version 1.2.11

Former-commit-id: a7da992577504112a168f71e0dde9364d2a68ad0

.gitignore

@@ -10,6 +10,7 @@
 .settings
 maven-eclipse.xml
 .externalToolBuilders
+.pmd
 # Netbeans configuration
 nb-configuration.xml
 /target/
@@ -22,4 +23,4 @@ _site/**
 #unknown as to why these are showing up... but need to be ignored.
 .LCKpom.xml~
 #coverity
-/cov-int/
+/cov-int/

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.8</version>
+        <version>1.2.11</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -68,7 +68,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-resources-plugin</artifactId>
-                <version>2.6</version>
                 <configuration>
                     <escapeWindowsPaths>false</escapeWindowsPaths>
                 </configuration>
@@ -191,10 +190,18 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                     </execution>
                 </executions>
             </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-compiler-plugin</artifactId>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jar-plugin</artifactId>
+            </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-shade-plugin</artifactId>
-                <version>2.1</version>
+                <version>2.3</version>
                 <configuration>
                     <transformers>
                         <transformer implementation="org.apache.maven.plugins.shade.resource.ServicesResourceTransformer" />
@@ -218,29 +225,13 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                 <configuration>
-                    <instrumentation>
+                    <!--instrumentation>
                         <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation>
+                    </instrumentation-->
                     <check>
                         <branchRate>85</branchRate>
                         <lineRate>85</lineRate>
@@ -269,7 +260,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                 <configuration>
                     <systemProperties>
                         <property>
@@ -279,162 +269,139 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                     </systemProperties>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
-                <configuration>
-                    <showDeprecation>false</showDeprecation>
-                    <source>1.6</source>
-                    <target>1.6</target>
-                </configuration>
-            </plugin>
-
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <configuration>
-                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
-                            </configuration>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.0.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                    </reportPlugins>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-project-info-reports-plugin</artifactId>
+                <version>2.7</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>summary</report>
+                            <report>license</report>
+                            <report>help</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <failOnError>false</failOnError>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.0.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
     <dependencies>
         <dependency>
             <groupId>org.owasp</groupId>
@@ -456,12 +423,12 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant</artifactId>
-            <version>1.9.3</version>
+            <version>1.9.4</version>
         </dependency>
         <dependency>
             <groupId>org.apache.ant</groupId>
             <artifactId>ant-testutil</artifactId>
-            <version>1.9.3</version>
+            <version>1.9.4</version>
             <scope>test</scope>
         </dependency>
     </dependencies>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTask.java

@@ -46,7 +46,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * An Ant task definition to execute dependency-check during an Ant build.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DependencyCheckTask extends Task {
 
@@ -98,8 +98,8 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the
-     * path object.
+     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
+     * object.
      *
      * @return the path
      */
@@ -215,9 +215,9 @@ public class DependencyCheckTask extends Task {
         this.reportOutputDirectory = reportOutputDirectory;
     }
     /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
-     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
-     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
+     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
+     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
      */
     private float failBuildOnCVSS = 11;
 
@@ -239,8 +239,8 @@ public class DependencyCheckTask extends Task {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
     /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
-     * false. Default is true.
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
+     * is true.
      */
     private boolean autoUpdate = true;
 
@@ -262,8 +262,31 @@ public class DependencyCheckTask extends Task {
         this.autoUpdate = autoUpdate;
     }
     /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
-     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     * Whether only the update phase should be executed.
+     */
+    private boolean updateOnly = false;
+
+    /**
+     * Get the value of updateOnly.
+     *
+     * @return the value of updateOnly
+     */
+    public boolean isUpdateOnly() {
+        return updateOnly;
+    }
+
+    /**
+     * Set the value of updateOnly.
+     *
+     * @param updateOnly new value of updateOnly
+     */
+    public void setUpdateOnly(boolean updateOnly) {
+        this.updateOnly = updateOnly;
+    }
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
+     * Site plugin unless the externalReport is set to true. Default is HTML.
      */
     private String reportFormat = "HTML";
 
@@ -322,8 +345,7 @@ public class DependencyCheckTask extends Task {
      * Set the value of proxyServer.
      *
      * @param proxyUrl new value of proxyServer
-     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)}
-     * instead
+     * @deprecated use {@link org.owasp.dependencycheck.taskdefs.DependencyCheckTask#setProxyServer(java.lang.String)} instead
      */
     @Deprecated
     public void setProxyUrl(String proxyUrl) {
@@ -565,7 +587,7 @@ public class DependencyCheckTask extends Task {
     private boolean centralAnalyzerEnabled = false;
 
     /**
-     * Get the value of centralAnalyzerEnabled
+     * Get the value of centralAnalyzerEnabled.
      *
      * @return the value of centralAnalyzerEnabled
      */
@@ -574,7 +596,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Set the value of centralAnalyzerEnabled
+     * Set the value of centralAnalyzerEnabled.
      *
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
      */
@@ -606,7 +628,7 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * The URL of the Nexus server.
+     * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
      */
     private String nexusUrl;
 
@@ -764,8 +786,8 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
-     * like ZIP files.
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
+     * files.
      */
     private String zipExtensions;
 
@@ -913,46 +935,51 @@ public class DependencyCheckTask extends Task {
         Engine engine = null;
         try {
             engine = new Engine(DependencyCheckTask.class.getClassLoader());
-
-            for (Resource resource : path) {
-                final FileProvider provider = resource.as(FileProvider.class);
-                if (provider != null) {
-                    final File file = provider.getFile();
-                    if (file != null && file.exists()) {
-                        engine.scan(file);
-                    }
-                }
-            }
-            try {
-                engine.analyzeDependencies();
-                DatabaseProperties prop = null;
-                CveDB cve = null;
+            //todo - should this be its own task?
+            if (updateOnly) {
+                engine.doUpdates();
+            } else {
                 try {
-                    cve = new CveDB();
-                    cve.open();
-                    prop = cve.getDatabaseProperties();
-                } catch (DatabaseException ex) {
-                    LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
-                } finally {
-                    if (cve != null) {
-                        cve.close();
+                    for (Resource resource : path) {
+                        final FileProvider provider = resource.as(FileProvider.class);
+                        if (provider != null) {
+                            final File file = provider.getFile();
+                            if (file != null && file.exists()) {
+                                engine.scan(file);
+                            }
+                        }
                     }
-                }
-                final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
-                reporter.generateReports(reportOutputDirectory, reportFormat);
 
-                if (this.failBuildOnCVSS <= 10) {
-                    checkForFailure(engine.getDependencies());
+                    engine.analyzeDependencies();
+                    DatabaseProperties prop = null;
+                    CveDB cve = null;
+                    try {
+                        cve = new CveDB();
+                        cve.open();
+                        prop = cve.getDatabaseProperties();
+                    } catch (DatabaseException ex) {
+                        LOGGER.log(Level.FINE, "Unable to retrieve DB Properties", ex);
+                    } finally {
+                        if (cve != null) {
+                            cve.close();
+                        }
+                    }
+                    final ReportGenerator reporter = new ReportGenerator(applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
+                    reporter.generateReports(reportOutputDirectory, reportFormat);
+
+                    if (this.failBuildOnCVSS <= 10) {
+                        checkForFailure(engine.getDependencies());
+                    }
+                    if (this.showSummary) {
+                        showSummary(engine.getDependencies());
+                    }
+                } catch (IOException ex) {
+                    LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
+                    throw new BuildException("Unable to generate dependency-check report", ex);
+                } catch (Exception ex) {
+                    LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
+                    throw new BuildException("An exception occurred; unable to continue task", ex);
                 }
-                if (this.showSummary) {
-                    showSummary(engine.getDependencies());
-                }
-            } catch (IOException ex) {
-                LOGGER.log(Level.FINE, "Unable to generate dependency-check report", ex);
-                throw new BuildException("Unable to generate dependency-check report", ex);
-            } catch (Exception ex) {
-                LOGGER.log(Level.FINE, "An exception occurred; unable to continue task", ex);
-                throw new BuildException("An exception occurred; unable to continue task", ex);
             }
         } catch (DatabaseException ex) {
             LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
@@ -980,8 +1007,8 @@ public class DependencyCheckTask extends Task {
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
+     * required to change the proxy server, port, and connection timeout.
      */
     private void populateSettings() {
         Settings.initialize();

