version 1.2.9

Former-commit-id: f775a71e328b2ff44d9b004b9991b4bbad8a4725
corrected & operator to use &&
2026-01-14 15:53:36 +01:00 · 2015-03-06 05:59:59 -05:00 · 2015-03-05 06:16:31 -05:00 · 2015-03-05 06:15:43 -05:00 · 2015-03-03 05:59:52 -05:00 · 2015-03-01 21:43:52 -05:00
210 changed files with 27175 additions and 17123 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -7,6 +7,9 @@
 # Eclipse project files
 .classpath
 .project
+.settings
+maven-eclipse.xml
+.externalToolBuilders
 # Netbeans configuration
 nb-configuration.xml
 /target/
--- a/README.md
+++ b/README.md
@@ -40,7 +40,6 @@ The plugin can be configured using the following:
            <plugin>
              <groupId>org.owasp</groupId>
              <artifactId>dependency-check-maven</artifactId>
-              <version>1.0.2</version>
              <executions>
                  <execution>
                      <goals>
@@ -59,7 +58,7 @@ The plugin can be configured using the following:

 ### Ant Task

-For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-maven/installation.html).
+For instructions on the use of the Ant Task, please see the [dependency-check-ant github page](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).

 Development Usage
 -------------
@@ -106,4 +105,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
  [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
  [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
  [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.

 Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.1</version>
+        <version>1.2.9</version>
    </parent>

    <artifactId>dependency-check-ant</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Ant Task</name>
-    <description>Dependency-check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -69,7 +68,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-resources-plugin</artifactId>
-                <version>2.6</version>
                <configuration>
                    <escapeWindowsPaths>false</escapeWindowsPaths>
                </configuration>
@@ -192,10 +190,18 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                    </execution>
                </executions>
            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-shade-plugin</artifactId>
-                <version>2.1</version>
+                <version>2.3</version>
                <configuration>
                    <transformers>
                        <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
@@ -219,29 +225,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                    </execution>
                </executions>
            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                <configuration>
-                    <instrumentation>
+                    <!--instrumentation>
                        <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation>
+                    </instrumentation-->
                    <check>
                        <branchRate>85</branchRate>
                        <lineRate>85</lineRate>
@@ -270,7 +260,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                <configuration>
                    <systemProperties>
                        <property>
@@ -280,165 +269,150 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                    </systemProperties>
                </configuration>
            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
-                <configuration>
-                    <showDeprecation>false</showDeprecation>
-                    <source>1.6</source>
-                    <target>1.6</target>
-                </configuration>
-            </plugin>
-
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                    </reportPlugins>
-                </configuration>
-            </plugin>
        </plugins>
    </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-project-info-reports-plugin</artifactId>
+                <version>2.7</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>index</report>
+                            <report>summary</report>
+                            <report>license</report>
+                            <report>help</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.0.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
    <dependencies>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.owasp</groupId>
            <artifactId>dependency-check-core</artifactId>
@@ -449,12 +423,12 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant</artifactId>
-            <version>1.9.3</version>
+            <version>1.9.4</version>
        </dependency>
        <dependency>
            <groupId>org.apache.ant</groupId>
            <artifactId>ant-testutil</artifactId>
-            <version>1.9.3</version>
+            <version>1.9.4</version>
            <scope>test</scope>
        </dependency>
    </dependencies>
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java
@@ -98,8 +98,8 @@ public class DependencyCheckTask extends Task {
    }

    /**
-     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
-     * path object.
+     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
+     * object.
     *
     * @return the path
     */
@@ -215,9 +215,9 @@ public class DependencyCheckTask extends Task {
        this.reportOutputDirectory = reportOutputDirectory;
    }
    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
-     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
-     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
+     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
+     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
     */
    private float failBuildOnCVSS = 11;

@@ -239,8 +239,8 @@ public class DependencyCheckTask extends Task {
        this.failBuildOnCVSS = failBuildOnCVSS;
    }
    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
-     * false. Default is true.
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
+     * is true.
     */
    private boolean autoUpdate = true;

@@ -262,8 +262,8 @@ public class DependencyCheckTask extends Task {
        this.autoUpdate = autoUpdate;
    }
    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
-     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
+     * Site plugin unless the externalReport is set to true. Default is HTML.
     */
    private String reportFormat = "HTML";

@@ -285,26 +285,49 @@ public class DependencyCheckTask extends Task {
        this.reportFormat = reportFormat.getValue();
    }
    /**
-     * The Proxy URL.
+     * The Proxy Server.
     */
-    private String proxyUrl;
+    private String proxyServer;

    /**
-     * Get the value of proxyUrl.
+     * Get the value of proxyServer.
     *
-     * @return the value of proxyUrl
+     * @return the value of proxyServer
     */
-    public String getProxyUrl() {
-        return proxyUrl;
+    public String getProxyServer() {
+        return proxyServer;
    }

    /**
-     * Set the value of proxyUrl.
+     * Set the value of proxyServer.
     *
-     * @param proxyUrl new value of proxyUrl
+     * @param server new value of proxyServer
     */
+    public void setProxyServer(String server) {
+        this.proxyServer = server;
+    }
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#getProxyServer()} instead
+     */
+    @Deprecated
+    public String getProxyUrl() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyUrl new value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)} instead
+     */
+    @Deprecated
    public void setProxyUrl(String proxyUrl) {
-        this.proxyUrl = proxyUrl;
+        LOGGER.warning("A deprecated configuration option 'proxyUrl' was detected; use 'proxyServer' instead.");
+        this.proxyServer = proxyUrl;
    }
    /**
     * The Proxy Port.
@@ -535,6 +558,28 @@ public class DependencyCheckTask extends Task {
    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
    }
+    /**
+     * Whether or not the central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = false;
+
+    /**
+     * Get the value of centralAnalyzerEnabled.
+     *
+     * @return the value of centralAnalyzerEnabled
+     */
+    public boolean isCentralAnalyzerEnabled() {
+        return centralAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of centralAnalyzerEnabled.
+     *
+     * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
+     */
+    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
+    }

    /**
     * Whether or not the nexus analyzer is enabled.
@@ -718,8 +763,8 @@ public class DependencyCheckTask extends Task {
    }

    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
-     * like ZIP files.
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
+     * files.
     */
    private String zipExtensions;

@@ -934,8 +979,8 @@ public class DependencyCheckTask extends Task {
    }

    /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy url, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
+     * required to change the proxy server, port, and connection timeout.
     */
    private void populateSettings() {
        Settings.initialize();
@@ -967,8 +1012,8 @@ public class DependencyCheckTask extends Task {

        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);

-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -991,6 +1036,8 @@ public class DependencyCheckTask extends Task {
        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
        //NUSPEC ANALYZER
        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        //CENTRAL ANALYZER
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
        //NEXUS ANALYZER
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -32,7 +32,7 @@ failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score a
 format               | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
 logFile              | The file path to write verbose logging information. | &nbsp;
 suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../suppression.html) | &nbsp;
-proxyUrl             | The Proxy URL.                     | &nbsp;
+proxyServer          | The Proxy Server.                  | &nbsp;
 proxyPort            | The Proxy Port.                    | &nbsp;
 proxyUsername        | Defines the proxy user name.       | &nbsp;
 proxyPassword        | Defines the proxy password.        | &nbsp;
@@ -46,17 +46,18 @@ Note, that specific analyzers will automatically disable themselves if no file
 types that they support are detected - so specifically disabling them may not
 be needed.

-Property                | Description                        | Default Value
------------------------|------------------------------------|------------------
-archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                    | true
+Property                | Description                                                               | Default Value
+------------------------|---------------------------------------------------------------------------|------------------
+archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                           | true
 zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
-jarAnalyzer             | Sets whether Jar Analyzer will be used.                            | true
-nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used.                          | true
-nexusUrl                | Defines the Nexus URL. | https://repository.sonatype.org/service/local/
+jarAnalyzer             | Sets whether the Jar Analyzer will be used.                                   | true
+centralAnalyzerEnabled  | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
+nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
+nexusUrl                | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. | &nbsp;
 nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
-nuspecAnalyzerEnabled  | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.   | true
-assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.     | true
-pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems | &nbsp;
+nuspecAnalyzerEnabled   | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.          | true
+assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.            | true
+pathToMono              | The path to Mono for .NET assembly analysis on non-windows systems.       | &nbsp;

 Advanced Configuration
 ====================
--- a/dependency-check-ant/src/site/markdown/installation.md.vm
+++ b/dependency-check-ant/src/site/markdown/installation.md.vm
@@ -3,7 +3,20 @@ Installation
 Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
 To install dependency-check-ant place the dependency-check-ant-${project.version}.jar into
 the lib directory of your Ant instalation directory. Once installed you can add
-the taskdef to you build.xml and add the task to a new or existing target.
+the taskdef to you build.xml and add the task to a new or existing target:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
+```
+
+If you do not want to install dependency-check-ant into your ant's lib directory when you define the task def you
+must add the classpath to the taskdef:
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
+    <classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
+</taskdef>
+```

 It is important to understand that the first time this task is executed it may
 take 20 minutes or more as it downloads and processes the data from the National
--- a/dependency-check-ant/src/site/markdown/usage.md.vm
+++ b/dependency-check-ant/src/site/markdown/usage.md.vm
@@ -1,11 +1,19 @@
 Usage
 ====================
-First, add the dependency-check-ant taskdef to your build.xml:
+First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html):

 ```xml
 <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>
 ```

