+                                #end
+                            #else
+                                #if ($cpeIdCount>=1)
+                                    <br/>
+                                #end
+                                #if( $id.url )
+                                    <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
+                                #else
+                                    $enc.html($id.value)
+                                #end
+                                #if ($cpeIdConf == "")
+                                    #set($cpeIdConf=$id.confidence)
+                                #elseif ($cpeIdConf.compareTo($id.confidence)>0)
+                                    #set($cpeIdConf=$id.confidence)
+                                #end
+                                #set($cpeIdCount=$cpeIdCount+1)
+                            #end
                        #end
-                        </ul>
+                        </td>
+                        <td>#if( $mavenlink.url )
+                            ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
+                            <a href="$enc.html($mavenlink.url)" target="_blank">$enc.html($mavenlink.value)</a>
+                        #elseif ($mavenlink.value)
+                            $enc.html($mavenlink.value)
+                        #end</td>
+                        #set($cveImpact=-1)
+                        #foreach($vuln in $dependency.getVulnerabilities())
+                            #if ($cveImpact<$vuln.cvssScore)
+                                #set($cveImpact=$vuln.cvssScore)
+                            #end
+                        #end
+                        <td>
+                        #if ($cveImpact<0)
+                            &nbsp;
+                        #elseif ($cveImpact<4.0)
+                            Low
+                        #elseif ($cveImpact>=7.0)
+                            High
+                        #else
+                            Medium
+                        #end
+                        </td>
+                        <td>$dependency.getVulnerabilities().size()</td>
+                        <td>$cpeIdConf</td>
+                        <td>$dependency.getEvidenceForDisplay().size()</td>
+                    </tr>
                    #end
-                    </li>
-                #end
-                </ul>
+                </table>
+##                <ul class="indent">
+##                #set($lnkcnt=0)
+##                #foreach($dependency in $dependencies)
+##                    #set($lnkcnt=$lnkcnt+1)
+##                    <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
+##                    <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
+##                    #if($dependency.getRelatedDependencies().size()>0)
+##                        <ul>
+##                        #foreach($related in $dependency.getRelatedDependencies())
+##                        <li>$enc.html($related.DisplayFileName)</li>
+##                        #end
+##                        </ul>
+##                    #end
+##                    </li>
+##                #end
+##                </ul>
                <h2>Dependencies</h2>
                #set($lnkcnt=0)
                #set($cnt=0)
                #set($vsctr=0) ##counter to create unique groups for vulnerable software
                #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
-                    <h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$esc.html($dependency.Sha1sum)"></a>$esc.html($dependency.FileName)</h3>
+                    <h3 class="subsectionheader standardsubsection#if($dependency.getVulnerabilities().size()==0) notvulnerable#end"><a name="l${lnkcnt}_$enc.html($dependency.Sha1sum)"></a>$enc.html($dependency.DisplayFileName)</h3>
                    <div class="subsectioncontent#if($dependency.getVulnerabilities().size()==0) notvulnerable#end">
                        #if ($dependency.description)
-                            <p><b>Description:</b>&nbsp;$esc.html($dependency.description)<br/></p>
+                            <p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
                        #end
                        <p>
                        #if ($dependency.license)
                            #if ($dependency.license.startsWith("http://"))
-                            <b>License:</b><pre class="indent"><a href="$esc.html($dependency.license)">$esc.html($dependency.license)</a></pre>
+                            <b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
                            #else
-                            <b>License:</b><pre class="indent">$esc.html($dependency.license)</pre>
+                            <b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
                            #end
                        #end
-                            <b>File&nbsp;Path:</b>&nbsp;$esc.html($dependency.FilePath)<br/>
-                            <b>MD5:</b>&nbsp;$esc.html($dependency.Md5sum)<br/>
-                            <b>SHA1:</b>&nbsp;$esc.html($dependency.Sha1sum)
+                            <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
+                            <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
+                            <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
                        </p>
                        #set($cnt=$cnt+1)
                        <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
                        <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                            <table class="lined fullwidth" border="0">
                                <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
-                                #foreach($evidence in $dependency.getEvidenceUsed())
-                                    <tr><td>$esc.html($evidence.getSource())</td><td>$esc.html($evidence.getName())</td><td>$esc.html($evidence.getValue())</td></tr>
+                                #foreach($evidence in $dependency.getEvidenceForDisplay())
+                                    <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
                                #end
                            </table>
                        </div>
@@ -538,18 +661,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
                            <ul>
                            #foreach($related in $dependency.getRelatedDependencies())
-                                <li>$esc.html($related.FileName)
+                                <li>$enc.html($related.DisplayFileName)
                                    <ul>