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/package-info.java

@@ -1,11 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.taskdefs</title>
- * </head>
- * <body>
  * This package includes the Ant task definitions.
- * </body>
- * </html>
  */
 package org.owasp.dependencycheck.taskdefs;

dependency-check-ant/src/site/markdown/configuration.md

@@ -26,6 +26,7 @@ The following properties can be set on the dependency-check-maven plugin.
 Property             | Description                        | Default Value
 ---------------------|------------------------------------|------------------
 autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+updateOnly           | If set to true only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | false
 externalReport       | When using as a Site plugin this parameter sets whether or not the external report format should be used. | false
 outputDirectory      | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
 failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
@@ -51,9 +52,9 @@ Property                | Description
 archiveAnalyzerEnabled  | Sets whether the Archive Analyzer will be used.                           | true
 zipExtensions           | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. |  
 jarAnalyzer             | Sets whether the Jar Analyzer will be used.                                   | true
-centralAnalyzerEnabled  | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
+centralAnalyzerEnabled  | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
 nexusAnalyzerEnabled    | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
-nexusUrl                | Defines the Nexus Pro URL. If not set the Nexus Analyzer will be disabled. |  
+nexusUrl                | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. |  
 nexusUsesProxy          | Whether or not the defined proxy should be used when connecting to Nexus. | true
 nuspecAnalyzerEnabled   | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.          | true
 assemblyAnalyzerEnabled | Sets whether or not the .NET Assembly Analyzer should be used.            | true

dependency-check-ant/src/site/markdown/index.md.vm

@@ -1,3 +1,10 @@
+About
+====================
+OWASP dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly
+disclosed vulnerabilities associated with the project's dependencies. The task will
+generate a report listing the dependency, any identified Common Platform Enumeration (CPE)
+identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
+
 Installation
 ====================
 Download dependency-check-ant from [bintray here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-ant-${project.version}.jar).
@@ -19,7 +26,7 @@ must add the classpath to the taskdef:
 ```
 
 It is important to understand that the first time this task is executed it may
-take 20 minutes or more as it downloads and processes the data from the National
+take 10 minutes or more as it downloads and processes the data from the National
 Vulnerability Database (NVD) hosted by NIST: https://nvd.nist.gov
 
 After the first batch download, as long as the task is executed at least once every

dependency-check-ant/src/site/markdown/usage.md.vm

@@ -1,6 +1,6 @@
 Usage
 ====================
-First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html):
+First, add the dependency-check-ant taskdef to your build.xml (see the [installation guide](installation.html)):
 
 ```xml
 <taskdef name="dependency-check" classname="org.owasp.dependencycheck.taskdefs.DependencyCheckTask"/>

dependency-check-ant/src/site/site.xml

@@ -18,7 +18,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->
 <project name="dependency-check-ant">
     <bannerLeft>
-        <name>dependency-check-ant</name>
+        <name>OWASP dependency-check-ant</name>
+        <alt>OWASP dependency-check-ant</alt>
+        <src>./images/dc-ant.svg</src>
     </bannerLeft>
     <body>
         <breadcrumbs>
@@ -29,7 +31,6 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="Usage" href="usage.html"/>
             <item name="Configuration" href="configuration.html"/>
         </menu>
-        <menu ref="Project Documentation" />
         <menu ref="reports" />
     </body>
 </project>

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -27,9 +27,13 @@ import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DependencyCheckTaskTest extends BuildFileTest {
+    //TODO: The use of deprecated class BuildFileTestcan possibly
+    //be replaced with BuildFileRule. However, it currently isn't included in the ant-testutil jar.
+    //This should be fixed in ant-testutil 1.9.5, so we can check back once that has been released.
+    //Reference: http://mail-archives.apache.org/mod_mbox/ant-user/201406.mbox/%3C000001cf87ba$8949b690$9bdd23b0$@de%3E
 
     @Before
     @Override

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.8</version>
+        <version>1.2.11</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -60,27 +60,21 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
                 <configuration>
                     <archive>
                         <manifest>
                             <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
                         </manifest>
                     </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                 <configuration>
-                    <instrumentation>
+                    <!--instrumentation>
                         <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation>
+                    </instrumentation-->
                     <check>
                         <branchRate>85</branchRate>
                         <lineRate>85</lineRate>
@@ -114,7 +108,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                 <configuration>
                     <systemProperties>
                         <property>
@@ -133,160 +126,10 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
-                <configuration>
-                    <showDeprecation>false</showDeprecation>
-                    <source>1.6</source>
-                    <target>1.6</target>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <configuration>
-                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
-                            </configuration>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                    </reportPlugins>
-                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>appassembler-maven-plugin</artifactId>
-                <version>1.8.1</version>
                 <configuration>
                     <programs>
                         <program>
@@ -332,6 +175,137 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             </plugin>
         </plugins>
     </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-project-info-reports-plugin</artifactId>
+                <version>2.7</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>summary</report>
+                            <report>license</report>
+                            <report>help</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <failOnError>false</failOnError>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
     <dependencies>
         <dependency>
             <groupId>commons-cli</groupId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -41,7 +41,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The command line interface for the DependencyCheck application.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class App {
 
@@ -95,12 +95,15 @@ public class App {
 
         if (cli.isGetVersion()) {
             cli.printVersionInfo();
+        } else if (cli.isUpdateOnly()) {
+            populateSettings(cli);
+            runUpdateOnly();
         } else if (cli.isRunScan()) {
             populateSettings(cli);
             try {
                 runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getApplicationName(), cli.getScanFiles(), cli.getExcludeList());
             } catch (InvalidScanPathException ex) {
-                Logger.getLogger(App.class.getName()).log(Level.SEVERE, "An invalid scan path was detected; unable to scan '//*' paths");
+                LOGGER.log(Level.SEVERE, "An invalid scan path was detected; unable to scan '//*' paths");
             }
         } else {
             cli.printHelp();
@@ -212,11 +215,29 @@ public class App {
         }
     }
 
+    /**
+     * Only executes the update phase of dependency-check.
+     */
+    private void runUpdateOnly() {
+        Engine engine = null;
+        try {
+            engine = new Engine();
+            engine.doUpdates();
+        } catch (DatabaseException ex) {
+            LOGGER.log(Level.SEVERE, "Unable to connect to the dependency-check database; analysis has stopped");
+            LOGGER.log(Level.FINE, "", ex);
+        } finally {
+            if (engine != null) {
+                engine.cleanup();
+            }
+        }
+    }
+
     /**
      * Updates the global Settings.
      *
-     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding
-     * settings in the core engine.
+     * @param cli a reference to the CLI Parser that contains the command line arguments used to set the corresponding settings in
+     * the core engine.
      */
     private void populateSettings(CliParser cli) {
 
@@ -231,6 +252,8 @@ public class App {
         final String suppressionFile = cli.getSuppressionFile();
         final boolean jarDisabled = cli.isJarDisabled();
         final boolean archiveDisabled = cli.isArchiveDisabled();
+        final boolean pyDistDisabled = cli.isPythonDistributionDisabled();
+        final boolean pyPkgDisabled = cli.isPythonPackageDisabled();
         final boolean assemblyDisabled = cli.isAssemblyDisabled();
         final boolean nuspecDisabled = cli.isNuspecDisabled();
         final boolean centralDisabled = cli.isCentralDisabled();
@@ -296,6 +319,8 @@ public class App {
         //File Type Analyzer Settings
         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !jarDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !archiveDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !pyDistDisabled);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !pyPkgDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !nuspecDisabled);
         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !assemblyDisabled);
 

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.util.logging.Logger;
+
 import org.apache.commons.cli.CommandLine;
 import org.apache.commons.cli.CommandLineParser;
 import org.apache.commons.cli.HelpFormatter;
@@ -36,7 +37,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * A utility to parse command line arguments for the DependencyCheck.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class CliParser {
 
@@ -84,8 +85,8 @@ public final class CliParser {
     /**
      * Validates that the command line arguments are valid.
      *
-     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that
-     * does not exist.
+     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
+     * exist.
      * @throws ParseException is thrown if there is an exception parsing the command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
@@ -112,8 +113,8 @@ public final class CliParser {
     }
 
     /**
-     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing
-     * file a FileNotFoundException is thrown.
+     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
+     * FileNotFoundException is thrown.
      *
      * @param paths the paths to validate if they exists
      * @param optType the option being validated (e.g. scan, out, etc.)
@@ -140,7 +141,7 @@ public final class CliParser {
             throw new FileNotFoundException(msg);
         } else if (!path.contains("*") && !path.contains("?")) {
             File f = new File(path);
-            if ("o".equals(argumentName.substring(0, 1).toLowerCase()) && !"ALL".equals(this.getReportFormat().toUpperCase())) {
+            if ("o".equalsIgnoreCase(argumentName.substring(0, 1)) && !"ALL".equalsIgnoreCase(this.getReportFormat())) {
                 final String checkPath = path.toLowerCase();
                 if (checkPath.endsWith(".html") || checkPath.endsWith(".xml") || checkPath.endsWith(".htm")) {
                     if (f.getParentFile() == null) {
@@ -257,8 +258,8 @@ public final class CliParser {
     }
 
     /**
-     * Adds the advanced command line options to the given options collection. These are split out for purposes of being
-     * able to display two different help messages.
+     * Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
+     * display two different help messages.
      *
      * @param options a collection of command line arguments
      * @throws IllegalArgumentException thrown if there is an exception
@@ -266,6 +267,9 @@ public final class CliParser {
     @SuppressWarnings("static-access")
     private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
 
+        final Option updateOnly = OptionBuilder.withLongOpt(ARGUMENT.UPDATE_ONLY)
+                .withDescription("Only update the local NVD data cache; no scan will be executed.").create();
+
         final Option data = OptionBuilder.withArgName("path").hasArg().withLongOpt(ARGUMENT.DATA_DIRECTORY)
                 .withDescription("The location of the H2 Database file. This option should generally not be set.")
                 .create(ARGUMENT.DATA_DIRECTORY_SHORT);
@@ -319,12 +323,20 @@ public final class CliParser {
         final Option disableNuspecAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NUSPEC)
                 .withDescription("Disable the Nuspec Analyzer.")
                 .create();
+
         final Option disableAssemblyAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_ASSEMBLY)
                 .withDescription("Disable the .NET Assembly Analyzer.")
                 .create();
 