+Or
+
+```xml
+<taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask">
+    <classpath path="[path]/[to]/dependency-check-ant-${project.version}.jar"/>
+</taskdef>
+```
+
 Next, add the task to a target of your choosing:

 ```xml
--- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
+++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
@@ -30,6 +30,10 @@ import org.owasp.dependencycheck.utils.Settings;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public class DependencyCheckTaskTest extends BuildFileTest {
+    //TODO: The use of deprecated class BuildFileTestcan possibly
+    //be replaced with BuildFileRule. However, it currently isn't included in the ant-testutil jar.
+    //This should be fixed in ant-testutil 1.9.5, so we can check back once that has been released.
+    //Reference: http://mail-archives.apache.org/mod_mbox/ant-user/201406.mbox/%3C000001cf87ba$8949b690$9bdd23b0$@de%3E

    @Before
    @Override
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -15,20 +15,19 @@ limitations under the License.

 Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.1</version>
+        <version>1.2.9</version>
    </parent>

    <artifactId>dependency-check-cli</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Command Line</name>
-    <description>Dependency-Check-Maven is a Maven Plugin that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.</description>
+    <description>dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -61,27 +60,21 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
                <configuration>
                    <archive>
                        <manifest>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                        </manifest>
                    </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                <configuration>
-                    <instrumentation>
+                    <!--instrumentation>
                        <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation>
+                    </instrumentation-->
                    <check>
                        <branchRate>85</branchRate>
                        <lineRate>85</lineRate>
@@ -115,7 +108,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                <configuration>
                    <systemProperties>
                        <property>
@@ -134,162 +126,15 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
-                <configuration>
-                    <showDeprecation>false</showDeprecation>
-                    <source>1.6</source>
-                    <target>1.6</target>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                    </reportPlugins>
-                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>appassembler-maven-plugin</artifactId>
-                <version>1.7</version>
                <configuration>
                    <programs>
                        <program>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <name>dependency-check</name>
+                            <id>dependency-check</id>
                        </program>
                    </programs>
                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
@@ -330,6 +175,137 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            </plugin>
        </plugins>
    </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-project-info-reports-plugin</artifactId>
+                <version>2.7</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>index</report>
+                            <report>summary</report>
+                            <report>license</report>
+                            <report>help</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
    <dependencies>
        <dependency>
            <groupId>commons-cli</groupId>
@@ -341,5 +317,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <artifactId>dependency-check-core</artifactId>
            <version>${project.parent.version}</version>
        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
    </dependencies>
 </project>
--- a/dependency-check-cli/src/main/assembly/release.xml
+++ b/dependency-check-cli/src/main/assembly/release.xml
@@ -2,10 +2,8 @@
 <assembly
    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
-    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-      http://maven.apache.org/xsd/assembly-1.1.2.xsd
-  "
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd"
 >
    <id>release</id>
    <formats>
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -21,15 +21,19 @@ import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.apache.commons.cli.ParseException;
-import org.owasp.dependencycheck.cli.CliParser;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.org.apache.tools.ant.DirectoryScanner;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.LogUtils;
 import org.owasp.dependencycheck.utils.Settings;
@@ -93,7 +97,11 @@ public class App {
            cli.printVersionInfo();
        } else if (cli.isRunScan()) {
            populateSettings(cli);
-            runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles());
+            try {
+                runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExcludeList());
+            } catch (InvalidScanPathException ex) {
+                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "An invalid scan path was detected; unable to scan '//*' paths");
+            }
        } else {
            cli.printHelp();
        }
@@ -106,18 +114,71 @@ public class App {
     * @param outputFormat the output format of the report
     * @param applicationName the application name for the report
     * @param files the files/directories to scan
+     * @param excludes the patterns for files/directories to exclude
+     *
+     * @throws InvalidScanPathException thrown if the path to scan starts with "//"
     */
-    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files) {
-        Engine scanner = null;
+    private void runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
+            String[] excludes) throws InvalidScanPathException {
+        Engine engine = null;
        try {
-            scanner = new Engine();
-
-            for (String file : files) {
-                scanner.scan(file);
+            engine = new Engine();
+            List<String> antStylePaths = new ArrayList<String>();
+            if (excludes == null || excludes.length == 0) {
+                for (String file : files) {
+                    if (file.contains("*") || file.contains("?")) {
+                        antStylePaths.add(file);
+                    } else {
+                        engine.scan(file);
+                    }
+                }
+            } else {
+                antStylePaths = Arrays.asList(files);
            }

-            scanner.analyzeDependencies();
-            final List<Dependency> dependencies = scanner.getDependencies();
+            final Set<File> paths = new HashSet<File>();
+            for (String file : antStylePaths) {
+                final DirectoryScanner scanner = new DirectoryScanner();
+                String include = file.replace('\\', '/');
+                File baseDir;
+
+                if (include.startsWith("//")) {
+                    throw new InvalidScanPathException("Unable to scan paths specified by //");
+                } else if (include.startsWith("./")) {
+                    baseDir = new File(".");
+                    include = include.substring(2);
+                } else if (include.startsWith("/")) {
+                    baseDir = new File("/");
+                    include = include.substring(1);
+                } else if (include.contains("/")) {
+                    final int pos = include.indexOf('/');
+                    final String tmp = include.substring(0, pos);
+                    if (tmp.contains("*") || tmp.contains("?")) {
+                        baseDir = new File(".");
+                    } else {
+                        baseDir = new File(tmp);
+                        include = include.substring(pos + 1);
+                    }
+                } else { //no path info - must just be a file in the working directory
+                    baseDir = new File(".");
+                }
+                scanner.setBasedir(baseDir);
+                scanner.setIncludes(include);
+                if (excludes != null && excludes.length > 0) {
+                    scanner.addExcludes(excludes);
+                }
+                scanner.scan();
+                if (scanner.getIncludedFilesCount() > 0) {
+                    for (String s : scanner.getIncludedFiles()) {
+                        final File f = new File(baseDir, s);
+                        paths.add(f);
+                    }
+                }
+            }
+            engine.scan(paths);
+
+            engine.analyzeDependencies();
+            final List<Dependency> dependencies = engine.getDependencies();
            DatabaseProperties prop = null;
            CveDB cve = null;
            try {
@@ -131,7 +192,7 @@ public class App {
                    cve.close();
                }
            }
-            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, scanner.getAnalyzers(), prop);
+            final ReportGenerator report = new ReportGenerator(applicationName, dependencies, engine.getAnalyzers(), prop);
            try {
                report.generateReports(reportDirectory, outputFormat);
            } catch (IOException ex) {
@@ -145,8 +206,8 @@ public class App {
            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
            LOGGER.log(Level.FINE, "", ex);
        } finally {
-            if (scanner != null) {
-                scanner.cleanup();
+            if (engine != null) {
+                engine.cleanup();
            }
        }
    }
@@ -161,7 +222,7 @@ public class App {

        final boolean autoUpdate = cli.isAutoUpdate();
        final String connectionTimeout = cli.getConnectionTimeout();
-        final String proxyUrl = cli.getProxyUrl();
+        final String proxyServer = cli.getProxyServer();
        final String proxyPort = cli.getProxyPort();
        final String proxyUser = cli.getProxyUsername();
        final String proxyPass = cli.getProxyPassword();
@@ -172,6 +233,7 @@ public class App {
        final boolean archiveDisabled = cli.isArchiveDisabled();
        final boolean assemblyDisabled = cli.isAssemblyDisabled();
        final boolean nuspecDisabled = cli.isNuspecDisabled();
+        final boolean centralDisabled = cli.isCentralDisabled();
        final boolean nexusDisabled = cli.isNexusDisabled();
        final String nexusUrl = cli.getNexusUrl();
        final String databaseDriverName = cli.getDatabaseDriverName();
@@ -212,8 +274,8 @@ public class App {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -237,6 +299,7 @@ public class App {
        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);

+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !centralDisabled);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !nexusDisabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/CliParser.java
@@ -15,10 +15,11 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.cli;
+package org.owasp.dependencycheck;

 import java.io.File;
 import java.io.FileNotFoundException;
+import java.util.logging.Logger;
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -39,6 +40,10 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public final class CliParser {

+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CliParser.class.getName());
    /**
     * The command line.
     */
@@ -79,22 +84,22 @@ public final class CliParser {
    /**
     * Validates that the command line arguments are valid.
     *
-     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
-     * does not exist.
+     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
+     * exist.
     * @throws ParseException is thrown if there is an exception parsing the command line.
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isRunScan()) {
-            validatePathExists(getScanFiles(), ArgumentName.SCAN);
-            validatePathExists(getReportDirectory(), ArgumentName.OUT);
+            validatePathExists(getScanFiles(), ARGUMENT.SCAN);
+            validatePathExists(getReportDirectory(), ARGUMENT.OUT);
            if (getPathToMono() != null) {
-                validatePathExists(getPathToMono(), ArgumentName.PATH_TO_MONO);
+                validatePathExists(getPathToMono(), ARGUMENT.PATH_TO_MONO);
            }
-            if (!line.hasOption(ArgumentName.APP_NAME)) {
+            if (!line.hasOption(ARGUMENT.APP_NAME)) {
                throw new ParseException("Missing 'app' argument; the scan cannot be run without the an application name.");
            }
-            if (line.hasOption(ArgumentName.OUTPUT_FORMAT)) {
-                final String format = line.getOptionValue(ArgumentName.OUTPUT_FORMAT);
+            if (line.hasOption(ARGUMENT.OUTPUT_FORMAT)) {
+                final String format = line.getOptionValue(ARGUMENT.OUTPUT_FORMAT);
                try {
                    Format.valueOf(format);
                } catch (IllegalArgumentException ex) {
@@ -107,8 +112,8 @@ public final class CliParser {
    }

    /**
-     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
-     * file a FileNotFoundException is thrown.
+     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
+     * FileNotFoundException is thrown.
     *
     * @param paths the paths to validate if they exists
     * @param optType the option being validated (e.g. scan, out, etc.)
@@ -129,14 +134,36 @@ public final class CliParser {
     * @throws FileNotFoundException is thrown if the path being validated does not exist.
     */
    private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
-        if (!path.contains("*.")) {
-            final File f = new File(path);
-            if (!f.exists()) {
-                isValid = false;
-                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
-                throw new FileNotFoundException(msg);
+        if (path == null) {
+            isValid = false;
+            final String msg = String.format("Invalid '%s' argument: null", argumentName);
+            throw new FileNotFoundException(msg);
+        } else if (!path.contains("*") && !path.contains("?")) {
+            File f = new File(path);
+            if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !"ALL".equalsIgnoreCase(this.getReportFormat())) {
+                final String checkPath = path.toLowerCase();
+                if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
+                    if (f.getParentFile() == null) {
+                        f = new File(".", path);
+                    }
+                    if (!f.getParentFile().isDirectory()) {
+                        isValid = false;
+                        final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                        throw new FileNotFoundException(msg);
+                    }
+                }
+            } else {
+                if (!f.exists()) {
+                    isValid = false;
+                    final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                    throw new FileNotFoundException(msg);
+                }
            }
-        } // else { // TODO add a validation for *.zip extensions rather then relying on the engine to validate it.
+        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
+            isValid = false;
+            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
+            throw new FileNotFoundException(msg);
+        }
    }

    /**
@@ -146,11 +173,10 @@ public final class CliParser {
     */
    @SuppressWarnings("static-access")
    private Options createCommandLineOptions() {
-
        final Options options = new Options();
        addStandardOptions(options);
        addAdvancedOptions(options);
-
+        addDeprecatedOptions(options);
        return options;
    }

@@ -162,44 +188,50 @@ public final class CliParser {
     */
    @SuppressWarnings("static-access")
    private void addStandardOptions(final Options options) throws IllegalArgumentException {
-        final Option help = new Option(ArgumentName.HELP_SHORT, ArgumentName.HELP, false,
+        final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
                "Print this message.");

-        final Option advancedHelp = OptionBuilder.withLongOpt(ArgumentName.ADVANCED_HELP)
+        final Option advancedHelp = OptionBuilder.withLongOpt(ARGUMENT.ADVANCED_HELP)
                .withDescription("Print the advanced help message.").create();

-        final Option version = new Option(ArgumentName.VERSION_SHORT, ArgumentName.VERSION,
+        final Option version = new Option(ARGUMENT.VERSION_SHORT, ARGUMENT.VERSION,
                false, "Print the version information.");

-        final Option noUpdate = new Option(ArgumentName.DISABLE_AUTO_UPDATE_SHORT, ArgumentName.DISABLE_AUTO_UPDATE,
+        final Option noUpdate = new Option(ARGUMENT.DISABLE_AUTO_UPDATE_SHORT, ARGUMENT.DISABLE_AUTO_UPDATE,
                false, "Disables the automatic updating of the CPE data.");

-        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ArgumentName.APP_NAME)
+        final Option appName = OptionBuilder.withArgName("name").hasArg().withLongOpt(ARGUMENT.APP_NAME)
                .withDescription("The name of the application being scanned. This is a required argument.")
-                .create(ArgumentName.APP_NAME_SHORT);
+                .create(ARGUMENT.APP_NAME_SHORT);

-        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.SCAN)
-                .withDescription("The path to scan - this option can be specified multiple times. To limit the scan"
-                        + " to specific file types *.[ext] can be added to the end of the path.")
-                .create(ArgumentName.SCAN_SHORT);
+        final Option path = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.SCAN)
+                .withDescription("The path to scan - this option can be specified multiple times. Ant style"
+                        + " paths are supported (e.g. path/**/*.jar).")
+                .create(ARGUMENT.SCAN_SHORT);

-        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.PROP)
+        final Option excludes = OptionBuilder.withArgName("pattern").hasArg().withLongOpt(ARGUMENT.EXCLUDE)
+                .withDescription("Specify and exclusion pattern. This option can be specified multiple times"
+                        + " and it accepts Ant style excludsions.")
+                .create();
+
+        final Option props = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.PROP)
                .withDescription("A property file to load.")
-                .create(ArgumentName.PROP_SHORT);
+                .create(ARGUMENT.PROP_SHORT);

-        final Option out = OptionBuilder.withArgName("folder").hasArg().withLongOpt(ArgumentName.OUT)
-                .withDescription("The folder to write reports to. This defaults to the current directory.")
-                .create(ArgumentName.OUT_SHORT);
+        final Option out = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.OUT)
+                .withDescription("The folder to write reports to. This defaults to the current directory. "
+                        + "It is possible to set this to a specific file name if the format argument is not set to ALL.")
+                .create(ARGUMENT.OUT_SHORT);

-        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ArgumentName.OUTPUT_FORMAT)
+        final Option outputFormat = OptionBuilder.withArgName("format").hasArg().withLongOpt(ARGUMENT.OUTPUT_FORMAT)
                .withDescription("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
-                .create(ArgumentName.OUTPUT_FORMAT_SHORT);
+                .create(ARGUMENT.OUTPUT_FORMAT_SHORT);

-        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.VERBOSE_LOG)
+        final Option verboseLog = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.VERBOSE_LOG)
                .withDescription("The file path to write verbose logging information.")
-                .create(ArgumentName.VERBOSE_LOG_SHORT);
+                .create(ARGUMENT.VERBOSE_LOG_SHORT);

-        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ArgumentName.SUPPRESSION_FILE)
+        final Option suppressionFile = OptionBuilder.withArgName("file").hasArg().withLongOpt(ARGUMENT.SUPPRESSION_FILE)
                .withDescription("The file path to the suppression XML file.")
                .create();

@@ -207,7 +239,11 @@ public final class CliParser {
        final OptionGroup og = new OptionGroup();
        og.addOption(path);

+        final OptionGroup exog = new OptionGroup();
+        exog.addOption(excludes);
+
        options.addOptionGroup(og)
+                .addOptionGroup(exog)
                .addOption(out)
                .addOption(outputFormat)
                .addOption(appName)
@@ -221,8 +257,8 @@ public final class CliParser {
    }

    /**
-     * Adds the advanced command line options to the given options collection. These are split out for purposes of being
-     * able to display two different help messages.
+     * Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
+     * display two different help messages.
     *
     * @param options a collection of command line arguments
     * @throws IllegalArgumentException thrown if there is an exception
@@ -230,87 +266,92 @@ public final class CliParser {
    @SuppressWarnings("static-access")
    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {

-        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DATA_DIRECTORY)
+        final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
                .withDescription("The location of the H2 Database file. This option should generally not be set.")
-                .create(ArgumentName.DATA_DIRECTORY_SHORT);
+                .create(ARGUMENT.DATA_DIRECTORY_SHORT);

-        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ArgumentName.CONNECTION_TIMEOUT)
+        final Option connectionTimeout = OptionBuilder.withArgName("timeout").hasArg().withLongOpt(ARGUMENT.CONNECTION_TIMEOUT)
                .withDescription("The connection timeout (in milliseconds) to use when downloading resources.")
-                .create(ArgumentName.CONNECTION_TIMEOUT_SHORT);
+                .create(ARGUMENT.CONNECTION_TIMEOUT_SHORT);

-        final Option proxyUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.PROXY_URL)
-                .withDescription("The proxy url to use when downloading resources.")
-                .create(ArgumentName.PROXY_URL_SHORT);
+        final Option proxyServer = OptionBuilder.withArgName("server").hasArg().withLongOpt(ARGUMENT.PROXY_SERVER)
+                .withDescription("The proxy server to use when downloading resources.")
+                .create();

-        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ArgumentName.PROXY_PORT)
+        final Option proxyPort = OptionBuilder.withArgName("port").hasArg().withLongOpt(ARGUMENT.PROXY_PORT)
                .withDescription("The proxy port to use when downloading resources.")
-                .create(ArgumentName.PROXY_PORT_SHORT);
+                .create();

-        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.PROXY_USERNAME)
+        final Option proxyUsername = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.PROXY_USERNAME)
                .withDescription("The proxy username to use when downloading resources.")
                .create();

-        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ArgumentName.PROXY_PASSWORD)
+        final Option proxyPassword = OptionBuilder.withArgName("pass").hasArg().withLongOpt(ARGUMENT.PROXY_PASSWORD)
                .withDescription("The proxy password to use when downloading resources.")
                .create();

-        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ArgumentName.CONNECTION_STRING)
+        final Option connectionString = OptionBuilder.withArgName("connStr").hasArg().withLongOpt(ARGUMENT.CONNECTION_STRING)
                .withDescription("The connection string to the database.")
                .create();

-        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ArgumentName.DB_NAME)
+        final Option dbUser = OptionBuilder.withArgName("user").hasArg().withLongOpt(ARGUMENT.DB_NAME)
                .withDescription("The username used to connect to the database.")
                .create();

-        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ArgumentName.DB_PASSWORD)
+        final Option dbPassword = OptionBuilder.withArgName("password").hasArg().withLongOpt(ARGUMENT.DB_PASSWORD)
                .withDescription("The password for connecting to the database.")
                .create();

-        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ArgumentName.DB_DRIVER)
+        final Option dbDriver = OptionBuilder.withArgName("driver").hasArg().withLongOpt(ARGUMENT.DB_DRIVER)
                .withDescription("The database driver name.")
                .create();

-        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.DB_DRIVER_PATH)
+        final Option dbDriverPath = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DB_DRIVER_PATH)
                .withDescription("The path to the database driver; note, this does not need to be set unless the JAR is outside of the classpath.")
                .create();

-        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_JAR)
+        final Option disableJarAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_JAR)
                .withDescription("Disable the Jar Analyzer.")
                .create();
-        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ARCHIVE)
+        final Option disableArchiveAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ARCHIVE)
                .withDescription("Disable the Archive Analyzer.")
                .create();
-        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NUSPEC)
+        final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
                .withDescription("Disable the Nuspec Analyzer.")
                .create();
-        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_ASSEMBLY)
+        final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
                .withDescription("Disable the .NET Assembly Analyzer.")
                .create();

-        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ArgumentName.DISABLE_NEXUS)
+        final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
+                .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+                        + "the Nexus Analyzer.")
+                .create();
+
+        final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
                .withDescription("Disable the Nexus Analyzer.")
                .create();

-        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ArgumentName.NEXUS_URL)
-                .withDescription("The url to the Nexus Server.")
+        final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
+                .withDescription("The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled.")
                .create();

-        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ArgumentName.NEXUS_USES_PROXY)
+        final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
                .withDescription("Whether or not the configured proxy should be used when connecting to Nexus.")
                .create();

        final Option additionalZipExtensions = OptionBuilder.withArgName("extensions").hasArg()
-                .withLongOpt(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS)
+                .withLongOpt(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS)
                .withDescription("A comma separated list of additional extensions to be scanned as ZIP files "
                        + "(ZIP, EAR, WAR are already treated as zip files)")
                .create();

-        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ArgumentName.PATH_TO_MONO)
+        final Option pathToMono = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.PATH_TO_MONO)
                .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .create();

        options.addOption(proxyPort)
-                .addOption(proxyUrl)
+                .addOption(proxyServer)
                .addOption(proxyUsername)
                .addOption(proxyPassword)
                .addOption(connectionTimeout)
@@ -324,6 +365,7 @@ public final class CliParser {
                .addOption(disableArchiveAnalyzer)
                .addOption(disableAssemblyAnalyzer)
                .addOption(disableNuspecAnalyzer)
+                .addOption(disableCentralAnalyzer)
                .addOption(disableNexusAnalyzer)
                .addOption(nexusUrl)
                .addOption(nexusUsesProxy)
@@ -331,13 +373,30 @@ public final class CliParser {
                .addOption(pathToMono);
    }

+    /**
+     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
+     * them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     *
+     * @param options a collection of command line arguments
+     * @throws IllegalArgumentException thrown if there is an exception
+     */
+    @SuppressWarnings("static-access")
+    private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
+
+        final Option proxyServer = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.PROXY_URL)
+                .withDescription("The proxy url argument is deprecated, use proxyserver instead.")
+                .create();
+
+        options.addOption(proxyServer);
+    }
+
    /**
     * Determines if the 'version' command line argument was passed in.
     *
     * @return whether or not the 'version' command line argument was passed in
     */
    public boolean isGetVersion() {
-        return (line != null) && line.hasOption(ArgumentName.VERSION);
+        return (line != null) && line.hasOption(ARGUMENT.VERSION);
    }

    /**
@@ -346,7 +405,7 @@ public final class CliParser {
     * @return whether or not the 'help' command line argument was passed in
     */
    public boolean isGetHelp() {
-        return (line != null) && line.hasOption(ArgumentName.HELP);
+        return (line != null) && line.hasOption(ARGUMENT.HELP);
    }

    /**
@@ -355,7 +414,7 @@ public final class CliParser {
     * @return whether or not the 'scan' command line argument was passed in
     */
    public boolean isRunScan() {
-        return (line != null) && isValid && line.hasOption(ArgumentName.SCAN);
+        return (line != null) && isValid && line.hasOption(ARGUMENT.SCAN);
    }

    /**
@@ -364,7 +423,7 @@ public final class CliParser {
     * @return true if the disableJar command line argument was specified; otherwise false
     */
    public boolean isJarDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_JAR);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
    }

    /**
@@ -373,7 +432,7 @@ public final class CliParser {
     * @return true if the disableArchive command line argument was specified; otherwise false
     */
    public boolean isArchiveDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_ARCHIVE);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
    }

    /**
@@ -382,7 +441,7 @@ public final class CliParser {
     * @return true if the disableNuspec command line argument was specified; otherwise false
     */
    public boolean isNuspecDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_NUSPEC);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
    }

    /**
@@ -391,7 +450,7 @@ public final class CliParser {
     * @return true if the disableAssembly command line argument was specified; otherwise false
     */
    public boolean isAssemblyDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_ASSEMBLY);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
    }

    /**
@@ -400,7 +459,16 @@ public final class CliParser {
     * @return true if the disableNexus command line argument was specified; otherwise false
     */
    public boolean isNexusDisabled() {
-        return (line != null) && line.hasOption(ArgumentName.DISABLE_NEXUS);
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
+    }
+
+    /**
+     * Returns true if the disableCentral command line argument was specified.
+     *
+     * @return true if the disableCentral command line argument was specified; otherwise false
+     */
+    public boolean isCentralDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL);
    }

    /**
@@ -409,30 +477,29 @@ public final class CliParser {
     * @return the url to the nexus server; if none was specified this will return null;
     */
    public String getNexusUrl() {
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_URL)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
            return null;
        } else {
-            return line.getOptionValue(ArgumentName.NEXUS_URL);
+            return line.getOptionValue(ARGUMENT.NEXUS_URL);
        }
    }

    /**
-     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
-     * returned.
+     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
     *
     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
     */
    public boolean isNexusUsesProxy() {
        // If they didn't specify whether Nexus needs to use the proxy, we should
        // still honor the property if it's set.
-        if (line == null || !line.hasOption(ArgumentName.NEXUS_USES_PROXY)) {
+        if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
            try {
                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
            } catch (InvalidSettingException ise) {
                return true;
            }
        } else {
-            return Boolean.parseBoolean(line.getOptionValue(ArgumentName.NEXUS_USES_PROXY));
+            return Boolean.parseBoolean(line.getOptionValue(ARGUMENT.NEXUS_USES_PROXY));
        }
    }

@@ -443,7 +510,7 @@ public final class CliParser {
        final HelpFormatter formatter = new HelpFormatter();
        final Options options = new Options();
        addStandardOptions(options);
-        if (line != null && line.hasOption(ArgumentName.ADVANCED_HELP)) {
+        if (line != null && line.hasOption(ARGUMENT.ADVANCED_HELP)) {
            addAdvancedOptions(options);
        }
        final String helpMsg = String.format("%n%s"
@@ -457,7 +524,6 @@ public final class CliParser {
                options,
                "",
                true);
-
    }

    /**
@@ -466,7 +532,16 @@ public final class CliParser {
     * @return the file paths specified on the command line for scan
     */
    public String[] getScanFiles() {
-        return line.getOptionValues(ArgumentName.SCAN);
+        return line.getOptionValues(ARGUMENT.SCAN);
+    }
+
+    /**
+     * Retrieves the list of excluded file patterns specified by the 'exclude' argument.
+     *
+     * @return the excluded file patterns
+     */
+    public String[] getExcludeList() {
+        return line.getOptionValues(ARGUMENT.EXCLUDE);
    }

    /**
@@ -475,7 +550,7 @@ public final class CliParser {
     * @return the path to the reports directory.
     */
    public String getReportDirectory() {
-        return line.getOptionValue(ArgumentName.OUT, ".");
+        return line.getOptionValue(ARGUMENT.OUT, ".");
    }

    /**
@@ -484,7 +559,7 @@ public final class CliParser {
     * @return the path to Mono
     */
    public String getPathToMono() {
-        return line.getOptionValue(ArgumentName.PATH_TO_MONO);
+        return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
    }

    /**
@@ -493,7 +568,7 @@ public final class CliParser {
     * @return the output format name.
     */
    public String getReportFormat() {
-        return line.getOptionValue(ArgumentName.OUTPUT_FORMAT, "HTML");
+        return line.getOptionValue(ARGUMENT.OUTPUT_FORMAT, "HTML");
    }

    /**
@@ -502,7 +577,7 @@ public final class CliParser {
     * @return the application name.
     */
    public String getApplicationName() {
-        return line.getOptionValue(ArgumentName.APP_NAME);
+        return line.getOptionValue(ARGUMENT.APP_NAME);
    }

    /**
@@ -511,16 +586,24 @@ public final class CliParser {
     * @return the connection timeout
     */
    public String getConnectionTimeout() {
-        return line.getOptionValue(ArgumentName.CONNECTION_TIMEOUT);
+        return line.getOptionValue(ARGUMENT.CONNECTION_TIMEOUT);
    }

    /**
-     * Returns the proxy url.
+     * Returns the proxy server.
     *
-     * @return the proxy url
+     * @return the proxy server
     */
-    public String getProxyUrl() {
-        return line.getOptionValue(ArgumentName.PROXY_URL);
+    public String getProxyServer() {
+
+        String server = line.getOptionValue(ARGUMENT.PROXY_SERVER);
+        if (server == null) {
+            server = line.getOptionValue(ARGUMENT.PROXY_URL);
+            if (server != null) {
+                LOGGER.warning("An old command line argument 'proxyurl' was detected; use proxyserver instead");
+            }
+        }
+        return server;
    }

    /**
@@ -529,7 +612,7 @@ public final class CliParser {
     * @return the proxy port
     */
    public String getProxyPort() {
-        return line.getOptionValue(ArgumentName.PROXY_PORT);
+        return line.getOptionValue(ARGUMENT.PROXY_PORT);
    }

    /**
@@ -538,7 +621,7 @@ public final class CliParser {
     * @return the proxy username
     */
    public String getProxyUsername() {
-        return line.getOptionValue(ArgumentName.PROXY_USERNAME);
+        return line.getOptionValue(ARGUMENT.PROXY_USERNAME);
    }

    /**
@@ -547,7 +630,7 @@ public final class CliParser {
     * @return the proxy password
     */
    public String getProxyPassword() {
-        return line.getOptionValue(ArgumentName.PROXY_PASSWORD);
+        return line.getOptionValue(ARGUMENT.PROXY_PASSWORD);
    }

    /**
@@ -556,7 +639,7 @@ public final class CliParser {
     * @return the value of dataDirectory
     */
    public String getDataDirectory() {
-        return line.getOptionValue(ArgumentName.DATA_DIRECTORY);
+        return line.getOptionValue(ARGUMENT.DATA_DIRECTORY);
    }

    /**
@@ -565,7 +648,7 @@ public final class CliParser {
     * @return the properties file specified on the command line
     */
    public File getPropertiesFile() {
-        final String path = line.getOptionValue(ArgumentName.PROP);
+        final String path = line.getOptionValue(ARGUMENT.PROP);
        if (path != null) {
            return new File(path);
        }
@@ -578,7 +661,7 @@ public final class CliParser {
     * @return the path to the verbose log file
     */
    public String getVerboseLog() {
-        return line.getOptionValue(ArgumentName.VERBOSE_LOG);
+        return line.getOptionValue(ARGUMENT.VERBOSE_LOG);
    }

    /**
@@ -587,7 +670,7 @@ public final class CliParser {
     * @return the path to the suppression file
     */
    public String getSuppressionFile() {
-        return line.getOptionValue(ArgumentName.SUPPRESSION_FILE);
+        return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
    }

    /**
@@ -598,19 +681,18 @@ public final class CliParser {
     */
    public void printVersionInfo() {
        final String version = String.format("%s version %s",
-                Settings.getString("application.name", "DependencyCheck"),
-                Settings.getString("application.version", "Unknown"));
+                Settings.getString(Settings.KEYS.APPLICATION_VAME, "dependency-check"),
+                Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
        System.out.println(version);
    }

    /**
-     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
-     * return false.
+     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
     *
     * @return if auto-update is allowed.
     */
    public boolean isAutoUpdate() {
-        return (line == null) || !line.hasOption(ArgumentName.DISABLE_AUTO_UPDATE);
+        return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
    }

    /**
@@ -619,7 +701,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverName() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER);
    }

    /**
@@ -628,7 +710,7 @@ public final class CliParser {
     * @return the database driver name if specified; otherwise null is returned
     */
    public String getDatabaseDriverPath() {
-        return line.getOptionValue(ArgumentName.DB_DRIVER_PATH);
+        return line.getOptionValue(ARGUMENT.DB_DRIVER_PATH);
    }

    /**
@@ -637,7 +719,7 @@ public final class CliParser {
     * @return the database connection string if specified; otherwise null is returned
     */
    public String getConnectionString() {
-        return line.getOptionValue(ArgumentName.CONNECTION_STRING);
+        return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
    }

    /**
@@ -646,7 +728,7 @@ public final class CliParser {
     * @return the database database user name if specified; otherwise null is returned
     */
    public String getDatabaseUser() {
-        return line.getOptionValue(ArgumentName.DB_NAME);
+        return line.getOptionValue(ARGUMENT.DB_NAME);
    }

    /**
@@ -655,7 +737,7 @@ public final class CliParser {
     * @return the database database password if specified; otherwise null is returned
     */
    public String getDatabasePassword() {
-        return line.getOptionValue(ArgumentName.DB_PASSWORD);
+        return line.getOptionValue(ARGUMENT.DB_PASSWORD);
    }

    /**
@@ -664,13 +746,13 @@ public final class CliParser {
     * @return the additional Extensions; otherwise null is returned
     */
    public String getAdditionalZipExtensions() {
-        return line.getOptionValue(ArgumentName.ADDITIONAL_ZIP_EXTENSIONS);
+        return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
    }

    /**
     * A collection of static final strings that represent the possible command line arguments.
     */
-    public static class ArgumentName {
+    public static class ARGUMENT {

        /**
         * The long CLI argument name specifying the directory/file to scan.
@@ -732,21 +814,20 @@ public final class CliParser {
         * The short CLI argument name asking for the version.
         */
        public static final String VERSION = "version";
-        /**
-         * The short CLI argument name indicating the proxy port.
-         */
-        public static final String PROXY_PORT_SHORT = "p";
        /**
         * The CLI argument name indicating the proxy port.
         */
        public static final String PROXY_PORT = "proxyport";
        /**
-         * The short CLI argument name indicating the proxy url.
+         * The CLI argument name indicating the proxy server.
         */
-        public static final String PROXY_URL_SHORT = "u";
+        public static final String PROXY_SERVER = "proxyserver";
        /**
         * The CLI argument name indicating the proxy url.
+         *
+         * @deprecated use {@link org.owasp.dependencycheck.cli.CliParser.ArgumentName#PROXY_SERVER} instead
         */
+        @Deprecated
        public static final String PROXY_URL = "proxyurl";
        /**
         * The CLI argument name indicating the proxy username.
@@ -808,6 +889,10 @@ public final class CliParser {
         * Disables the Nuspec Analyzer.
         */
        public static final String DISABLE_NUSPEC = "disableNuspec";
+        /**
+         * Disables the Central Analyzer.
+         */
+        public static final String DISABLE_CENTRAL = "disableCentral";
        /**
         * Disables the Nexus Analyzer.
         */
@@ -848,5 +933,9 @@ public final class CliParser {
         * The CLI argument name for setting extra extensions.
         */
        public static final String ADDITIONAL_ZIP_EXTENSIONS = "zipExtensions";
+        /**
+         * Exclude path argument.
+         */
+        public static final String EXCLUDE = "exclude";
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
@@ -0,0 +1,61 @@
+/*
+ * This file is part of dependency-check-cli.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+/**
+ * Thrown if an invalid path is encountered.
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+class InvalidScanPathException extends Exception {
+
+    /**
+     * Creates a new InvalidScanPathException.
+     */
+    public InvalidScanPathException() {
+        super();
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param msg a message for the exception
+     */
+    public InvalidScanPathException(String msg) {
+        super(msg);
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param ex the cause of the exception
+     */
+    public InvalidScanPathException(Throwable ex) {
+        super(ex);
+    }
+
+    /**
+     * Creates a new InvalidScanPathException.
+     *
+     * @param msg a message for the exception
+     * @param ex the cause of the exception
+     */
+    public InvalidScanPathException(String msg, Throwable ex) {
+        super(msg, ex);
+    }
+}
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/cli/package-info.java
@@ -1,12 +0,0 @@
-/**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.cli</title>
- * </head>
- * <body>
- * Includes utility classes such as the CLI Parser,
- * </body>
- * </html>
-*/
-
-package org.owasp.dependencycheck.cli;
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -3,11 +3,12 @@ Command Line Arguments

 The following table lists the command line arguments:

-Short  | Argument Name         | Parameter       | Description | Requirement
+Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requirement
 -------|-----------------------|-----------------|-------------|------------
 \-a   | \-\-app               | \<name\>        | The name of the application being scanned. This is a required argument. | Required
- \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify specific file types that should be scanned by supplying a scan path of '[path]/[to]/[scan]/*.zip'. The wild card can only be used to denote any file-name with a specific extension. | Required
- \-o   | \-\-out               | \<folder\>      | The folder to write reports to. This defaults to the current directory. | Optional
+ \-s   | \-\-scan              | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
+       | \-\-exclude           | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**) . | Optional
+ \-o   | \-\-out               | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
 \-f   | \-\-format            | \<format\>      | The output format to write to (XML, HTML, VULN, ALL). The default is HTML. | Required
 \-l   | \-\-log               | \<file\>        | The file path to write verbose logging information. | Optional
 \-n   | \-\-noupdate          |                 | Disables the automatic updating of the CPE data. | Optional
@@ -18,26 +19,27 @@ Short  | Argument Name         | Parameter       | Description | Requirement

 Advanced Options
 ================
-Short  | Argument Name         | Parameter       | Description | Default Value
-------|-----------------------|-----------------|-------------|---------------
-       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                      | false
+Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                | Default&nbsp;Value
+-------|-----------------------|-----------------|-----------------------------------------------------------------------------|---------------
+ \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                             | false
       | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
-       | \-\-disableJar        |                 | Sets whether Jar Analyzer will be used.                              | false
-       | \-\-disableNexus      |                 | Sets whether Nexus Analyzer will be used.                            | false
-       | \-\-disableNexus      |                 | Disable the Nexus Analyzer.                                          | &nbsp;
-       | \-\-nexus             | \<url\>         | The url to the Nexus Server. | https://repository.sonatype.org/service/local/
-       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus. | true
-       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.     | false
-       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.       | false
-       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.  | &nbsp;
-       | \-\-proxyurl          | \<url\>         | The proxy url to use when downloading resources. | &nbsp;
-       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources. | &nbsp;
+       | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be used.                                     | false
+       | \-\-disableCentral    |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
+       | \-\-disableNexus      |                 | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
+       | \-\-nexus             | \<url\>         | The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled. | &nbsp;
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.   | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.            | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.              | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.         | &nbsp;
+       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                         | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                           | &nbsp;
       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
-       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources. | &nbsp;
-       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources. | &nbsp;
-       | \-\-connectionString  | \<connStr\>     | The connection string to the database. | &nbsp;
-       | \-\-dbDriverName      | \<driver\>      | The database driver name. | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources.                       | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources.                       | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database.                                      | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name.                                                   | &nbsp;
       | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
-       | \-\-dbPassword        | \<password\>    | The password for connecting to the database. | &nbsp;
-       | \-\-dbUser            | \<user\>        | The username used to connect to the database. | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database.                               | &nbsp;
 \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
--- a/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
+++ b/dependency-check-cli/src/test/java/org/owasp/dependencycheck/cli/CliParserTest.java
@@ -15,8 +15,9 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.cli;
+package org.owasp.dependencycheck;

+import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -15,19 +15,19 @@ limitations under the License.

 Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 -->
-
 <project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
    <modelVersion>4.0.0</modelVersion>
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.1</version>
+        <version>1.2.9</version>
    </parent>

    <artifactId>dependency-check-core</artifactId>
    <packaging>jar</packaging>

    <name>Dependency-Check Core</name>
+    <description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
    <distributionManagement>
        <site>
@@ -93,7 +93,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-dependency-plugin</artifactId>
-                <version>2.8</version>
                <executions>
                    <execution>
                        <phase>generate-resources</phase>
@@ -110,7 +109,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
                <executions>
                    <execution>
                        <id>jar</id>
@@ -127,24 +125,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                        </goals>
                    </execution>
                </executions>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
-                </configuration>
            </plugin>
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                <configuration>
                    <instrumentation>
-                        <ignoreTrivial>true</ignoreTrivial>
+                        <!--ignoreTrivial>true</ignoreTrivial-->
                        <ignores>
                            <ignore>.*\$KEYS\.class</ignore>
                            <ignore>.*\$Element\.class</ignore>
@@ -192,7 +179,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                <configuration>
                    <systemProperties>
                        <property>
@@ -213,7 +199,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-failsafe-plugin</artifactId>
-                <version>2.16</version>
                <configuration>
                    <systemProperties>
                        <property>
@@ -221,205 +206,168 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                            <value>${project.build.directory}/data</value>
                        </property>
                    </systemProperties>
-                    <includes>
-                        <include>**/*IntegrationTest.java</include>
-                    </includes>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>integration-test</goal>
-                            <goal>verify</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                                <reportSet>
-                                    <id>integration-tests</id>
-                                    <reports>
-                                        <report>report-only</report>
-                                        <report>failsafe-report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                        <dependency>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>javancss-maven-plugin</artifactId>
-                            <version>2.0</version>
-                        </dependency>
-                    </reportPlugins>
                </configuration>
            </plugin>
            <plugin>
                <groupId>org.apache.maven.plugins</groupId>
                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
                <configuration>
-                    <showDeprecation>false</showDeprecation>
-                    <source>1.6</source>
-                    <target>1.6</target>
+                    <compilerArgument>-Xlint:unchecked</compilerArgument>
                </configuration>
            </plugin>
        </plugins>
    </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                    <reportSet>
+                        <id>integration-tests</id>
+                        <reports>
+                            <report>report-only</report>
+                            <report>failsafe-report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
    <dependencies>
+        <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.parent.version}</version>
+        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-test-framework</artifactId>
-            <version>4.3.1</version>
+            <version>${apache.lucene.version}</version>
+            <scope>test</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.jmockit</groupId>
+            <artifactId>jmockit</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>annotations</artifactId>
-            <version>2.0.1</version>
+            <version>3.0.0</version>
            <optional>true</optional>
        </dependency>
-        <dependency>
-            <groupId>commons-cli</groupId>
-            <artifactId>commons-cli</artifactId>
-            <version>1.2</version>
-        </dependency>
        <dependency>
            <groupId>org.apache.commons</groupId>
            <artifactId>commons-compress</artifactId>
-            <version>1.8</version>
+            <version>1.9</version>
        </dependency>
        <dependency>
            <groupId>commons-io</groupId>
@@ -429,76 +377,32 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        <dependency>
            <groupId>commons-lang</groupId>
            <artifactId>commons-lang</artifactId>
-            <version>2.5</version>
+            <version>2.6</version>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-core</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-analyzers-common</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.lucene</groupId>
            <artifactId>lucene-queryparser</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
        </dependency>
        <dependency>
            <groupId>org.apache.velocity</groupId>
            <artifactId>velocity</artifactId>
            <version>1.7</version>
        </dependency>
-        <dependency>
-            <groupId>org.apache.velocity</groupId>
-            <artifactId>velocity-tools</artifactId>
-            <version>2.0</version>
-            <!-- very limited use of the velocity-tools, not all of the dependencies are needed-->
-            <exclusions>
-                <exclusion>
-                    <groupId>commons-chain</groupId>
-                    <artifactId>commons-chain</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>javax.servlet</groupId>
-                    <artifactId>servlet-api</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>commons-validator</groupId>
-                    <artifactId>commons-validator</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>dom4j</groupId>
-                    <artifactId>dom4j</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>sslext</groupId>
-                    <artifactId>sslext</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-core</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>antlr</groupId>
-                    <artifactId>antlr</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-taglib</artifactId>
-                </exclusion>
-                <exclusion>
-                    <groupId>org.apache.struts</groupId>
-                    <artifactId>struts-tiles</artifactId>
-                </exclusion>
-            </exclusions>
-        </dependency>
        <dependency>
            <groupId>com.h2database</groupId>
            <artifactId>h2</artifactId>
-            <version>1.3.172</version>
+            <version>1.3.176</version>
        </dependency>
        <dependency>
            <groupId>org.jsoup</groupId>
@@ -521,6 +425,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.security</groupId>
+            <artifactId>spring-security-web</artifactId>
+            <version>3.0.0.RELEASE</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
        <dependency>
            <groupId>com.hazelcast</groupId>
            <artifactId>hazelcast</artifactId>
@@ -601,6 +512,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <scope>provided</scope>
            <optional>true</optional>
        </dependency>
+        <dependency>
+            <groupId>org.springframework.retry</groupId>
+            <artifactId>spring-retry</artifactId>
+            <version>1.1.0.RELEASE</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
    </dependencies>
    <profiles>
        <profile>
@@ -616,7 +534,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
-                        <version>2.16</version>
+                        <version>2.18.1</version>
                        <configuration>
                            <skip>true</skip>
                        </configuration>
@@ -624,7 +542,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
-                        <version>2.16</version>
+                        <version>2.18.1</version>
                        <configuration>
                            <systemProperties>
                                <property>
@@ -717,7 +635,54 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <scope>provided</scope>
                    <optional>true</optional>
                </dependency>
+                <dependency>
+                    <groupId>org.glassfish.jersey.core</groupId>
+                    <artifactId>jersey-client</artifactId>
+                    <version>2.12</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.sun.jersey</groupId>
+                    <artifactId>jersey-client</artifactId>
+                    <version>1.11.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.sun.faces</groupId>
+                    <artifactId>jsf-impl</artifactId>
+                    <version>2.2.8-02</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.google.inject</groupId>
+                    <artifactId>guice</artifactId>
+                    <version>3.0</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.opensaml</groupId>
+                    <artifactId>xmltooling</artifactId>
+                    <version>1.4.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-webmvc</artifactId>
+                    <version>3.2.12.RELEASE</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
            </dependencies>
        </profile>
    </profiles>
+    <properties>
+        <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
+        this, we cannot upgrade beyond 4.7.2 -->
+        <apache.lucene.version>4.7.2</apache.lucene.version>
+    </properties>
 </project>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -31,8 +31,6 @@ import org.owasp.dependencycheck.analyzer.Analyzer;
 import org.owasp.dependencycheck.analyzer.AnalyzerService;
 import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.data.cpe.CpeMemoryIndex;
-import org.owasp.dependencycheck.data.cpe.IndexException;
 import org.owasp.dependencycheck.data.nvdcve.ConnectionFactory;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -57,19 +55,21 @@ public class Engine {
    /**
     * The list of dependencies.
     */
-    private List<Dependency> dependencies;
+    private List<Dependency> dependencies = new ArrayList<Dependency>();
    /**
     * A Map of analyzers grouped by Analysis phase.
     */
-    private final EnumMap<AnalysisPhase, List<Analyzer>> analyzers;
+    private EnumMap<AnalysisPhase, List<Analyzer>> analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
+
    /**
     * A Map of analyzers grouped by Analysis phase.
     */
-    private final Set<FileTypeAnalyzer> fileTypeAnalyzers;
+    private Set<FileTypeAnalyzer> fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
+
    /**
     * The ClassLoader to use when dynamically loading Analyzer and Update services.
     */
-    private ClassLoader serviceClassLoader;
+    private ClassLoader serviceClassLoader = Thread.currentThread().getContextClassLoader();
    /**
     * The Logger for use throughout the class.
     */
@@ -81,32 +81,27 @@ public class Engine {
     * @throws DatabaseException thrown if there is an error connecting to the database
     */
    public Engine() throws DatabaseException {
-        this(Thread.currentThread().getContextClassLoader());
+        initializeEngine();
+    }
+
+    /**
+     * Creates a new Engine.
+     *
+     * @param serviceClassLoader a reference the class loader being used
+     * @throws DatabaseException thrown if there is an error connecting to the database
+     */
+    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
+        this.serviceClassLoader = serviceClassLoader;
+        initializeEngine();
    }

    /**
     * Creates a new Engine using the specified classloader to dynamically load Analyzer and Update services.
     *
-     * @param serviceClassLoader the ClassLoader to use when dynamically loading Analyzer and Update services
     * @throws DatabaseException thrown if there is an error connecting to the database
     */
-    public Engine(ClassLoader serviceClassLoader) throws DatabaseException {
-        this.dependencies = new ArrayList<Dependency>();
-        this.analyzers = new EnumMap<AnalysisPhase, List<Analyzer>>(AnalysisPhase.class);
-        this.fileTypeAnalyzers = new HashSet<FileTypeAnalyzer>();
-        this.serviceClassLoader = serviceClassLoader;
-
+    protected final void initializeEngine() throws DatabaseException {
        ConnectionFactory.initialize();
-
-        boolean autoUpdate = true;
-        try {
-            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-        } catch (InvalidSettingException ex) {
-            LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
-        }
-        if (autoUpdate) {
-            doUpdates();
-        }
        loadAnalyzers();
    }

@@ -121,7 +116,9 @@ public class Engine {
     * Loads the analyzers specified in the configuration file (or system properties).
     */
    private void loadAnalyzers() {
-
+        if (!analyzers.isEmpty()) {
+            return;
+        }
        for (AnalysisPhase phase : AnalysisPhase.values()) {
            analyzers.put(phase, new ArrayList<Analyzer>());
        }
@@ -156,159 +153,200 @@ public class Engine {
        return dependencies;
    }

+    /**
+     * Sets the dependencies.
+     *
+     * @param dependencies the dependencies
+     */
    public void setDependencies(List<Dependency> dependencies) {
        this.dependencies = dependencies;
-        //for (Dependency dependency: dependencies) {
-        //    dependencies.add(dependency);
-        //}
    }

    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param paths an array of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param paths an array of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(String[] paths) {
+    public List<Dependency> scan(String[] paths) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (String path : paths) {
            final File file = new File(path);
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
-     * @param path the path to a file or directory to be analyzed.
+     * @param path the path to a file or directory to be analyzed
+     * @return the list of dependencies scanned
     */
-    public void scan(String path) {
-        if (path.matches("^.*[\\/]\\*\\.[^\\/:*|?<>\"]+$")) {
-            final String[] parts = path.split("\\*\\.");
-            final String[] ext = new String[]{parts[parts.length - 1]};
-            final File dir = new File(path.substring(0, path.length() - ext[0].length() - 2));
-            if (dir.isDirectory()) {
-                final List<File> files = (List<File>) org.apache.commons.io.FileUtils.listFiles(dir, ext, true);
-                scan(files);
-            } else {
-                final String msg = String.format("Invalid file path provided to scan '%s'", path);
-                LOGGER.log(Level.SEVERE, msg);
-            }
-        } else {
-            final File file = new File(path);
-            scan(file);
-        }
+    public List<Dependency> scan(String path) {
+        final File file = new File(path);
+        return scan(file);
    }

    /**
     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
-     *
     * @param files an array of paths to files or directories to be analyzed.
+     * @return the list of dependencies
+     *
+     * @since v0.3.2.5
     */
-    public void scan(File[] files) {
+    public List<Dependency> scan(File[] files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param files a set of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param files a set of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(Set<File> files) {
+    public List<Dependency> scan(Set<File> files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
     * dependencies identified are added to the dependency collection.
     *
-     * @since v0.3.2.5
+     * @param files a set of paths to files or directories to be analyzed
+     * @return the list of dependencies scanned
     *
-     * @param files a set of paths to files or directories to be analyzed.
+     * @since v0.3.2.5
     */
-    public void scan(List<File> files) {
+    public List<Dependency> scan(List<File> files) {
+        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
-            scan(file);
+            final List<Dependency> d = scan(file);
+            if (d != null) {
+                deps.addAll(d);
+            }
        }
+        return deps;
    }

    /**
     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
+     * @param file the path to a file or directory to be analyzed
+     * @return the list of dependencies scanned
+     *
     * @since v0.3.2.4
     *
-     * @param file the path to a file or directory to be analyzed.
     */
-    public void scan(File file) {
+    public List<Dependency> scan(File file) {
        if (file.exists()) {
            if (file.isDirectory()) {
-                scanDirectory(file);
+                return scanDirectory(file);
            } else {
-                scanFile(file);
+                final Dependency d = scanFile(file);
+                if (d != null) {
+                    final List<Dependency> deps = new ArrayList<Dependency>();
+                    deps.add(d);
+                    return deps;
+                }
            }
        }
+        return null;
    }

    /**
     * Recursively scans files and directories. Any dependencies identified are added to the dependency collection.
     *
-     * @param dir the directory to scan.
+     * @param dir the directory to scan
+     * @return the list of Dependency objects scanned
     */
-    protected void scanDirectory(File dir) {
+    protected List<Dependency> scanDirectory(File dir) {
        final File[] files = dir.listFiles();
+        final List<Dependency> deps = new ArrayList<Dependency>();
        if (files != null) {
            for (File f : files) {
                if (f.isDirectory()) {
-                    scanDirectory(f);
+                    final List<Dependency> d = scanDirectory(f);
+                    if (d != null) {
+                        deps.addAll(d);
+                    }
                } else {
-                    scanFile(f);
+                    final Dependency d = scanFile(f);
+                    deps.add(d);
                }
            }
        }
+        return deps;
    }

    /**
     * Scans a specified file. If a dependency is identified it is added to the dependency collection.
     *
-     * @param file The file to scan.
+     * @param file The file to scan
+     * @return the scanned dependency
     */
-    protected void scanFile(File file) {
+    protected Dependency scanFile(File file) {
        if (!file.isFile()) {
            final String msg = String.format("Path passed to scanFile(File) is not a file: %s. Skipping the file.", file.toString());
            LOGGER.log(Level.FINE, msg);
-            return;
+            return null;
        }
        final String fileName = file.getName();
        final String extension = FileUtils.getFileExtension(fileName);
+        Dependency dependency = null;
        if (extension != null) {
            if (supportsExtension(extension)) {
-                final Dependency dependency = new Dependency(file);
+                dependency = new Dependency(file);
                dependencies.add(dependency);
            }
        } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.",
-                    file.toString());
-            LOGGER.log(Level.FINEST, msg);
+            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
+            LOGGER.log(Level.FINE, msg);
        }
+        return dependency;
    }

    /**
     * Runs the analyzers against all of the dependencies.
     */
    public void analyzeDependencies() {
+        boolean autoUpdate = true;
+        try {
+            autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        } catch (InvalidSettingException ex) {
+            LOGGER.log(Level.FINE, "Invalid setting for auto-update; using true.");
+        }
+        if (autoUpdate) {
+            doUpdates();
+        }
+
        //need to ensure that data exists
        try {
            ensureDataExists();
@@ -337,7 +375,7 @@ public class Engine {
            final List<Analyzer> analyzerList = analyzers.get(phase);

            for (Analyzer a : analyzerList) {
-                initializeAnalyzer(a);
+                a = initializeAnalyzer(a);

                /* need to create a copy of the collection because some of the
                 * analyzers may modify it. This prevents ConcurrentModificationExceptions.
@@ -392,8 +430,9 @@ public class Engine {
     * Initializes the given analyzer.
     *
     * @param analyzer the analyzer to initialize
+     * @return the initialized analyzer
     */
-    private void initializeAnalyzer(Analyzer analyzer) {
+    protected Analyzer initializeAnalyzer(Analyzer analyzer) {
        try {
            final String msg = String.format("Initializing %s", analyzer.getName());
            LOGGER.log(Level.FINE, msg);
@@ -408,6 +447,7 @@ public class Engine {
                LOGGER.log(Level.FINEST, null, ex1);
            }
        }
+        return analyzer;
    }

    /**
@@ -415,7 +455,7 @@ public class Engine {
     *
     * @param analyzer the analyzer to close
     */
-    private void closeAnalyzer(Analyzer analyzer) {
+    protected void closeAnalyzer(Analyzer analyzer) {
        final String msg = String.format("Closing Analyzer '%s'", analyzer.getName());
        LOGGER.log(Level.FINE, msg);
        try {
@@ -429,6 +469,7 @@ public class Engine {
     * Cycles through the cached web data sources and calls update on all of them.
     */
    private void doUpdates() {
+        LOGGER.info("Checking for updates");
        final UpdateService service = new UpdateService(serviceClassLoader);
        final Iterator<CachedWebDataSource> iterator = service.getDataSources();
        while (iterator.hasNext()) {
@@ -438,10 +479,10 @@ public class Engine {
            } catch (UpdateException ex) {
                LOGGER.log(Level.WARNING,
                        "Unable to update Cached Web DataSource, using local data instead. Results may not include recent vulnerabilities.");
-                LOGGER.log(Level.FINE,
-                        String.format("Unable to update details for %s", source.getClass().getName()), ex);
+                LOGGER.log(Level.FINE, String.format("Unable to update details for %s", source.getClass().getName()), ex);
            }
        }
+        LOGGER.info("Check for updates complete");
    }

    /**
@@ -477,6 +518,15 @@ public class Engine {
        return scan;
    }

+    /**
+     * Returns the set of file type analyzers.
+     *
+     * @return the set of file type analyzers
+     */
+    public Set<FileTypeAnalyzer> getFileTypeAnalyzers() {
+        return this.fileTypeAnalyzers;
+    }
+
    /**
     * Checks the CPE Index to ensure documents exists. If none exist a NoDataException is thrown.
     *
@@ -484,22 +534,16 @@ public class Engine {
     * @throws DatabaseException thrown if there is an exception opening the database
     */
    private void ensureDataExists() throws NoDataException, DatabaseException {
-        final CpeMemoryIndex cpe = CpeMemoryIndex.getInstance();
        final CveDB cve = new CveDB();
-
        try {
            cve.open();
-            cpe.open(cve);
-        } catch (IndexException ex) {
-            throw new NoDataException(ex.getMessage(), ex);
+            if (!cve.dataExists()) {
+                throw new NoDataException("No documents exist");
+            }
        } catch (DatabaseException ex) {
            throw new NoDataException(ex.getMessage(), ex);
        } finally {
            cve.close();
        }
-        if (cpe.numDocs() <= 0) {
-            cpe.close();
-            throw new NoDataException("No documents exist");
-        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -13,7 +13,7 @@
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
- * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ * Copyright (c) 2014 Steve Springett. All Rights Reserved.
 */
 package org.owasp.dependencycheck.agent;

@@ -234,26 +234,49 @@ public class DependencyCheckScanAgent {
    }

    /**
-     * The Proxy URL.
+     * The Proxy Server.
     */
-    private String proxyUrl;
+    private String proxyServer;

    /**
-     * Get the value of proxyUrl.
+     * Get the value of proxyServer.
     *
-     * @return the value of proxyUrl
+     * @return the value of proxyServer
     */
-    public String getProxyUrl() {
-        return proxyUrl;
+    public String getProxyServer() {
+        return proxyServer;
    }

    /**
-     * Set the value of proxyUrl.
+     * Set the value of proxyServer.
     *
-     * @param proxyUrl new value of proxyUrl
+     * @param proxyServer new value of proxyServer
     */
+    public void setProxyServer(String proxyServer) {
+        this.proxyServer = proxyServer;
+    }
+
+    /**
+     * Get the value of proxyServer.
+     *
+     * @return the value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
+     */
+    @Deprecated
+    public String getProxyUrl() {
+        return proxyServer;
+    }
+
+    /**
+     * Set the value of proxyServer.
+     *
+     * @param proxyUrl new value of proxyServer
+     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#setProxyServer(java.lang.String)
+     * } instead
+     */
+    @Deprecated
    public void setProxyUrl(String proxyUrl) {
-        this.proxyUrl = proxyUrl;
+        this.proxyServer = proxyUrl;
    }

    /**
@@ -417,6 +440,52 @@ public class DependencyCheckScanAgent {
        this.showSummary = showSummary;
    }

+    /**
+     * Whether or not the Maven Central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = true;
+
+    /**
+     * Get the value of centralAnalyzerEnabled.
+     *
+     * @return the value of centralAnalyzerEnabled
+     */
+    public boolean isCentralAnalyzerEnabled() {
+        return centralAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of centralAnalyzerEnabled.
+     *
+     * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
+     */
+    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
+    }
+
+    /**
+     * The URL of Maven Central.
+     */
+    private String centralUrl;
+
+    /**
+     * Get the value of centralUrl.
+     *
+     * @return the value of centralUrl
+     */
+    public String getCentralUrl() {
+        return centralUrl;
+    }
+
+    /**
+     * Set the value of centralUrl.
+     *
+     * @param centralUrl new value of centralUrl
+     */
+    public void setCentralUrl(String centralUrl) {
+        this.centralUrl = centralUrl;
+    }
+
    /**
     * Whether or not the nexus analyzer is enabled.
     */
@@ -792,7 +861,7 @@ public class DependencyCheckScanAgent {

    /**
     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy url, port, and connection timeout.
+     * properties required to change the proxy server, port, and connection timeout.
     */
    private void populateSettings() {
        Settings.initialize();
@@ -808,8 +877,8 @@ public class DependencyCheckScanAgent {

        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);

-        if (proxyUrl != null && !proxyUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_URL, proxyUrl);
+        if (proxyServer != null && !proxyServer.isEmpty()) {
+            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
        }
        if (proxyPort != null && !proxyPort.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
@@ -826,6 +895,10 @@ public class DependencyCheckScanAgent {
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        if (centralUrl != null && !centralUrl.isEmpty()) {
+            Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
+        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -41,16 +41,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
     * enabled.
     */
    public AbstractFileTypeAnalyzer() {
-        final String key = getAnalyzerEnabledSettingKey();
-        try {
-            enabled = Settings.getBoolean(key, true);
-        } catch (InvalidSettingException ex) {
-            String msg = String.format("Invalid setting for property '%s'", key);
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            msg = String.format("%s has been disabled", getName());
-            LOGGER.log(Level.WARNING, msg);
-        }
+        reset();
    }
 //</editor-fold>

@@ -164,6 +155,23 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
        }
    }

+    /**
+     * Resets the enabled flag on the analyzer.
+     */
+    @Override
+    public final void reset() {
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            enabled = Settings.getBoolean(key, true);
+        } catch (InvalidSettingException ex) {
+            String msg = String.format("Invalid setting for property '%s'", key);
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            msg = String.format("%s has been disabled", getName());
+            LOGGER.log(Level.WARNING, msg);
+        }
+    }
+
    /**
     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted,
     * scanned, and added to the list of dependencies within the engine.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java
@@ -98,11 +98,17 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
     * @throws SuppressionParseException thrown if the XML cannot be parsed.
     */
    private void loadSuppressionData() throws SuppressionParseException {
+        final SuppressionParser parser = new SuppressionParser();
+        File file = null;
+        try {
+            rules = parser.parseSuppressionRules(this.getClass().getClassLoader().getResourceAsStream("dependencycheck-base-suppression.xml"));
+        } catch (SuppressionParseException ex) {
+            LOGGER.log(Level.FINE, "Unable to parse the base suppression data file", ex);
+        }
        final String suppressionFilePath = Settings.getString(Settings.KEYS.SUPPRESSION_FILE);
        if (suppressionFilePath == null) {
            return;
        }
-        File file = null;
        boolean deleteTempFile = false;
        try {
            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
@@ -132,9 +138,9 @@ public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
            }

            if (file != null) {
-                final SuppressionParser parser = new SuppressionParser();
                try {
-                    rules = parser.parseSuppressionRules(file);
+                    //rules = parser.parseSuppressionRules(file);
+                    rules.addAll(parser.parseSuppressionRules(file));
                    LOGGER.log(Level.FINE, rules.size() + " suppression rules were loaded.");
                } catch (SuppressionParseException ex) {
                    final String msg = String.format("Unable to parse suppression xml file '%s'", file.getPath());
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
    static {
        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
        if (additionalZipExt != null) {
-            final HashSet ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
            ZIPPABLES.addAll(ext);
        }
        EXTENSIONS.addAll(ZIPPABLES);
@@ -186,7 +186,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
        if (tempFileLocation != null && tempFileLocation.exists()) {
            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success && tempFileLocation != null & tempFileLocation.exists()) {
+            if (!success && tempFileLocation != null && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
                LOGGER.log(Level.WARNING, "Failed to delete some temporary files, see the log for more details");
            }
        }
@@ -221,9 +221,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                final String displayPath = String.format("%s%s",
                        dependency.getFilePath(),
                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
-                final String displayName = String.format("%s%s%s",
+                final String displayName = String.format("%s: %s",
                        dependency.getFileName(),
-                        File.separator,
                        d.getFileName());
                d.setFilePath(displayPath);
                d.setFileName(displayName);
@@ -242,7 +241,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                final File tdir = getNextTempDirectory();
                final String fileName = dependency.getFileName();

-                LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a deep copy and analyzing it as a JAR.", fileName));
+                LOGGER.info(String.format("The zip file '%s' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName));

                final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
                try {
@@ -339,7 +338,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
            try {
                fis.close();
            } catch (IOException ex) {
-                LOGGER.log(Level.FINEST, null, ex);
+                LOGGER.log(Level.FINE, null, ex);
            }
        }
    }
@@ -368,8 +367,10 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                    final File file = new File(destination, entry.getName());
                    final String ext = FileUtils.getFileExtension(file.getName());
                    if (engine.supportsExtension(ext)) {
+                        final String extracting = String.format("Extracting '%s'", file.getPath());
+                        LOGGER.fine(extracting);
                        BufferedOutputStream bos = null;
-                        FileOutputStream fos;
+                        FileOutputStream fos = null;
                        try {
                            final File parent = file.getParentFile();
                            if (!parent.isDirectory()) {
@@ -381,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                            fos = new FileOutputStream(file);
                            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                            int count;
-                            final byte data[] = new byte[BUFFER_SIZE];
+                            final byte[] data = new byte[BUFFER_SIZE];
                            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                                bos.write(data, 0, count);
                            }
@@ -402,6 +403,13 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                                    LOGGER.log(Level.FINEST, null, ex);
                                }
                            }
+                            if (fos != null) {
+                                try {
+                                    fos.close();
+                                } catch (IOException ex) {
+                                    LOGGER.log(Level.FINEST, null, ex);
+                                }
+                            }
                        }
                    }
                }
@@ -429,6 +437,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
     */
    private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
+        final String msg = String.format("Decompressing '%s'", outputFile.getPath());
+        LOGGER.fine(msg);
        FileOutputStream out = null;
        try {
            out = new FileOutputStream(outputFile);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -120,9 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            // Try evacuating the error stream
            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
            String line = null;
+            // CHECKSTYLE:OFF
            while (rdr.ready() && (line = rdr.readLine()) != null) {
                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
            }
+            // CHECKSTYLE:ON
            int rc = 0;
            doc = builder.parse(proc.getInputStream());

@@ -205,6 +207,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            grokAssemblyExe.deleteOnExit();
            LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.deployed", grokAssemblyExe.getPath());
        } catch (IOException ioe) {
+            this.setEnabled(false);
            LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.notdeployed", ioe.getMessage());
            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
        } finally {
@@ -232,9 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            final Process p = pb.start();
            // Try evacuating the error stream
            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            // CHECKSTYLE:OFF
            while (rdr.ready() && rdr.readLine() != null) {
                // We expect this to complain
            }
+            // CHECKSTYLE:ON
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
@@ -242,6 +247,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                LOGGER.warning("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
                LOGGER.fine("GrokAssembly.exe is not working properly");
                grokAssemblyExe = null;
+                this.setEnabled(false);
                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (Throwable e) {
@@ -250,6 +256,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            } else {
                LOGGER.warning("analyzer.AssemblyAnalyzer.grokassembly.initialization.failed");
                LOGGER.log(Level.FINE, "analyzer.AssemblyAnalyzer.grokassembly.initialization.message", e.getMessage());
+                this.setEnabled(false);
                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
            }
        } finally {
@@ -261,7 +268,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                }
            }
        }
-
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -51,8 +51,8 @@ import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;

 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
- * It uses the evidence contained within the dependency to search the Lucene index.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
+ * the evidence contained within the dependency to search the Lucene index.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
@@ -130,8 +130,8 @@ public class CPEAnalyzer implements Analyzer {
     * Opens the data source.
     *
     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
-     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
-     * by another process.
+     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
+     * process.
     */
    public void open() throws IOException, DatabaseException {
        LOGGER.log(Level.FINE, "Opening the CVE Database");
@@ -161,8 +161,8 @@ public class CPEAnalyzer implements Analyzer {
    }

    /**
-     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
-     * contained within. The dependency passed in is updated with any identified CPE values.
+     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
+     * within. The dependency passed in is updated with any identified CPE values.
     *
     * @param dependency the dependency to search for CPE entries on.
     * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -170,47 +170,45 @@ public class CPEAnalyzer implements Analyzer {
     * @throws ParseException is thrown when the Lucene query cannot be parsed.
     */
    protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
-        Confidence confidence = Confidence.HIGHEST;
-
-        String vendors = addEvidenceWithoutDuplicateTerms("", dependency.getVendorEvidence(), confidence);
-        String products = addEvidenceWithoutDuplicateTerms("", dependency.getProductEvidence(), confidence);
-        /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
-         * CPE identified. As such, we are "using" the evidence and ignoring the results. */
-        addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
-
-        int ctr = 0;
-        do {
-            if (!vendors.isEmpty() && !products.isEmpty()) {
-                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
-                        dependency.getVendorEvidence().getWeighting());
-
-                for (IndexEntry e : entries) {
-                    if (verifyEntry(e, dependency)) {
-                        final String vendor = e.getVendor();
-                        final String product = e.getProduct();
-                        determineIdentifiers(dependency, vendor, product);
-                    }
-                }
-            }
-            confidence = reduceConfidence(confidence);
+        //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
+        String vendors = "";
+        String products = "";
+        for (Confidence confidence : Confidence.values()) {
            if (dependency.getVendorEvidence().contains(confidence)) {
                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+                LOGGER.fine(String.format("vendor search: %s", vendors));
            }
            if (dependency.getProductEvidence().contains(confidence)) {
                products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+                LOGGER.fine(String.format("product search: %s", products));
            }
-            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
-             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
-            if (dependency.getVersionEvidence().contains(confidence)) {
-                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
+            if (!vendors.isEmpty() && !products.isEmpty()) {
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
+                        dependency.getVendorEvidence().getWeighting());
+                if (entries == null) {
+                    continue;
+                }
+                boolean identifierAdded = false;
+                for (IndexEntry e : entries) {
+                    LOGGER.fine(String.format("Verifying entry: %s", e.toString()));
+                    if (verifyEntry(e, dependency)) {
+                        final String vendor = e.getVendor();
+                        final String product = e.getProduct();
+                        LOGGER.fine(String.format("identified vendor/product: %s/%s", vendor, product));
+                        identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
+                    }
+                }
+                if (identifierAdded) {
+                    break;
+                }
            }
-        } while ((++ctr) < 4);
+        }
    }

    /**
-     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
-     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
-     * is longer then 200 characters it will be truncated.