-                                        <li>File Path:&nbsp;$esc.html($related.FilePath)</li>
-                                        <li>SHA1:&nbsp;$esc.html($related.Sha1sum)</li>
-                                        <li>MD5:&nbsp;$esc.html($related.Md5sum)</li>
+                                        <li>File Path:&nbsp;$enc.html($related.FilePath)</li>
+                                        <li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
+                                        <li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
                                        #foreach($id in $related.getIdentifiers())
                                            #if ($id.type=="maven")
                                                #if( $id.url )
                                                    ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
-                                                    <li>$esc.html($id.type):&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
+                                                    <li>$enc.html($id.type):&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
                                                #else
-                                                    <li>$esc.html($id.type):&nbsp;$esc.html($id.value)
+                                                    <li>$enc.html($id.type):&nbsp;$enc.html($id.value)
                                                #end
                                                </li>
                                            #end
@@ -568,7 +691,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #end
                        #end
                        <h4 id="header$cnt" class="subsectionheader white">Identifiers</h4>
-                        ##:&nbsp;<a href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($cpevalue)" target="_blank">$esc.html($cpevalue)</a></h4>
+                        ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
                        <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #if ($dependency.getIdentifiers().size()==0)
                            <ul><li><b>None</b></li></ul>
@@ -577,19 +700,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #foreach($id in $dependency.getIdentifiers())
                                #if( $id.url )
                                    ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
-                                    <li><b>$esc.html($id.type):</b>&nbsp;<a href="$esc.html($id.url)" target="_blank">$esc.html($id.value)</a>
+                                    <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
                                #else
-                                    <li><b>$esc.html($id.type):</b>&nbsp;$esc.html($id.value)
+                                    <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)
                                #end
                                #if ($id.confidence)
                                    &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
                                #end
                                #if ($id.type=="cpe")
                                    ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
-                                    &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileName)', '$esc.html($dependency.Sha1sum)', 'cpe', '$esc.html($id.value)')">suppress</button>
+                                    &nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
                                #end
                                #if ($id.description)
-                                    <br/>$esc.html($id.description)
+                                    <br/>$enc.html($id.description)
                                #end
                                </li>
                            #end
@@ -602,7 +725,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #foreach($vuln in $dependency.getVulnerabilities())
                            #set($vsctr=$vsctr+1)
-                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$esc.html($dependency.FileName)', '$esc.html($dependency.Sha1sum)', 'cve', '$esc.html($vuln.name)')">suppress</button></p>
+                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
                            <p>Severity:
                            #if ($vuln.cvssScore<4.0)
                                Low
@@ -615,29 +738,174 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            #if ($vuln.cwe)
                                <br/>CWE: $vuln.cwe
                            #end</p>
-                            <p>$esc.html($vuln.description)
+                            <p>$enc.html($vuln.description)
                                #if ($vuln.getReferences().size()>0)
                                    <ul>
                                    #foreach($ref in $vuln.getReferences())
-                                        <li>$esc.html($ref.source) - <a target="_blank" href="$esc.html($ref.url)">$ref.name</a></li>
+                                        <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
                                    #end
                                    </ul>
                                #end
                            </p>
-                            <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
-                                <li class="vs$vsctr"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vuln.matchedCPE)">$esc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
-                                <li class="vs$vsctr">...</li>
-                            #foreach($vs in $vuln.getVulnerableSoftware())
-                                <li class="vs$vsctr hidden"><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/search-results?cpe=$esc.url($vs.name)">$esc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+
+                            #if ($vuln.getVulnerableSoftware().size()<2)
+                                <p>Vulnerable Software &amp; Versions:<ul>
+                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                </ul></p>
+                            #else
+                                <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="return toggleDisplay(this,'.vs$vsctr', 'show all', 'show less');">show all</a>)<ul>
+                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                    <li class="vs$vsctr">...</li>
+                                #foreach($vs in $vuln.getVulnerableSoftware())
+                                    <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+                                #end