+        final Option disablePythonDistributionAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_DIST)
+                .withDescription("Disable the Python Distribution Analyzer.").create();
+
+        final Option disablePythonPackageAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_PY_PKG)
+                .withDescription("Disable the Python Package Analyzer.").create();
+
         final Option disableCentralAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_CENTRAL)
-                .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable the Nexus Analyzer.")
+                .withDescription("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
+                        + "the Nexus Analyzer.")
                 .create();
 
         final Option disableNexusAnalyzer = OptionBuilder.withLongOpt(ARGUMENT.DISABLE_NEXUS)
@@ -332,7 +344,8 @@ public final class CliParser {
                 .create();
 
         final Option nexusUrl = OptionBuilder.withArgName("url").hasArg().withLongOpt(ARGUMENT.NEXUS_URL)
-                .withDescription("The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled.")
+                .withDescription("The url to the Nexus Server's REST API Endpoint (http://domain/nexus/service/local). "
+                        + "If not set the Nexus Analyzer will be disabled.")
                 .create();
 
         final Option nexusUsesProxy = OptionBuilder.withArgName("true/false").hasArg().withLongOpt(ARGUMENT.NEXUS_USES_PROXY)
@@ -349,7 +362,8 @@ public final class CliParser {
                 .withDescription("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .create();
 
-        options.addOption(proxyPort)
+        options.addOption(updateOnly)
+                .addOption(proxyPort)
                 .addOption(proxyServer)
                 .addOption(proxyUsername)
                 .addOption(proxyPassword)
@@ -363,6 +377,8 @@ public final class CliParser {
                 .addOption(disableJarAnalyzer)
                 .addOption(disableArchiveAnalyzer)
                 .addOption(disableAssemblyAnalyzer)
+                .addOption(disablePythonDistributionAnalyzer)
+                .addOption(disablePythonPackageAnalyzer)
                 .addOption(disableNuspecAnalyzer)
                 .addOption(disableCentralAnalyzer)
                 .addOption(disableNexusAnalyzer)
@@ -373,8 +389,8 @@ public final class CliParser {
     }
 
     /**
-     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not
-     * including them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
+     * them in the help message. We need to add the deprecated options so as not to break existing scripts.
      *
      * @param options a collection of command line arguments
      * @throws IllegalArgumentException thrown if there is an exception
@@ -452,6 +468,24 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
     }
 
+    /**
+     * Returns true if the disablePyDist command line argument was specified.
+     *
+     * @return true if the disablePyDist command line argument was specified; otherwise false
+     */
+    public boolean isPythonDistributionDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_DIST);
+    }
+
+    /**
+     * Returns true if the disablePyPkg command line argument was specified.
+     *
+     * @return true if the disablePyPkg command line argument was specified; otherwise false
+     */
+    public boolean isPythonPackageDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG);
+    }
+
     /**
      * Returns true if the disableNexus command line argument was specified.
      *
@@ -484,8 +518,7 @@ public final class CliParser {
     }
 
     /**
-     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is
-     * returned.
+     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
      *
      * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
      */
@@ -687,15 +720,23 @@ public final class CliParser {
     }
 
     /**
-     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will
-     * return false.
+     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
      *
-     * @return if auto-update is allowed.
+     * @return <code>true</code> if auto-update is allowed; otherwise <code>false</code>
      */
     public boolean isAutoUpdate() {
         return (line == null) || !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
     }
 
+    /**
+     * Checks if the update only flag has been set.
+     *
+     * @return <code>true</code> if the update only flag has been set; otherwise <code>false</code>.
+     */
+    public boolean isUpdateOnly() {
+        return (line == null) || line.hasOption(ARGUMENT.UPDATE_ONLY);
+    }
+
     /**
      * Returns the database driver name if specified; otherwise null is returned.
      *
@@ -771,6 +812,10 @@ public final class CliParser {
          * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
          */
         public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
+        /**
+         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         */
+        public static final String UPDATE_ONLY = "updateonly";
         /**
          * The long CLI argument name specifying the directory to write the reports to.
          */
@@ -882,6 +927,14 @@ public final class CliParser {
          * Disables the Archive Analyzer.
          */
         public static final String DISABLE_ARCHIVE = "disableArchive";
+        /**
+         * Disables the Python Distribution Analyzer.
+         */
+        public static final String DISABLE_PY_DIST = "disablePyDist";
+        /**
+         * Disables the Python Package Analyzer.
+         */
+        public static final String DISABLE_PY_PKG = "disablePyPkg";
         /**
          * Disables the Assembly Analyzer.
          */

dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck;
 /**
  * Thrown if an invalid path is encountered.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 class InvalidScanPathException extends Exception {
 

dependency-check-cli/src/main/java/org/owasp/dependencycheck/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck</title>
- * </head>
- * <body>
  * Includes the main entry point for the DependencyChecker.
- * </body>
- * </html>
-*/
-
+ */
 package org.owasp.dependencycheck;

dependency-check-cli/src/site/markdown/arguments.md

@@ -19,26 +19,30 @@ Short  | Argument Name   | Parameter       | Description | Requir
 
 Advanced Options
 ================
-Short  | Argument Name        | Parameter | Description                                | Default Value
--------|-----------------------|-----------------|-----------------------------------------------------------------------------|---------------
-       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                             | false
+Short  | Argument Name        | Parameter | Description                                     | Default Value
+-------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
+ \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
+       | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
+       | \-\-disablePyDist     |                 | Sets whether the Python Distribution Analyzer will be used.                      | false
+       | \-\-disablePyPkg      |                 | Sets whether the Python Package Analyzer will be used.                           | false
+       | \-\-disableArchive    |                 | Sets whether the Archive Analyzer will be used.                                  | false
        | \-\-zipExtensions     | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
-       | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be used.                                     | false
-       | \-\-disableCentral    |                 | Sets whether the Central Analyzer will be used. If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
+       | \-\-disableJar        |                 | Sets whether the Jar Analyzer will be used.                                      | false
+       | \-\-disableCentral    |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
        | \-\-disableNexus      |                 | Sets whether the Nexus Analyzer will be used. Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
-       | \-\-nexus             | \<url\>         | The url to the Nexus Pro Server. If not set the Nexus Analyzer will be disabled. | &nbsp;
-       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.   | true
-       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.            | false
-       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.              | false
-       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.         | &nbsp;
-       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                         | &nbsp;
-       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                           | &nbsp;
-       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources. | &nbsp;
-       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources.                       | &nbsp;
-       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources.                       | &nbsp;
-       | \-\-connectionString  | \<connStr\>     | The connection string to the database.                                      | &nbsp;
-       | \-\-dbDriverName      | \<driver\>      | The database driver name.                                                   | &nbsp;
+       | \-\-nexus             | \<url\>         | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
+       | \-\-nexusUsesProxy    | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.        | true
+       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
+       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
+       | \-\-pathToMono        | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
+       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                              | &nbsp;
+       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
+       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;
+       | \-\-proxypass         | \<pass\>        | The proxy password to use when downloading resources.                            | &nbsp;
+       | \-\-proxyuser         | \<user\>        | The proxy username to use when downloading resources.                            | &nbsp;
+       | \-\-connectionString  | \<connStr\>     | The connection string to the database.                                           | &nbsp;
+       | \-\-dbDriverName      | \<driver\>      | The database driver name.                                                        | &nbsp;
        | \-\-dbDriverPath      | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
-       | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                | &nbsp;
-       | \-\-dbUser            | \<user\>        | The username used to connect to the database.                               | &nbsp;
+       | \-\-dbPassword        | \<password\>    | The password for connecting to the database.                                     | &nbsp;
+       | \-\-dbUser            | \<user\>        | The username used to connect to the database.                                    | &nbsp;
  \-d   | \-\-data              | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;

dependency-check-cli/src/site/markdown/index.md.vm

@@ -1,3 +1,10 @@
+About
+====================
+OWASP dependency-check-cli is an command line tool that uses dependency-check-core to detect
+publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool
+will generate a report listing the dependency, any identified Common Platform Enumeration (CPE)
+identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.
+
 Installation & Usage
 ====================
 Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).

dependency-check-cli/src/site/site.xml

@@ -18,17 +18,18 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 -->
 <project name="dependency-check-cli">
     <bannerLeft>
-        <name>dependency-check-cli</name>
+        <name>OWASP dependency-check-cli</name>
+        <alt>OWASP dependency-check-cli</alt>
+        <src>./images/dc-cli.svg</src>
     </bannerLeft>
     <body>
         <breadcrumbs>
             <item name="dependency-check" href="../index.html"/>
         </breadcrumbs>
         <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
             <item name="Configuration" href="arguments.html"/>
         </menu>
-        <menu ref="Project Documentation" />
         <menu ref="reports" />
     </body>
 </project>

dependency-check-cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class CliParserTest {
 