+     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
+     * confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
+     * characters it will be truncated.
     *
     * @param text the base text.
     * @param ec an EvidenceCollection
@@ -239,71 +237,55 @@ public class CPEAnalyzer implements Analyzer {
        return sb.toString().trim();
    }

-    /**
-     * Reduces the given confidence by one level. This returns LOW if the confidence passed in is not HIGH.
-     *
-     * @param c the confidence to reduce.
-     * @return One less then the confidence passed in.
-     */
-    private Confidence reduceConfidence(final Confidence c) {
-        if (c == Confidence.HIGHEST) {
-            return Confidence.HIGH;
-        } else if (c == Confidence.HIGH) {
-            return Confidence.MEDIUM;
-        } else {
-            return Confidence.LOW;
-        }
-    }
-
    /**
     * <p>
     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
     * version.</p>
     *
     * <p>
-     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
-     * factors to the search.</p>
+     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
+     * the search.</p>
     *
     * @param vendor the text used to search the vendor field
     * @param product the text used to search the product field
     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
     * @return a list of possible CPE values
-     * @throws CorruptIndexException when the Lucene index is corrupt
-     * @throws IOException when the Lucene index is not found
-     * @throws ParseException when the generated query is not valid
     */
    protected List<IndexEntry> searchCPE(String vendor, String product,
-            Set<String> vendorWeightings, Set<String> productWeightings)
-            throws CorruptIndexException, IOException, ParseException {
-        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+            Set<String> vendorWeightings, Set<String> productWeightings) {
+
+        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);

        final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
        if (searchString == null) {
            return ret;
        }
-
-        final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
-        for (ScoreDoc d : docs.scoreDocs) {
-            if (d.score >= 0.08) {
-                final Document doc = cpe.getDocument(d.doc);
-                final IndexEntry entry = new IndexEntry();
-                entry.setVendor(doc.get(Fields.VENDOR));
-                entry.setProduct(doc.get(Fields.PRODUCT));
-//                if (d.score < 0.08) {
-//                    System.out.print(entry.getVendor());
-//                    System.out.print(":");
-//                    System.out.print(entry.getProduct());
-//                    System.out.print(":");
-//                    System.out.println(d.score);
-//                }
-                entry.setSearchScore(d.score);
-                if (!ret.contains(entry)) {
-                    ret.add(entry);
+        try {
+            final TopDocs docs = cpe.search(searchString, MAX_QUERY_RESULTS);
+            for (ScoreDoc d : docs.scoreDocs) {
+                if (d.score >= 0.08) {
+                    final Document doc = cpe.getDocument(d.doc);
+                    final IndexEntry entry = new IndexEntry();
+                    entry.setVendor(doc.get(Fields.VENDOR));
+                    entry.setProduct(doc.get(Fields.PRODUCT));
+                    entry.setSearchScore(d.score);
+                    if (!ret.contains(entry)) {
+                        ret.add(entry);
+                    }
                }
            }
+            return ret;
+        } catch (ParseException ex) {
+            final String msg = String.format("Unable to parse: %s", searchString);
+            LOGGER.log(Level.WARNING, "An error occured querying the CPE data. See the log for more details.");
+            LOGGER.log(Level.INFO, msg, ex);
+        } catch (IOException ex) {
+            final String msg = String.format("IO Error with search string: %s", searchString);
+            LOGGER.log(Level.WARNING, "An error occured reading CPE data. See the log for more details.");
+            LOGGER.log(Level.INFO, msg, ex);
        }
-        return ret;
+        return null;
    }

    /**
@@ -311,8 +293,8 @@ public class CPEAnalyzer implements Analyzer {
     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
     *
     * <p>
-     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
-     * factors to the search string generated.</p>
+     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
+     * the search string generated.</p>
     *
     * @param vendor text to search the vendor field
     * @param product text to search the product field
@@ -338,9 +320,8 @@ public class CPEAnalyzer implements Analyzer {
    }

    /**
-     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
-     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
-     * into the query.
+     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
+     * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
     *
     * @param sb a StringBuilder that the query text will be appended to.
     * @param field the field within the Lucene index that the query is searching.
@@ -411,8 +392,8 @@ public class CPEAnalyzer implements Analyzer {
    }

    /**
-     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
-     * information for the CPE are contained within the dependencies evidence.
+     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
+     * for the CPE are contained within the dependencies evidence.
     *
     * @param entry a CPE entry.
     * @param dependency the dependency that the CPE entries could be for.
@@ -501,21 +482,28 @@ public class CPEAnalyzer implements Analyzer {
    }

    /**
-     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
-     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
-     * best effort "guess" based on the vendor, product, and version information.
+     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
+     * only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
+     * the vendor, product, and version information.
     *
     * @param dependency the Dependency being analyzed
     * @param vendor the vendor for the CPE being analyzed
     * @param product the product for the CPE being analyzed
+     * @param currentConfidence the current confidence being used during analysis
+     * @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
     * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
     */
-    private void determineIdentifiers(Dependency dependency, String vendor, String product) throws UnsupportedEncodingException {
+    protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
+            Confidence currentConfidence) throws UnsupportedEncodingException {
        final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
        DependencyVersion bestGuess = new DependencyVersion("-");
        Confidence bestGuessConf = null;
+        boolean hasBroadMatch = false;
        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
        for (Confidence conf : Confidence.values()) {
+//            if (conf.compareTo(currentConfidence) > 0) {
+//                break;
+//            }
            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
                final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
                if (evVer == null) {
@@ -528,10 +516,12 @@ public class CPEAnalyzer implements Analyzer {
                    } else {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                    }
-                    if (dbVer == null //special case, no version specified - everything is vulnerable
-                            || evVer.equals(dbVer)) { //yeah! exact match
-
-                        //final String url = String.format("http://web.nvd.nist.gov/view/vuln/search?cpe=%s", URLEncoder.encode(vs.getName(), "UTF-8"));
+                    if (dbVer == null) { //special case, no version specified - everything is vulnerable
+                        hasBroadMatch = true;
+                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
+                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.BROAD_MATCH, conf);
+                        collected.add(match);
+                    } else if (evVer.equals(dbVer)) { //yeah! exact match
                        final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                        final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                        collected.add(match);
@@ -557,7 +547,11 @@ public class CPEAnalyzer implements Analyzer {
            }
        }
        final String cpeName = String.format("cpe:/a:%s:%s:%s", vendor, product, bestGuess.toString());
-        final String url = null;
+        String url = null;
+        if (hasBroadMatch) { //if we have a broad match we can add the URL to the best guess.
+            final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
+            url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
+        }
        if (bestGuessConf == null) {
            bestGuessConf = Confidence.LOW;
        }
@@ -567,6 +561,7 @@ public class CPEAnalyzer implements Analyzer {
        Collections.sort(collected);
        final IdentifierConfidence bestIdentifierQuality = collected.get(0).getConfidence();
        final Confidence bestEvidenceQuality = collected.get(0).getEvidenceConfidence();
+        boolean identifierAdded = false;
        for (IdentifierMatch m : collected) {
            if (bestIdentifierQuality.equals(m.getConfidence())
                    && bestEvidenceQuality.equals(m.getEvidenceConfidence())) {
@@ -577,8 +572,10 @@ public class CPEAnalyzer implements Analyzer {
                    i.setConfidence(bestEvidenceQuality);
                }
                dependency.addIdentifier(i);
+                identifierAdded = true;
            }
        }
+        return identifierAdded;
    }

    /**
@@ -593,7 +590,12 @@ public class CPEAnalyzer implements Analyzer {
        /**
         * A best guess for the CPE.
         */
-        BEST_GUESS
+        BEST_GUESS,
+        /**
+         * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
+         * specifies vendor/product.
+         */
+        BROAD_MATCH
    }

    /**
@@ -739,8 +741,7 @@ public class CPEAnalyzer implements Analyzer {
        //</editor-fold>

        /**
-         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
-         * identifier.
+         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
         *
         * @param o the IdentifierMatch to compare to
         * @return the natural ordering of IdentifierMatch
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -0,0 +1,243 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.URL;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.central.CentralSearch;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.jaxb.pom.PomUtils;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
+ * digest.
+ *
+ * @author colezlaw
+ */
+public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CentralAnalyzer.class.getName());
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Central Analyzer";
+
+    /**
+     * The phase in which this analyzer runs.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The types of files on which this will work.
+     */
+    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
+
+    /**
+     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
+     */
+    private boolean errorFlag = false;
+
+    /**
+     * The searcher itself.
+     */
+    private CentralSearch searcher;
+    /**
+     * Utility to read POM files.
+     */
+    private PomUtils pomUtil = new PomUtils();
+    /**
+     * Field indicating if the analyzer is enabled.
+     */
+    private final boolean enabled = checkEnabled();
+
+    /**
+     * Determine whether to enable this analyzer or not.
+     *
+     * @return whether the analyzer should be enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Determines if this analyzer is enabled.
+     *
+     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     */
+    private boolean checkEnabled() {
+        boolean retval = false;
+
+        try {
+            if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
+                if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
+                        || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
+                    LOGGER.fine("Enabling the Central analyzer");
+                    retval = true;
+                } else {
+                    LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
+                }
+            } else {
+                LOGGER.info("Central analyzer disabled");
+            }
+        } catch (InvalidSettingException ise) {
+            LOGGER.warning("Invalid setting. Disabling the Central analyzer");
+        }
+        return retval;
+    }
+
+    /**
+     * Initializes the analyzer once before any analysis is performed.
+     *
+     * @throws Exception if there's an error during initialization
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        LOGGER.fine("Initializing Central analyzer");
+        LOGGER.fine(String.format("Central analyzer enabled: %s", isEnabled()));
+        if (isEnabled()) {
+            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
+            LOGGER.fine(String.format("Central Analyzer URL: %s", searchUrl));
+            searcher = new CentralSearch(new URL(searchUrl));
+        }
+    }
+
+    /**
+     * Returns the analyzer's name.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the key used in the properties file to to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key.
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CENTRAL_ENABLED;
+    }
+
+    /**
+     * Returns the analysis phase under which the analyzer runs.
+     *
+     * @return the phase under which the analyzer runs
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the extensions for which this Analyzer runs.
+     *
+     * @return the extensions for which this Analyzer runs
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return SUPPORTED_EXTENSIONS;
+    }
+
+    /**
+     * Performs the analysis.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine
+     * @throws AnalysisException when there's an exception during analysis
+     */
+    @Override
+    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        if (errorFlag || !isEnabled()) {
+            return;
+        }
+
+        try {
+            final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
+            final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
+            for (MavenArtifact ma : mas) {
+                LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
+                dependency.addAsEvidence("central", ma, confidence);
+                boolean pomAnalyzed = false;
+                for (Evidence e : dependency.getVendorEvidence()) {
+                    if ("pom".equals(e.getSource())) {
+                        pomAnalyzed = true;
+                        break;
+                    }
+                }
+                if (!pomAnalyzed && ma.getPomUrl() != null) {
+                    File pomFile = null;
+                    try {
+                        final File baseDir = Settings.getTempDirectory();
+                        pomFile = File.createTempFile("pom", ".xml", baseDir);
+                        if (!pomFile.delete()) {
+                            final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
+                                    + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                            LOGGER.warning(msg);
+                            LOGGER.fine("Unable to delete temp file");
+                        }
+                        LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
+                        Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
+                        pomUtil.analyzePOM(dependency, pomFile);
+
+                    } catch (DownloadFailedException ex) {
+                        final String msg = String.format("Unable to download pom.xml for %s from Central; "
+                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                        LOGGER.warning(msg);
+                    } finally {
+                        if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                            pomFile.deleteOnExit();
+                        }
+                    }
+                }
+
+            }
+        } catch (IllegalArgumentException iae) {
+            LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
+        } catch (FileNotFoundException fnfe) {
+            LOGGER.fine(String.format("Artifact not found in repository: '%s", dependency.getFileName()));
+        } catch (IOException ioe) {
+            LOGGER.log(Level.FINE, "Could not connect to Central search", ioe);
+            errorFlag = true;
+        }
+    }
+
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -36,9 +36,9 @@ import org.owasp.dependencycheck.utils.LogUtils;

 /**
 * <p>
- * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
- * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
- * same relative path then these should be grouped into a single dependency under the core/main library.</p>
+ * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An
+ * example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path
+ * then these should be grouped into a single dependency under the core/main library.</p>
 * <p>
 * Note, this grouping only works on dependencies with identified CVE entries</p>
 *
@@ -55,7 +55,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    /**
     * A pattern for obtaining the first part of a filename.
     */
-    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z]*");
+    private static final Pattern STARTING_TEXT_PATTERN = Pattern.compile("^[a-zA-Z0-9]*");
    /**
     * a flag indicating if this analyzer has run. This analyzer only runs once.
     */
@@ -91,8 +91,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    //</editor-fold>

    /**
-     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
-     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
+     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are
+     * likely related. The related dependencies are bundled into a single reportable item.
     *
     * @param ignore this analyzer ignores the dependency being analyzed
     * @param engine the engine that is scanning the dependencies
@@ -107,30 +107,34 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            //for (Dependency nextDependency : engine.getDependencies()) {
            while (mainIterator.hasNext()) {
                final Dependency dependency = mainIterator.next();
-                if (mainIterator.hasNext()) {
+                if (mainIterator.hasNext() && !dependenciesToRemove.contains(dependency)) {
                    final ListIterator<Dependency> subIterator = engine.getDependencies().listIterator(mainIterator.nextIndex());
                    while (subIterator.hasNext()) {
                        final Dependency nextDependency = subIterator.next();
                        if (hashesMatch(dependency, nextDependency)) {
-                            if (isCore(dependency, nextDependency)) {
+                            if (firstPathIsShortest(dependency.getFilePath(), nextDependency.getFilePath())) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        } else if (isShadedJar(dependency, nextDependency)) {
                            if (dependency.getFileName().toLowerCase().endsWith("pom.xml")) {
-                                dependenciesToRemove.add(dependency);
+                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                nextDependency.getRelatedDependencies().remove(dependency);
+                                break;
                            } else {
-                                dependenciesToRemove.add(nextDependency);
+                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
+                                nextDependency.getRelatedDependencies().remove(nextDependency);
                            }
                        } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                && hasSameBasePath(dependency, nextDependency)
                                && fileNameMatch(dependency, nextDependency)) {
-
                            if (isCore(dependency, nextDependency)) {
                                mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                            } else {
                                mergeDependencies(nextDependency, dependency, dependenciesToRemove);
+                                break; //since we merged into the next dependency - skip forward to the next in mainIterator
                            }
                        }
                    }
@@ -138,9 +142,7 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            }
            //removing dependencies here as ensuring correctness and avoiding ConcurrentUpdateExceptions
            // was difficult because of the inner iterator.
-            for (Dependency d : dependenciesToRemove) {
-                engine.getDependencies().remove(d);
-            }
+            engine.getDependencies().removeAll(dependenciesToRemove);
        }
    }

@@ -148,10 +150,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     * Adds the relatedDependency to the dependency's related dependencies.
     *
     * @param dependency the main dependency
-     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
-     * source of dependencies to remove
-     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
-     * function adds to this collection
+     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of
+     * dependencies to remove
+     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function
+     * adds to this collection
     */
    private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
        dependency.addRelatedDependency(relatedDependency);
@@ -160,12 +162,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
            dependency.addRelatedDependency(i.next());
            i.remove();
        }
+        if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
+            dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
+        }
        dependenciesToRemove.add(relatedDependency);
    }

    /**
-     * Attempts to trim a maven repo to a common base path. This is typically
-     * [drive]\[repo_location]\repository\[path1]\[path2].
+     * Attempts to trim a maven repo to a common base path. This is typically [drive]\[repo_location]\repository\[path1]\[path2].
     *
     * @param path the path to trim
     * @return a string representing the base path.
@@ -201,25 +205,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                || dependency2 == null || dependency2.getFileName() == null) {
            return false;
        }
-        String fileName1 = dependency1.getFileName();
-        String fileName2 = dependency2.getFileName();
-
-        //update to deal with archive analyzer, the starting name maybe the same
-        // as this is incorrectly looking at the starting path
-        final File one = new File(fileName1);
-        final File two = new File(fileName2);
-        final String oneParent = one.getParent();
-        final String twoParent = two.getParent();
-        if (oneParent != null) {
-            if (oneParent.equals(twoParent)) {
-                fileName1 = one.getName();
-                fileName2 = two.getName();
-            } else {
-                return false;
-            }
-        } else if (twoParent != null) {
-            return false;
-        }
+        final String fileName1 = dependency1.getActualFile().getName();
+        final String fileName2 = dependency2.getActualFile().getName();

        //version check
        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
@@ -267,9 +254,11 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        if (cpeCount1 > 0 && cpeCount1 == cpeCount2) {
            for (Identifier i : dependency1.getIdentifiers()) {
-                matches |= dependency2.getIdentifiers().contains(i);
-                if (!matches) {
-                    break;
+                if ("cpe".equals(i.getType())) {
+                    matches |= dependency2.getIdentifiers().contains(i);
+                    if (!matches) {
+                        break;
+                    }
                }
            }
        }
@@ -318,8 +307,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }

    /**
-     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
-     * to the 'right' library.
+     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
+     * 'right' library.
     *
     * @param left the dependency to test
     * @param right the dependency to test against
@@ -338,6 +327,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                || !rightName.contains("core") && leftName.contains("core")
                || !rightName.contains("kernel") && leftName.contains("kernel")) {
            returnVal = true;
+//        } else if (leftName.matches(".*struts2\\-core.*") && rightName.matches(".*xwork\\-core.*")) {
+//            returnVal = true;
+//        } else if (rightName.matches(".*struts2\\-core.*") && leftName.matches(".*xwork\\-core.*")) {
+//            returnVal = false;
        } else {
            /*
             * considered splitting the names up and comparing the components,
@@ -372,13 +365,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
    }

    /**
-     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
-     * dependency should be removed.
+     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency
+     * should be removed.
     *
     * @param dependency a dependency to check
     * @param nextDependency another dependency to check
-     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
-     * otherwise false
+     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false
     */
    private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
        final String mainName = dependency.getFileName().toLowerCase();
@@ -390,4 +382,43 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        }
        return false;
    }
+
+    /**
+     * Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the
+     * first path is smaller.
+     *
+     * @param left the first path to compare
+     * @param right the second path to compare
+     * @return <code>true</code> if the leftPath is the shortest; otherwise <code>false</code>
+     */
+    protected boolean firstPathIsShortest(String left, String right) {
+        final String leftPath = left.replace('\\', '/');
+        final String rightPath = right.replace('\\', '/');
+
+        final int leftCount = countChar(leftPath, '/');
+        final int rightCount = countChar(rightPath, '/');
+        if (leftCount == rightCount) {
+            return leftPath.compareTo(rightPath) <= 0;
+        } else {
+            return leftCount < rightCount;
+        }
+    }
+
+    /**
+     * Counts the number of times the character is present in the string.
+     *
+     * @param string the string to count the characters in
+     * @param c the character to count
+     * @return the number of times the character is present in the string
+     */
+    private int countChar(String string, char c) {
+        int count = 0;
+        final int max = string.length();
+        for (int i = 0; i < max; i++) {
+            if (c == string.charAt(i)) {
+                count++;
+            }
+        }
+        return count;
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -86,12 +86,46 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
        removeJreEntries(dependency);
        removeBadMatches(dependency);
+        removeBadSpringMatches(dependency);
        removeWrongVersionMatches(dependency);
        removeSpuriousCPE(dependency);
        removeDuplicativeEntriesFromJar(dependency, engine);
        addFalseNegativeCPEs(dependency);
    }

+    /**
+     * Removes inaccurate matches on springframework CPEs.
+     *
+     * @param dependency the dependency to test for and remove known inaccurate CPE matches
+     */
+    private void removeBadSpringMatches(Dependency dependency) {
+        String mustContain = null;
+        for (Identifier i : dependency.getIdentifiers()) {
+            if ("maven".contains(i.getType())) {
+                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
+                    final int endPoint = i.getValue().indexOf(":", 19);
+                    if (endPoint >= 0) {
+                        mustContain = i.getValue().substring(19, endPoint).toLowerCase();
+                        break;
+                    }
+                }
+            }
+        }
+        if (mustContain != null) {
+            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if ("cpe".contains(i.getType())
+                        && i.getValue() != null
+                        && i.getValue().startsWith("cpe:/a:springsource:")
+                        && !i.getValue().toLowerCase().contains(mustContain)) {
+                    itr.remove();
+                    //dependency.getIdentifiers().remove(i);
+                }
+            }
+        }
+    }
+
    /**
     * <p>
     * Intended to remove spurious CPE entries. By spurious we mean duplicate, less specific CPE entries.</p>
@@ -161,11 +195,20 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    public static final Pattern CORE_JAVA = Pattern.compile("^cpe:/a:(sun|oracle|ibm):(j2[ems]e|"
            + "java(_platform_micro_edition|_runtime_environment|_se|virtual_machine|se_development_kit|fx)?|"
-            + "jdk|jre|jsf|jsse)($|:.*)");
+            + "jdk|jre|jsse)($|:.*)");
+
+    /**
+     * Regex to identify core jsf libraries.
+     */
+    public static final Pattern CORE_JAVA_JSF = Pattern.compile("^cpe:/a:(sun|oracle|ibm):jsf($|:.*)");
    /**
     * Regex to identify core java library files. This is currently incomplete.
     */
-    public static final Pattern CORE_FILES = Pattern.compile("^((alt[-])?rt|jsf[-].*|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    public static final Pattern CORE_FILES = Pattern.compile("(^|/)((alt[-])?rt|jsse|jfxrt|jfr|jce|javaws|deploy|charsets)\\.jar$");
+    /**
+     * Regex to identify core jsf java library files. This is currently incomplete.
+     */
+    public static final Pattern CORE_JSF_FILES = Pattern.compile("(^|/)jsf[-][^/]*\\.jar$");

    /**
     * Removes any CPE entries for the JDK/JRE unless the filename ends with rt.jar
@@ -182,6 +225,11 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
            if (coreCPE.matches() && !coreFiles.matches()) {
                itr.remove();
            }
+            final Matcher coreJsfCPE = CORE_JAVA_JSF.matcher(i.getValue());
+            final Matcher coreJsfFiles = CORE_JSF_FILES.matcher(dependency.getFileName());
+            if (coreJsfCPE.matches() && !coreJsfFiles.matches()) {
+                itr.remove();
+            }
        }
    }

@@ -250,6 +298,14 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
                        || dependency.getFileName().toLowerCase().endsWith(".dll")
                        || dependency.getFileName().toLowerCase().endsWith(".exe"))) {
                    itr.remove();
+                } else if ((i.getValue().startsWith("cpe:/a:microsoft:excel")
+                        || i.getValue().startsWith("cpe:/a:microsoft:word")
+                        || i.getValue().startsWith("cpe:/a:microsoft:visio")
+                        || i.getValue().startsWith("cpe:/a:microsoft:powerpoint")
+                        || i.getValue().startsWith("cpe:/a:microsoft:office"))
+                        && (dependency.getFileName().toLowerCase().endsWith(".jar")
+                        || dependency.getFileName().toLowerCase().endsWith("pom.xml"))) {
+                    itr.remove();
                } else if (i.getValue().startsWith("cpe:/a:apache:maven")
                        && !dependency.getFileName().toLowerCase().matches("maven-core-[\\d\\.]+\\.jar")) {
                    itr.remove();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -73,7 +73,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {

        //strip any path information that may get added by ArchiveAnalyzer, etc.
-        final File f = new File(dependency.getFileName());
+        final File f = dependency.getActualFile();
        String fileName = f.getName();

        //remove file extension
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java
@@ -31,4 +31,9 @@ public interface FileTypeAnalyzer extends Analyzer {
     * @return whether or not the specified file extension is supported by this analyzer.
     */
    boolean supportsExtension(String extension);
+
+    /**
+     * Resets the analyzers state.
+     */
+    void reset();
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java
@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;

 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -64,8 +65,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
    //</editor-fold>

    /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
-     * identifiers or vulnerabilities.
+     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
+     * or vulnerabilities.
     *
     * @param dependency The dependency being analyzed
     * @param engine The scanning engine
@@ -84,24 +85,39 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                Confidence.HIGH);

        final Evidence springTest3 = new Evidence("Manifest",
+                "Implementation-Title",
+                "spring-core",
+                Confidence.HIGH);
+
+        final Evidence springTest4 = new Evidence("Manifest",
                "Bundle-Vendor",
                "SpringSource",
                Confidence.HIGH);

-        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
-        if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+        final Evidence springTest5 = new Evidence("jar",
+                "package name",
+                "springframework",
+                Confidence.LOW);
+
+        //springsource/vware problem
+        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
+        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
+
+        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
+                || (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
        }

-        evidence = dependency.getVendorEvidence().getEvidence();
-        if (evidence.contains(springTest3)) {
+        if (vendor.contains(springTest4)) {
            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
            dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
        }
+
+        //sun/oracle problem
        final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<Evidence>();
        while (itr.hasNext()) {
            final Evidence e = itr.next();
            if ("sun".equalsIgnoreCase(e.getValue(false))) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -46,13 +46,6 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
 import javax.xml.transform.sax.SAXSource;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
@@ -60,21 +53,16 @@ import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
-import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
+import org.owasp.dependencycheck.jaxb.pom.PomUtils;
 import org.owasp.dependencycheck.jaxb.pom.generated.License;
 import org.owasp.dependencycheck.jaxb.pom.generated.Model;
 import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
-import org.owasp.dependencycheck.jaxb.pom.generated.Parent;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.NonClosingStream;
 import org.owasp.dependencycheck.utils.Settings;
 import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.XMLFilter;
-import org.xml.sax.XMLReader;

 /**
- *
 * Used to load a JAR file and collect information that can be used to determine the associated CPE.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
@@ -160,23 +148,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * A pattern to detect HTML within text.
     */
    private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
+
    /**
-     * The unmarshaller used to parse the pom.xml from a JAR file.
+     * The POM Utility for parsing POM files.
     */
-    private Unmarshaller pomUnmarshaller;
+    private PomUtils pomUtils = null;
    //</editor-fold>

    /**
     * Constructs a new JarAnalyzer.
     */
    public JarAnalyzer() {
-        try {
-            final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
-            pomUnmarshaller = jaxbContext.createUnmarshaller();
-        } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
-            LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
-            LOGGER.log(Level.FINE, null, ex);
-        }
+        pomUtils = new PomUtils();
    }

    //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
@@ -244,7 +227,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
        try {
-            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
+            final List<ClassNameInformation> classNames = collectClassNames(dependency);
            final String fileName = dependency.getFileName().toLowerCase();
            if (classNames.isEmpty()
                    && (fileName.endsWith("-sources.jar")
@@ -263,8 +246,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence.
-     * This will attempt to interpolate the strings contained within the pom.properties if one exists.
+     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
+     * attempt to interpolate the strings contained within the pom.properties if one exists.
     *
     * @param dependency the dependency being analyzed
     * @param classes a collection of class name information
@@ -272,7 +255,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @throws AnalysisException is thrown if there is an exception parsing the pom
     * @return whether or not evidence was added to the dependency
     */
-    protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
+    protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
        boolean foundSomething = false;
        final JarFile jar;
        try {
@@ -294,13 +277,23 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            LOGGER.log(Level.FINE, msg, ex);
            return false;
        }
+        File externalPom = null;
        if (pomEntries.isEmpty()) {
-            return false;
+            String pomPath = dependency.getActualFilePath();
+            pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
+            externalPom = new File(pomPath);
+            if (externalPom.isFile()) {
+                pomEntries.add(pomPath);
+            } else {
+                return false;
+            }
        }
        for (String path : pomEntries) {
            Properties pomProperties = null;
            try {
-                pomProperties = retrievePomProperties(path, jar);
+                if (externalPom == null) {
+                    pomProperties = retrievePomProperties(path, jar);
+                }
            } catch (IOException ex) {
                LOGGER.log(Level.FINEST, "ignore this, failed reading a non-existent pom.properties", ex);
            }
@@ -314,19 +307,23 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                    final String displayPath = String.format("%s%s%s",
                            dependency.getFilePath(),
                            File.separator,
-                            path); //.replaceAll("[\\/]", File.separator));
+                            path);
                    final String displayName = String.format("%s%s%s",
                            dependency.getFileName(),
                            File.separator,
-                            path); //.replaceAll("[\\/]", File.separator));
+                            path);

                    newDependency.setFileName(displayName);
                    newDependency.setFilePath(displayPath);
-                    addPomEvidence(newDependency, pom, pomProperties);
+                    setPomEvidence(newDependency, pom, pomProperties, null);
                    engine.getDependencies().add(newDependency);
                    Collections.sort(engine.getDependencies());
                } else {
-                    pom = retrievePom(path, jar);
+                    if (externalPom == null) {
+                        pom = retrievePom(path, jar);
+                    } else {
+                        pom = pomUtils.readPom(externalPom);
+                    }
                    foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
                }
            } catch (AnalysisException ex) {
@@ -346,16 +343,25 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @return a Properties object or null if no pom.properties was found
     * @throws IOException thrown if there is an exception reading the pom.properties
     */
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(value = "OS_OPEN_STREAM",
-            justification = "The reader is closed by closing the zipEntry")
    private Properties retrievePomProperties(String path, final JarFile jar) throws IOException {
        Properties pomProperties = null;
        final String propPath = path.substring(0, path.length() - 7) + "pom.properies";
        final ZipEntry propEntry = jar.getEntry(propPath);
        if (propEntry != null) {
-            final Reader reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
-            pomProperties = new Properties();
-            pomProperties.load(reader);
+            Reader reader = null;
+            try {
+                reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
+                pomProperties = new Properties();
+                pomProperties.load(reader);
+            } finally {
+                if (reader != null) {
+                    try {
+                        reader.close();
+                    } catch (IOException ex) {
+                        LOGGER.log(Level.FINEST, "close error", ex);
+                    }
+                }
+            }
        }
        return pomProperties;
    }
@@ -402,7 +408,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            fos = new FileOutputStream(file);
            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
            int count;
-            final byte data[] = new byte[BUFFER_SIZE];
+            final byte[] data = new byte[BUFFER_SIZE];
            while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                bos.write(data, 0, count);
            }
@@ -424,7 +430,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            final InputStreamReader reader = new InputStreamReader(fis, "UTF-8");
            final InputSource xml = new InputSource(reader);
            final SAXSource source = new SAXSource(xml);
-            model = readPom(source);
+            model = pomUtils.readPom(source);
        } catch (FileNotFoundException ex) {
            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
            LOGGER.log(Level.WARNING, msg);
@@ -494,7 +500,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
                final InputSource xml = new InputSource(reader);
                final SAXSource source = new SAXSource(xml);
-                model = readPom(source);
+                model = pomUtils.readPom(source);
            } catch (SecurityException ex) {
                final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
                LOGGER.log(Level.WARNING, msg);
@@ -515,81 +521,102 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
        return model;
    }

-    /**
-     * Retrieves the specified POM from a jar file and converts it to a Model.
-     *
-     * @param source the SAXSource input stream to read the POM from
-     * @return returns the POM object
-     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
-     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
-     */
-    private Model readPom(SAXSource source) throws AnalysisException {
-        Model model = null;
-        try {
-            final XMLFilter filter = new MavenNamespaceFilter();
-            final SAXParserFactory spf = SAXParserFactory.newInstance();
-            final SAXParser sp = spf.newSAXParser();
-            final XMLReader xr = sp.getXMLReader();
-            filter.setParent(xr);
-            final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
-            model = el.getValue();
-        } catch (SecurityException ex) {
-            throw new AnalysisException(ex);
-        } catch (ParserConfigurationException ex) {
-            throw new AnalysisException(ex);
-        } catch (SAXException ex) {
-            throw new AnalysisException(ex);
-        } catch (JAXBException ex) {
-            throw new AnalysisException(ex);
-        } catch (Throwable ex) {
-            throw new AnalysisException(ex);
-        }
-        return model;
-    }
-
    /**
     * Sets evidence from the pom on the supplied dependency.
     *
     * @param dependency the dependency to set data on
     * @param pom the information from the pom
     * @param pomProperties the pom properties file (null if none exists)
-     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names
-     * within the JAR file being analyzed
+     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
+     * file being analyzed
     * @return true if there was evidence within the pom that we could use; otherwise false
     */
-    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
+    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, List<ClassNameInformation> classes) {
        boolean foundSomething = false;
+        boolean addAsIdentifier = true;
        if (pom == null) {
            return foundSomething;
        }
        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        if (groupid != null && !groupid.isEmpty()) {
-            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
-                groupid = groupid.substring(4);
+        String parentGroupId = null;
+
+        if (pom.getParent() != null) {
+            parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
+            if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
+                groupid = parentGroupId;
            }
+        }
+        final String originalGroupID = groupid;
+
+        if (groupid != null && !groupid.isEmpty()) {
            foundSomething = true;
-            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
+            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
            addMatchingValues(classes, groupid, dependency.getVendorEvidence());
            addMatchingValues(classes, groupid, dependency.getProductEvidence());
+            if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
+                dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
+                dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