+                                </ul></p>
                            #end
-                            </ul></p>
                        #end
                    </div>
                    #end
                </div>
                #end
+
+
+
+## BEGIN SUPPRESSED VULNERABILITIES
+                #if ($vulnSuppressedCount>0 || $cpeSuppressedCount>0)
+                    #set($cnt=$cnt+1)
+                    <h2 id="header$cnt" class="expandable">Suppressed Vulnerabilities</h3>
+                    <div id="content$cnt" class="hidden">
+
+                    #foreach($dependency in $dependencies)
+                        #if ($dependency.getSuppressedIdentifiers().size()>0 || $dependency.getSuppressedVulnerabilities().size()>0)
+                            #set($lnkcnt=$lnkcnt+1)
+                            <h3 class="subsectionheader standardsubsection">$enc.html($dependency.DisplayFileName)</h3>
+                            <div class="subsectioncontent">
+                                #if ($dependency.description)
+                                    <p><b>Description:</b>&nbsp;$enc.html($dependency.description)<br/></p>
+                                #end
+                                <p>
+                                #if ($dependency.license)
+                                    #if ($dependency.license.startsWith("http://"))
+                                    <b>License:</b><pre class="indent"><a href="$enc.html($dependency.license)">$enc.html($dependency.license)</a></pre>
+                                    #else
+                                    <b>License:</b><pre class="indent">$enc.html($dependency.license)</pre>
+                                    #end
+                                #end
+                                    <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
+                                    <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
+                                    <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                                </p>
+                                #set($cnt=$cnt+1)
+                                <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
+                                <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
+                                    <table class="lined fullwidth" border="0">
+                                        <tr><th class="left" style="width:10%;">Source</th><th class="left" style="width:20%;">Name</th><th class="left" style="width:70%;">Value</th></tr>
+                                        #foreach($evidence in $dependency.getEvidenceForDisplay())
+                                            <tr><td>$enc.html($evidence.getSource())</td><td>$enc.html($evidence.getName())</td><td>$enc.html($evidence.getValue())</td></tr>
+                                        #end
+                                    </table>
+                                </div>
+                                #if($dependency.getRelatedDependencies().size()>0)
+                                    #set($cnt=$cnt+1)
+                                    <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Related Dependencies</h4>
+                                    <div id="content$cnt" class="subsectioncontent standardsubsection hidden">
+                                    <ul>
+                                    #foreach($related in $dependency.getRelatedDependencies())
+                                        <li>$enc.html($related.DisplayFileName)
+                                            <ul>
+                                                <li>File Path:&nbsp;$enc.html($related.FilePath)</li>
+                                                <li>SHA1:&nbsp;$enc.html($related.Sha1sum)</li>
+                                                <li>MD5:&nbsp;$enc.html($related.Md5sum)</li>
+                                             </ul>
+                                        </li>
+                                    #end
+                                    </ul>
+                                    </div>
+                                #end
+                                #set($cnt=$cnt+1)
+                                #set($cpeCount=0)
+                                #foreach($id in $dependency.getSuppressedIdentifiers())
+                                    #if($id.type.equals("cpe"))
+                                        #set($cpeCount=$cpeCount+1)
+                                    #end
+                                #end
+                                <h4 id="header$cnt" class="subsectionheader white">Suppressed Identifiers</h4>
+                                ##:&nbsp;<a href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($cpevalue)" target="_blank">$enc.html($cpevalue)</a></h4>
+                                <div id="content$cnt" class="subsectioncontent standardsubsection">
+                                #if ($dependency.getSuppressedIdentifiers().size()==0)
+                                    <ul><li><b>None</b></li></ul>
+                                #else ## ($dependency.getSuppressedIdentifiers().size()>0)
+                                    <ul>
+                                    #foreach($id in $dependency.getSuppressedIdentifiers())
+                                        #if( $id.url )
+                                            ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
+                                            <li><b>$enc.html($id.type):</b>&nbsp;<a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
+                                        #else
+                                            <li><b>$enc.html($id.type):</b>&nbsp;$enc.html($id.value)&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span>
+                                        #end
+                                        #if ($id.confidence)
+                                            &nbsp;&nbsp;<i>Confidence</i>:$id.confidence
+                                        #end
+                                        #if ($id.description)
+                                            <br/>$enc.html($id.description)
+                                        #end
+                                        </li>
+                                    #end
+                                    </ul>
+                                #end
+                                </div>
+                            #if($dependency.getSuppressedVulnerabilities().size()>0)
+                            #set($cnt=$cnt+1)
+                            <h4 id="header$cnt" class="subsectionheader expandable collaspablesubsection white">Suppressed Vulnerabilities</h4>