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.8</version>
+        <version>1.2.11</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -93,7 +93,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-dependency-plugin</artifactId>
-                <version>2.8</version>
                 <executions>
                     <execution>
                         <phase>generate-resources</phase>
@@ -110,7 +109,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-jar-plugin</artifactId>
-                <version>2.4</version>
                 <executions>
                     <execution>
                         <id>jar</id>
@@ -127,24 +125,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         </goals>
                     </execution>
                 </executions>
-                <configuration>
-                    <archive>
-                        <manifest>
-                            <addDefaultImplementationEntries>true</addDefaultImplementationEntries>
-                        </manifest>
-                    </archive>
-                    <excludes>
-                        <exclude>**/checkstyle*</exclude>
-                    </excludes>
-                </configuration>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>cobertura-maven-plugin</artifactId>
-                <version>2.6</version>
                 <configuration>
                     <instrumentation>
-                        <ignoreTrivial>true</ignoreTrivial>
+                        <!--ignoreTrivial>true</ignoreTrivial-->
                         <ignores>
                             <ignore>.*\$KEYS\.class</ignore>
                             <ignore>.*\$Element\.class</ignore>
@@ -192,7 +179,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
-                <version>2.16</version>
                 <configuration>
                     <systemProperties>
                         <property>
@@ -213,201 +199,164 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-failsafe-plugin</artifactId>
-                <version>2.16</version>
                 <configuration>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
                             <value>${project.build.directory}/data</value>
                         </property>
-                        <property>
-                            <name>temp.directory</name>
-                            <value>${project.build.directory}/temp</value>
-                        </property>
-
                     </systemProperties>
-                    <includes>
-                        <include>**/*IntegrationTest.java</include>
-                    </includes>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>integration-test</goal>
-                            <goal>verify</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.3</version>
-                <dependencies>
-                    <dependency>
-                        <groupId>org.apache.maven.doxia</groupId>
-                        <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.5</version>
-                    </dependency>
-                </dependencies>
-                <configuration>
-                    <skipDeploy>true</skipDeploy>
-                    <reportPlugins>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-project-info-reports-plugin</artifactId>
-                            <version>2.7</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>index</report>
-                                        <report>summary</report>
-                                        <report>license</report>
-                                        <report>help</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-javadoc-plugin</artifactId>
-                            <version>2.9.1</version>
-                            <configuration>
-                                <bottom>Copyright© 2012-14 Jeremy Long. All Rights Reserved.</bottom>
-                            </configuration>
-                            <reportSets>
-                                <reportSet>
-                                    <id>default</id>
-                                    <reports>
-                                        <report>javadoc</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>versions-maven-plugin</artifactId>
-                            <version>2.1</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>dependency-updates-report</report>
-                                        <report>plugin-updates-report</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-jxr-plugin</artifactId>
-                            <version>2.4</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>cobertura-maven-plugin</artifactId>
-                            <version>2.6</version>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-surefire-report-plugin</artifactId>
-                            <version>2.16</version>
-                            <reportSets>
-                                <reportSet>
-                                    <reports>
-                                        <report>report-only</report>
-                                    </reports>
-                                </reportSet>
-                                <reportSet>
-                                    <id>integration-tests</id>
-                                    <reports>
-                                        <report>report-only</report>
-                                        <report>failsafe-report-only</report>
-                                    </reports>
-                                </reportSet>
-                            </reportSets>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>taglist-maven-plugin</artifactId>
-                            <version>2.4</version>
-                            <configuration>
-                                <tagListOptions>
-                                    <tagClasses>
-                                        <tagClass>
-                                            <displayName>Todo Work</displayName>
-                                            <tags>
-                                                <tag>
-                                                    <matchString>todo</matchString>
-                                                    <matchType>ignoreCase</matchType>
-                                                </tag>
-                                                <tag>
-                                                    <matchString>FIXME</matchString>
-                                                    <matchType>exact</matchType>
-                                                </tag>
-                                            </tags>
-                                        </tagClass>
-                                    </tagClasses>
-                                </tagListOptions>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-checkstyle-plugin</artifactId>
-                            <version>2.11</version>
-                            <configuration>
-                                <enableRulesSummary>false</enableRulesSummary>
-                                <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                                <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                                <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                                <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.apache.maven.plugins</groupId>
-                            <artifactId>maven-pmd-plugin</artifactId>
-                            <version>3.1</version>
-                            <configuration>
-                                <targetJdk>1.6</targetJdk>
-                                <linkXref>true</linkXref>
-                                <sourceEncoding>utf-8</sourceEncoding>
-                                <excludes>
-                                    <exclude>**/generated/*.java</exclude>
-                                </excludes>
-                                <rulesets>
-                                    <ruleset>../src/main/config/dcrules.xml</ruleset>
-                                    <ruleset>/rulesets/java/basic.xml</ruleset>
-                                    <ruleset>/rulesets/java/imports.xml</ruleset>
-                                    <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                                </rulesets>
-                            </configuration>
-                        </plugin>
-                        <plugin>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>findbugs-maven-plugin</artifactId>
-                            <version>2.5.3</version>
-                        </plugin>
-                        <dependency>
-                            <groupId>org.codehaus.mojo</groupId>
-                            <artifactId>javancss-maven-plugin</artifactId>
-                            <version>2.0</version>
-                        </dependency>
-                    </reportPlugins>
                 </configuration>
             </plugin>
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-compiler-plugin</artifactId>
-                <version>3.1</version>
                 <configuration>
-                    <showDeprecation>false</showDeprecation>
                     <compilerArgument>-Xlint:unchecked</compilerArgument>
-                    <source>1.6</source>
-                    <target>1.6</target>
                 </configuration>
             </plugin>
         </plugins>
     </build>
+    <reporting>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-project-info-reports-plugin</artifactId>
+                <version>2.7</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>summary</report>
+                            <report>license</report>
+                            <report>help</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-javadoc-plugin</artifactId>
+                <version>2.9.1</version>
+                <configuration>
+                    <failOnError>false</failOnError>
+                    <bottom>Copyright© 2012-15 Jeremy Long. All Rights Reserved.</bottom>
+                </configuration>
+                <reportSets>
+                    <reportSet>
+                        <id>default</id>
+                        <reports>
+                            <report>javadoc</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>versions-maven-plugin</artifactId>
+                <version>2.1</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>dependency-updates-report</report>
+                            <report>plugin-updates-report</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-jxr-plugin</artifactId>
+                <version>2.4</version>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>cobertura-maven-plugin</artifactId>
+                <version>2.6</version>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-surefire-report-plugin</artifactId>
+                <version>2.16</version>
+                <reportSets>
+                    <reportSet>
+                        <reports>
+                            <report>report-only</report>
+                        </reports>
+                    </reportSet>
+                    <reportSet>
+                        <id>integration-tests</id>
+                        <reports>
+                            <report>report-only</report>
+                            <report>failsafe-report-only</report>
+                        </reports>
+                    </reportSet>
+                </reportSets>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>taglist-maven-plugin</artifactId>
+                <version>2.4</version>
+                <configuration>
+                    <tagListOptions>
+                        <tagClasses>
+                            <tagClass>
+                                <displayName>Todo Work</displayName>
+                                <tags>
+                                    <tag>
+                                        <matchString>todo</matchString>
+                                        <matchType>ignoreCase</matchType>
+                                    </tag>
+                                    <tag>
+                                        <matchString>FIXME</matchString>
+                                        <matchType>exact</matchType>
+                                    </tag>
+                                </tags>
+                            </tagClass>
+                        </tagClasses>
+                    </tagListOptions>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-checkstyle-plugin</artifactId>
+                <version>2.11</version>
+                <configuration>
+                    <enableRulesSummary>false</enableRulesSummary>
+                    <enableFilesSummary>false</enableFilesSummary>
+                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
+                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
+                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
+                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-pmd-plugin</artifactId>
+                <version>3.1</version>
+                <configuration>
+                    <targetJdk>1.6</targetJdk>
+                    <linkXref>true</linkXref>
+                    <sourceEncoding>utf-8</sourceEncoding>
+                    <excludes>
+                        <exclude>**/generated/*.java</exclude>
+                    </excludes>
+                    <rulesets>
+                        <ruleset>../src/main/config/dcrules.xml</ruleset>
+                        <ruleset>/rulesets/java/basic.xml</ruleset>
+                        <ruleset>/rulesets/java/imports.xml</ruleset>
+                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
+                    </rulesets>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.codehaus.mojo</groupId>
+                <artifactId>findbugs-maven-plugin</artifactId>
+                <version>2.5.3</version>
+            </plugin>
+        </plugins>
+    </reporting>
     <dependencies>
+        <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
         <dependency>
             <groupId>org.owasp</groupId>
             <artifactId>dependency-check-utils</artifactId>
@@ -416,30 +365,24 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-test-framework</artifactId>
-            <version>4.3.1</version>
+            <version>${apache.lucene.version}</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>
-            <version>1.12</version>
             <scope>test</scope>
         </dependency>
         <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>annotations</artifactId>
-            <version>2.0.1</version>
+            <version>3.0.0</version>
             <optional>true</optional>
         </dependency>
-        <dependency>
-            <groupId>commons-cli</groupId>
-            <artifactId>commons-cli</artifactId>
-            <version>1.2</version>
-        </dependency>
         <dependency>
             <groupId>org.apache.commons</groupId>
             <artifactId>commons-compress</artifactId>
-            <version>1.8.1</version>
+            <version>1.9</version>
         </dependency>
         <dependency>
             <groupId>commons-io</groupId>
@@ -449,22 +392,22 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>commons-lang</groupId>
             <artifactId>commons-lang</artifactId>
-            <version>2.5</version>
+            <version>2.6</version>
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-core</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-analyzers-common</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.lucene</groupId>
             <artifactId>lucene-queryparser</artifactId>
-            <version>4.5.1</version>
+            <version>${apache.lucene.version}</version>
         </dependency>
         <dependency>
             <groupId>org.apache.velocity</groupId>
@@ -474,7 +417,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
         <dependency>
             <groupId>com.h2database</groupId>
             <artifactId>h2</artifactId>
-            <version>1.3.172</version>
+            <version>1.3.176</version>
         </dependency>
         <dependency>
             <groupId>org.jsoup</groupId>
@@ -591,6 +534,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>provided</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>uk.ltd.getahead</groupId>
+            <artifactId>dwr</artifactId>
+            <version>1.1.1</version>
+            <scope>provided</scope>
+            <optional>true</optional>
+        </dependency>
+        <dependency>
+            <groupId>com.sun.mail</groupId>
+            <artifactId>mailapi</artifactId>
+            <version>1.5.2</version>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>
@@ -606,7 +561,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-surefire-plugin</artifactId>
-                        <version>2.16</version>
+                        <version>2.18.1</version>
                         <configuration>
                             <skip>true</skip>
                         </configuration>
@@ -614,7 +569,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
-                        <version>2.16</version>
+                        <version>2.18.1</version>
                         <configuration>
                             <systemProperties>
                                 <property>
@@ -728,8 +683,92 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <scope>provided</scope>
                     <optional>true</optional>
                 </dependency>
+                <dependency>
+                    <groupId>com.google.inject</groupId>
+                    <artifactId>guice</artifactId>
+                    <version>3.0</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.opensaml</groupId>
+                    <artifactId>xmltooling</artifactId>
+                    <version>1.4.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>org.springframework</groupId>
+                    <artifactId>spring-webmvc</artifactId>
+                    <version>3.2.12.RELEASE</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.google.code.gson</groupId>
+                    <artifactId>gson</artifactId>
+                    <version>2.3.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.google.gerrit</groupId>
+                    <artifactId>gerrit-extension-api</artifactId>
+                    <version>2.11</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.google.apis</groupId>
+                    <artifactId>google-api-services-sqladmin</artifactId>
+                    <version>v1beta4-rev5-1.20.0</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.google.gwt.google-apis</groupId>
+                    <artifactId>gwt-gears</artifactId>
+                    <version>1.2.1</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
 