+                addMatchingValues(classes, parentGroupId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentGroupId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
+        String parentArtifactId = null;
+
+        if (pom.getParent() != null) {
+            parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
+            if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
+                artifactid = parentArtifactId;
+            }
+        }
+        final String originalArtifactID = artifactid;
        if (artifactid != null && !artifactid.isEmpty()) {
            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
                artifactid = artifactid.substring(4);
            }
            foundSomething = true;
-            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
            addMatchingValues(classes, artifactid, dependency.getVendorEvidence());
            addMatchingValues(classes, artifactid, dependency.getProductEvidence());
+            if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
+                dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
+                dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
+                addMatchingValues(classes, parentArtifactId, dependency.getVendorEvidence());
+                addMatchingValues(classes, parentArtifactId, dependency.getProductEvidence());
+            }
+        } else {
+            addAsIdentifier = false;
        }
        //version
-        final String version = interpolateString(pom.getVersion(), pomProperties);
+        String version = interpolateString(pom.getVersion(), pomProperties);
+        String parentVersion = null;
+
+        if (pom.getParent() != null) {
+            parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
+            if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
+                version = parentVersion;
+            }
+        }
+
        if (version != null && !version.isEmpty()) {
            foundSomething = true;
            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
+            if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
+                dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
+            }
+        } else {
+            addAsIdentifier = false;
        }
+
+        if (addAsIdentifier) {
+            dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
+        }
+
        // org name
        final Organization org = pom.getOrganization();
        if (org != null && org.getName() != null) {
@@ -625,17 +652,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible
-     * vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
+     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
+     * product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
     *
     * @param classNames a list of class names
     * @param dependency a dependency to analyze
     * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
     */
-    protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
+    protected void analyzePackageNames(List<ClassNameInformation> classNames,
            Dependency dependency, boolean addPackagesAsEvidence) {
-        final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
-        final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
        analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);

        final int classCount = classNames.size();
@@ -648,7 +675,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                //TODO remove weighting
                vendor.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    vendor.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    vendor.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -657,7 +684,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            if (ratio > 0.5) {
                product.addWeighting(entry.getKey());
                if (addPackagesAsEvidence && entry.getKey().length() > 1) {
-                    product.addEvidence("jar", "package", entry.getKey(), Confidence.LOW);
+                    product.addEvidence("jar", "package name", entry.getKey(), Confidence.LOW);
                }
            }
        }
@@ -677,7 +704,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @return whether evidence was identified parsing the manifest
     * @throws IOException if there is an issue reading the JAR file
     */
-    protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
        boolean foundSomething = false;
        JarFile jar = null;
        try {
@@ -834,18 +861,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Adds a description to the given dependency. If the description contains one of the following strings beyond 100
-     * characters, then the description used will be trimmed to that position:
+     * Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
+     * then the description used will be trimmed to that position:
     * <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
     *
     * @param dependency a dependency
     * @param description the description
     * @param source the source of the evidence
     * @param key the "name" of the evidence
-     * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is
-     * returned
+     * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
     */
-    private String addDescription(Dependency dependency, String description, String source, String key) {
+    public static String addDescription(Dependency dependency, String description, String source, String key) {
        if (dependency.getDescription() == null) {
            dependency.setDescription(description);
        }
@@ -950,12 +976,11 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {

    /**
     * <p>
-     * A utility function that will interpolate strings based on values given in the properties file. It will also
-     * interpolate the strings contained within the properties file so that properties can reference other
-     * properties.</p>
+     * A utility function that will interpolate strings based on values given in the properties file. It will also interpolate the
+     * strings contained within the properties file so that properties can reference other properties.</p>
     * <p>
-     * <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated
-     * string will be replaced with an empty string.
+     * <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated string will
+     * be replaced with an empty string.
     * </p>
     * <p>
     * Example:</p>
@@ -975,13 +1000,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @param properties a collection of properties that may be referenced within the text.
     * @return the interpolated text.
     */
-    protected String interpolateString(String text, Properties properties) {
-        Properties props = properties;
+    public static String interpolateString(String text, Properties properties) {
+        final Properties props = properties;
        if (text == null) {
            return text;
        }
        if (props == null) {
-            props = new Properties();
+            return text;
        }

        final int pos = text.indexOf("${");
@@ -1019,14 +1044,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class
-     * names. This does not include core Java package names (i.e. java.* or javax.*).
+     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
+     * does not include core Java package names (i.e. java.* or javax.*).
     *
     * @param dependency the dependency being analyzed
     * @return an list of fully qualified class names
     */
-    private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
-        final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
+    private List<ClassNameInformation> collectClassNames(Dependency dependency) {
+        final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
        JarFile jar = null;
        try {
            jar = new JarFile(dependency.getActualFilePath());
@@ -1057,17 +1082,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and
-     * product. This is helpful when analyzing vendor/product as many times this is included in the package name.
+     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
+     * This is helpful when analyzing vendor/product as many times this is included in the package name.
     *
     * @param classNames a list of class names
     * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
     * @param product HashMap of possible product names from package names (e.g. dependencycheck)
     */
-    private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
-            HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
+    private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
+            Map<String, Integer> vendor, Map<String, Integer> product) {
        for (ClassNameInformation entry : classNames) {
-            final ArrayList<String> list = entry.getPackageStructure();
+            final List<String> list = entry.getPackageStructure();
            addEntry(vendor, list.get(0));

            if (list.size() == 2) {
@@ -1089,13 +1114,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists
-     * in the collection then the Integer is incremented by 1.
+     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
+     * collection then the Integer is incremented by 1.
     *
     * @param collection a collection of strings and their occurrence count
     * @param key the key to add to the collection
     */
-    private void addEntry(HashMap<String, Integer> collection, String key) {
+    private void addEntry(Map<String, Integer> collection, String key) {
        if (collection.containsKey(key)) {
            collection.put(key, collection.get(key) + 1);
        } else {
@@ -1104,16 +1129,16 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
    }

    /**
-     * Cycles through the collection of class name information to see if parts of the package names are contained in the
-     * provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one
-     * source corroborating the value.
+     * Cycles through the collection of class name information to see if parts of the package names are contained in the provided
+     * value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
+     * value.
     *
     * @param classes a collection of class name information
     * @param value the value to check to see if it contains a package name
     * @param evidence the evidence collection to add new entries too
     */
-    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
-        if (value == null || value.isEmpty()) {
+    private void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
+        if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
            return;
        }
        final String text = value.toLowerCase();
@@ -1140,93 +1165,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {

    }

-    /**
-     * Adds evidence from the POM to the dependency. This includes the GAV and in some situations the parent GAV if
-     * specified.
-     *
-     * @param dependency the dependency being analyzed
-     * @param pom the POM data
-     * @param pomProperties the properties file associated with the pom
-     */
-    private void addPomEvidence(Dependency dependency, Model pom, Properties pomProperties) {
-        if (pom == null) {
-            return;
-        }
-        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        if (groupid != null && !groupid.isEmpty()) {
-            if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
-                groupid = groupid.substring(4);
-            }
-            dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGH);
-            dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
-        }
-        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
-        if (artifactid != null && !artifactid.isEmpty()) {
-            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
-                artifactid = artifactid.substring(4);
-            }
-            dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
-        }
-        final String version = interpolateString(pom.getVersion(), pomProperties);
-        if (version != null && !version.isEmpty()) {
-            dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
-        }
-
-        final Parent parent = pom.getParent(); //grab parent GAV
-        if (parent != null) {
-            final String parentGroupId = interpolateString(parent.getGroupId(), pomProperties);
-            if (parentGroupId != null && !parentGroupId.isEmpty()) {
-                if (groupid == null || groupid.isEmpty()) {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.HIGH);
-                } else {
-                    dependency.getVendorEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.MEDIUM);
-                }
-                dependency.getProductEvidence().addEvidence("pom", "parent.groupid", parentGroupId, Confidence.LOW);
-            }
-            final String parentArtifactId = interpolateString(parent.getArtifactId(), pomProperties);
-            if (parentArtifactId != null && !parentArtifactId.isEmpty()) {
-                if (artifactid == null || artifactid.isEmpty()) {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.HIGH);
-                } else {
-                    dependency.getProductEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.MEDIUM);
-                }
-                dependency.getVendorEvidence().addEvidence("pom", "parent.artifactid", parentArtifactId, Confidence.LOW);
-            }
-            final String parentVersion = interpolateString(parent.getVersion(), pomProperties);
-            if (parentVersion != null && !parentVersion.isEmpty()) {
-                if (version == null || version.isEmpty()) {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.HIGH);
-                } else {
-                    dependency.getVersionEvidence().addEvidence("pom", "parent.version", parentVersion, Confidence.LOW);
-                }
-            }
-        }
-        // org name
-        final Organization org = pom.getOrganization();
-        if (org != null && org.getName() != null) {
-            final String orgName = interpolateString(org.getName(), pomProperties);
-            if (orgName != null && !orgName.isEmpty()) {
-                dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
-            }
-        }
-        //pom name
-        final String pomName = interpolateString(pom.getName(), pomProperties);
-        if (pomName != null && !pomName.isEmpty()) {
-            dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-            dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
-        }
-
-        //Description
-        if (pom.getDescription() != null) {
-            final String description = interpolateString(pom.getDescription(), pomProperties);
-            if (description != null && !description.isEmpty()) {
-                addDescription(dependency, description, "pom", "description");
-            }
-        }
-        extractLicense(pom, pomProperties, dependency);
-    }
-
    /**
     * Extracts the license information from the pom and adds it to the dependency.
     *
@@ -1234,7 +1172,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     * @param pomProperties the properties, used for string interpolation
     * @param dependency the dependency to add license information too
     */
-    private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
+    public static void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
        //license
        if (pom.getLicenses() != null) {
            String license = null;
@@ -1275,9 +1213,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {

        /**
         * <p>
-         * Stores information about a given class name. This class will keep the fully qualified class name and a list
-         * of the important parts of the package structure. Up to the first four levels of the package structure are
-         * stored, excluding a leading "org" or "com". Example:</p>
+         * Stores information about a given class name. This class will keep the fully qualified class name and a list of the
+         * important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
+         * leading "org" or "com". Example:</p>
         * <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
         * System.out.println(obj.getName());
         * for (String p : obj.getPackageStructure())
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.analyzer;

+import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
@@ -24,12 +25,18 @@ import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.jaxb.pom.PomUtils;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.Settings;

 /**
@@ -48,6 +55,11 @@ import org.owasp.dependencycheck.utils.Settings;
 */
 public class NexusAnalyzer extends AbstractFileTypeAnalyzer {

+    /**
+     * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
+     */
+    public static final String DEFAULT_URL = "https://repository.sonatype.org/service/local/";
+
    /**
     * The logger.
     */
@@ -73,6 +85,51 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     */
    private NexusSearch searcher;

+    /**
+     * Field indicating if the analyzer is enabled.
+     */
+    private final boolean enabled = checkEnabled();
+    /**
+     * Field for doing POM work
+     */
+    private final PomUtils pomUtil = new PomUtils();
+
+    /**
+     * Determines if this analyzer is enabled
+     *
+     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     */
+    private boolean checkEnabled() {
+        /* Enable this analyzer ONLY if the Nexus URL has been set to something
+         other than the default one (if it's the default one, we'll use the
+         central one) and it's enabled by the user.
+         */
+        boolean retval = false;
+        try {
+            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
+                LOGGER.info("Enabling Nexus analyzer");
+                retval = true;
+            } else {
+                LOGGER.fine("Nexus analyzer disabled, using Central instead");
+            }
+        } catch (InvalidSettingException ise) {
+            LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
+        }
+
+        return retval;
+    }
+
+    /**
+     * Determine whether to enable this analyzer or not.
+     *
+     * @return whether the analyzer should be enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
@@ -149,19 +206,43 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+        if (!isEnabled()) {
+            return;
+        }
        try {
            final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
-            if (ma.getGroupId() != null && !"".equals(ma.getGroupId())) {
-                dependency.getVendorEvidence().addEvidence("nexus", "groupid", ma.getGroupId(), Confidence.HIGH);
+            dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
+            boolean pomAnalyzed = false;
+            LOGGER.fine("POM URL " + ma.getPomUrl());
+            for (Evidence e : dependency.getVendorEvidence()) {
+                if ("pom".equals(e.getSource())) {
+                    pomAnalyzed = true;
+                    break;
+                }
            }
-            if (ma.getArtifactId() != null && !"".equals(ma.getArtifactId())) {
-                dependency.getProductEvidence().addEvidence("nexus", "artifactid", ma.getArtifactId(), Confidence.HIGH);
-            }
-            if (ma.getVersion() != null && !"".equals(ma.getVersion())) {
-                dependency.getVersionEvidence().addEvidence("nexus", "version", ma.getVersion(), Confidence.HIGH);
-            }
-            if (ma.getArtifactUrl() != null && !"".equals(ma.getArtifactUrl())) {
-                dependency.addIdentifier("maven", ma.toString(), ma.getArtifactUrl(), Confidence.HIGHEST);
+            if (!pomAnalyzed && ma.getPomUrl() != null) {
+                File pomFile = null;
+                try {
+                    final File baseDir = Settings.getTempDirectory();
+                    pomFile = File.createTempFile("pom", ".xml", baseDir);
+                    if (!pomFile.delete()) {
+                        final String msg = String.format("Unable to fetch pom.xml for %s from Nexus repository; "
+                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                        LOGGER.warning(msg);
+                        LOGGER.fine("Unable to delete temp file");
+                    }
+                    LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
+                    Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
+                    pomUtil.analyzePOM(dependency, pomFile);
+                } catch (DownloadFailedException ex) {
+                    final String msg = String.format("Unable to download pom.xml for %s from Nexus repository; "
+                            + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                    LOGGER.warning(msg);
+                } finally {
+                    if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                        pomFile.deleteOnExit();
+                    }
+                }
            }
        } catch (IllegalArgumentException iae) {
            //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -0,0 +1,161 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.central;
+
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.logging.Logger;
+import javax.xml.parsers.DocumentBuilder;
+import javax.xml.parsers.DocumentBuilderFactory;
+import javax.xml.xpath.XPath;
+import javax.xml.xpath.XPathConstants;
+import javax.xml.xpath.XPathFactory;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.w3c.dom.Document;
+import org.w3c.dom.NodeList;
+
+/**
+ * Class of methods to search Maven Central via Central.
+ *
+ * @author colezlaw
+ */
+public class CentralSearch {
+
+    /**
+     * The URL for the Central service
+     */
+    private final URL rootURL;
+
+    /**
+     * Whether to use the Proxy when making requests
+     */
+    private boolean useProxy;
+
+    /**
+     * Used for logging.
+     */
+    private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
+
+    /**
+     * Creates a NexusSearch for the given repository URL.
+     *
+     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
+     * end in /select)
+     */
+    public CentralSearch(URL rootURL) {
+        this.rootURL = rootURL;
+        if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)) {
+            useProxy = true;
+            LOGGER.fine("Using proxy");
+        } else {
+            useProxy = false;
+            LOGGER.fine("Not using proxy");
+        }
+    }
+
+    /**
+     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
+     * populated with the GAV.
+     *
+     * @param sha1 the SHA-1 hash string for which to search
+     * @return the populated Maven GAV.
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
+     */
+    public List<MavenArtifact> searchSha1(String sha1) throws IOException {
+        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
+            throw new IllegalArgumentException("Invalid SHA1 format");
+        }
+
+        final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
+
+        LOGGER.fine(String.format("Searching Central url %s", url.toString()));
+
+        // Determine if we need to use a proxy. The rules:
+        // 1) If the proxy is set, AND the setting is set to true, use the proxy
+        // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
+        // or proxy is specifically set to false)
+        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
+
+        conn.setDoOutput(true);
+
+        // JSON would be more elegant, but there's not currently a dependency
+        // on JSON, so don't want to add one just for this
+        conn.addRequestProperty("Accept", "application/xml");
+        conn.connect();
+
+        if (conn.getResponseCode() == 200) {
+            boolean missing = false;
+            try {
+                final DocumentBuilder builder = DocumentBuilderFactory
+                        .newInstance().newDocumentBuilder();
+                final Document doc = builder.parse(conn.getInputStream());
+                final XPath xpath = XPathFactory.newInstance().newXPath();
+                final String numFound = xpath.evaluate("/response/result/@numFound", doc);
+                if ("0".equals(numFound)) {
+                    missing = true;
+                } else {
+                    final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
+                    final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
+                    for (int i = 0; i < docs.getLength(); i++) {
+                        final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
+                        LOGGER.finest(String.format("GroupId: %s", g));
+                        final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
+                        LOGGER.finest(String.format("ArtifactId: %s", a));
+                        final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
+                        final NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
+                        boolean pomAvailable = false;
+                        boolean jarAvailable = false;
+                        for (int x = 0; x < atts.getLength(); x++) {
+                            final String tmp = xpath.evaluate(".", atts.item(x));
+                            if (".pom".equals(tmp)) {
+                                pomAvailable = true;
+                            } else if (".jar".equals(tmp)) {
+                                jarAvailable = true;
+                            }
+                        }
+                        LOGGER.finest(String.format("Version: %s", v));
+                        result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable));
+                    }
+
+                    return result;
+                }
+            } catch (Throwable e) {
+                // Anything else is jacked up XML stuff that we really can't recover
+                // from well
+                throw new IOException(e.getMessage(), e);
+            }
+
+            if (missing) {
+                throw new FileNotFoundException("Artifact not found in Central");
+            }
+        } else {
+            final String msg = String.format("Could not connect to Central received response code: %d %s",
+                    conn.getResponseCode(), conn.getResponseMessage());
+            LOGGER.fine(msg);
+            throw new IOException(msg);
+        }
+
+        return null;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
@@ -0,0 +1,14 @@
+/**
+ * <html>
+ * <head>
+ * <title>org.owasp.dependencycheck.data.central</title>
+ * </head>
+ * <body>
+ * <p>
+ * Contains classes related to searching Maven Central.</p>
+ * <p>
+ * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
+ * </body>
+ * </html>
+ */
+package org.owasp.dependencycheck.data.central;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -48,12 +48,13 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.utils.Pair;

 /**
- * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
- * the NVD CVE data.
+ * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within the NVD
+ * CVE data.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CpeMemoryIndex {
+
    /**
     * The logger.
     */
@@ -61,7 +62,7 @@ public final class CpeMemoryIndex {
    /**
     * singleton instance.
     */
-    private static CpeMemoryIndex instance = new CpeMemoryIndex();
+    private static final CpeMemoryIndex INSTANCE = new CpeMemoryIndex();

    /**
     * private constructor for singleton.
@@ -75,7 +76,7 @@ public final class CpeMemoryIndex {
     * @return the instance of the CpeMemoryIndex
     */
    public static CpeMemoryIndex getInstance() {
-        return instance;
+        return INSTANCE;
    }
    /**
     * The in memory Lucene index.
@@ -113,18 +114,20 @@ public final class CpeMemoryIndex {
     * @throws IndexException thrown if there is an error creating the index
     */
    public void open(CveDB cve) throws IndexException {
-        if (!openState) {
-            index = new RAMDirectory();
-            buildIndex(cve);
-            try {
-                indexReader = DirectoryReader.open(index);
-            } catch (IOException ex) {
-                throw new IndexException(ex);
+        synchronized (INSTANCE) {
+            if (!openState) {
+                index = new RAMDirectory();
+                buildIndex(cve);
+                try {
+                    indexReader = DirectoryReader.open(index);
+                } catch (IOException ex) {
+                    throw new IndexException(ex);
+                }
+                indexSearcher = new IndexSearcher(indexReader);
+                searchingAnalyzer = createSearchingAnalyzer();
+                queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
+                openState = true;
            }
-            indexSearcher = new IndexSearcher(indexReader);
-            searchingAnalyzer = createSearchingAnalyzer();
-            queryParser = new QueryParser(LuceneUtils.CURRENT_VERSION, Fields.DOCUMENT_KEY, searchingAnalyzer);
-            openState = true;
        }
    }
    /**
@@ -160,7 +163,7 @@ public final class CpeMemoryIndex {
     */
    @SuppressWarnings("unchecked")
    private Analyzer createSearchingAnalyzer() {
-        final Map fieldAnalyzers = new HashMap();
+        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck.data.cpe;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public abstract class Fields {
+public final class Fields {

    /**
     * The key for the name document id.
@@ -36,7 +36,10 @@ public abstract class Fields {
     * The key for the product field.
     */
    public static final String PRODUCT = "product";
+
    /**
-     * The key for the version field.
+     * Private constructor as this is more of an enumeration rather then a full class.
     */
+    private Fields() {
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java
@@ -29,10 +29,12 @@ import java.util.logging.Logger;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CweDB {
+
    /**
     * The Logger.
     */
    private static final Logger LOGGER = Logger.getLogger(CweDB.class.getName());
+
    /**
     * Empty private constructor as this is a utility class.
     */
@@ -55,7 +57,9 @@ public final class CweDB {
            final String filePath = "data/cwe.hashmap.serialized";
            final InputStream input = CweDB.class.getClassLoader().getResourceAsStream(filePath);
            oin = new ObjectInputStream(input);
-            return (HashMap<String, String>) oin.readObject();
+            @SuppressWarnings("unchecked")
+            final HashMap<String, String> ret = (HashMap<String, String>) oin.readObject();
+            return ret;
        } catch (ClassNotFoundException ex) {
            LOGGER.log(Level.WARNING, "Unable to load CWE data. This should not be an issue.");
            LOGGER.log(Level.FINE, null, ex);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java
@@ -72,7 +72,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
     * @return whether or not a new term was added
     */
    protected boolean addTerm() {
-        final boolean termAdded = tokens.size() > 0;
+        final boolean termAdded = !tokens.isEmpty();
        if (termAdded) {
            final String term = tokens.pop();
            clearAttributes();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java
@@ -29,8 +29,8 @@ import org.apache.lucene.util.Version;

 /**
 * <p>
- * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
- * intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
+ * purpose of this Analyzer is to index the CPE fields vendor and product.</p>
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.data.lucene;

+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.lucene.util.Version;

 /**
@@ -28,10 +29,10 @@ import org.apache.lucene.util.Version;
 public final class LuceneUtils {

    /**
-     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
-     * the code base.
+     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through the code
+     * base.
     */
-    public static final Version CURRENT_VERSION = Version.LUCENE_45;
+    public static final Version CURRENT_VERSION = Version.LUCENE_47;

    /**
     * Private constructor as this is a utility class.
@@ -46,7 +47,7 @@ public final class LuceneUtils {
     * @param text the data to be escaped
     */
    @SuppressWarnings("fallthrough")
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    @SuppressFBWarnings(
            value = "SF_SWITCH_NO_DEFAULT",
            justification = "The switch below does have a default.")
    public static void appendEscapedLuceneQuery(StringBuilder buf,
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java
@@ -39,8 +39,7 @@ public class SearchFieldAnalyzer extends Analyzer {
     */
    private final Version version;
    /**
-     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
-     * is re-used.
+     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer is re-used.
     */
    private TokenPairConcatenatingFilter concatenatingFilter;

@@ -85,8 +84,7 @@ public class SearchFieldAnalyzer extends Analyzer {

    /**
     * <p>
-     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
-     * analyzer.</p>
+     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the analyzer.</p>
     * <p>
     * <b>If this analyzer is re-used this method must be called between uses.</b></p>
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java
@@ -1,72 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.Reader;
-import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.LowerCaseFilter;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
-import org.apache.lucene.util.Version;
-
-/**
- * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public class SearchVersionAnalyzer extends Analyzer {
-    //TODO consider implementing payloads/custom attributes...
-    // use custom attributes for major, minor, x, x, x, rcx
-    // these can then be used to weight the score for searches on the version.
-    // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
-    // look at this article to implement
-    // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
-
-    /**
-     * The Lucene Version used.
-     */
-    private final Version version;
-
-    /**
-     * Creates a new SearchVersionAnalyzer.
-     *
-     * @param version the Lucene version
-     */
-    public SearchVersionAnalyzer(Version version) {
-        this.version = version;
-    }
-
-    /**
-     * Creates the TokenStreamComponents
-     *
-     * @param fieldName the field name being analyzed
-     * @param reader the reader containing the input
-     * @return the TokenStreamComponents
-     */
-    @Override
-    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
-        TokenStream stream = source;
-        stream = new LowerCaseFilter(version, stream);
-        stream = new VersionTokenizingFilter(stream);
-        return new TokenStreamComponents(source, stream);
-    }
-}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java
@@ -92,7 +92,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {

        //if we have a previousTerm - write it out as its own token concatenated
        // with the current word (if one is available).
-        if (previousWord != null && words.size() > 0) {
+        if (previousWord != null && !words.isEmpty()) {
            final String word = words.getFirst();
            clearAttributes();
            termAtt.append(previousWord).append(word);
@@ -100,7 +100,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
            return true;
        }
        //if we have words, write it out as a single token
-        if (words.size() > 0) {
+        if (!words.isEmpty()) {
            final String word = words.removeFirst();
            clearAttributes();
            termAtt.append(word);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java
@@ -60,7 +60,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
    public boolean incrementToken() throws IOException {
        final LinkedList<String> tokens = getTokens();
        final CharTermAttribute termAtt = getTermAtt();
-        if (tokens.size() == 0 && input.incrementToken()) {
+        if (tokens.isEmpty() && input.incrementToken()) {
            final String text = new String(termAtt.buffer(), 0, termAtt.length());
            if (UrlStringUtils.containsUrl(text)) {
                final String[] parts = text.split("\\s");
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java
@@ -1,71 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.Reader;
-import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.LowerCaseFilter;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
-import org.apache.lucene.util.Version;
-
-/**
- * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public class VersionAnalyzer extends Analyzer {
-    //TODO consider implementing payloads/custom attributes...
-    // use custom attributes for major, minor, x, x, x, rcx
-    // these can then be used to weight the score for searches on the version.
-    // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
-    // look at this article to implement
-    // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
-
-    /**
-     * The Lucene Version used.
-     */
-    private final Version version;
-
-    /**
-     * Creates a new VersionAnalyzer.
-     *
-     * @param version the Lucene version
-     */
-    public VersionAnalyzer(Version version) {
-        this.version = version;
-    }
-
-    /**
-     * Creates the TokenStreamComponents
-     *
-     * @param fieldName the field name being analyzed
-     * @param reader the reader containing the input
-     * @return the TokenStreamComponents
-     */
-    @Override
-    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
-        TokenStream stream = source;
-        stream = new LowerCaseFilter(version, stream);
-        return new TokenStreamComponents(source, stream);
-    }
-}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java
@@ -1,98 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.IOException;
-import java.util.LinkedList;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
-
-/**
- * <p>
- * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
- * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
-
-    /**
-     * Constructs a new VersionTokenizingFilter.
-     *
-     * @param stream the TokenStream that this filter will process
-     */
-    public VersionTokenizingFilter(TokenStream stream) {
-        super(stream);
-    }
-
-    /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * concatenating tokens with the previous token.
-     *
-     * @return whether or not we have hit the end of the TokenStream
-     * @throws IOException is thrown when an IOException occurs
-     */
-    @Override
-    public boolean incrementToken() throws IOException {
-        final LinkedList<String> tokens = getTokens();
-        final CharTermAttribute termAtt = getTermAtt();
-        if (tokens.size() == 0 && input.incrementToken()) {
-            final String version = new String(termAtt.buffer(), 0, termAtt.length());
-            final String[] toAnalyze = version.split("[_-]");
-            //ensure we analyze the whole string as one too
-            analyzeVersion(version);
-            for (String str : toAnalyze) {
-                analyzeVersion(str);
-            }
-        }
-        return addTerm();
-    }
-
-    /**
-     * <p>
-     * Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
-     * would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
-     * or build number will throw off the version identification.</p>
-     *
-     * <p>
-     * expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
-     *
-     * @param version the version to analyze
-     */
-    private void analyzeVersion(String version) {
-        //todo should we also be splitting on dash or underscore? we would need
-        //  to incorporate the dash or underscore back in...
-        final LinkedList<String> tokens = getTokens();
-        final String[] versionParts = version.split("\\.");
-        String dottedVersion = null;
-        for (String current : versionParts) {
-            if (!current.matches("^/d+$")) {
-                tokens.add(current);
-            }
-            if (dottedVersion == null) {
-                dottedVersion = current;
-            } else {
-                dottedVersion = dottedVersion + "." + current;
-            }
-            tokens.add(dottedVersion);
-        }
-    }
-}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java
@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.nexus;
 */
 public class MavenArtifact {

+    /**
+     * The base URL for download artifacts from Central.
+     */
+    private static final String CENTRAL_CONTENT_URL = "http://search.maven.org/remotecontent?filepath=";
+
    /**
     * The groupId
     */
@@ -43,6 +48,10 @@ public class MavenArtifact {
     * The artifact url. This may change depending on which Nexus server the search took place.
     */
    private String artifactUrl;
+    /**
+     * The url to download the POM from.
+     */
+    private String pomUrl;

    /**
     * Creates an empty MavenArtifact.
@@ -58,9 +67,34 @@ public class MavenArtifact {
     * @param version the version
     */
    public MavenArtifact(String groupId, String artifactId, String version) {
-        setGroupId(groupId);
-        setArtifactId(artifactId);
-        setVersion(version);
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     * @param jarAvailable if the jar file is available from central
+     * @param pomAvailable if the pom file is available from central
+     */
+    public MavenArtifact(String groupId, String artifactId, String version, boolean jarAvailable, boolean pomAvailable) {
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        if (jarAvailable) {
+            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
+            this.artifactUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
+                    + version + "/" + artifactId + "-" + version + ".jar";
+        }
+        if (pomAvailable) {
+            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
+            this.pomUrl = this.CENTRAL_CONTENT_URL + groupId.replace('.', '/') + "/" + artifactId.replace('.', '/') + "/"
+                    + version + "/" + artifactId + "-" + version + ".pom";
+        }
    }

    /**
@@ -72,10 +106,10 @@ public class MavenArtifact {
     * @param url the artifactLink url
     */
    public MavenArtifact(String groupId, String artifactId, String version, String url) {
-        setGroupId(groupId);
-        setArtifactId(artifactId);
-        setVersion(version);
-        setArtifactUrl(url);
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        this.artifactUrl = url;
    }

    /**
@@ -159,6 +193,25 @@ public class MavenArtifact {
    public String getArtifactUrl() {
        return artifactUrl;
    }
+
+    /**
+     * Get the value of pomUrl.
+     *
+     * @return the value of pomUrl
+     */
+    public String getPomUrl() {
+        return pomUrl;
+    }
+
+    /**
+     * Set the value of pomUrl.
+     *
+     * @param pomUrl new value of pomUrl
+     */
+    public void setPomUrl(String pomUrl) {
+        this.pomUrl = pomUrl;
+    }
+
 }

 // vim: cc=120:sw=4:ts=4:sts=4
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -58,13 +58,13 @@ public class NexusSearch {
    /**
     * Creates a NexusSearch for the given repository URL.
     *
-     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
-     * relative to this URL, so it should end with a /
+     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
+     * URL, so it should end with a /
     */
    public NexusSearch(URL rootURL) {
        this.rootURL = rootURL;
        try {
-            if (null != Settings.getString(Settings.KEYS.PROXY_URL)
+            if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
                useProxy = true;
                LOGGER.fine("Using proxy");
@@ -78,13 +78,12 @@ public class NexusSearch {
    }

    /**
-     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
-     * <code>MavenArtifact</code> is populated with the coordinate information.
+     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
+     * populated with the coordinate information.
     *
     * @param sha1 The SHA-1 hash string for which to search
     * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
-     * found.
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
     */
    public MavenArtifact searchSha1(String sha1) throws IOException {
        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -131,7 +130,18 @@ public class NexusSearch {
                        .evaluate(
                                "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
                                doc);
-                return new MavenArtifact(groupId, artifactId, version, link);
+                final String pomLink = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
+                                doc);
+                final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+                if (link != null && !"".equals(link)) {
+                    ma.setArtifactUrl(link);
+                }
+                if (pomLink != null && !"".equals(pomLink)) {
+                    ma.setPomUrl(pomLink);
+                }
+                return ma;
            } catch (Throwable e) {
                // Anything else is jacked-up XML stuff that we really can't recover
                // from well
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -42,6 +42,7 @@ import org.owasp.dependencycheck.utils.Settings;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class ConnectionFactory {
+
    /**
     * The Logger.
     */
@@ -49,7 +50,7 @@ public final class ConnectionFactory {
    /**
     * The version of the current DB Schema.
     */
-    public static final String DB_SCHEMA_VERSION = "2.9";
+    public static final String DB_SCHEMA_VERSION = Settings.getString(Settings.KEYS.DB_VERSION);
    /**
     * Resource location for SQL file used to create the database schema.
     */
@@ -111,7 +112,10 @@ public final class ConnectionFactory {
            //yes, yes - hard-coded password - only if there isn't one in the properties file.
            password = Settings.getString(Settings.KEYS.DB_PASSWORD, "DC-Pass1337!");
            try {
-                connectionString = getConnectionString();
+                connectionString = Settings.getConnectionString(
+                        Settings.KEYS.DB_CONNECTION_STRING,
+                        Settings.KEYS.DB_FILE_NAME,
+                        Settings.KEYS.DB_VERSION);
            } catch (IOException ex) {
                LOGGER.log(Level.FINE,
                        "Unable to retrieve the database connection string", ex);
@@ -120,7 +124,7 @@ public final class ConnectionFactory {
            boolean shouldCreateSchema = false;
            try {
                if (connectionString.startsWith("jdbc:h2:file:")) { //H2