+                            <div id="content$cnt" class="subsectioncontent standardsubsection">
+                                #foreach($vuln in $dependency.getSuppressedVulnerabilities())
+                                    #set($vsctr=$vsctr+1)
+                                    <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<span class="suppressedLabel" >suppressed</span></p>
+                                    <p>Severity:
+                                    #if ($vuln.cvssScore<4.0)
+                                        Low
+                                    #elseif ($vuln.cvssScore>=7.0)
+                                        High
+                                    #else
+                                        Medium
+                                    #end
+                                    <br/>CVSS Score: $vuln.cvssScore
+                                    #if ($vuln.cwe)
+                                        <br/>CWE: $vuln.cwe
+                                    #end</p>
+                                    <p>$enc.html($vuln.description)
+                                        #if ($vuln.getReferences().size()>0)
+                                            <ul>
+                                            #foreach($ref in $vuln.getReferences())
+                                                <li>$enc.html($ref.source) - <a target="_blank" href="$enc.html($ref.url)">$ref.name</a></li>
+                                            #end
+                                            </ul>
+                                        #end
+                                    </p>
+                                    #if ($vuln.getVulnerableSoftware().size()<2)
+                                        <p>Vulnerable Software &amp; Versions:<ul>
+                                            git st<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                        </ul></p>
+                                    #else
+                                        <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="return toggleDisplay(this,'.vs$vsctr', 'show all', 'show less');">show all</a>)<ul>
+                                            <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
+                                            <li class="vs$vsctr">...</li>
+                                        #foreach($vs in $vuln.getVulnerableSoftware())
+                                            <li class="vs$vsctr hidden"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vs.name)">$enc.html($vs.name)</a> #if($vs.hasPreviousVersion()) and all previous versions#end</li>
+                                        #end
+                                        </ul></p>
+                                    #end
+                                #end
+                                </div>
+                            #end
+                            </div>
+                        #end
+                    #end
+                    </div>
+                #end
+## END SUPPRESSED VULNERABILITIES
            </div>
        </div>
-        <div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>
+        <div><br/><br/>This report contains data retrieved from the <a href="http://nvd.nist.gov">National Vulnerability Database</a>.</div>
    </body>
 </html>
--- a/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
@@ -161,14 +161,25 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                margin-top:3px;
                margin-bottom:3px;
            }
+            .disclaimer {
+                color: #888888;
+                font: 9px "Droid Sans",Arial,"Helvetica Neue","Lucida Grande",sans-serif
+            }
+
        </style>
    </head>
    <body>
        <div>
            <h1 class="sectionheader">Vulnerability Report</h1>
+<p class="disclaimer">Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
+false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
+the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
+implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
+is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
+arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.</p>
 ]]#
-            <h2 class="sectionheader white">Project:&nbsp;$esc.html($applicationName)</h2>
-            <div class="sectioncontent">Report Generated On: $date<br/><br/>
+            <h2 class="sectionheader white">Project:&nbsp;$enc.html($applicationName)</h2>
+            <div class="sectioncontent">Report Generated On: $scanDate<br/><br/>
                #set($depCount=$dependencies.size())
                #set($vulnCount=0)

@@ -194,7 +205,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                    #if($dependency.getVulnerabilities().size()>0)
                        #foreach($vuln in $dependency.getVulnerabilities())
                            <tr>
-                                <td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$esc.url($vuln.name)">$esc.html($vuln.name)</a></td>
+                                <td><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></td>
                                <td>
                                #if ($vuln.cwe)
                                    $vuln.cwe
@@ -211,10 +222,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                                ($vuln.cvssScore)
                                <td>#set($cnt=$cnt+1)
                                    #if($dependency.getRelatedDependencies().size()>0)<span id="header$cnt" class="expandable collapsedList">#end
-                                    $esc.html($dependency.FileName)
+                                    $enc.html($dependency.DisplayFileName)
                                    #if($dependency.getRelatedDependencies().size()>0)&nbsp;&nbsp;&nbsp;</span><div id="content$cnt" class="hidden">#end
                                    #foreach($related in $dependency.getRelatedDependencies())
-                                    $esc.html($related.FileName)<br/>
+                                    $enc.html($related.DisplayFileName)<br/>
                                    #end
                                    #if($dependency.getRelatedDependencies().size()>0)</div#end
                                </td>
@@ -225,6 +236,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                </tbody>
                </table>
            </div>
-        <p><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</p>
+        <p><br/><br/>This report contains data retrieved from the <a href="http://nvd.nist.gov">National Vulnerability Database</a>.</p>
    </body>
 </html>
--- a/Show More
+++ b/Show More