+                <dependency>
+                    <groupId>org.mozilla</groupId>
+                    <artifactId>rhino</artifactId>
+                    <version>1.7.6</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+
+
+                <dependency>
+                    <groupId>com.microsoft.windowsazure</groupId>
+                    <artifactId>microsoft-azure-api-media</artifactId>
+                    <version>0.5.0</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.microsoft.windowsazure</groupId>
+                    <artifactId>microsoft-azure-api-management-sql</artifactId>
+                    <version>0.5.0</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
+                <dependency>
+                    <groupId>com.microsoft.bingads</groupId>
+                    <artifactId>microsoft.bingads</artifactId>
+                    <version>9.3.4</version>
+                    <scope>provided</scope>
+                    <optional>true</optional>
+                </dependency>
             </dependencies>
         </profile>
     </profiles>
+    <properties>
+        <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
+        this, we cannot upgrade beyond 4.7.2 -->
+        <apache.lucene.version>4.7.2</apache.lucene.version>
+    </properties>
 </project>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -44,11 +44,10 @@ import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the
- * scan, if a file is encountered and an Analyzer is associated with the file type then the file is turned into a
- * dependency.
+ * Scans files, directories, etc. for Dependencies. Analyzers are loaded and used to process the files found by the scan, if a
+ * file is encountered and an Analyzer is associated with the file type then the file is turned into a dependency.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class Engine {
 
@@ -116,7 +115,7 @@ public class Engine {
      * Loads the analyzers specified in the configuration file (or system properties).
      */
     private void loadAnalyzers() {
-        if (analyzers.size() > 0) {
+        if (!analyzers.isEmpty()) {
             return;
         }
         for (AnalysisPhase phase : AnalysisPhase.values()) {
@@ -163,8 +162,8 @@ public class Engine {
     }
 
     /**
-     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
-     * dependencies identified are added to the dependency collection.
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
      *
      * @param paths an array of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
@@ -184,8 +183,8 @@ public class Engine {
     }
 
     /**
-     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies identified
+     * are added to the dependency collection.
      *
      * @param path the path to a file or directory to be analyzed
      * @return the list of dependencies scanned
@@ -196,8 +195,8 @@ public class Engine {
     }
 
     /**
-     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any
-     * dependencies identified are added to the dependency collection.
+     * Scans an array of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
      *
      * @param files an array of paths to files or directories to be analyzed.
      * @return the list of dependencies
@@ -216,8 +215,8 @@ public class Engine {
     }
 
     /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
-     * dependencies identified are added to the dependency collection.
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
      *
      * @param files a set of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
@@ -236,8 +235,8 @@ public class Engine {
     }
 
     /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any
-     * dependencies identified are added to the dependency collection.
+     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * identified are added to the dependency collection.
      *
      * @param files a set of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
@@ -256,8 +255,8 @@ public class Engine {
     }
 
     /**
-     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
+     * Scans a given file or directory. If a directory is specified, it will be scanned recursively. Any dependencies identified
+     * are added to the dependency collection.
      *
      * @param file the path to a file or directory to be analyzed
      * @return the list of dependencies scanned
@@ -319,16 +318,17 @@ public class Engine {
             return null;
         }
         final String fileName = file.getName();
-        final String extension = FileUtils.getFileExtension(fileName);
+        String extension = FileUtils.getFileExtension(fileName);
+        if (null == extension) {
+            extension = fileName;
+        }
         Dependency dependency = null;
-        if (extension != null) {
-            if (supportsExtension(extension)) {
-                dependency = new Dependency(file);
-                dependencies.add(dependency);
+        if (supportsExtension(extension)) {
+            dependency = new Dependency(file);
+            if (extension == null ? fileName == null : extension.equals(fileName)) {
+                dependency.setFileExtension(extension);
             }
-        } else {
-            final String msg = String.format("No file extension found on file '%s'. The file was not analyzed.", file.toString());
-            LOGGER.log(Level.FINE, msg);
+            dependencies.add(dependency);
         }
         return dependency;
     }
@@ -468,7 +468,7 @@ public class Engine {
     /**
      * Cycles through the cached web data sources and calls update on all of them.
      */
-    private void doUpdates() {
+    public void doUpdates() {
         LOGGER.info("Checking for updates");
         final UpdateService service = new UpdateService(serviceClassLoader);
         final Iterator<CachedWebDataSource> iterator = service.getDataSources();

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -34,10 +34,10 @@ import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting
- * evidence from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it
- * takes a list of dependencies that can be programmatically added from data in a spreadsheet, database or some other
- * datasource and conduct a scan based on this pre-defined evidence.
+ * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting evidence
+ * from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it takes a list of
+ * dependencies that can be programmatically added from data in a spreadsheet, database or some other datasource and conduct a
+ * scan based on this pre-defined evidence.
  *
  * <h2>Example:</h2>
  * <pre>
@@ -161,9 +161,9 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11
-     * which means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11.
-     * The valid range for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
+     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
+     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
+     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
      */
     private float failBuildOnCVSS = 11;
 
@@ -186,8 +186,8 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to
-     * false. Default is true.
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
+     * is true.
      */
     private boolean autoUpdate = true;
 
@@ -210,8 +210,31 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this
-     * within the Site plugin unless the externalReport is set to true. Default is HTML.
+     * flag indicating whether or not to generate a report of findings.
+     */
+    private boolean generateReport = true;
+
+    /**
+     * Get the value of generateReport.
+     *
+     * @return the value of generateReport
+     */
+    public boolean isGenerateReport() {
+        return generateReport;
+    }
+
+    /**
+     * Set the value of generateReport.
+     *
+     * @param generateReport new value of generateReport
+     */
+    public void setGenerateReport(boolean generateReport) {
+        this.generateReport = generateReport;
+    }
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
+     * Site plugin unless the externalReport is set to true. Default is HTML.
      */
     private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
 
@@ -671,8 +694,8 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat
-     * like ZIP files.
+     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
+     * files.
      */
     private String zipExtensions;
 
@@ -813,8 +836,7 @@ public class DependencyCheckScanAgent {
      * Executes the Dependency-Check on the dependent libraries.
      *
      * @return the Engine used to scan the dependencies.
-     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the
-     * database
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the database
      */
     private Engine executeDependencyCheck() throws DatabaseException {
         populateSettings();
@@ -860,8 +882,8 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system
-     * properties required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
+     * required to change the proxy server, port, and connection timeout.
      */
     private void populateSettings() {
         Settings.initialize();
@@ -942,14 +964,16 @@ public class DependencyCheckScanAgent {
     /**
      * Executes the dependency-check and generates the report.
      *
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
-     * scan.
+     * @return a reference to the engine used to perform the scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
      */
-    public void execute() throws ScanAgentException {
+    public Engine execute() throws ScanAgentException {
         Engine engine = null;
         try {
             engine = executeDependencyCheck();
-            generateExternalReports(engine, new File(this.reportOutputDirectory));
+            if (this.generateReport) {
+                generateExternalReports(engine, new File(this.reportOutputDirectory));
+            }
             if (this.showSummary) {
                 showSummary(engine.getDependencies());
             }
@@ -966,6 +990,7 @@ public class DependencyCheckScanAgent {
                 engine.cleanup();
             }
         }
+        return engine;
     }
 
     /**
@@ -973,8 +998,7 @@ public class DependencyCheckScanAgent {
      * configuration.
      *
      * @param dependencies the list of dependency objects
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the
-     * scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
      */
     private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
         final StringBuilder ids = new StringBuilder();