-                    shouldCreateSchema = !dbSchemaExists();
+                    shouldCreateSchema = !h2DataFileExists();
                    LOGGER.log(Level.FINE, "Need to create DB Structure: {0}", shouldCreateSchema);
                }
            } catch (IOException ioex) {
@@ -217,51 +221,17 @@ public final class ConnectionFactory {
        return conn;
    }

-    /**
-     * Returns the configured connection string. If using the embedded H2 database this function will also ensure the
-     * data directory exists and if not create it.
-     *
-     * @return the connection string
-     * @throws IOException thrown the data directory cannot be created
-     */
-    private static String getConnectionString() throws IOException {
-        final String connStr = Settings.getString(Settings.KEYS.DB_CONNECTION_STRING, "jdbc:h2:file:%s;AUTO_SERVER=TRUE");
-        if (connStr.contains("%s")) {
-            final String directory = getDataDirectory().getCanonicalPath();
-            final File dataFile = new File(directory, "cve." + DB_SCHEMA_VERSION);
-            LOGGER.log(Level.FINE, String.format("File path for H2 file: '%s'", dataFile.toString()));
-            return String.format(connStr, dataFile.getAbsolutePath());
-        }
-        return connStr;
-    }
-
-    /**
-     * Retrieves the directory that the JAR file exists in so that we can ensure we always use a common data directory
-     * for the embedded H2 database. This is public solely for some unit tests; otherwise this should be private.
-     *
-     * @return the data directory to store data files
-     * @throws IOException is thrown if an IOException occurs of course...
-     */
-    public static File getDataDirectory() throws IOException {
-        final File path = Settings.getDataFile(Settings.KEYS.DATA_DIRECTORY);
-        if (!path.exists()) {
-            if (!path.mkdirs()) {
-                throw new IOException("Unable to create NVD CVE Data directory");
-            }
-        }
-        return path;
-    }
-
    /**
     * Determines if the H2 database file exists. If it does not exist then the data structure will need to be created.
     *
     * @return true if the H2 database file does not exist; otherwise false
     * @throws IOException thrown if the data directory does not exist and cannot be created
     */
-    private static boolean dbSchemaExists() throws IOException {
-        final File dir = getDataDirectory();
-        final String name = String.format("cve.%s.h2.db", DB_SCHEMA_VERSION);
-        final File file = new File(dir, name);
+    private static boolean h2DataFileExists() throws IOException {
+        final File dir = Settings.getDataDirectory();
+        final String name = Settings.getString(Settings.KEYS.DB_FILE_NAME);
+        final String fileName = String.format(name, DB_SCHEMA_VERSION);
+        final File file = new File(dir, fileName);
        return file.exists();
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;

+import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.sql.Connection;
 import java.sql.PreparedStatement;
@@ -24,8 +25,10 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
 import java.util.Set;
@@ -39,6 +42,7 @@ import org.owasp.dependencycheck.utils.DBUtils;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.Pair;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * The database holding information about the NVD CVE data.
@@ -57,8 +61,8 @@ public class CveDB {
    private Connection conn;

    /**
-     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller
-     * by calling the close method.
+     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
+     * the close method.
     *
     * @throws DatabaseException thrown if there is an exception opening the database.
     */
@@ -87,7 +91,9 @@ public class CveDB {
     * @throws DatabaseException thrown if there is an error opening the database connection
     */
    public final void open() throws DatabaseException {
-        conn = ConnectionFactory.getConnection();
+        if (!isOpen()) {
+            conn = ConnectionFactory.getConnection();
+        }
    }

    /**
@@ -170,8 +176,8 @@ public class CveDB {
     */
    private static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE id = ?";
    /**
-     * SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works
-     * well to keep the data file size down a bit.
+     * SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works well to keep
+     * the data file size down a bit.
     */
    private static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
    /**
@@ -208,7 +214,8 @@ public class CveDB {
    private static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion "
            + "FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId "
            + "INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId "
-            + "WHERE vendor = ? AND product = ?";
+            + "WHERE vendor = ? AND product = ? "
+            + "ORDER BY cve, cpe"; //, previousVersion
    //unfortunately, the version info is too complicated to do in a select. Need to filter this afterwards
    //        + " AND (version = '-' OR previousVersion IS NOT NULL OR version=?)";
    //
@@ -248,6 +255,7 @@ public class CveDB {
    /**
     * SQL Statement to retrieve a property from the database.
     */
+    @SuppressWarnings("unused")
    private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
    /**
     * SQL Statement to insert a new property.
@@ -260,12 +268,13 @@ public class CveDB {
    /**
     * SQL Statement to delete a property.
     */
+    @SuppressWarnings("unused")
    private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";

    //</editor-fold>
    /**
-     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
-     * The returned list will include all versions of the product that are registered in the NVD CVE data.
+     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
+     * list will include all versions of the product that are registered in the NVD CVE data.
     *
     * @param vendor the identified vendor name of the dependency being analyzed
     * @param product the identified name of the product of the dependency being analyzed
@@ -304,14 +313,14 @@ public class CveDB {
     * @throws DatabaseException thrown when there is an error retrieving the data from the DB
     */
    public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
-        final HashSet data = new HashSet<Pair<String, String>>();
+        final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
        ResultSet rs = null;
        PreparedStatement ps = null;
        try {
            ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
            rs = ps.executeQuery();
            while (rs.next()) {
-                data.add(new Pair(rs.getString(1), rs.getString(2)));
+                data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
@@ -450,30 +459,41 @@ public class CveDB {
        final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();

        PreparedStatement ps;
-        final HashSet<String> cveEntries = new HashSet<String>();
        try {
            ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
            ps.setString(1, cpe.getVendor());
            ps.setString(2, cpe.getProduct());
            rs = ps.executeQuery();
+            String currentCVE = "";
+
+            final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
            while (rs.next()) {
                final String cveId = rs.getString(1);
+                if (!currentCVE.equals(cveId)) { //check for match and add
+                    final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
+                    if (matchedCPE != null) {
+                        final Vulnerability v = getVulnerability(currentCVE);
+                        v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
+                        vulnerabilities.add(v);
+                    }
+                    vulnSoftware.clear();
+                    currentCVE = cveId;
+                }
+
                final String cpeId = rs.getString(2);
                final String previous = rs.getString(3);
-                if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
-                    cveEntries.add(cveId);
-                    final Vulnerability v = getVulnerability(cveId);
-                    v.setMatchedCPE(cpeId, previous);
-                    vulnerabilities.add(v);
-                }
+                final Boolean p = previous != null && !previous.isEmpty();
+                vulnSoftware.put(cpeId, p);
+            }
+            //remember to process the last set of CVE/CPE entries
+            final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
+            if (matchedCPE != null) {
+                final Vulnerability v = getVulnerability(currentCVE);
+                v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
+                vulnerabilities.add(v);
            }
            DBUtils.closeResultSet(rs);
            DBUtils.closeStatement(ps);
-//            for (String cve : cveEntries) {
-//                final Vulnerability v = getVulnerability(cve);
-//                vulnerabilities.add(v);
-//            }
-
        } catch (SQLException ex) {
            throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
        } finally {
@@ -699,8 +719,45 @@ public class CveDB {
    }

    /**
-     * It is possible that orphaned rows may be generated during database updates. This should be called after all
-     * updates have been completed to ensure orphan entries are removed.
+     * Checks to see if data exists so that analysis can be performed.
+     *
+     * @return <code>true</code> if data exists; otherwise <code>false</code>
+     */
+    public boolean dataExists() {
+        Statement cs = null;
+        ResultSet rs = null;
+        try {
+            cs = conn.createStatement();
+            rs = cs.executeQuery("SELECT COUNT(*) records FROM cpeEntry");
+            if (rs.next()) {
+                if (rs.getInt(1) > 0) {
+                    return true;
+                }
+            }
+        } catch (SQLException ex) {
+            String dd;
+            try {
+                dd = Settings.getDataDirectory().getAbsolutePath();
+            } catch (IOException ex1) {
+                dd = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            }
+            final String msg = String.format("Unable to access the local database.%n%nEnsure that '%s' is a writable directory. "
+                    + "If the problem persist try deleting the files in '%s' and running %s again. If the problem continues, please "
+                    + "create a log file (see documentation at http://jeremylong.github.io/DependencyCheck/) and open a ticket at "
+                    + "https://github.com/jeremylong/DependencyCheck/issues and include the log file.%n%n",
+                    dd, dd, Settings.getString(Settings.KEYS.APPLICATION_VAME));
+            LOGGER.log(Level.SEVERE, msg);
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            DBUtils.closeResultSet(rs);
+            DBUtils.closeStatement(cs);
+        }
+        return false;
+    }
+
+    /**
+     * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
+     * been completed to ensure orphan entries are removed.
     */
    public void cleanupDatabase() {
        PreparedStatement ps = null;
@@ -719,46 +776,80 @@ public class CveDB {
    }

    /**
-     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null,
-     * non-empty string passed to the previous version argument indicates that all previous versions are affected.
+     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
+     * string passed to the previous version argument indicates that all previous versions are affected.
     *
     * @param vendor the vendor of the dependency being analyzed
     * @param product the product name of the dependency being analyzed
+     * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
     * @param identifiedVersion the identified version of the dependency being analyzed
-     * @param cpeId the cpe identifier of software that has a known vulnerability
-     * @param previous a flag indicating if previous versions of the product are vulnerable
     * @return true if the identified version is affected, otherwise false
     */
-    private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
-        boolean affected = false;
-        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
-        final DependencyVersion v = parseDependencyVersion(cpeId);
-        final boolean prevAffected = previous != null && !previous.isEmpty();
-        if (v == null || "-".equals(v.toString())) { //all versions
-            affected = true;
-        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
-            if (prevAffected) {
-                affected = true;
+    Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
+            DependencyVersion identifiedVersion) {
+
+        final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
+
+        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
+        final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
+        String majorVersionMatch = null;
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            final DependencyVersion v = parseDependencyVersion(entry.getKey());
+            if (v == null || "-".equals(v.toString())) { //all versions
+                return entry;
            }
-        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
-            if (isStruts) { //struts 2 vulns don't affect struts 1
-                if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
-                    affected = true;
+            if (entry.getValue()) {
+                if (matchesAnyPrevious) {
+                    return entry;
                }
-            } else {
-                affected = true;
+                if (identifiedVersion != null && identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
+                    majorVersionMatch = v.getVersionParts().get(0);
+                }
+                majorVersionsAffectingAllPrevious.add(v.getVersionParts().get(0));
            }
        }
-        /*
-         * TODO consider utilizing the matchThreeVersion method to get additional results. However, this
-         *      might also introduce false positives.
-         */
-        return affected;
+        if (matchesAnyPrevious) {
+            return null;
+        }
+
+        final boolean canSkipVersions = majorVersionMatch != null && majorVersionsAffectingAllPrevious.size() > 1;
+        //yes, we are iterating over this twice. The first time we are skipping versions those that affect all versions
+        //then later we process those that affect all versions. This could be done with sorting...
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            if (!entry.getValue()) {
+                final DependencyVersion v = parseDependencyVersion(entry.getKey());
+                //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
+                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                    continue;
+                }
+                //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
+                //in the above loop or just after loop (if matchesAnyPrevious return null).
+                if (identifiedVersion.equals(v)) {
+                    return entry;
+                }
+            }
+        }
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            if (entry.getValue()) {
+                final DependencyVersion v = parseDependencyVersion(entry.getKey());
+                //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
+                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                    continue;
+                }
+                //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
+                //in the above loop or just after loop (if matchesAnyPrevious return null).
+                if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
+                    if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
+                        return entry;
+                    }
+                }
+            }
+        }
+        return null;
    }

    /**
-     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is
-     * returned.
+     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
     *
     * @param cpeStr a cpe identifier
     * @return a dependency version
@@ -782,9 +873,9 @@ public class CveDB {
     */
    private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
        DependencyVersion cpeVersion;
-        if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
+        if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
            String versionText;
-            if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
+            if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
                versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
            } else {
                versionText = cpe.getVersion();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -91,7 +91,7 @@ public class DatabaseProperties {
    }

    /**
-     * Writes a properties file containing the last updated date to the VULNERABLE_CPE directory.
+     * Saves the last updated information to the properties file.
     *
     * @param updatedValue the updated NVD CVE entry
     * @throws UpdateException is thrown if there is an update exception
@@ -100,8 +100,19 @@ public class DatabaseProperties {
        if (updatedValue == null) {
            return;
        }
-        properties.put(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
-        cveDB.saveProperty(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+        save(LAST_UPDATED_BASE + updatedValue.getId(), String.valueOf(updatedValue.getTimestamp()));
+    }
+
+    /**
+     * Saves the key value pair to the properties store.
+     *
+     * @param key the property key
+     * @param value the property value
+     * @throws UpdateException is thrown if there is an update exception
+     */
+    public void save(String key, String value) throws UpdateException {
+        properties.put(key, value);
+        cveDB.saveProperty(key, value);
    }

    /**
@@ -142,8 +153,8 @@ public class DatabaseProperties {
     *
     * @return a map of the database meta data
     */
-    public Map getMetaData() {
-        final TreeMap map = new TreeMap();
+    public Map<String, String> getMetaData() {
+        final Map<String, String> map = new TreeMap<String, String>();
        for (Entry<Object, Object> entry : properties.entrySet()) {
            final String key = (String) entry.getKey();
            if (!"version".equals(key)) {
@@ -156,10 +167,10 @@ public class DatabaseProperties {
                        map.put(key, formatted);
                    } catch (Throwable ex) { //deliberately being broad in this catch clause
                        LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
-                        map.put(key, entry.getValue());
+                        map.put(key, (String) entry.getValue());
                    }
                } else {
-                    map.put(key, entry.getValue());
+                    map.put(key, (String) entry.getValue());
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
@@ -27,6 +27,7 @@ import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;

@@ -75,7 +76,7 @@ public final class DriverLoader {
     */
    public static Driver load(String className, String pathToDriver) throws DriverLoadException {
        final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
-        final ArrayList<URL> urls = new ArrayList<URL>();
+        final List<URL> urls = new ArrayList<URL>();
        final String[] paths = pathToDriver.split(File.pathSeparator);
        for (String path : paths) {
            final File file = new File(path);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
@@ -0,0 +1,214 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.data.update;
+
+import java.io.IOException;
+import java.net.HttpURLConnection;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.Date;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.apache.commons.io.IOUtils;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.utils.DateUtil;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.URLConnectionFactory;
+import org.owasp.dependencycheck.utils.URLConnectionFailureException;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public class EngineVersionCheck implements CachedWebDataSource {
+
+    /**
+     * Static logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(EngineVersionCheck.class.getName());
+    /**
+     * The property key indicating when the last version check occurred.
+     */
+    public static final String ENGINE_VERSION_CHECKED_ON = "VersionCheckOn";
+    /**
+     * The property key indicating when the last version check occurred.
+     */
+    public static final String CURRENT_ENGINE_RELEASE = "CurrentEngineRelease";
+    /**
+     * Reference to the Cve Database.
+     */
+    private CveDB cveDB = null;
+
+    /**
+     * The version retrieved from the database properties or web to check against.
+     */
+    private String updateToVersion;
+
+    /**
+     * Getter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     *
+     * @return the version to test
+     */
+    protected String getUpdateToVersion() {
+        return updateToVersion;
+    }
+
+    /**
+     * Setter for updateToVersion - only used for testing. Represents the version retrieved from the database.
+     *
+     * @param version the version to test
+     */
+    protected void setUpdateToVersion(String version) {
+        updateToVersion = version;
+    }
+
+    @Override
+    public void update() throws UpdateException {
+        try {
+            openDatabase();
+            LOGGER.fine("Begin Engine Version Check");
+            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+            final long now = (new Date()).getTime();
+            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+            LOGGER.fine("Last checked: " + lastChecked);
+            LOGGER.fine("Now: " + now);
+            LOGGER.fine("Current version: " + currentVersion);
+            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+            if (updateNeeded) {
+                final String msg = String.format("A new version of dependency-check is available. Consider updating to version %s.",
+                        updateToVersion);
+                LOGGER.warning(msg);
+            }
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.FINE, "Database Exception opening databases to retrieve properties", ex);
+            throw new UpdateException("Error occured updating database properties.");
+        } finally {
+            closeDatabase();
+        }
+    }
+
+    /**
+     * Determines if a new version of the dependency-check engine has been released.
+     *
+     * @param lastChecked the epoch time of the last version check
+     * @param now the current epoch time
+     * @param properties the database properties object
+     * @param currentVersion the current version of dependency-check
+     * @return <code>true</code> if a newer version of the database has been released; otherwise <code>false</code>
+     * @throws UpdateException thrown if there is an error connecting to the github documentation site or accessing the
+     * local database.
+     */
+    protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
+            String currentVersion) throws UpdateException {
+        //check every 30 days if we know there is an update, otherwise check every 7 days
+        int checkRange = 30;
+        if (updateToVersion.isEmpty()) {
+            checkRange = 7;
+        }
+        if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
+            LOGGER.fine("Checking web for new version.");
+            final String currentRelease = getCurrentReleaseVersion();
+            if (currentRelease != null) {
+                final DependencyVersion v = new DependencyVersion(currentRelease);
+                if (v.getVersionParts() != null && v.getVersionParts().size() >= 3) {
+                    updateToVersion = v.toString();
+                    if (!currentRelease.equals(updateToVersion)) {
+                        properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
+                    } else {
+                        properties.save(CURRENT_ENGINE_RELEASE, "");
+                    }
+                    properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
+                }
+            }
+            LOGGER.log(Level.FINE, "Current Release: {0}", updateToVersion);
+        }
+        final DependencyVersion running = new DependencyVersion(currentVersion);
+        final DependencyVersion released = new DependencyVersion(updateToVersion);
+        if (running.compareTo(released) < 0) {
+            LOGGER.fine("Upgrade recommended");
+            return true;
+        }
+        LOGGER.fine("Upgrade not needed");
+        return false;
+    }
+
+    /**
+     * Opens the CVE and CPE data stores.
+     *
+     * @throws DatabaseException thrown if a data store cannot be opened
+     */
+    protected final void openDatabase() throws DatabaseException {
+        if (cveDB != null) {
+            return;
+        }
+        cveDB = new CveDB();
+        cveDB.open();
+    }
+
+    /**
+     * Closes the CVE and CPE data stores.
+     */
+    protected void closeDatabase() {
+        if (cveDB != null) {
+            try {
+                cveDB.close();
+            } catch (Throwable ignore) {
+                LOGGER.log(Level.FINEST, "Error closing the cveDB", ignore);
+            }
+        }
+    }
+
+    /**
+     * Retrieves the current released version number from the github documentation site.
+     *
+     * @return the current released version number
+     */
+    protected String getCurrentReleaseVersion() {
+        HttpURLConnection conn = null;
+        try {
+            final String str = Settings.getString(Settings.KEYS.ENGINE_VERSION_CHECK_URL, "http://jeremylong.github.io/DependencyCheck/current.txt");
+            final URL url = new URL(str);
+            conn = URLConnectionFactory.createHttpURLConnection(url);
+            conn.connect();
+            if (conn.getResponseCode() != 200) {
+                return null;
+            }
+            final String releaseVersion = IOUtils.toString(conn.getInputStream(), "UTF-8");
+            if (releaseVersion != null) {
+                return releaseVersion.trim();
+            }
+        } catch (MalformedURLException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } catch (URLConnectionFailureException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, "unable to retrieve current release version of dependency-check", ex);
+        } finally {
+            if (conn != null) {
+                conn.disconnect();
+            }
+        }
+        return null;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -22,6 +22,7 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Settings;

 /**
 * Class responsible for updating the NVD CVE and CPE data stores.
@@ -54,7 +55,11 @@ public class NvdCveUpdater implements CachedWebDataSource {
            LOGGER.log(Level.FINE, null, ex);
        } catch (DownloadFailedException ex) {
            LOGGER.log(Level.WARNING,
-                    "Unable to download the NVD CVE data, unable to update the data to use the most current data.");
+                    "Unable to download the NVD CVE data; the results may not include the most recent CPE/CVEs from the NVD.");
+            if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
+                LOGGER.log(Level.INFO,
+                        "If you are behind a proxy you may need to configure dependency-check to use the proxy.");
+            }
            LOGGER.log(Level.FINE, null, ex);
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java
@@ -34,8 +34,9 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
-import org.owasp.dependencycheck.data.update.task.CallableDownloadTask;
+import org.owasp.dependencycheck.data.update.task.DownloadTask;
 import org.owasp.dependencycheck.data.update.task.ProcessTask;
+import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
@@ -122,7 +123,7 @@ public class StandardUpdate {
            final Set<Future<Future<ProcessTask>>> downloadFutures = new HashSet<Future<Future<ProcessTask>>>(maxUpdates);
            for (NvdCveInfo cve : updateable) {
                if (cve.getNeedsUpdate()) {
-                    final CallableDownloadTask call = new CallableDownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
+                    final DownloadTask call = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());
                    downloadFutures.add(downloadExecutors.submit(call));
                }
            }
@@ -220,7 +221,7 @@ public class StandardUpdate {
                final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 7);
                if (lastUpdated == updates.getTimeStamp(MODIFIED)) {
                    updates.clear(); //we don't need to update anything.
-                } else if (withinRange(lastUpdated, now.getTime(), days)) {
+                } else if (DateUtil.withinDateRange(lastUpdated, now.getTime(), days)) {
                    for (NvdCveInfo entry : updates) {
                        if (MODIFIED.equals(entry.getId())) {
                            entry.setNeedsUpdate(true);
@@ -317,19 +318,4 @@ public class StandardUpdate {
            throw new UpdateException("Error updating the CPE/CVE data, please see the log file for more details.");
        }
    }
-
-    /**
-     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
-     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
-     * is considered valid.
-     *
-     * @param date the date to be checked.
-     * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
-     * @return whether or not the date is within the range.
-     */
-    protected boolean withinRange(long date, long compareTo, int range) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
-        return differenceInDays < range;
-    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/CallableDownloadTask.java
@@ -18,6 +18,9 @@
 package org.owasp.dependencycheck.data.update.task;

 import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URL;
 import java.util.concurrent.Callable;
@@ -25,6 +28,8 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import java.util.zip.GZIPInputStream;
+import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
@@ -37,12 +42,12 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
+public class DownloadTask implements Callable<Future<ProcessTask>> {

    /**
     * The Logger.
     */
-    private static final Logger LOGGER = Logger.getLogger(CallableDownloadTask.class.getName());
+    private static final Logger LOGGER = Logger.getLogger(DownloadTask.class.getName());

    /**
     * Simple constructor for the callable download task.
@@ -54,7 +59,7 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
     * the dependencies have a correct reference to the global settings.
     * @throws UpdateException thrown if temporary files could not be created
     */
-    public CallableDownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
+    public DownloadTask(NvdCveInfo nvdCveInfo, ExecutorService processor, CveDB cveDB, Settings settings) throws UpdateException {
        this.nvdCveInfo = nvdCveInfo;
        this.processorService = processor;
        this.cveDB = cveDB;
@@ -188,13 +193,25 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
            } catch (DownloadFailedException ex) {
                msg = String.format("Download Failed for NVD CVE - %s%nSome CVEs may not be reported.", nvdCveInfo.getId());
                LOGGER.log(Level.WARNING, msg);
+                if (Settings.getString(Settings.KEYS.PROXY_SERVER) == null) {
+                    LOGGER.log(Level.INFO,
+                            "If you are behind a proxy you may need to configure dependency-check to use the proxy.");
+                }
                LOGGER.log(Level.FINE, null, ex);
                return null;
            }
+            if (url1.toExternalForm().endsWith(".xml.gz")) {
+                extractGzip(first);
+            }
+            if (url2.toExternalForm().endsWith(".xml.gz")) {
+                extractGzip(second);
+            }

            msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
            LOGGER.log(Level.INFO, msg);
-
+            if (this.processorService == null) {
+                return null;
+            }
            final ProcessTask task = new ProcessTask(cveDB, this, settings);
            return this.processorService.submit(task);

@@ -233,4 +250,56 @@ public class CallableDownloadTask implements Callable<Future<ProcessTask>> {
            }
        }
    }
+
+    /**
+     * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
+     * specified.
+     *
+     * @param file the archive file
+     * @throws FileNotFoundException thrown if the file does not exist
+     * @throws IOException thrown if there is an error extracting the file.
+     */
+    private void extractGzip(File file) throws FileNotFoundException, IOException {
+        final String originalPath = file.getPath();
+        final File gzip = new File(originalPath + ".gz");
+        if (gzip.isFile() && !gzip.delete()) {
+            gzip.deleteOnExit();
+        }
+        if (!file.renameTo(gzip)) {
+            throw new IOException("Unable to rename '" + file.getPath() + "'");
+        }
+        final File newfile = new File(originalPath);
+
+        final byte[] buffer = new byte[4096];
+
+        GZIPInputStream cin = null;
+        FileOutputStream out = null;
+        try {
+            cin = new GZIPInputStream(new FileInputStream(gzip));
+            out = new FileOutputStream(newfile);
+
+            int len;
+            while ((len = cin.read(buffer)) > 0) {
+                out.write(buffer, 0, len);
+            }
+        } finally {
+            if (cin != null) {
+                try {
+                    cin.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+            if (out != null) {
+                try {
+                    out.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+            if (gzip.isFile()) {
+                FileUtils.deleteQuietly(gzip);
+            }
+        }
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java
@@ -79,7 +79,7 @@ public class ProcessTask implements Callable<ProcessTask> {
    /**
     * A reference to the callable download task.
     */
-    private final CallableDownloadTask filePair;
+    private final DownloadTask filePair;
    /**
     * A reference to the properties.
     */
@@ -97,7 +97,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     * @param settings a reference to the global settings object; this is necessary so that when the thread is started
     * the dependencies have a correct reference to the global settings.
     */
-    public ProcessTask(final CveDB cveDB, final CallableDownloadTask filePair, Settings settings) {
+    public ProcessTask(final CveDB cveDB, final DownloadTask filePair, Settings settings) {
        this.cveDB = cveDB;
        this.filePair = filePair;
        this.properties = cveDB.getDatabaseProperties();
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -19,23 +19,28 @@ package org.owasp.dependencycheck.dependency;

 import java.io.File;
 import java.io.IOException;
+import java.io.Serializable;
 import java.security.NoSuchAlgorithmException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
 import java.util.Set;
 import java.util.SortedSet;
 import java.util.TreeSet;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileUtils;

 /**
- * A program dependency. This object is one of the core components within DependencyCheck. It is used to collect
- * information about the dependency in the form of evidence. The Evidence is then used to determine if there are any
- * known, published, vulnerabilities associated with the program dependency.
+ * A program dependency. This object is one of the core components within DependencyCheck. It is used to collect information about
+ * the dependency in the form of evidence. The Evidence is then used to determine if there are any known, published,
+ * vulnerabilities associated with the program dependency.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Dependency implements Comparable<Dependency> {
+public class Dependency implements Serializable, Comparable<Dependency> {

    /**
     * The logger.
@@ -119,8 +124,8 @@ public class Dependency implements Comparable<Dependency> {
    }

    /**
-     * Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack
-     * as I could not get the replace to work in the template itself.
+     * Returns the file name of the dependency with the backslash escaped for use in JavaScript. This is a complete hack as I
+     * could not get the replace to work in the template itself.
     *
     * @return the file name of the dependency with the backslash escaped for use in JavaScript
     */
@@ -192,8 +197,7 @@ public class Dependency implements Comparable<Dependency> {
    }

    /**
-     * Returns the file name to display in reports; if no display file name has been set it will default to the actual
-     * file name.
+     * Returns the file name to display in reports; if no display file name has been set it will default to the actual file name.
     *
     * @return the file name to display
     */
@@ -208,8 +212,8 @@ public class Dependency implements Comparable<Dependency> {
     * <p>
     * Gets the file path of the dependency.</p>
     * <p>
-     * <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be
-     * obtained via the getActualFilePath().</p>
+     * <b>NOTE:</b> This may not be the actual path of the file on disk. The actual path of the file on disk can be obtained via
+     * the getActualFilePath().</p>
     *
     * @return the file path of the dependency
     */
@@ -315,6 +319,43 @@ public class Dependency implements Comparable<Dependency> {
        this.identifiers.add(i);
    }

+    /**
+     * Adds the maven artifact as evidence.
+     *
+     * @param source The source of the evidence
+     * @param mavenArtifact The maven artifact
+     * @param confidence The confidence level of this evidence
+     */
+    public void addAsEvidence(String source, MavenArtifact mavenArtifact, Confidence confidence) {
+        if (mavenArtifact.getGroupId() != null && !mavenArtifact.getGroupId().isEmpty()) {
+            this.getVendorEvidence().addEvidence(source, "groupid", mavenArtifact.getGroupId(), confidence);
+        }
+        if (mavenArtifact.getArtifactId() != null && !mavenArtifact.getArtifactId().isEmpty()) {
+            this.getProductEvidence().addEvidence(source, "artifactid", mavenArtifact.getArtifactId(), confidence);
+        }
+        if (mavenArtifact.getVersion() != null && !mavenArtifact.getVersion().isEmpty()) {
+            this.getVersionEvidence().addEvidence(source, "version", mavenArtifact.getVersion(), confidence);
+        }
+        if (mavenArtifact.getArtifactUrl() != null && !mavenArtifact.getArtifactUrl().isEmpty()) {
+            boolean found = false;
+            for (Identifier i : this.getIdentifiers()) {
+                if ("maven".equals(i.getType()) && i.getValue().equals(mavenArtifact.toString())) {
+                    found = true;
+                    i.setConfidence(Confidence.HIGHEST);
+                    final String url = "http://search.maven.org/#search|ga|1|1%3A%22" + this.getSha1sum() + "%22";
+                    i.setUrl(url);
+                    //i.setUrl(mavenArtifact.getArtifactUrl());
+                    LOGGER.fine(String.format("Already found identifier %s. Confidence set to highest", i.getValue()));
+                    break;
+                }
+            }
+            if (!found) {
+                LOGGER.fine(String.format("Adding new maven identifier %s", mavenArtifact.toString()));
+                this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
+            }
+        }
+    }
+
    /**
     * Adds an entry to the list of detected Identifiers for the dependency file.
     *
@@ -323,6 +364,7 @@ public class Dependency implements Comparable<Dependency> {
    public void addIdentifier(Identifier identifier) {
        this.identifiers.add(identifier);
    }
+
    /**
     * A set of identifiers that have been suppressed.
     */
@@ -440,6 +482,7 @@ public class Dependency implements Comparable<Dependency> {
    public EvidenceCollection getVersionEvidence() {
        return this.versionEvidence;
    }
+
    /**
     * The description of the JAR file.
     */
@@ -462,6 +505,7 @@ public class Dependency implements Comparable<Dependency> {
    public void setDescription(String description) {
        this.description = description;
    }
+
    /**
     * The license that this dependency uses.
     */
@@ -484,6 +528,7 @@ public class Dependency implements Comparable<Dependency> {
    public void setLicense(String license) {
        this.license = license;
    }
+
    /**
     * A list of vulnerabilities for this dependency.
     */
@@ -539,6 +584,7 @@ public class Dependency implements Comparable<Dependency> {
    public void addVulnerability(Vulnerability vulnerability) {
        this.vulnerabilities.add(vulnerability);
    }
+
    /**
     * A collection of related dependencies.
     */
@@ -553,6 +599,47 @@ public class Dependency implements Comparable<Dependency> {
        return relatedDependencies;
    }

+    /**
+     * A list of projects that reference this dependency.
+     */
+    private Set<String> projectReferences = new HashSet<String>();
+
+    /**
+     * Get the value of projectReferences.
+     *
+     * @return the value of projectReferences
+     */
+    public Set<String> getProjectReferences() {
+        return projectReferences;
+    }
+
+    /**
+     * Set the value of projectReferences.
+     *
+     * @param projectReferences new value of projectReferences
+     */
+    public void setProjectReferences(Set<String> projectReferences) {
+        this.projectReferences = projectReferences;
+    }
+
+    /**
+     * Adds a project reference.
+     *
+     * @param projectReference a project reference
+     */
+    public void addProjectReference(String projectReference) {
+        this.projectReferences.add(projectReference);
+    }
+
+    /**
+     * Add a collection of project reference.
+     *
+     * @param projectReferences a set of project references
+     */
+    public void addAllProjectReferences(Set<String> projectReferences) {
+        this.projectReferences.addAll(projectReferences);
+    }
+
    /**
     * Set the value of relatedDependencies.
     *
@@ -568,7 +655,46 @@ public class Dependency implements Comparable<Dependency> {
     * @param dependency a reference to the related dependency
     */
    public void addRelatedDependency(Dependency dependency) {
-        relatedDependencies.add(dependency);
+        if (this == dependency) {
+            LOGGER.warning("Attempted to add a circular reference - please post the log file to issue #172 here "
+                    + "https://github.com/jeremylong/DependencyCheck/issues/172 ");
+            LOGGER.log(Level.FINE, "this: {0}", this.toString());
+            LOGGER.log(Level.FINE, "dependency: {0}", dependency.toString());
+        } else {
+            relatedDependencies.add(dependency);
+        }
+    }
+
+    /**
+     * A list of available versions.
+     */
+    private List<String> availableVersions = new ArrayList<String>();
+
+    /**
+     * Get the value of availableVersions.
+     *
+     * @return the value of availableVersions
+     */
+    public List<String> getAvailableVersions() {
+        return availableVersions;
+    }
+
+    /**
+     * Set the value of availableVersions.
+     *
+     * @param availableVersions new value of availableVersions
+     */
+    public void setAvailableVersions(List<String> availableVersions) {
+        this.availableVersions = availableVersions;
+    }
+
+    /**
+     * Adds a version to the available version list.
+     *
+     * @param version the version to add to the list
+     */
+    public void addAvailableVersion(String version) {
+        this.availableVersions.add(version);
    }

    /**
@@ -578,7 +704,7 @@ public class Dependency implements Comparable<Dependency> {
     * @return an integer representing the natural ordering
     */
    public int compareTo(Dependency o) {
-        return this.getFileName().compareToIgnoreCase(o.getFileName());
+        return this.getFilePath().compareToIgnoreCase(o.getFilePath());
    }

    /**
@@ -639,6 +765,15 @@ public class Dependency implements Comparable<Dependency> {
                && (this.relatedDependencies == null || !this.relatedDependencies.equals(other.relatedDependencies))) {
            return false;
        }
+        if (this.projectReferences != other.projectReferences
+                && (this.projectReferences == null || !this.projectReferences.equals(other.projectReferences))) {
+            return false;
+        }
+        if (this.availableVersions != other.availableVersions
+                && (this.availableVersions == null || !this.availableVersions.equals(other.availableVersions))) {
+            return false;
+        }
+
        return true;
    }

@@ -664,6 +799,8 @@ public class Dependency implements Comparable<Dependency> {
        hash = 47 * hash + (this.license != null ? this.license.hashCode() : 0);
        hash = 47 * hash + (this.vulnerabilities != null ? this.vulnerabilities.hashCode() : 0);
        hash = 47 * hash + (this.relatedDependencies != null ? this.relatedDependencies.hashCode() : 0);
+        hash = 47 * hash + (this.projectReferences != null ? this.projectReferences.hashCode() : 0);
+        hash = 47 * hash + (this.availableVersions != null ? this.availableVersions.hashCode() : 0);
        return hash;
    }

--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Evidence.java
@@ -17,12 +17,14 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
+
 /**
 * Evidence is a piece of information about a Dependency.
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Evidence implements Comparable<Evidence> {
+public class Evidence implements Serializable, Comparable<Evidence> {

    /**
     * Creates a new Evidence object.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
 import java.net.MalformedURLException;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -36,7 +37,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class EvidenceCollection implements Iterable<Evidence> {
+public class EvidenceCollection implements Serializable, Iterable<Evidence> {

    /**
     * The logger.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Identifier.java
@@ -17,11 +17,22 @@
 */
 package org.owasp.dependencycheck.dependency;

+import java.io.Serializable;
+
 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
-public class Identifier implements Comparable<Identifier> {
+public class Identifier implements Serializable, Comparable<Identifier> {