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/package-info.java

@@ -1,13 +1,6 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.agent</title>
- * </head>
- * <body>
- * The agent package holds an agent API that can be used by other applications that have information about dependencies;
- * but would rather implement something in their code directly rather then spawn a process to run the entire
- * dependency-check engine. This basically provides programmatic access to running a scan.
- * </body>
- * </html>
+ * The agent package holds an agent API that can be used by other applications that have information about dependencies; but would
+ * rather implement something in their code directly rather then spawn a process to run the entire dependency-check engine. This
+ * basically provides programmatic access to running a scan.
  */
 package org.owasp.dependencycheck.agent;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public abstract class AbstractAnalyzer implements Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -31,7 +31,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The base FileTypeAnalyzer that all analyzers that have specific file types they analyze should extend.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * Abstract base suppression analyzer that contains methods for parsing the suppression xml file.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An enumeration defining the phases of analysis.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public enum AnalysisPhase {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -25,7 +25,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
  * An interface that defines an Analyzer that is used to identify Dependencies. An analyzer will collect information
  * about the dependency in the form of Evidence.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public interface Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -24,7 +24,7 @@ import java.util.ServiceLoader;
  * The Analyzer Service Loader. This class loads all services that implement
  * org.owasp.dependencycheck.analyzer.Analyzer.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class AnalyzerService {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -54,7 +54,7 @@ import org.owasp.dependencycheck.utils.Settings;
  * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added
  * to the dependency list.</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -110,7 +110,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
-            final HashSet<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
+            final Set<String> ext = new HashSet<String>(Arrays.asList(additionalZipExt));
             ZIPPABLES.addAll(ext);
         }
         EXTENSIONS.addAll(ZIPPABLES);
@@ -382,7 +382,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                             fos = new FileOutputStream(file);
                             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
                             int count;
-                            final byte data[] = new byte[BUFFER_SIZE];
+                            final byte[] data = new byte[BUFFER_SIZE];
                             while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                                 bos.write(data, 0, count);
                             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -51,10 +51,10 @@ import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 
 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE.
- * It uses the evidence contained within the dependency to search the Lucene index.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
+ * the evidence contained within the dependency to search the Lucene index.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class CPEAnalyzer implements Analyzer {
 
@@ -130,8 +130,8 @@ public class CPEAnalyzer implements Analyzer {
      * Opens the data source.
      *
      * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
-     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use
-     * by another process.
+     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
+     * process.
      */
     public void open() throws IOException, DatabaseException {
         LOGGER.log(Level.FINE, "Opening the CVE Database");
@@ -160,9 +160,13 @@ public class CPEAnalyzer implements Analyzer {
         }
     }
 
+    public boolean isOpen() {
+        return cpe != null && cpe.isOpen();
+    }
+
     /**
-     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence
-     * contained within. The dependency passed in is updated with any identified CPE values.
+     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
+     * within. The dependency passed in is updated with any identified CPE values.
      *
      * @param dependency the dependency to search for CPE entries on.
      * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -176,15 +180,12 @@ public class CPEAnalyzer implements Analyzer {
         for (Confidence confidence : Confidence.values()) {
             if (dependency.getVendorEvidence().contains(confidence)) {
                 vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+                LOGGER.fine(String.format("vendor search: %s", vendors));
             }
             if (dependency.getProductEvidence().contains(confidence)) {
                 products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+                LOGGER.fine(String.format("product search: %s", products));
             }
-            /* bug fix for #40 - version evidence is not showing up as "used" in the reports if there is no
-             * CPE identified. As such, we are "using" the evidence and ignoring the results. */
-//            if (dependency.getVersionEvidence().contains(confidence)) {
-//                addEvidenceWithoutDuplicateTerms("", dependency.getVersionEvidence(), confidence);
-//            }
             if (!vendors.isEmpty() && !products.isEmpty()) {
                 final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
                         dependency.getVendorEvidence().getWeighting());
@@ -193,9 +194,11 @@ public class CPEAnalyzer implements Analyzer {
                 }
                 boolean identifierAdded = false;
                 for (IndexEntry e : entries) {
+                    LOGGER.fine(String.format("Verifying entry: %s", e.toString()));
                     if (verifyEntry(e, dependency)) {
                         final String vendor = e.getVendor();
                         final String product = e.getProduct();
+                        LOGGER.fine(String.format("identified vendor/product: %s/%s", vendor, product));
                         identifierAdded |= determineIdentifiers(dependency, vendor, product, confidence);
                     }
                 }
@@ -207,9 +210,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a
-     * specific confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence
-     * is longer then 200 characters it will be truncated.
+     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
+     * confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
+     * characters it will be truncated.
      *
      * @param text the base text.
      * @param ec an EvidenceCollection
@@ -244,8 +247,8 @@ public class CPEAnalyzer implements Analyzer {
      * version.</p>
      *
      * <p>
-     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting
-     * factors to the search.</p>
+     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
+     * the search.</p>
      *
      * @param vendor the text used to search the vendor field
      * @param product the text used to search the product field
@@ -256,7 +259,7 @@ public class CPEAnalyzer implements Analyzer {
     protected List<IndexEntry> searchCPE(String vendor, String product,
             Set<String> vendorWeightings, Set<String> productWeightings) {
 
-        final ArrayList<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
 
         final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
         if (searchString == null) {
@@ -270,13 +273,6 @@ public class CPEAnalyzer implements Analyzer {
                     final IndexEntry entry = new IndexEntry();
                     entry.setVendor(doc.get(Fields.VENDOR));
                     entry.setProduct(doc.get(Fields.PRODUCT));
-//                if (d.score < 0.08) {
-//                    System.out.print(entry.getVendor());
-//                    System.out.print(":");
-//                    System.out.print(entry.getProduct());
-//                    System.out.print(":");
-//                    System.out.println(d.score);
-//                }
                     entry.setSearchScore(d.score);
                     if (!ret.contains(entry)) {
                         ret.add(entry);
@@ -301,8 +297,8 @@ public class CPEAnalyzer implements Analyzer {
      * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
      *
      * <p>
-     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting
-     * factors to the search string generated.</p>
+     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
+     * the search string generated.</p>
      *
      * @param vendor text to search the vendor field
      * @param product text to search the product field
@@ -328,9 +324,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the
-     * word is within the list of weighted words then an additional weighting is applied to the term as it is appended
-     * into the query.
+     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
+     * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
      *
      * @param sb a StringBuilder that the query text will be appended to.
      * @param field the field within the Lucene index that the query is searching.
@@ -401,8 +396,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version
-     * information for the CPE are contained within the dependencies evidence.
+     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
+     * for the CPE are contained within the dependencies evidence.
      *
      * @param entry a CPE entry.
      * @param dependency the dependency that the CPE entries could be for.
@@ -427,17 +422,6 @@ public class CPEAnalyzer implements Analyzer {
      * @return whether or not the EvidenceCollection contains the string
      */
     private boolean collectionContainsString(EvidenceCollection ec, String text) {
-
-        //<editor-fold defaultstate="collapsed" desc="This code fold contains an old version of the code, delete once more testing is done">
-        //        String[] splitText = text.split("[\\s_-]");
-        //
-        //        for (String search : splitText) {
-        //            //final String search = text.replaceAll("[\\s_-]", "").toLowerCase();
-        //            if (ec.containsUsedString(search)) {
-        //                return true;
-        //            }
-        //        }
-        //</editor-fold>
         //TODO - likely need to change the split... not sure if this will work for CPE with special chars
         if (text == null) {
             return false;
@@ -459,9 +443,16 @@ public class CPEAnalyzer implements Analyzer {
                 list.add(word);
             }
         }
-        if (tempWord != null && !list.isEmpty()) {
-            final String tmp = list.get(list.size() - 1) + tempWord;
-            list.add(tmp);
+        if (tempWord != null) {
+            if (!list.isEmpty()) {
+                final String tmp = list.get(list.size() - 1) + tempWord;
+                list.add(tmp);
+            } else {
+                list.add(tempWord);
+            }
+        }
+        if (list.isEmpty()) {
+            return false;
         }
         boolean contains = true;
         for (String word : list) {
@@ -491,9 +482,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then
-     * validated to find only CPEs that are valid for the given dependency. It is possible that the CPE identified is a
-     * best effort "guess" based on the vendor, product, and version information.
+     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
+     * only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
+     * the vendor, product, and version information.
      *
      * @param dependency the Dependency being analyzed
      * @param vendor the vendor for the CPE being analyzed
@@ -601,8 +592,8 @@ public class CPEAnalyzer implements Analyzer {
          */
         BEST_GUESS,
         /**
-         * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS
-         * that only specifies vendor/product.
+         * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
+         * specifies vendor/product.
          */
         BROAD_MATCH
     }
@@ -750,8 +741,7 @@ public class CPEAnalyzer implements Analyzer {
         //</editor-fold>
 
         /**
-         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the
-         * identifier.
+         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
          *
          * @param o the IdentifierMatch to compare to
          * @return the natural ordering of IdentifierMatch

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
@@ -24,18 +25,23 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.xml.pom.PomUtils;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
- * SHA-1 digest.
+ * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
+ * digest.
  *
  * @author colezlaw
  */
@@ -62,8 +68,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
 
     /**
-     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
-     * occurred.
+     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
      */
     private boolean errorFlag = false;
 
@@ -71,7 +76,6 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
      * The searcher itself.
      */
     private CentralSearch searcher;
-
     /**
      * Field indicating if the analyzer is enabled.
      */
@@ -188,6 +192,39 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
             for (MavenArtifact ma : mas) {
                 LOGGER.fine(String.format("Central analyzer found artifact (%s) for dependency (%s)", ma.toString(), dependency.getFileName()));
                 dependency.addAsEvidence("central", ma, confidence);
+                boolean pomAnalyzed = false;
+                for (Evidence e : dependency.getVendorEvidence()) {
+                    if ("pom".equals(e.getSource())) {
+                        pomAnalyzed = true;
+                        break;
+                    }
+                }
+                if (!pomAnalyzed && ma.getPomUrl() != null) {
+                    File pomFile = null;
+                    try {
+                        final File baseDir = Settings.getTempDirectory();
+                        pomFile = File.createTempFile("pom", ".xml", baseDir);
+                        if (!pomFile.delete()) {
+                            final String msg = String.format("Unable to fetch pom.xml for %s from Central; "
+                                    + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                            LOGGER.warning(msg);
+                            LOGGER.fine("Unable to delete temp file");
+                        }
+                        LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
+                        Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
+                        PomUtils.analyzePOM(dependency, pomFile);
+
+                    } catch (DownloadFailedException ex) {
+                        final String msg = String.format("Unable to download pom.xml for %s from Central; "
+                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                        LOGGER.warning(msg);
+                    } finally {
+                        if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                            pomFile.deleteOnExit();
+                        }
+                    }
+                }
+
             }
         } catch (IllegalArgumentException iae) {
             LOGGER.info(String.format("invalid sha1-hash on %s", dependency.getFileName()));
@@ -198,4 +235,5 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
             errorFlag = true;
         }
     }
+
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -26,7 +26,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
  * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
  * Any identified CPE entries within the dependencies that match will be removed.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -36,13 +36,13 @@ import org.owasp.dependencycheck.utils.LogUtils;
 
 /**
  * <p>
- * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are
- * grouped. An example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the
- * same relative path then these should be grouped into a single dependency under the core/main library.</p>
+ * This analyzer ensures dependencies that should be grouped together, to remove excess noise from the report, are grouped. An
+ * example would be Spring, Spring Beans, Spring MVC, etc. If they are all for the same version and have the same relative path
+ * then these should be grouped into a single dependency under the core/main library.</p>
  * <p>
  * Note, this grouping only works on dependencies with identified CVE entries</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Analyzer {
 
@@ -91,8 +91,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     //</editor-fold>
 
     /**
-     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of
-     * identifiers they are likely related. The related dependencies are bundled into a single reportable item.
+     * Analyzes a set of dependencies. If they have been found to have the same base path and the same set of identifiers they are
+     * likely related. The related dependencies are bundled into a single reportable item.
      *
      * @param ignore this analyzer ignores the dependency being analyzed
      * @param engine the engine that is scanning the dependencies
@@ -130,7 +130,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
                         } else if (cpeIdentifiersMatch(dependency, nextDependency)
                                 && hasSameBasePath(dependency, nextDependency)
                                 && fileNameMatch(dependency, nextDependency)) {
-
                             if (isCore(dependency, nextDependency)) {
                                 mergeDependencies(dependency, nextDependency, dependenciesToRemove);
                             } else {
@@ -151,10 +150,10 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
      * Adds the relatedDependency to the dependency's related dependencies.
      *
      * @param dependency the main dependency
-     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the
-     * source of dependencies to remove
-     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this
-     * function adds to this collection
+     * @param relatedDependency a collection of dependencies to be removed from the main analysis loop, this is the source of
+     * dependencies to remove
+     * @param dependenciesToRemove a collection of dependencies that will be removed from the main analysis loop, this function
+     * adds to this collection
      */
     private void mergeDependencies(final Dependency dependency, final Dependency relatedDependency, final Set<Dependency> dependenciesToRemove) {
         dependency.addRelatedDependency(relatedDependency);
@@ -163,12 +162,14 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
             dependency.addRelatedDependency(i.next());
             i.remove();
         }
+        if (dependency.getSha1sum().equals(relatedDependency.getSha1sum())) {
+            dependency.addAllProjectReferences(relatedDependency.getProjectReferences());
+        }
         dependenciesToRemove.add(relatedDependency);
     }
 
     /**
-     * Attempts to trim a maven repo to a common base path. This is typically
-     * [drive]\[repo_location]\repository\[path1]\[path2].
+     * Attempts to trim a maven repo to a common base path. This is typically [drive]\[repo_location]\repository\[path1]\[path2].
      *
      * @param path the path to trim
      * @return a string representing the base path.
@@ -207,21 +208,6 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         final String fileName1 = dependency1.getActualFile().getName();
         final String fileName2 = dependency2.getActualFile().getName();
 
-//        //REMOVED because this is attempting to duplicate what is in the hasSameBasePath function.
-//        final File one = new File(fileName1);
-//        final File two = new File(fileName2);
-//        final String oneParent = one.getParent();
-//        final String twoParent = two.getParent();
-//        if (oneParent != null) {
-//            if (oneParent.equals(twoParent)) {
-//                fileName1 = one.getName();
-//                fileName2 = two.getName();
-//            } else {
-//                return false;
-//            }
-//        } else if (twoParent != null) {
-//            return false;
-//        }
         //version check
         final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
         final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
@@ -321,8 +307,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison
-     * to the 'right' library.
+     * This is likely a very broken attempt at determining if the 'left' dependency is the 'core' library in comparison to the
+     * 'right' library.
      *
      * @param left the dependency to test
      * @param right the dependency to test against
@@ -379,13 +365,12 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml
-     * dependency should be removed.
+     * Determines if the jar is shaded and the created pom.xml identified the same CPE as the jar - if so, the pom.xml dependency
+     * should be removed.
      *
      * @param dependency a dependency to check
      * @param nextDependency another dependency to check
-     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match;
-     * otherwise false
+     * @return true if on of the dependencies is a pom.xml and the identifiers between the two collections match; otherwise false
      */
     private boolean isShadedJar(Dependency dependency, Dependency nextDependency) {
         final String mainName = dependency.getFileName().toLowerCase();
@@ -399,8 +384,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
     }
 
     /**
-     * Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to
-     * determine if the first path is smaller.
+     * Determines which path is shortest; if path lengths are equal then we use compareTo of the string method to determine if the
+     * first path is smaller.
      *
      * @param left the first path to compare
      * @param right the second path to compare

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 /**
  * This analyzer attempts to remove some well known false positives - specifically regarding the java runtime.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class FalsePositiveAnalyzer extends AbstractAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -29,7 +29,7 @@ import org.owasp.dependencycheck.utils.DependencyVersionUtil;
  *
  * Takes a dependency and analyzes the filename and determines the hashes.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileTypeAnalyzer.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer;
 /**
  * An Analyzer that scans specific file types.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public interface FileTypeAnalyzer extends Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/HintAnalyzer.java

@@ -19,6 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.List;
 import java.util.Set;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -28,7 +29,7 @@ import org.owasp.dependencycheck.dependency.Evidence;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
 
@@ -64,8 +65,8 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
     //</editor-fold>
 
     /**
-     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of
-     * identifiers or vulnerabilities.
+     * The HintAnalyzer uses knowledge about a dependency to add additional information to help in identification of identifiers
+     * or vulnerabilities.
      *
      * @param dependency The dependency being analyzed
      * @param engine The scanning engine
@@ -84,24 +85,39 @@ public class HintAnalyzer extends AbstractAnalyzer implements Analyzer {
                 Confidence.HIGH);
 
         final Evidence springTest3 = new Evidence("Manifest",
+                "Implementation-Title",
+                "spring-core",
+                Confidence.HIGH);
+
+        final Evidence springTest4 = new Evidence("Manifest",
                 "Bundle-Vendor",
                 "SpringSource",
                 Confidence.HIGH);
 
-        Set<Evidence> evidence = dependency.getProductEvidence().getEvidence();
-        if (evidence.contains(springTest1) || evidence.contains(springTest2)) {
-            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
+        final Evidence springTest5 = new Evidence("jar",
+                "package name",
+                "springframework",
+                Confidence.LOW);
+
+        //springsource/vware problem
+        final Set<Evidence> product = dependency.getProductEvidence().getEvidence();
+        final Set<Evidence> vendor = dependency.getVendorEvidence().getEvidence();
+
+        if (product.contains(springTest1) || product.contains(springTest2) || product.contains(springTest3)
+                || (dependency.getFileName().contains("spring") && (product.contains(springTest5) || vendor.contains(springTest5)))) {
+            dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource spring framework", Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "SpringSource", Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
 
-        evidence = dependency.getVendorEvidence().getEvidence();
-        if (evidence.contains(springTest3)) {
+        if (vendor.contains(springTest4)) {
             dependency.getProductEvidence().addEvidence("hint analyzer", "product", "springsource_spring_framework", Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("hint analyzer", "vendor", "vmware", Confidence.HIGH);
         }
+
+        //sun/oracle problem
         final Iterator<Evidence> itr = dependency.getVendorEvidence().iterator();
-        final ArrayList<Evidence> newEntries = new ArrayList<Evidence>();
+        final List<Evidence> newEntries = new ArrayList<Evidence>();
         while (itr.hasNext()) {
             final Evidence e = itr.next();
             if ("sun".equalsIgnoreCase(e.getValue(false))) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -19,15 +19,12 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.io.BufferedOutputStream;
 import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.io.OutputStream;
 import java.io.Reader;
-import java.io.UnsupportedEncodingException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
@@ -46,36 +43,22 @@ import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
-import javax.xml.bind.JAXBContext;
-import javax.xml.bind.JAXBElement;
-import javax.xml.bind.JAXBException;
-import javax.xml.bind.Unmarshaller;
-import javax.xml.parsers.ParserConfigurationException;
-import javax.xml.parsers.SAXParser;
-import javax.xml.parsers.SAXParserFactory;
-import javax.xml.transform.sax.SAXSource;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.EvidenceCollection;
-import org.owasp.dependencycheck.jaxb.pom.MavenNamespaceFilter;
-import org.owasp.dependencycheck.jaxb.pom.generated.License;
-import org.owasp.dependencycheck.jaxb.pom.generated.Model;
-import org.owasp.dependencycheck.jaxb.pom.generated.Organization;
+import org.owasp.dependencycheck.xml.pom.License;
+import org.owasp.dependencycheck.xml.pom.PomUtils;
+import org.owasp.dependencycheck.xml.pom.Model;
 import org.owasp.dependencycheck.utils.FileUtils;
-import org.owasp.dependencycheck.utils.NonClosingStream;
 import org.owasp.dependencycheck.utils.Settings;
-import org.xml.sax.InputSource;
-import org.xml.sax.SAXException;
-import org.xml.sax.XMLFilter;
-import org.xml.sax.XMLReader;
 