+
+    /**
+     * Default constructor. Should only be used for automatic class
+     * creation as is the case with many XML parsers (for the parsing
+     * of the Dependency-Check XML report). For all other use-cases,
+     * please use the non-default constructors.
+     */
+    public Identifier() {
+    }

    /**
     * Constructs a new Identifier with the specified data.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java
@@ -48,7 +48,7 @@ public class ScanAgentException extends IOException {
    }

    /**
-     * Creates a new NoDataException.
+     * Creates a new ScanAgentException.
     *
     * @param ex the cause of the exception.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/PomUtils.java
@@ -0,0 +1,226 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.jaxb.pom;
+
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.IOException;
+import java.io.InputStreamReader;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import javax.xml.bind.JAXBContext;
+import javax.xml.bind.JAXBElement;
+import javax.xml.bind.JAXBException;
+import javax.xml.bind.Unmarshaller;
+import javax.xml.parsers.ParserConfigurationException;
+import javax.xml.parsers.SAXParser;
+import javax.xml.parsers.SAXParserFactory;
+import javax.xml.transform.sax.SAXSource;
+
+import org.owasp.dependencycheck.analyzer.JarAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.jaxb.pom.generated.Model;
+import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
+import org.xml.sax.InputSource;
+import org.xml.sax.SAXException;
+import org.xml.sax.XMLFilter;
+import org.xml.sax.XMLReader;
+
+/**
+ *
+ * @author jeremy
+ */
+public class PomUtils {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(PomUtils.class.getName());
+
+    /**
+     * The unmarshaller used to parse the pom.xml from a JAR file.
+     */
+    private Unmarshaller pomUnmarshaller;
+
+    /**
+     * Constructs a new POM Utility.
+     */
+    public PomUtils() {
+        try {
+            //final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
+            final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
+            pomUnmarshaller = jaxbContext.createUnmarshaller();
+        } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
+            LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
+            LOGGER.log(Level.FINE, null, ex);
+        }
+    }
+
+    /**
+     * Reads in the specified POM and converts it to a Model.
+     *
+     * @param file the pom.xml file
+     * @return returns a
+     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
+     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
+     */
+    public Model readPom(File file) throws AnalysisException {
+        Model model = null;
+        try {
+            final FileInputStream stream = new FileInputStream(file);
+            final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
+            final InputSource xml = new InputSource(reader);
+            final SAXSource source = new SAXSource(xml);
+            model = readPom(source);
+        } catch (SecurityException ex) {
+            final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            throw new AnalysisException(ex);
+        } catch (IOException ex) {
+            final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            throw new AnalysisException(ex);
+        } catch (Throwable ex) {
+            final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
+            LOGGER.log(Level.WARNING, msg);
+            LOGGER.log(Level.FINE, "", ex);
+            throw new AnalysisException(ex);
+        }
+        return model;
+    }
+
+    /**
+     * Retrieves the specified POM from a jar file and converts it to a Model.
+     *
+     * @param source the SAXSource input stream to read the POM from
+     * @return returns the POM object
+     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
+     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
+     */
+    public Model readPom(SAXSource source) throws AnalysisException {
+        Model model = null;
+        try {
+            final XMLFilter filter = new MavenNamespaceFilter();
+            final SAXParserFactory spf = SAXParserFactory.newInstance();
+            final SAXParser sp = spf.newSAXParser();
+            final XMLReader xr = sp.getXMLReader();
+            filter.setParent(xr);
+            final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
+            model = el.getValue();
+        } catch (SecurityException ex) {
+            throw new AnalysisException(ex);
+        } catch (ParserConfigurationException ex) {
+            throw new AnalysisException(ex);
+        } catch (SAXException ex) {
+            throw new AnalysisException(ex);
+        } catch (JAXBException ex) {
+            throw new AnalysisException(ex);
+        } catch (Throwable ex) {
+            throw new AnalysisException(ex);
+        }
+        return model;
+    }
+
+  /**
+   * Reads in the pom file and adds elements as evidence to the given dependency.
+   *
+   * @param dependency the dependency being analyzed
+   * @param pomFile the pom file to read
+   * @throws AnalysisException is thrown if there is an exception parsing the pom
+   */
+  public void analyzePOM(Dependency dependency, File pomFile) throws AnalysisException {
+    final Model pom = this.readPom(pomFile);
+
+    String groupid = pom.getGroupId();
+    String parentGroupId = null;
+
+    if (pom.getParent() != null) {
+      parentGroupId = pom.getParent().getGroupId();
+      if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
+        groupid = parentGroupId;
+      }
+    }
+    if (groupid != null && !groupid.isEmpty()) {
+      dependency.getVendorEvidence().addEvidence("pom", "groupid", groupid, Confidence.HIGHEST);
+      dependency.getProductEvidence().addEvidence("pom", "groupid", groupid, Confidence.LOW);
+      if (parentGroupId != null && !parentGroupId.isEmpty() && !parentGroupId.equals(groupid)) {
+        dependency.getVendorEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.MEDIUM);
+        dependency.getProductEvidence().addEvidence("pom", "parent-groupid", parentGroupId, Confidence.LOW);
+      }
+    }
+    String artifactid = pom.getArtifactId();
+    String parentArtifactId = null;
+    if (pom.getParent() != null) {
+      parentArtifactId = pom.getParent().getArtifactId();
+      if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
+        artifactid = parentArtifactId;
+      }
+    }
+    if (artifactid != null && !artifactid.isEmpty()) {
+      if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
+        artifactid = artifactid.substring(4);
+      }
+      dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
+      dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
+      if (parentArtifactId != null && !parentArtifactId.isEmpty() && !parentArtifactId.equals(artifactid)) {
+        dependency.getProductEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.MEDIUM);
+        dependency.getVendorEvidence().addEvidence("pom", "parent-artifactid", parentArtifactId, Confidence.LOW);
+      }
+    }
+    //version
+    String version = pom.getVersion();
+    String parentVersion = null;
+    if (pom.getParent() != null) {
+      parentVersion = pom.getParent().getVersion();
+      if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
+        version = parentVersion;
+      }
+    }
+    if (version != null && !version.isEmpty()) {
+      dependency.getVersionEvidence().addEvidence("pom", "version", version, Confidence.HIGHEST);
+      if (parentVersion != null && !parentVersion.isEmpty() && !parentVersion.equals(version)) {
+        dependency.getVersionEvidence().addEvidence("pom", "parent-version", version, Confidence.LOW);
+      }
+    }
+
+    final Organization org = pom.getOrganization();
+    if (org != null) {
+      final String orgName = org.getName();
+      if (orgName != null && !orgName.isEmpty()) {
+        dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
+      }
+    }
+    final String pomName = pom.getName();
+    if (pomName != null && !pomName.isEmpty()) {
+      dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
+      dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
+    }
+
+    if (pom.getDescription() != null) {
+      final String description = pom.getDescription();
+      if (description != null && !description.isEmpty()) {
+        JarAnalyzer.addDescription(dependency, description, "pom", "description");
+      }
+    }
+    JarAnalyzer.extractLicense(pom, null, dependency);
+  }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/Model.java
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/ObjectFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/jaxb/pom/generated/ObjectFactory.java
@@ -31,7 +31,7 @@ import javax.xml.namespace.QName;
@XmlRegistry
 public class ObjectFactory {

-    private final static QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");
+    private static final QName _Project_QNAME = new QName("http://maven.apache.org/POM/4.0.0", "project");

    /**
     * Create a new ObjectFactory that can be used to create new instances of schema derived classes for package: org.owasp.dependencycheck.analyzer.pom.generated
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/ReportGenerator.java
@@ -113,7 +113,7 @@ public class ReportGenerator {
        context.put("scanDate", scanDate);
        context.put("scanDateXML", scanDateXML);
        context.put("enc", enc);
-        context.put("version", Settings.getString("application.version", "Unknown"));
+        context.put("version", Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
    }

    /**
@@ -137,6 +137,26 @@ public class ReportGenerator {
        return new VelocityContext();
    }

+    /**
+     * Generates the Dependency Reports for the identified dependencies.
+     *
+     * @param outputStream the OutputStream to send the generated report to
+     * @param format the format the report should be written in
+     * @throws IOException is thrown when the template file does not exist
+     * @throws Exception is thrown if there is an error writing out the reports.
+     */
+    public void generateReports(OutputStream outputStream, Format format) throws IOException, Exception {
+        if (format == Format.XML || format == Format.ALL) {
+            generateReport("XmlReport", outputStream);
+        }
+        if (format == Format.HTML || format == Format.ALL) {
+            generateReport("HtmlReport", outputStream);
+        }
+        if (format == Format.VULN || format == Format.ALL) {
+            generateReport("VulnerabilityReport", outputStream);
+        }
+    }
+
    /**
     * Generates the Dependency Reports for the identified dependencies.
     *
@@ -167,15 +187,28 @@ public class ReportGenerator {
     */
    public void generateReports(String outputDir, String outputFormat) throws IOException, Exception {
        final String format = outputFormat.toUpperCase();
+        final String pathToCheck = outputDir.toLowerCase();
        if (format.matches("^(XML|HTML|VULN|ALL)$")) {
            if ("XML".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.XML);
+                if (pathToCheck.endsWith(".xml")) {
+                    generateReport("XmlReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.XML);
+                }
            }
            if ("HTML".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.HTML);
+                if (pathToCheck.endsWith(".html") || pathToCheck.endsWith(".htm")) {
+                    generateReport("HtmlReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.HTML);
+                }
            }
            if ("VULN".equalsIgnoreCase(format)) {
-                generateReports(outputDir, Format.VULN);
+                if (pathToCheck.endsWith(".html") || pathToCheck.endsWith(".htm")) {
+                    generateReport("VulnReport", outputDir);
+                } else {
+                    generateReports(outputDir, Format.VULN);
+                }
            }
            if ("ALL".equalsIgnoreCase(format)) {
                generateReports(outputDir, Format.ALL);
@@ -189,11 +222,11 @@ public class ReportGenerator {
     * template file.
     *
     * @param templateName the name of the template to load.
-     * @param outFileName the filename and path to write the report to.
+     * @param outputStream the OutputStream to write the report to.
     * @throws IOException is thrown when the template file does not exist.
     * @throws Exception is thrown when an exception occurs.
     */
-    protected void generateReport(String templateName, String outFileName) throws IOException, Exception {
+    protected void generateReport(String templateName, OutputStream outputStream) throws IOException, Exception {
        InputStream input = null;
        String templatePath = null;
        final File f = new File(templateName);
@@ -216,18 +249,8 @@ public class ReportGenerator {

        final InputStreamReader reader = new InputStreamReader(input, "UTF-8");
        OutputStreamWriter writer = null;
-        OutputStream outputStream = null;

        try {
-            final File outDir = new File(outFileName).getParentFile();
-            if (!outDir.exists()) {
-                final boolean created = outDir.mkdirs();
-                if (!created) {
-                    throw new Exception("Unable to create directory '" + outDir.getAbsolutePath() + "'.");
-                }
-            }
-
-            outputStream = new FileOutputStream(outFileName);
            writer = new OutputStreamWriter(outputStream, "UTF-8");

            if (!engine.evaluate(context, writer, templatePath, reader)) {
@@ -256,4 +279,41 @@ public class ReportGenerator {
            }
        }
    }
+
+    /**
+     * Generates a report from a given Velocity Template. The template name provided can be the name of a template
+     * contained in the jar file, such as 'XmlReport' or 'HtmlReport', or the template name can be the path to a
+     * template file.
+     *
+     * @param templateName the name of the template to load.
+     * @param outFileName the filename and path to write the report to.
+     * @throws IOException is thrown when the template file does not exist.
+     * @throws Exception is thrown when an exception occurs.
+     */
+    protected void generateReport(String templateName, String outFileName) throws Exception {
+        File outFile = new File(outFileName);
+        if (outFile.getParentFile() == null) {
+            outFile = new File(".", outFileName);
+        }
+        if (!outFile.getParentFile().exists()) {
+            final boolean created = outFile.getParentFile().mkdirs();
+            if (!created) {
+                throw new Exception("Unable to create directory '" + outFile.getParentFile().getAbsolutePath() + "'.");
+            }
+        }
+
+        OutputStream outputSteam = null;
+        try {
+            outputSteam = new FileOutputStream(outFile);
+            generateReport(templateName, outputSteam);
+        } finally {
+            if (outputSteam != null) {
+                try {
+                    outputSteam.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINEST, "ignore", ex);
+                }
+            }
+        }
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -54,6 +54,10 @@ public class SuppressionHandler extends DefaultHandler {
     * The CWE element name.
     */
    public static final String CWE = "cwe";
+    /**
+     * The GAV element name.
+     */
+    public static final String GAV = "gav";
    /**
     * The cvssBelow element name.
     */
@@ -95,13 +99,16 @@ public class SuppressionHandler extends DefaultHandler {
     */
    @Override
    public void startElement(String uri, String localName, String qName, Attributes attributes) throws SAXException {
-        currentAttributes = null;
+        currentAttributes = attributes;
        currentText = new StringBuffer();
-
        if (SUPPRESS.equals(qName)) {
            rule = new SuppressionRule();
-        } else if (FILE_PATH.equals(qName)) {
-            currentAttributes = attributes;
+            final String base = currentAttributes.getValue("base");
+            if (base != null) {
+                rule.setBase(Boolean.parseBoolean(base));
+            } else {
+                rule.setBase(false);
+            }
        }
    }

@@ -123,6 +130,9 @@ public class SuppressionHandler extends DefaultHandler {
            rule.setFilePath(pt);
        } else if (SHA1.equals(qName)) {
            rule.setSha1(currentText.toString());
+        } else if (GAV.equals(qName)) {
+            final PropertyType pt = processPropertyType();
+            rule.setGav(pt);
        } else if (CPE.equals(qName)) {
            final PropertyType pt = processPropertyType();
            rule.addCpe(pt);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParseException.java
@@ -26,11 +26,6 @@ import java.io.IOException;
 */
 public class SuppressionParseException extends IOException {

-    /**
-     * The serial version UID.
-     */
-    private static final long serialVersionUID = 1L;
-
    /**
     * Creates a new SuppressionParseException.
     */
@@ -50,7 +45,7 @@ public class SuppressionParseException extends IOException {
    /**
     * Creates a new SuppressionParseException.
     *
-     * @param ex the cause of the download failure.
+     * @param ex the cause of the parse exception
     */
    public SuppressionParseException(Throwable ex) {
        super(ex);
@@ -60,7 +55,7 @@ public class SuppressionParseException extends IOException {
     * Creates a new SuppressionParseException.
     *
     * @param msg a message for the exception.
-     * @param ex the cause of the download failure.
+     * @param ex the cause of the parse exception
     */
    public SuppressionParseException(String msg, Throwable ex) {
        super(msg, ex);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionParser.java
@@ -66,10 +66,35 @@ public class SuppressionParser {
     * @throws SuppressionParseException thrown if the xml file cannot be parsed
     */
    public List<SuppressionRule> parseSuppressionRules(File file) throws SuppressionParseException {
+        FileInputStream fis = null;
+        try {
+            fis = new FileInputStream(file);
+            return parseSuppressionRules(fis);
+        } catch (IOException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new SuppressionParseException(ex);
+        } finally {
+            if (fis != null) {
+                try {
+                    fis.close();
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINE, "Unable to close stream", ex);
+                }
+            }
+        }
+    }
+
+    /**
+     * Parses the given xml stream and returns a list of the suppression rules contained.
+     *
+     * @param inputStream an InputStream containing suppression rues
+     * @return a list of suppression rules
+     * @throws SuppressionParseException if the xml cannot be parsed
+     */
+    public List<SuppressionRule> parseSuppressionRules(InputStream inputStream) throws SuppressionParseException {
        try {
            final InputStream schemaStream = this.getClass().getClassLoader().getResourceAsStream("schema/suppression.xsd");
            final SuppressionHandler handler = new SuppressionHandler();
-
            final SAXParserFactory factory = SAXParserFactory.newInstance();
            factory.setNamespaceAware(true);
            factory.setValidating(true);
@@ -80,7 +105,6 @@ public class SuppressionParser {
            xmlReader.setErrorHandler(new SuppressionErrorHandler());
            xmlReader.setContentHandler(handler);

-            final InputStream inputStream = new FileInputStream(file);
            final Reader reader = new InputStreamReader(inputStream, "UTF-8");
            final InputSource in = new InputSource(reader);
            //in.setEncoding("UTF-8");
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
@@ -112,7 +112,7 @@ public class SuppressionRule {
     * @return whether or not this suppression rule as CPE entries
     */
    public boolean hasCpe() {
-        return cpe.size() > 0;
+        return !cpe.isEmpty();
    }
    /**
     * The list of cvssBelow scores.
@@ -152,7 +152,7 @@ public class SuppressionRule {
     * @return whether or not this suppression rule has cvss suppressions
     */
    public boolean hasCvssBelow() {
-        return cvssBelow.size() > 0;
+        return !cvssBelow.isEmpty();
    }
    /**
     * The list of cwe entries to suppress.
@@ -192,7 +192,7 @@ public class SuppressionRule {
     * @return whether this suppression rule has CWE entries
     */
    public boolean hasCwe() {
-        return cwe.size() > 0;
+        return !cwe.isEmpty();
    }
    /**
     * The list of cve entries to suppress.
@@ -232,7 +232,62 @@ public class SuppressionRule {
     * @return whether this suppression rule has CVE entries
     */
    public boolean hasCve() {
-        return cve.size() > 0;
+        return !cve.isEmpty();
+    }
+    /**
+     * A Maven GAV to suppression.
+     */
+    private PropertyType gav = null;
+
+    /**
+     * Get the value of Maven GAV.
+     *
+     * @return the value of gav
+     */
+    public PropertyType getGav() {
+        return gav;
+    }
+
+    /**
+     * Set the value of Maven GAV.
+     *
+     * @param gav new value of Maven gav
+     */
+    public void setGav(PropertyType gav) {
+        this.gav = gav;
+    }
+
+    /**
+     * Returns whether or not this suppression rule as GAV entries.
+     *
+     * @return whether or not this suppression rule as GAV entries
+     */
+    public boolean hasGav() {
+        return gav != null;
+    }
+
+    /**
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * resulting report in the "suppressed" section.
+     */
+    private boolean base;
+
+    /**
+     * Get the value of base.
+     *
+     * @return the value of base
+     */
+    public boolean isBase() {
+        return base;
+    }
+
+    /**
+     * Set the value of base.
+     *
+     * @param base new value of base
+     */
+    public void setBase(boolean base) {
+        this.base = base;
    }

    /**
@@ -248,13 +303,30 @@ public class SuppressionRule {
        if (sha1 != null && !sha1.equalsIgnoreCase(dependency.getSha1sum())) {
            return;
        }
+        if (gav != null) {
+            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
+            boolean gavFound = false;
+            while (itr.hasNext()) {
+                final Identifier i = itr.next();
+                if (identifierMatches("maven", this.gav, i)) {
+                    gavFound = true;
+                    break;
+                }
+            }
+            if (!gavFound) {
+                return;
+            }
+        }
+
        if (this.hasCpe()) {
            final Iterator<Identifier> itr = dependency.getIdentifiers().iterator();
            while (itr.hasNext()) {
                final Identifier i = itr.next();
                for (PropertyType c : this.cpe) {
-                    if (cpeMatches(c, i)) {
-                        dependency.addSuppressedIdentifier(i);
+                    if (identifierMatches("cpe", c, i)) {
+                        if (!isBase()) {
+                            dependency.addSuppressedIdentifier(i);
+                        }
                        itr.remove();
                        break;
                    }
@@ -293,7 +365,9 @@ public class SuppressionRule {
                    }
                }
                if (remove) {
-                    dependency.addSuppressedVulnerability(v);
+                    if (!isBase()) {
+                        dependency.addSuppressedVulnerability(v);
+                    }
                    itr.remove();
                }
            }
@@ -309,7 +383,7 @@ public class SuppressionRule {
    boolean cpeHasNoVersion(PropertyType c) {
        if (c.isRegex()) {
            return false;
-        } // cpe:/a:jboss:jboss:1.0.0:
+        }
        if (countCharacter(c.getValue(), ':') == 3) {
            return true;
        }
@@ -336,26 +410,75 @@ public class SuppressionRule {
    /**
     * Determines if the cpeEntry specified as a PropertyType matches the given Identifier.
     *
-     * @param cpeEntry a suppression rule entry
+     * @param identifierType the type of identifier ("cpe", "maven", etc.)
+     * @param suppressionEntry a suppression rule entry
     * @param identifier a CPE identifier to check
     * @return true if the entry matches; otherwise false
     */
-    boolean cpeMatches(PropertyType cpeEntry, Identifier identifier) {
-        if (cpeEntry.matches(identifier.getValue())) {
-            return true;
-        } else if (cpeHasNoVersion(cpeEntry)) {
-            if (cpeEntry.isCaseSensitive()) {
-                if (identifier.getValue().startsWith(cpeEntry.getValue())) {
-                    return true;
-                }
-            } else {
-                final String id = identifier.getValue().toLowerCase();
-                final String check = cpeEntry.getValue().toLowerCase();
-                if (id.startsWith(check)) {
-                    return true;
+    boolean identifierMatches(String identifierType, PropertyType suppressionEntry, Identifier identifier) {
+        if (identifierType.equals(identifier.getType())) {
+            if (suppressionEntry.matches(identifier.getValue())) {
+                return true;
+            } else if ("cpe".equals(identifierType) && cpeHasNoVersion(suppressionEntry)) {
+                if (suppressionEntry.isCaseSensitive()) {
+                    return identifier.getValue().startsWith(suppressionEntry.getValue());
+                } else {
+                    final String id = identifier.getValue().toLowerCase();
+                    final String check = suppressionEntry.getValue().toLowerCase();
+                    return id.startsWith(check);
                }
            }
        }
        return false;
    }
+
+    /**
+     * Standard toString implementation.
+     *
+     * @return a string representation of this object
+     */
+    @Override
+    public String toString() {
+        final StringBuilder sb = new StringBuilder();
+        sb.append("SuppressionRule{");
+        if (filePath != null) {
+            sb.append("filePath=").append(filePath).append(",");
+        }
+        if (sha1 != null) {
+            sb.append("sha1=").append(sha1).append(",");
+        }
+        if (gav != null) {
+            sb.append("gav=").append(gav).append(",");
+        }
+        if (cpe != null && !cpe.isEmpty()) {
+            sb.append("cpe={");
+            for (PropertyType pt : cpe) {
+                sb.append(pt).append(",");
+            }
+            sb.append("}");
+        }
+        if (cwe != null && !cwe.isEmpty()) {
+            sb.append("cwe={");
+            for (String s : cwe) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cve != null && !cve.isEmpty()) {
+            sb.append("cve={");
+            for (String s : cve) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        if (cvssBelow != null && !cvssBelow.isEmpty()) {
+            sb.append("cvssBelow={");
+            for (Float s : cvssBelow) {
+                sb.append(s).append(",");
+            }
+            sb.append("}");
+        }
+        sb.append("}");
+        return sb.toString();
+    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DBUtils.java
@@ -54,7 +54,9 @@ public final class DBUtils {
        int id = 0;
        try {
            rs = statement.getGeneratedKeys();
-            rs.next();
+            if (!rs.next()) {
+                throw new DatabaseException("Unable to get primary key for inserted row");
+            }
            id = rs.getInt(1);
        } catch (SQLException ex) {
            throw new DatabaseException("Unable to get primary key for inserted row");
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
@@ -0,0 +1,46 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class DateUtil {
+
+    /**
+     * Private constructor for utility class.
+     */
+    private DateUtil() {
+    }
+
+    /**
+     * Determines if the epoch date is within the range specified of the compareTo epoch time. This takes the
+     * (compareTo-date)/1000/60/60/24 to get the number of days. If the calculated days is less then the range the date
+     * is considered valid.
+     *
+     * @param date the date to be checked.
+     * @param compareTo the date to compare to.
+     * @param range the range in days to be considered valid.
+     * @return whether or not the date is within the range.
+     */
+    public static boolean withinDateRange(long date, long compareTo, int range) {
+        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+        return differenceInDays < range;
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -65,7 +65,7 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
    public final void parseVersion(String version) {
        versionParts = new ArrayList<String>();
        if (version != null) {
-            final Pattern rx = Pattern.compile("(\\d+|[a-z]+\\d+|(release|beta|alpha)$)");
+            final Pattern rx = Pattern.compile("(\\d+[a-z]{1,3}$|[a-z]+\\d+|\\d+|(release|beta|alpha)$)");
            final Matcher matcher = rx.matcher(version.toLowerCase());
            while (matcher.find()) {
                versionParts.add(matcher.group());
@@ -189,17 +189,23 @@ public class DependencyVersion implements Iterable, Comparable<DependencyVersion
        if (version == null) {
            return false;
        }
-
-        boolean ret = true;
-        int max = (this.versionParts.size() < version.versionParts.size())
-                ? this.versionParts.size() : version.versionParts.size();
-
-        if (max > 3) {
-            max = 3;
+        if (Math.abs(this.versionParts.size() - version.versionParts.size()) >= 3) {
+            return false;
        }

+        final int max = (this.versionParts.size() < version.versionParts.size())
+                ? this.versionParts.size() : version.versionParts.size();
+
+        boolean ret = true;
        for (int i = 0; i < max; i++) {
-            if (this.versionParts.get(i) == null || !this.versionParts.get(i).equals(version.versionParts.get(i))) {
+            final String thisVersion = this.versionParts.get(i);
+            final String otherVersion = version.getVersionParts().get(i);
+            if (i >= 3) {
+                if (thisVersion.compareToIgnoreCase(otherVersion) >= 0) {
+                    ret = false;
+                    break;
+                }
+            } else if (!thisVersion.equals(otherVersion)) {
                ret = false;
                break;
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java
@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.utils;

 import java.util.ArrayList;
+import java.util.List;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;

@@ -32,7 +33,7 @@ public final class DependencyVersionUtil {
    /**
     * Regular expression to extract version numbers from file names.
     */
-    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha)|[a-zA-Z_-]{1,3}\\d{1,8}))?");
+    private static final Pattern RX_VERSION = Pattern.compile("\\d+(\\.\\d{1,6})+(\\.?([_-](release|beta|alpha|\\d+)|[a-zA-Z_-]{1,3}\\d{0,8}))?");
    /**
     * Regular expression to extract a single version number without periods. This is a last ditch effort just to check
     * in case we are missing a version number using the previous regex.
@@ -62,7 +63,7 @@ public final class DependencyVersionUtil {
        //'-' is a special case used within the CVE entries, just include it as the version.
        if ("-".equals(text)) {
            final DependencyVersion dv = new DependencyVersion();
-            final ArrayList<String> list = new ArrayList<String>();
+            final List<String> list = new ArrayList<String>();
            list.add(text);
            dv.setVersionParts(list);
            return dv;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -0,0 +1,147 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.BufferedInputStream;
+import java.io.BufferedOutputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FileOutputStream;
+import java.io.IOException;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipInputStream;
+import org.owasp.dependencycheck.Engine;
+import static org.owasp.dependencycheck.utils.FileUtils.getFileExtension;
+
+/**
+ *
+ * @author Jeremy Long <jeremy.long@owasp.org>
+ */
+public final class ExtractionUtil {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger.getLogger(ExtractionUtil.class.getName());
+    /**
+     * The buffer size to use when extracting files from the archive.
+     */
+    private static final int BUFFER_SIZE = 4096;
+
+    /**
+     * Private constructor for a utility class.
+     */
+    private ExtractionUtil() {
+    }
+
+    /**
+     * Extracts the contents of an archive into the specified directory.
+     *
+     * @param archive an archive file such as a WAR or EAR
+     * @param extractTo a directory to extract the contents to
+     * @throws ExtractionException thrown if an exception occurs while extracting the files
+     */
+    public static void extractFiles(File archive, File extractTo) throws ExtractionException {
+        extractFiles(archive, extractTo, null);
+    }
+
+    /**
+     * Extracts the contents of an archive into the specified directory. The files are only extracted if they are
+     * supported by the analyzers loaded into the specified engine. If the engine is specified as null then all files
+     * are extracted.
+     *
+     * @param archive an archive file such as a WAR or EAR
+     * @param extractTo a directory to extract the contents to
+     * @param engine the scanning engine
+     * @throws ExtractionException thrown if there is an error extracting the files
+     */
+    public static void extractFiles(File archive, File extractTo, Engine engine) throws ExtractionException {
+        if (archive == null || extractTo == null) {
+            return;
+        }
+
+        FileInputStream fis = null;
+        ZipInputStream zis = null;
+
+        try {
+            fis = new FileInputStream(archive);
+        } catch (FileNotFoundException ex) {
+            LOGGER.log(Level.FINE, null, ex);
+            throw new ExtractionException("Archive file was not found.", ex);
+        }
+        zis = new ZipInputStream(new BufferedInputStream(fis));
+        ZipEntry entry;
+        try {
+            while ((entry = zis.getNextEntry()) != null) {
+                if (entry.isDirectory()) {
+                    final File d = new File(extractTo, entry.getName());
+                    if (!d.exists() && !d.mkdirs()) {
+                        final String msg = String.format("Unable to create '%s'.", d.getAbsolutePath());
+                        throw new ExtractionException(msg);
+                    }
+                } else {
+                    final File file = new File(extractTo, entry.getName());
+                    final String ext = getFileExtension(file.getName());
+                    if (engine == null || engine.supportsExtension(ext)) {
+                        BufferedOutputStream bos = null;
+                        FileOutputStream fos;
+                        try {
+                            fos = new FileOutputStream(file);
+                            bos = new BufferedOutputStream(fos, BUFFER_SIZE);
+                            int count;
+                            final byte[] data = new byte[BUFFER_SIZE];
+                            while ((count = zis.read(data, 0, BUFFER_SIZE)) != -1) {
+                                bos.write(data, 0, count);
+                            }
+                            bos.flush();
+                        } catch (FileNotFoundException ex) {
+                            LOGGER.log(Level.FINE, null, ex);
+                            final String msg = String.format("Unable to find file '%s'.", file.getName());
+                            throw new ExtractionException(msg, ex);
+                        } catch (IOException ex) {
+                            LOGGER.log(Level.FINE, null, ex);
+                            final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
+                            throw new ExtractionException(msg, ex);
+                        } finally {
+                            if (bos != null) {
+                                try {
+                                    bos.close();
+                                } catch (IOException ex) {
+                                    LOGGER.log(Level.FINEST, null, ex);
+                                }
+                            }
+                        }
+                    }
+                }
+            }
+        } catch (IOException ex) {
+            final String msg = String.format("Exception reading archive '%s'.", archive.getName());
+            LOGGER.log(Level.FINE, msg, ex);
+            throw new ExtractionException(msg, ex);
+        } finally {
+            try {
+                zis.close();
+            } catch (IOException ex) {
+                LOGGER.log(Level.FINEST, null, ex);
+            }
+        }
+    }
+}
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/UrlStringUtils.java
@@ -23,6 +23,7 @@ import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Set;
 import java.util.regex.Pattern;

 /**
@@ -68,7 +69,7 @@ public final class UrlStringUtils {
    /**
     * A listing of domain parts that should not be used as evidence. Yes, this is an incomplete list.
     */
-    private static final HashSet<String> IGNORE_LIST = new HashSet<String>(
+    private static final Set<String> IGNORE_LIST = new HashSet<String>(
            Arrays.asList("www", "com", "org", "gov", "info", "name", "net", "pro", "tel", "mobi", "xxx"));

    /**
@@ -86,7 +87,7 @@ public final class UrlStringUtils {
     * @throws MalformedURLException thrown if the URL is malformed
     */
    public static List<String> extractImportantUrlData(String text) throws MalformedURLException {
-        final ArrayList<String> importantParts = new ArrayList<String>();
+        final List<String> importantParts = new ArrayList<String>();
        final URL url = new URL(text);
        final String[] domain = url.getHost().split("\\.");
        //add the domain except www and the tld.
--- a/dependency-check-core/src/main/resources/GrokAssembly.exe
+++ b/dependency-check-core/src/main/resources/GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -8,6 +8,7 @@ org.owasp.dependencycheck.analyzer.CpeSuppressionAnalyzer
 org.owasp.dependencycheck.analyzer.DependencyBundlingAnalyzer
 org.owasp.dependencycheck.analyzer.NvdCveAnalyzer
 org.owasp.dependencycheck.analyzer.VulnerabilitySuppressionAnalyzer
+org.owasp.dependencycheck.analyzer.CentralAnalyzer
 org.owasp.dependencycheck.analyzer.NexusAnalyzer
 org.owasp.dependencycheck.analyzer.NuspecAnalyzer
 org.owasp.dependencycheck.analyzer.AssemblyAnalyzer
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.data.update.CachedWebDataSource
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.data.update.CachedWebDataSource
@@ -1 +1,2 @@
-org.owasp.dependencycheck.data.update.NvdCveUpdater
+org.owasp.dependencycheck.data.update.NvdCveUpdater
+org.owasp.dependencycheck.data.update.EngineVersionCheck
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -0,0 +1,87 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<suppressions xmlns="https://www.owasp.org/index.php/OWASP_Dependency_Check_Suppression">
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring security.
+        ]]></notes>
+        <gav regex="true">org\.springframework\.security:spring.*</gav>
+        <cpe>cpe:/a:mod_security:mod_security</cpe>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on spring security.
+        ]]></notes>
+        <filePath regex="true">.*spring-security-[^\\/]*\.jar$</filePath>
+        <cpe>cpe:/a:mod_security:mod_security</cpe>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+        <cpe>cpe:/a:vmware:springsource_spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppreses additional false positives for the xstream library that occur because spring has a copy of this library.
+            com.springsource.com.thoughtworks.xstream-1.3.1.jar
+        ]]></notes>
+        <gav regex="true">com\.thoughtworks\.xstream:xstream:.*</gav>
+        <cpe>cpe:/a:springsource:spring_framework</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on velocity tools.
+        ]]></notes>
+        <gav regex="true">org\.apache\.velocity:velocity-tools:.*</gav>
+        <cpe>cpe:/a:apache:struts</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Sandbox is a php blog platform and should not be flagged as a CPE for java or .net dependencies.
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|dll|exe|ear|war|pom)</filePath>
+        <cpe>cpe:/a:sandbox:sandbox</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on Jersey core client.
+        ]]></notes>
+        <gav regex="true">(com\.sun\.jersey|org\.glassfish\.jersey\.core):jersey-(client|common):.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+        <cpe>cpe:/a:oracle:oracle_client</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on the grizzly-framework
+        ]]></notes>
+        <gav regex="true">org\.glassfish\.grizzly:grizzly-framework:.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on the grizzly-framework
+        ]]></notes>
+        <gav regex="true">org\.forgerock\.opendj:opendj-ldap-sdk:.*</gav>
+        <cpe>cpe:/a:ldap_project:ldap</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on the org.opensaml:xmltooling
+        ]]></notes>
+        <gav regex="true">org\.opensaml:xmltooling:.*</gav>
+        <cpe>cpe:/a:shibboleth:opensaml</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on the org.opensaml:openws
+        ]]></notes>
+        <gav regex="true">org\.opensaml:openws:.*</gav>
+        <cpe>cpe:/a:internet2:opensaml</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Suppresses false positives on the org.opensaml:xmltooling
+        ]]></notes>
+        <gav regex="true">org\.opensaml:xmltooling:.*</gav>
+        <cpe>cpe:/a:internet2:opensaml</cpe>
+    </suppress>
+
+</suppressions>
--- a/dependency-check-core/src/main/resources/dependencycheck-resources.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck-resources.properties
@@ -4,7 +4,7 @@ analyzer.AssemblyAnalyzer.notassembly={0} is not a .NET assembly or executable a
 analyzer.AssemblyAnalyzer.grokassembly.rc=Return code {0} from GrokAssembly
 analyzer.AssemblyAnalyzer.grokassembly.deployed=Extracted GrokAssembly.exe to {0}
 analyzer.AssemblyAnalyzer.grokassembly.notdeployed=Could not extract GrokAssembly.exe: {0}
-analyzer.AssemblyAnalyzer.grokassembly.initlization.failed=An error occurred with the .NET AssemblyAnalyzer; \
+analyzer.AssemblyAnalyzer.grokassembly.initialization.failed=An error occurred with the .NET AssemblyAnalyzer; \
    this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.
 analyzer.AssemblyAnalyzer.grokassembly.initialization.message=Could not execute GrokAssembly {0}
 analyzer.AssemblyAnalyzer.grokassembly.notdeleted=Can't delete temporary GrokAssembly.exe
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -3,6 +3,9 @@ application.version=${pom.version}
 autoupdate=true
 max.download.threads=3

+# the url to obtain the current engine version from
+engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
+
 #temp.directory defaults to System.getProperty("java.io.tmpdir")
 #temp.directory=[path to temp directory]

@@ -13,8 +16,10 @@ max.download.threads=3
 # will not be used. The data.directory will be resolved and if the connection string
 # below contains a %s then the data.directory will replace the %s.
 data.directory=[JAR]/data
+#if the filename has a %s it will be replaced with the current expected version
+data.file_name=cve.%s.h2.db
+data.version=2.9
 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
-#data.connection_string=jdbc:h2:file:%s;AUTO_SERVER=TRUE;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck

 # user name and password for the database connection. The inherent case is to use H2.
@@ -38,11 +43,16 @@ data.driver_path=
 cve.url.modified.validfordays=7

 # the path to the modified nvd cve xml file.
-cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
-cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+#cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2002
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+#cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+

 # file type analyzer settings:
 analyzer.archive.enabled=true
@@ -56,3 +66,7 @@ analyzer.nexus.url=https://repository.sonatype.org/service/local/
 # If set to true, the proxy will still ONLY be used if the proxy properties (proxy.url, proxy.port)
 # are configured
 analyzer.nexus.proxy=true
+
+# the URL for searching search.maven.org for SHA-1 and whether it's enabled
+analyzer.central.enabled=true
+analyzer.central.url=http://search.maven.org/solrsearch/select
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -41,6 +41,7 @@
                            <xs:choice minOccurs="0" maxOccurs="1">
                                <xs:element name="filePath" type="dc:regexStringType"/>
                                <xs:element name="sha1" type="dc:sha1Type"/>
+                                <xs:element name="gav" type="dc:regexStringType"/>
                            </xs:choice>
                            <xs:choice minOccurs="0" maxOccurs="unbounded">
                                <xs:element name="cpe" type="dc:regexStringType"/>
@@ -49,6 +50,7 @@
                                <xs:element name="cvssBelow" type="dc:cvssScoreType"/>
                            </xs:choice>
                        </xs:sequence>
+                        <xs:attribute name="base" use="optional" type="xs:boolean" default="false"/>
                    </xs:complexType>
                </xs:element>
            </xs:sequence>
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -33,8 +33,8 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        </script>
        <script type="text/javascript">
            $(document).ready(function() {
-                $(".expandable").click(function (e) {
-                    e = e || window.event;
+                $(".expandable").click(function (event) {
+                    e = event || window.event;
                    var h = e.target || e.srcElement;
                    var content = "#content" + h.id.substr(6);
                    var header = "#" + h.id;
@@ -56,6 +56,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                        $(header).addClass("expandablesubsection");
                        $(header).removeClass("collaspablesubsection");
                    }
+                    return false;
                });
            });

@@ -84,13 +85,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                $('#modal-text').focus();
                $('#modal-text').select();
            }
-            function toggleDisplay(el, clzName) {
+            function toggleDisplay(el, clzName, all, some) {
                $(clzName).toggle();
-                if (el.innerHTML == 'show all') {
-                    el.innerHTML = 'less';
+                if (el.innerHTML == all) {
+                    el.innerHTML = some;
                } else {
-                    el.innerHTML = 'show all';
+                    el.innerHTML = all;
                }
+                return false;
            }
        </script>
        <style type="text/css">
@@ -427,15 +429,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            .indent {
                margin-left:20px;
            }
-            td, th {
+            td{
+                vertical-align:text-top;
                padding:6px;
                margin:0px;
            }
+            th {
+                text-align:left
+                vertical-align:text-top;
+                padding:6px;
+                margin:0px;
+                border-bottom:1px;
+                border-color: black;
+            }
            table {
                border: 0px;
            }
            table.lined tr:nth-child(even) {
-                background-color: #fbfbfb;
+                background-color: #f3f3f3;
            }
            .fullwidth {
                width:100%;
@@ -448,10 +459,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                margin-bottom:3px;
            }
            .vulnerable {
-            	color: #f00;
-            }
-            .vulnerable li {
-            	color: #000;
+                color: #000;
            }
            .notvulnerable {
                display:none;
@@ -481,7 +489,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
        <div id="modal-content">
            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                <textarea id="modal-text" cols="50" rows="10"></textarea><br/>
-                <button id="modal-add-header" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
+                <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
        </div>
        <div class="wrapper">
            <h1>Dependency-Check Report</h1>
@@ -513,7 +521,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                        #set($vulnSuppressedCount=$vulnSuppressedCount+$dependency.getSuppressedVulnerabilities().size())
                    #end
                #end
-                Scan Information (<a href="#" onclick="toggleDisplay(this, '.scaninfo');  return false;">show all</a>):<br/>
+                Scan Information (<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.scaninfo', 'show all', 'show less');  return false;">show all</a>):<br/>
                    <ul class="indent">
                        <li><i>dependency-check version</i>: $version</li>
                        <li><i>Report Generated On</i>: $scanDate</li>
@@ -526,23 +534,78 @@ arising out of or in connection with the use of this tool, the analysis performe
                        <li class="scaninfo hidden"><i>$enc.html($prop.key)</i>: $enc.html($prop.value)</li>
                        #end
                    </ul><br/>
-                Dependency Display:&nbsp;<a href="#" onclick="toggleDisplay(this,'.notvulnerable'); return false;">show all</a><br/><br/>
-                <ul class="indent">
+                Display:&nbsp;<a href="#" title="Click to toggle display" onclick="return toggleDisplay(this, '.notvulnerable', 'Showing Vulnerable Dependencies (click to show all)', 'Showing All Dependencies (click to show less)'); return false;">Showing Vulnerable Dependencies (click to show all)</a><br/><br/>
                #set($lnkcnt=0)
-                #foreach($dependency in $dependencies)
+                <table class="lined">
+                    <tr style="text-align:left">
+                        <th title="The name of the dependency">Dependency</th>
+                        <th title="The Common Platform Enumeration">CPE</th>
+                        <th title="The Maven GAV Coordinates">GAV</th>
+                        <th title="The highest CVE Severity">Highest Severity</th>
+                        <th title="The number of Common Vulnerability and Exposure (CVE) entries">CVE Count</th>
+                        <th title="The confidence rating dependency-check has for the identified CPE">CPE Confidence</th>
+                        <th title="The count of evidence used to identify the CPE">Evidence Count</th>
+                    </tr>
+                    #foreach($dependency in $dependencies)
                    #set($lnkcnt=$lnkcnt+1)
-                    <li class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
-                    <a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a>
-                    #if($dependency.getRelatedDependencies().size()>0)
-                        <ul>
-                        #foreach($related in $dependency.getRelatedDependencies())
-                        <li>$enc.html($related.DisplayFileName)</li>
+                    <tr class="#if($dependency.getVulnerabilities().size()==0)notvulnerable#else vulnerable#end">
+                        <td><a href="#l${lnkcnt}_$enc.html($enc.url($dependency.Sha1sum))">$enc.html($dependency.DisplayFileName)</a></td>
+                        #set($mavenlink="")
+                        #set($cpeIdCount=0)
+                        #set($cpeIdConf="")
+                        <td>
+                        #foreach($id in $dependency.getIdentifiers())
+                            #if ($id.type=="maven")
+                                #if ($mavenlink=="" || !$mavenlink.url)
+                                    #set($mavenlink=$id)
+                                #end
+                            #else
+                                #if ($cpeIdCount>=1)
+                                    <br/>
+                                #end
+                                #if( $id.url )
+                                    <a href="$enc.html($id.url)" target="_blank">$enc.html($id.value)</a>
+                                #else
+                                    $enc.html($id.value)
+                                #end
+                                #if ($cpeIdConf == "")
+                                    #set($cpeIdConf=$id.confidence)
+                                #elseif ($cpeIdConf.compareTo($id.confidence)>0)
+                                    #set($cpeIdConf=$id.confidence)
+                                #end
+                                #set($cpeIdCount=$cpeIdCount+1)
+                            #end
                        #end
-                        </ul>
+                        </td>
+                        <td>#if( $mavenlink.url )
+                            ##yes, we are HTML Encoding the href. this is okay. We can't URL encode as we have to trust the analyzer here...
+                            <a href="$enc.html($mavenlink.url)" target="_blank">$enc.html($mavenlink.value)</a>
+                        #elseif ($mavenlink.value)
+                            $enc.html($mavenlink.value)
+                        #end</td>
+                        #set($cveImpact=-1)
+                        #foreach($vuln in $dependency.getVulnerabilities())
+                            #if ($cveImpact<$vuln.cvssScore)
+                                #set($cveImpact=$vuln.cvssScore)
+                            #end
+                        #end
+                        <td>
+                        #if ($cveImpact<0)
+                            &nbsp;
+                        #elseif ($cveImpact<4.0)
+                            Low
+                        #elseif ($cveImpact>=7.0)
+                            High
+                        #else
+                            Medium
+                        #end
+                        </td>
+                        <td>$dependency.getVulnerabilities().size()</td>
+                        <td>$cpeIdConf</td>
+                        <td>$dependency.getEvidenceForDisplay().size()</td>
+                    </tr>
                    #end
-                    </li>
-                #end
-                </ul>
+                </table>
                <h2>Dependencies</h2>
                #set($lnkcnt=0)
                #set($cnt=0)
@@ -565,6 +628,19 @@ arising out of or in connection with the use of this tool, the analysis performe
                            <b>File&nbsp;Path:</b>&nbsp;$enc.html($dependency.FilePath)<br/>
                            <b>MD5:</b>&nbsp;$enc.html($dependency.Md5sum)<br/>
                            <b>SHA1:</b>&nbsp;$enc.html($dependency.Sha1sum)
+                            #if ($dependency.projectReferences.size()==1)
+                                <br/><b>Referenced In Project:</b>
+                                #foreach($ref in $dependency.projectReferences)
+                                    $enc.html($ref)
+                                #end
+                            #end
+                            #if ($dependency.projectReferences.size()>1)
+                                <br/><b>Referenced In Projects:</b><ul>
+                                #foreach($ref in $dependency.projectReferences)
+                                    <li>$enc.html($ref)</li>
+                                #end
+                                </ul>
+                            #end
                        </p>
                        #set($cnt=$cnt+1)
                        <h4 id="header$cnt" class="subsectionheader expandable expandablesubsection white">Evidence</h4>
@@ -630,7 +706,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                                #end
                                #if ($id.type=="cpe")
                                    ##yes, we are HTML Encoding into JavaScript... the escape utils don't have a JS Encode and I haven't written one yet
-                                    &nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
+                                    &nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CPE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cpe', '$enc.html($id.value)')">suppress</button>
                                #end
                                #if ($id.description)
                                    <br/>$enc.html($id.description)
@@ -646,7 +722,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                    <div id="content$cnt" class="subsectioncontent standardsubsection">
                        #foreach($vuln in $dependency.getVulnerabilities())
                            #set($vsctr=$vsctr+1)
-                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
+                            <p><b><a target="_blank" href="http://web.nvd.nist.gov/view/vuln/detail?vulnId=$enc.url($vuln.name)">$enc.html($vuln.name)</a></b>&nbsp;&nbsp;<button class="copybutton" title="Generate Suppression XML for this CCE for this file" onclick="copyText('$enc.html($dependency.FileNameForJavaScript)', '$enc.html($dependency.Sha1sum)', 'cve', '$enc.html($vuln.name)')">suppress</button></p>
                            <p>Severity:
                            #if ($vuln.cvssScore<4.0)
                                Low
@@ -674,7 +750,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
                                </ul></p>
                            #else
-                                <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
+                                <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="return toggleDisplay(this,'.vs$vsctr', 'show all', 'show less');">show all</a>)<ul>
                                    <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
                                    <li class="vs$vsctr">...</li>
                                #foreach($vs in $vuln.getVulnerableSoftware())
@@ -808,7 +884,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                                            git st<li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
                                        </ul></p>
                                    #else
-                                        <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="toggleDisplay(this,'.vs$vsctr'); return false;">show all</a>)<ul>
+                                        <p>Vulnerable Software &amp; Versions:&nbsp;(<a href="#" onclick="return toggleDisplay(this,'.vs$vsctr', 'show all', 'show less');">show all</a>)<ul>
                                            <li class="vs$vsctr"><a target="_blank" href="https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=$enc.url($vuln.matchedCPE)">$enc.html($vuln.matchedCPE)</a> #if($vuln.hasMatchedAllPreviousCPE()) and all previous versions#end</li>
                                            <li class="vs$vsctr">...</li>
                                        #foreach($vs in $vuln.getVulnerableSoftware())
@@ -827,6 +903,6 @@ arising out of or in connection with the use of this tool, the analysis performe
 ## END SUPPRESSED VULNERABILITIES
            </div>
        </div>
-        <div><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</div>
+        <div><br/><br/>This report contains data retrieved from the <a href="http://nvd.nist.gov">National Vulnerability Database</a>.</div>
    </body>
 </html>
--- a/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/VulnerabilityReport.vsl
@@ -236,6 +236,6 @@ arising out of or in connection with the use of this tool, the analysis performe
                </tbody>
                </table>
            </div>
-        <p><br/><br/>This report contains data retrieved from the <a href="nvd.nist.gov">National Vulnerability Database</a>.</p>
+        <p><br/><br/>This report contains data retrieved from the <a href="http://nvd.nist.gov">National Vulnerability Database</a>.</p>
    </body>
 </html>
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseTest.java
@@ -15,7 +15,10 @@
 */
 package org.owasp.dependencycheck;

+import java.io.File;
+import java.io.InputStream;
 import org.junit.AfterClass;
+import org.junit.Assume;
 import org.junit.BeforeClass;
 import org.owasp.dependencycheck.utils.Settings;

@@ -34,4 +37,31 @@ public class BaseTest {
    public static void tearDownClass() throws Exception {
        Settings.cleanup(true);
    }
+
+    /**
+     * Returns the given resource as an InputStream using the object's class loader. The org.junit.Assume API is used so that test
+     * cases are skipped if the resource is not available.
+     *
+     * @param o the object used to obtain a reference to the class loader
+     * @param resource the name of the resource to load
+     * @return the resource as an InputStream
+     */
+    public static InputStream getResourceAsStream(Object o, String resource) {
+        getResourceAsFile(o, resource);
+        return o.getClass().getClassLoader().getResourceAsStream(resource);
+    }
+
+    /**
+     * Returns the given resource as a File using the object's class loader. The org.junit.Assume API is used so that test cases
+     * are skipped if the resource is not available.
+     *
+     * @param o the object used to obtain a reference to the class loader
+     * @param resource the name of the resource to load
+     * @return the resource as an File
+     */
+    public static File getResourceAsFile(Object o, String resource) {
+        File f = new File(o.getClass().getClassLoader().getResource(resource).getPath());
+        Assume.assumeTrue(String.format("%n%n[SEVERE] Unable to load resource for test case: %s%n%n", resource), f.exists());
+        return f;
+    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
@@ -23,7 +23,6 @@ import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
-import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;

@@ -42,26 +41,6 @@ public class EngineIntegrationTest extends BaseTest {
    public void tearDown() {
    }

-    /**
-     * Test of scan method, of class Engine.
-     *
-     * @throws Exception is thrown when an exception occurs.
-     */
-    @Test
-    public void testScan() throws Exception {
-        String testClasses = "target/test-classes/*.zip";
-        boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
-        Engine instance = new Engine();
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        instance.scan(testClasses);
-        assertTrue(instance.getDependencies().size() > 0);
-        for (Dependency d : instance.getDependencies()) {
-            assertTrue("non-zip file collected " + d.getFileName(), d.getFileName().toLowerCase().endsWith(".zip"));
-        }
-        instance.cleanup();
-    }
-
    /**
     * Test running the entire engine.
     *
@@ -70,10 +49,10 @@ public class EngineIntegrationTest extends BaseTest {
    @Test
    public void testEngine() throws Exception {
        String testClasses = "target/test-classes";
-//        boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
-//        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+        boolean autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
        Engine instance = new Engine();
-//        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
        instance.scan(testClasses);
        assertTrue(instance.getDependencies().size() > 0);
        instance.analyzeDependencies();
@@ -81,8 +60,7 @@ public class EngineIntegrationTest extends BaseTest {
        cveDB.open();
        DatabaseProperties dbProp = cveDB.getDatabaseProperties();
        cveDB.close();
-        ReportGenerator rg = new ReportGenerator("DependencyCheck",
-                instance.getDependencies(), instance.getAnalyzers(), dbProp);
+        ReportGenerator rg = new ReportGenerator("DependencyCheck", instance.getDependencies(), instance.getAnalyzers(), dbProp);
        rg.generateReports("./target/", "ALL");
        instance.cleanup();
    }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzerTest.java
@@ -34,8 +34,8 @@ import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;

-import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;

 /**
 * @author Jeremy Long <jeremy.long@owasp.org>
@@ -67,7 +67,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
        instance.initialize();
        int expCount = 5;
        List<SuppressionRule> result = instance.getRules();
-        assertEquals(expCount, result.size());
+        assertTrue(expCount <= result.size());
    }

    /**
@@ -79,7 +79,7 @@ public class AbstractSuppressionAnalyzerTest extends BaseTest {
        instance.initialize();
        int expCount = 5;
        List<SuppressionRule> result = instance.getRules();
-        assertEquals(expCount, result.size());
+        assertTrue(expCount <= result.size());
    }

    @Test(expected = SuppressionParseException.class)
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
@@ -23,6 +23,7 @@ import java.util.Set;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -40,7 +41,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
    @Test
    public void testGetSupportedExtensions() {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
-        Set expResult = new HashSet<String>();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("zip");
        expResult.add("war");
        expResult.add("ear");
@@ -129,11 +130,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        instance.supportsExtension("ear");
        try {
            instance.initialize();
-
-            File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
+            File file = BaseTest.getResourceAsFile(this, "daytrader-ear-2.1.7.ear");
+            //File file = new File(this.getClass().getClassLoader().getResource("daytrader-ear-2.1.7.ear").getPath());
            Dependency dependency = new Dependency(file);
            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
            Engine engine = new Engine();

            int initial_size = engine.getDependencies().size();
@@ -161,10 +163,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
            instance.initialize();

            //File file = new File(this.getClass().getClassLoader().getResource("file.tar").getPath());
-            File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
+            //File file = new File(this.getClass().getClassLoader().getResource("stagedhttp-modified.tar").getPath());
+            File file = BaseTest.getResourceAsFile(this, "stagedhttp-modified.tar");
            Dependency dependency = new Dependency(file);
            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
            Engine engine = new Engine();

            int initial_size = engine.getDependencies().size();
@@ -189,10 +193,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        try {
            instance.initialize();

-            File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
+            //File file = new File(this.getClass().getClassLoader().getResource("file.tar.gz").getPath());
+            File file = BaseTest.getResourceAsFile(this, "file.tar.gz");
            //Dependency dependency = new Dependency(file);
            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
            Engine engine = new Engine();

            int initial_size = engine.getDependencies().size();
@@ -220,6 +226,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
 //            File file = new File(this.getClass().getClassLoader().getResource("nested.zip").getPath());
 //            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
 //            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+//            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
 //            Engine engine = new Engine();
 //
 //            engine.scan(file);
@@ -239,9 +246,11 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        try {
            instance.initialize();

-            File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
+            //File file = new File(this.getClass().getClassLoader().getResource("file.tgz").getPath());
+            File file = BaseTest.getResourceAsFile(this, "file.tgz");
            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
            Engine engine = new Engine();

            int initial_size = engine.getDependencies().size();
@@ -265,10 +274,12 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        try {
            instance.initialize();

-            File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
+            //File file = new File(this.getClass().getClassLoader().getResource("test.zip").getPath());
+            File file = BaseTest.getResourceAsFile(this, "test.zip");
            Dependency dependency = new Dependency(file);
            Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
            Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+            Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
            Engine engine = new Engine();
            int initial_size = engine.getDependencies().size();
 //            boolean failed = false;
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -78,7 +78,8 @@ public class AssemblyAnalyzerTest extends BaseTest {

    @Test
    public void testAnalysis() throws Exception {
-        File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
+        //File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("GrokAssembly.exe").getPath());
+        File f = BaseTest.getResourceAsFile(this, "GrokAssembly.exe");
        Dependency d = new Dependency(f);
        analyzer.analyze(d, null);
        boolean foundVendor = false;
@@ -100,7 +101,9 @@ public class AssemblyAnalyzerTest extends BaseTest {

    @Test
    public void testLog4Net() throws Exception {
-        File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
+        //File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
+        File f = BaseTest.getResourceAsFile(this, "log4net.dll");
+
        Dependency d = new Dependency(f);
        analyzer.analyze(d, null);
        assertTrue(d.getVersionEvidence().getEvidence().contains(new Evidence("grokassembly", "version", "1.2.13.0", Confidence.HIGHEST)));
@@ -115,7 +118,8 @@ public class AssemblyAnalyzerTest extends BaseTest {
        // Tweak the log level so the warning doesn't show in the console
        Logger.getLogger(AssemblyAnalyzer.class.getName()).setLevel(Level.OFF);
        Logger.getLogger(Dependency.class.getName()).setLevel(Level.OFF);
-        File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
+        //File f = new File(AssemblyAnalyzerTest.class.getClassLoader().getResource("log4net.dll").getPath());
+        File f = BaseTest.getResourceAsFile(this, "log4net.dll");
        File test = new File(f.getParent(), "nonexistent.dll");
        Dependency d = new Dependency(test);

--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -25,9 +25,12 @@ import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
 import org.junit.Assert;
+import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
+import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;

@@ -81,12 +84,24 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
     */
    @Test
    public void testDetermineCPE_full() throws Exception {
-        callDetermineCPE_full("hazelcast-2.5.jar", null);
-        callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5");
-        callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0");
-        callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2");
-        callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null);
-        callDetermineCPE_full("ehcache-core-2.2.0.jar", null);
+        CPEAnalyzer instance = new CPEAnalyzer();
+        instance.open();
+        FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
+        JarAnalyzer jarAnalyzer = new JarAnalyzer();
+        HintAnalyzer hAnalyzer = new HintAnalyzer();
+        FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
+
+        try {
+            //callDetermineCPE_full("struts2-core-2.3.16.3.jar", "cpe:/a:apache:struts:2.3.16.3", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("hazelcast-2.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("spring-context-support-2.5.5.jar", "cpe:/a:vmware:springsource_spring_framework:2.5.5", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("spring-core-3.0.0.RELEASE.jar", "cpe:/a:vmware:springsource_spring_framework:3.0.0", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("org.mortbay.jetty.jar", "cpe:/a:mortbay_jetty:jetty:4.2", instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("jaxb-xercesImpl-1.5.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+            callDetermineCPE_full("ehcache-core-2.2.0.jar", null, instance, fnAnalyzer, jarAnalyzer, hAnalyzer, fp);
+        } finally {
+            instance.close();
+        }
    }

    /**
@@ -94,37 +109,26 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
     *
     * @throws Exception is thrown when an exception occurs
     */
-    public void callDetermineCPE_full(String depName, String expResult) throws Exception {
+    public void callDetermineCPE_full(String depName, String expResult, CPEAnalyzer instance, FileNameAnalyzer fnAnalyzer, JarAnalyzer jarAnalyzer, HintAnalyzer hAnalyzer, FalsePositiveAnalyzer fp) throws Exception {

-        File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
+        //File file = new File(this.getClass().getClassLoader().getResource(depName).getPath());
+        File file = BaseTest.getResourceAsFile(this, depName);

        Dependency dep = new Dependency(file);

-        FileNameAnalyzer fnAnalyzer = new FileNameAnalyzer();
        fnAnalyzer.analyze(dep, null);
-
-        JarAnalyzer jarAnalyzer = new JarAnalyzer();
        jarAnalyzer.analyze(dep, null);
-        HintAnalyzer hAnalyzer = new HintAnalyzer();
        hAnalyzer.analyze(dep, null);
-
-        CPEAnalyzer instance = new CPEAnalyzer();
-        instance.open();
        instance.analyze(dep, null);
-        instance.close();
-        FalsePositiveAnalyzer fp = new FalsePositiveAnalyzer();
        fp.analyze(dep, null);

-//        for (Identifier i : dep.getIdentifiers()) {
-//            System.out.println(i.getValue());
-//        }
        if (expResult != null) {
            Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
            Assert.assertTrue("Incorrect match: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().contains(expIdentifier));
-        } else if (dep.getIdentifiers().isEmpty()) {
-            Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "' }", dep.getIdentifiers().isEmpty());
        } else {
-            Assert.assertTrue("Match found when an Identifier should not have been found: { dep:'" + dep.getFileName() + "', identifier:'" + dep.getIdentifiers().iterator().next().getValue() + "' }", dep.getIdentifiers().isEmpty());
+            for (Identifier i : dep.getIdentifiers()) {
+                Assert.assertFalse(String.format("%s - found a CPE identifier when should have been none (found '%s')", dep.getFileName(), i.getValue()), "cpe".equals(i.getType()));
+            }
        }
    }

@@ -135,7 +139,8 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
     */
    @Test
    public void testDetermineCPE() throws Exception {
-        File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
        //File file = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
        Dependency struts = new Dependency(file);

@@ -145,15 +150,18 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        JarAnalyzer jarAnalyzer = new JarAnalyzer();
        jarAnalyzer.analyze(struts, null);

-        File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
+        //File fileCommonValidator = new File(this.getClass().getClassLoader().getResource("commons-validator-1.4.0.jar").getPath());
+        File fileCommonValidator = BaseTest.getResourceAsFile(this, "commons-validator-1.4.0.jar");
        Dependency commonValidator = new Dependency(fileCommonValidator);
        jarAnalyzer.analyze(commonValidator, null);

-        File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
+        //File fileSpring = new File(this.getClass().getClassLoader().getResource("spring-core-2.5.5.jar").getPath());
+        File fileSpring = BaseTest.getResourceAsFile(this, "spring-core-2.5.5.jar");
        Dependency spring = new Dependency(fileSpring);
        jarAnalyzer.analyze(spring, null);

-        File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        //File fileSpring3 = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        File fileSpring3 = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
        Dependency spring3 = new Dependency(fileSpring3);
        jarAnalyzer.analyze(spring3, null);

@@ -170,7 +178,10 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        String expResultSpring = "cpe:/a:springsource:spring_framework:2.5.5";
        String expResultSpring3 = "cpe:/a:vmware:springsource_spring_framework:3.0.0";

-        Assert.assertTrue("Apache Common Validator - found an identifier?", commonValidator.getIdentifiers().isEmpty());
+        for (Identifier i : commonValidator.getIdentifiers()) {
+            Assert.assertFalse("Apache Common Validator - found a CPE identifier?", "cpe".equals(i.getType()));
+        }
+
        Assert.assertTrue("Incorrect match size - struts", struts.getIdentifiers().size() >= 1);
        Assert.assertTrue("Incorrect match - struts", struts.getIdentifiers().contains(expIdentifier));
        Assert.assertTrue("Incorrect match size - spring3 - " + spring3.getIdentifiers().size(), spring3.getIdentifiers().size() >= 1);
@@ -180,6 +191,30 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        //Assert.assertTrue("Incorrect match - spring", spring.getIdentifiers().get(0).getValue().equals(expResultSpring));
    }

+    /**
+     * Test of determineIdentifiers method, of class CPEAnalyzer.
+     *
+     * @throws Exception is thrown when an exception occurs
+     */
+    @Test
+    public void testDetermineIdentifiers() throws Exception {
+        Dependency openssl = new Dependency();
+        openssl.getVendorEvidence().addEvidence("test", "vendor", "openssl", Confidence.HIGHEST);
+        openssl.getProductEvidence().addEvidence("test", "product", "openssl", Confidence.HIGHEST);
+        openssl.getVersionEvidence().addEvidence("test", "version", "1.0.1c", Confidence.HIGHEST);
+
+        CPEAnalyzer instance = new CPEAnalyzer();
+        instance.open();
+        instance.determineIdentifiers(openssl, "openssl", "openssl", Confidence.HIGHEST);
+        instance.close();
+
+        String expResult = "cpe:/a:openssl:openssl:1.0.1c";
+        Identifier expIdentifier = new Identifier("cpe", expResult, expResult);
+
+        assertTrue(openssl.getIdentifiers().contains(expIdentifier));
+
+    }
+
    /**
     * Test of searchCPE method, of class CPEAnalyzer.
     *
@@ -190,12 +225,12 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        String vendor = "apache software foundation";
        String product = "struts 2 core";
        String version = "2.1.2";
-        String expResult = "cpe:/a:apache:struts:2.1.2";
+        String expVendor = "apache";
+        String expProduct = "struts";

        CPEAnalyzer instance = new CPEAnalyzer();
        instance.open();

-        //TODO - yeah, not a very good test as the results are the same with or without weighting...
        Set<String> productWeightings = new HashSet<String>(1);
        productWeightings.add("struts2");

@@ -203,9 +238,16 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        vendorWeightings.add("apache");

        List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
-        //TODO fix this assert
-        //Assert.assertEquals(expResult, result.get(0).getName());
-
        instance.close();
+
+        boolean found = false;
+        for (IndexEntry entry : result) {
+            if (expVendor.equals(entry.getVendor()) && expProduct.equals(entry.getProduct())) {
+                found = true;
+                break;
+            }
+        }
+        assertTrue("apache:struts was not identified", found);
+
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerTest.java
@@ -86,4 +86,40 @@ public class DependencyBundlingAnalyzerTest extends BaseTest {
        assertEquals(expResult, result);
    }

+    @Test
+    public void testFirstPathIsShortest() {
+        DependencyBundlingAnalyzer instance = new DependencyBundlingAnalyzer();
+
+        String left = "./a/c.jar";
+        String right = "./d/e/f.jar";
+        boolean expResult = true;
+        boolean result = instance.firstPathIsShortest(left, right);
+        assertEquals(expResult, result);
+
+        left = "./a/b/c.jar";
+        right = "./d/e/f.jar";
+        expResult = true;
+        result = instance.firstPathIsShortest(left, right);
+        assertEquals(expResult, result);
+
+        left = "./d/b/c.jar";
+        right = "./a/e/f.jar";
+        expResult = false;
+        result = instance.firstPathIsShortest(left, right);
+        assertEquals(expResult, result);
+
+        left = "./a/b/c.jar";
+        right = "./d/f.jar";
+        expResult = false;
+        result = instance.firstPathIsShortest(left, right);
+        assertEquals(expResult, result);
+
+        left = "./a/b/c.jar";
+        right = "./a/b/c.jar";
+        expResult = true;
+        result = instance.firstPathIsShortest(left, right);
+        assertEquals(expResult, result);
+
+    }
+
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzerTest.java
@@ -21,6 +21,7 @@ import java.io.File;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.dependency.Dependency;

 /**
@@ -56,9 +57,11 @@ public class FileNameAnalyzerTest {
     */
    @Test
    public void testAnalyze() throws Exception {
-        File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        //File struts = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        File struts = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
        Dependency resultStruts = new Dependency(struts);
-        File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
+        //File axis = new File(this.getClass().getClassLoader().getResource("axis2-adb-1.4.1.jar").getPath());
+        File axis = BaseTest.getResourceAsFile(this, "axis2-adb-1.4.1.jar");
        Dependency resultAxis = new Dependency(axis);
        FileNameAnalyzer instance = new FileNameAnalyzer();
        instance.analyze(resultStruts, null);
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -69,12 +69,15 @@ public class HintAnalyzerTest extends BaseTest {
    public void testAnalyze() throws Exception {
        HintAnalyzer instance = new HintAnalyzer();

-        File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
+        //File guice = new File(this.getClass().getClassLoader().getResource("guice-3.0.jar").getPath());
+        File guice = BaseTest.getResourceAsFile(this, "guice-3.0.jar");
        //Dependency guice = new Dependency(fileg);
-        File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        //File spring = new File(this.getClass().getClassLoader().getResource("spring-core-3.0.0.RELEASE.jar").getPath());
+        File spring = BaseTest.getResourceAsFile(this, "spring-core-3.0.0.RELEASE.jar");
        //Dependency spring = new Dependency(files);
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
        Engine engine = new Engine();

        engine.scan(guice);
@@ -85,7 +88,7 @@ public class HintAnalyzerTest extends BaseTest {
        for (Dependency d : engine.getDependencies()) {
            if (d.getActualFile().equals(guice)) {
                gdep = d;
-            } else {
+            } else if (d.getActualFile().equals(spring)) {
                sdep = d;
            }
        }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
@@ -41,14 +41,16 @@ public class JarAnalyzerTest extends BaseTest {
     */
    @Test
    public void testAnalyze() throws Exception {
-        File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        //File file = new File(this.getClass().getClassLoader().getResource("struts2-core-2.1.2.jar").getPath());
+        File file = BaseTest.getResourceAsFile(this, "struts2-core-2.1.2.jar");
        Dependency result = new Dependency(file);
        JarAnalyzer instance = new JarAnalyzer();
        instance.analyze(result, null);
        assertTrue(result.getVendorEvidence().toString().toLowerCase().contains("apache"));
        assertTrue(result.getVendorEvidence().getWeighting().contains("apache"));

-        file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
+        //file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jetty.jar").getPath());
+        file = BaseTest.getResourceAsFile(this, "org.mortbay.jetty.jar");
        result = new Dependency(file);
        instance.analyze(result, null);
        boolean found = false;
@@ -81,7 +83,8 @@ public class JarAnalyzerTest extends BaseTest {
        }
        assertTrue("implementation-version of 4.2.27 not found in org.mortbay.jetty.jar", found);

-        file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
+        //file = new File(this.getClass().getClassLoader().getResource("org.mortbay.jmx.jar").getPath());
+        file = BaseTest.getResourceAsFile(this, "org.mortbay.jmx.jar");
        result = new Dependency(file);
        instance.analyze(result, null);
        assertEquals("org.mortbar,jmx.jar has version evidence?", result.getVersionEvidence().size(), 0);
@@ -93,7 +96,7 @@ public class JarAnalyzerTest extends BaseTest {
    @Test
    public void testGetSupportedExtensions() {
        JarAnalyzer instance = new JarAnalyzer();
-        Set expResult = new HashSet();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("jar");
        expResult.add("war");
        Set result = instance.getSupportedExtensions();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
@@ -38,7 +38,7 @@ public class JavaScriptAnalyzerTest extends BaseTest {
    @Test
    public void testGetSupportedExtensions() {
        JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
-        Set expResult = new HashSet<String>();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("js");
        Set result = instance.getSupportedExtensions();
        assertEquals(expResult, result);
@@ -84,9 +84,12 @@ public class JavaScriptAnalyzerTest extends BaseTest {
     */
    @Test
    public void testAnalyze() throws Exception {
-        File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
-        File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
-        File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
+        //File jq6 = new File(this.getClass().getClassLoader().getResource("jquery-1.6.2.min.js").getPath());
+        File jq6 = BaseTest.getResourceAsFile(this, "jquery-1.6.2.min.js");
+        //File jq10 = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.js").getPath());
+        File jq10 = BaseTest.getResourceAsFile(this, "jquery-1.10.2.js");
+        //File jq10min = new File(this.getClass().getClassLoader().getResource("jquery-1.10.2.min.js").getPath());
+        File jq10min = BaseTest.getResourceAsFile(this, "jquery-1.10.2.min.js");
        Dependency depJQ6 = new Dependency(jq6);
        Dependency depJQ10 = new Dependency(jq10);
        Dependency depJQ10min = new Dependency(jq10min);
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
@@ -21,6 +21,7 @@ import java.io.File;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -61,10 +62,13 @@ public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDat
    @Test
    public void testAnalyze() throws Exception {

-        File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
-        File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
+        //File file = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.jar").getPath());
+        File file = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.jar");
+        //File suppression = new File(this.getClass().getClassLoader().getResource("commons-fileupload-1.2.1.suppression.xml").getPath());
+        File suppression = BaseTest.getResourceAsFile(this, "commons-fileupload-1.2.1.suppression.xml");
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, false);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, false);
        Engine engine = new Engine();
        engine.scan(file);
        engine.analyzeDependencies();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/central/CentralSearchTest.java
@@ -0,0 +1,63 @@
+package org.owasp.dependencycheck.data.central;
+
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.data.nexus.MavenArtifact;
+import org.owasp.dependencycheck.utils.Settings;
+
+import java.io.FileNotFoundException;
+import java.net.URL;
+import java.util.List;
+import java.util.logging.Logger;
+
+import static org.junit.Assert.*;
+
+/**
+ * Created by colezlaw on 10/13/14.
+ */
+public class CentralSearchTest extends BaseTest {
+    private static final Logger LOGGER = Logger.getLogger(CentralSearchTest.class.getName());
+    private CentralSearch searcher;
+
+    @Before
+    public void setUp() throws Exception {
+        String centralUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
+        LOGGER.fine(centralUrl);
+        searcher = new CentralSearch(new URL(centralUrl));
+    }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testNullSha1() throws Exception { searcher.searchSha1(null); }
+
+    @Test(expected = IllegalArgumentException.class)
+    public void testMalformedSha1() throws Exception {
+        searcher.searchSha1("invalid");
+    }
+
+    // This test does generate network traffic and communicates with a host
+    // you may not be able to reach. Remove the @Ignore annotation if you want to
+    // test it anyway
+    @Test
+    public void testValidSha1() throws Exception {
+        List<MavenArtifact> ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
+        assertEquals("Incorrect group", "org.apache.maven.plugins", ma.get(0).getGroupId());
+        assertEquals("Incorrect artifact", "maven-compiler-plugin", ma.get(0).getArtifactId());
+        assertEquals("Incorrect version", "3.1", ma.get(0).getVersion());
+    }
+
+    // This test does generate network traffic and communicates with a host
+    // you may not be able to reach. Remove the @Ignore annotation if you want to
+    // test it anyway
+    @Test(expected = FileNotFoundException.class)
+    public void testMissingSha1() throws Exception {
+        searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
+    }
+
+    // This test should give us multiple results back from Central
+    @Test
+    public void testMultipleReturns() throws Exception {
+        List<MavenArtifact> ma = searcher.searchSha1("94A9CE681A42D0352B3AD22659F67835E560D107");
+        assertTrue(ma.size() > 1);
+    }
+}
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilterTest.java
@@ -20,16 +20,10 @@ package org.owasp.dependencycheck.data.lucene;
 import java.io.IOException;
 import java.io.Reader;
 import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.Analyzer.TokenStreamComponents;
 import org.apache.lucene.analysis.BaseTokenStreamTestCase;
-import static org.apache.lucene.analysis.BaseTokenStreamTestCase.checkOneTerm;
 import org.apache.lucene.analysis.MockTokenizer;
 import org.apache.lucene.analysis.Tokenizer;
 import org.apache.lucene.analysis.core.KeywordTokenizer;
-import org.junit.After;
-import org.junit.AfterClass;
-import org.junit.Before;
-import org.junit.BeforeClass;

 /**
 *
@@ -50,24 +44,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
        };
    }

-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() throws Exception {
-        super.setUp();
-    }
-
-    @After
-    public void tearDown() throws Exception {
-        super.tearDown();
-    }
-
    /**
     * test some example domains
     */
@@ -102,6 +78,6 @@ public class UrlTokenizingFilterTest extends BaseTokenStreamTestCase {
                return new TokenStreamComponents(tokenizer, new UrlTokenizingFilter(tokenizer));
            }
        };
-        checkOneTermReuse(a, "", "");
+        checkOneTerm(a, "", "");
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nexus/NexusSearchTest.java
@@ -24,6 +24,7 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertNotNull;
 import org.junit.Assume;
 import org.junit.Before;
+import org.junit.Ignore;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.utils.Settings;
@@ -42,11 +43,13 @@ public class NexusSearchTest extends BaseTest {
    }

    @Test(expected = IllegalArgumentException.class)
+    @Ignore
    public void testNullSha1() throws Exception {
        searcher.searchSha1(null);
    }

    @Test(expected = IllegalArgumentException.class)
+    @Ignore
    public void testMalformedSha1() throws Exception {
        searcher.searchSha1("invalid");
    }
@@ -55,6 +58,7 @@ public class NexusSearchTest extends BaseTest {
    // you may not be able to reach. Remove the @Ignore annotation if you want to
    // test it anyway
    @Test
+    @Ignore
    public void testValidSha1() throws Exception {
        MavenArtifact ma = searcher.searchSha1("9977a8d04e75609cf01badc4eb6a9c7198c4c5ea");
        assertEquals("Incorrect group", "org.apache.maven.plugins", ma.getGroupId());
@@ -67,6 +71,7 @@ public class NexusSearchTest extends BaseTest {
    // you may not be able to reach. Remove the @Ignore annotation if you want to
    // test it anyway
    @Test(expected = FileNotFoundException.class)
+    @Ignore
    public void testMissingSha1() throws Exception {
        searcher.searchSha1("AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA");
    }
--- a/Show More
+++ b/Show More