 /**
  * Used to load a JAR file and collect information that can be used to determine the associated CPE.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -158,24 +141,12 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * A pattern to detect HTML within text.
      */
     private static final Pattern HTML_DETECTION_PATTERN = Pattern.compile("\\<[a-z]+.*/?\\>", Pattern.CASE_INSENSITIVE);
-    /**
-     * The unmarshaller used to parse the pom.xml from a JAR file.
-     */
-    private Unmarshaller pomUnmarshaller;
-    //</editor-fold>
 
+    //</editor-fold>
     /**
      * Constructs a new JarAnalyzer.
      */
     public JarAnalyzer() {
-        try {
-            //final JAXBContext jaxbContext = JAXBContext.newInstance("org.owasp.dependencycheck.jaxb.pom.generated");
-            final JAXBContext jaxbContext = JAXBContext.newInstance(Model.class);
-            pomUnmarshaller = jaxbContext.createUnmarshaller();
-        } catch (JAXBException ex) { //guess we will just have a null pointer exception later...
-            LOGGER.log(Level.SEVERE, "Unable to load parser. See the log for more details.");
-            LOGGER.log(Level.FINE, null, ex);
-        }
     }
 
     //<editor-fold defaultstate="collapsed" desc="All standard implmentation details of Analyzer">
@@ -243,7 +214,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
         try {
-            final ArrayList<ClassNameInformation> classNames = collectClassNames(dependency);
+            final List<ClassNameInformation> classNames = collectClassNames(dependency);
             final String fileName = dependency.getFileName().toLowerCase();
             if (classNames.isEmpty()
                     && (fileName.endsWith("-sources.jar")
@@ -262,8 +233,8 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence.
-     * This will attempt to interpolate the strings contained within the pom.properties if one exists.
+     * Attempts to find a pom.xml within the JAR file. If found it extracts information and adds it to the evidence. This will
+     * attempt to interpolate the strings contained within the pom.properties if one exists.
      *
      * @param dependency the dependency being analyzed
      * @param classes a collection of class name information
@@ -271,7 +242,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException is thrown if there is an exception parsing the pom
      * @return whether or not evidence was added to the dependency
      */
-    protected boolean analyzePOM(Dependency dependency, ArrayList<ClassNameInformation> classes, Engine engine) throws AnalysisException {
+    protected boolean analyzePOM(Dependency dependency, List<ClassNameInformation> classes, Engine engine) throws AnalysisException {
         boolean foundSomething = false;
         final JarFile jar;
         try {
@@ -295,20 +266,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
         File externalPom = null;
         if (pomEntries.isEmpty()) {
-            if (dependency.getActualFilePath().matches(".*\\.m2.repository\\b.*")) {
-                String pomPath = dependency.getActualFilePath();
-                pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
-                externalPom = new File(pomPath);
-                if (externalPom.isFile()) {
-                    pomEntries.add(pomPath);
-                } else {
-                    return false;
-                }
+            String pomPath = dependency.getActualFilePath();
+            pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
+            externalPom = new File(pomPath);
+            if (externalPom.isFile()) {
+                pomEntries.add(pomPath);
             } else {
                 return false;
             }
         }
         for (String path : pomEntries) {
+            LOGGER.fine(String.format("Reading pom entry: %s", path));
             Properties pomProperties = null;
             try {
                 if (externalPom == null) {
@@ -335,16 +303,18 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 
                     newDependency.setFileName(displayName);
                     newDependency.setFilePath(displayPath);
-                    setPomEvidence(newDependency, pom, pomProperties, null);
+                    pom.processProperties(pomProperties);
+                    setPomEvidence(newDependency, pom, null);
                     engine.getDependencies().add(newDependency);
                     Collections.sort(engine.getDependencies());
                 } else {
                     if (externalPom == null) {
-                        pom = retrievePom(path, jar);
+                        pom = PomUtils.readPom(path, jar);
                     } else {
-                        pom = retrievePom(externalPom);
+                        pom = PomUtils.readPom(externalPom);
                     }
-                    foundSomething |= setPomEvidence(dependency, pom, pomProperties, classes);
+                    pom.processProperties(pomProperties);
+                    foundSomething |= setPomEvidence(dependency, pom, classes);
                 }
             } catch (AnalysisException ex) {
                 final String msg = String.format("An error occured while analyzing '%s'.", dependency.getActualFilePath());
@@ -373,6 +343,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 reader = new InputStreamReader(jar.getInputStream(propEntry), "UTF-8");
                 pomProperties = new Properties();
                 pomProperties.load(reader);
+                LOGGER.fine(String.format("Read pom.properties: %s", propPath));
             } finally {
                 if (reader != null) {
                     try {
@@ -400,6 +371,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             final JarEntry entry = entries.nextElement();
             final String entryName = (new File(entry.getName())).getName().toLowerCase();
             if (!entry.isDirectory() && "pom.xml".equals(entryName)) {
+                LOGGER.fine(String.format("POM Entry found: %s", entry.getName()));
                 pomEntries.add(entry.getName());
             }
         }
@@ -428,7 +400,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             fos = new FileOutputStream(file);
             bos = new BufferedOutputStream(fos, BUFFER_SIZE);
             int count;
-            final byte data[] = new byte[BUFFER_SIZE];
+            final byte[] data = new byte[BUFFER_SIZE];
             while ((count = input.read(data, 0, BUFFER_SIZE)) != -1) {
                 bos.write(data, 0, count);
             }
@@ -443,33 +415,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             closeStream(fos);
             closeStream(input);
         }
-        Model model = null;
-        FileInputStream fis = null;
-        try {
-            fis = new FileInputStream(file);
-            final InputStreamReader reader = new InputStreamReader(fis, "UTF-8");
-            final InputSource xml = new InputSource(reader);
-            final SAXSource source = new SAXSource(xml);
-            model = readPom(source);
-        } catch (FileNotFoundException ex) {
-            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (File Not Found)", path, jar.getName());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            throw new AnalysisException(ex);
-        } catch (UnsupportedEncodingException ex) {
-            final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            throw new AnalysisException(ex);
-        } catch (AnalysisException ex) {
-            final String msg = String.format("Unable to parse pom '%s' in jar '%s'", path, jar.getName());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            throw ex;
-        } finally {
-            closeStream(fis);
-        }
-        return model;
+        return PomUtils.readPom(file);
     }
 
     /**
@@ -502,138 +448,55 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
-    /**
-     * Retrieves the specified POM from a jar file and converts it to a Model.
-     *
-     * @param path the path to the pom.xml file within the jar file
-     * @param jar the jar file to extract the pom from
-     * @return returns a
-     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
-     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
-     */
-    private Model retrievePom(String path, JarFile jar) throws AnalysisException {
-        final ZipEntry entry = jar.getEntry(path);
-        Model model = null;
-        if (entry != null) { //should never be null
-            try {
-                final NonClosingStream stream = new NonClosingStream(jar.getInputStream(entry));
-                final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
-                final InputSource xml = new InputSource(reader);
-                final SAXSource source = new SAXSource(xml);
-                model = readPom(source);
-            } catch (SecurityException ex) {
-                final String msg = String.format("Unable to parse pom '%s' in jar '%s'; invalid signature", path, jar.getName());
-                LOGGER.log(Level.WARNING, msg);
-                LOGGER.log(Level.FINE, null, ex);
-                throw new AnalysisException(ex);
-            } catch (IOException ex) {
-                final String msg = String.format("Unable to parse pom '%s' in jar '%s' (IO Exception)", path, jar.getName());
-                LOGGER.log(Level.WARNING, msg);
-                LOGGER.log(Level.FINE, "", ex);
-                throw new AnalysisException(ex);
-            } catch (Throwable ex) {
-                final String msg = String.format("Unexpected error during parsing of the pom '%s' in jar '%s'", path, jar.getName());
-                LOGGER.log(Level.WARNING, msg);
-                LOGGER.log(Level.FINE, "", ex);
-                throw new AnalysisException(ex);
-            }
-        }
-        return model;
-    }
-
-    /**
-     * Reads in the specified POM and converts it to a Model.
-     *
-     * @param file the pom.xml file
-     * @return returns a
-     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
-     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
-     */
-    private Model retrievePom(File file) throws AnalysisException {
-        Model model = null;
-        try {
-            final FileInputStream stream = new FileInputStream(file);
-            final InputStreamReader reader = new InputStreamReader(stream, "UTF-8");
-            final InputSource xml = new InputSource(reader);
-            final SAXSource source = new SAXSource(xml);
-            model = readPom(source);
-        } catch (SecurityException ex) {
-            final String msg = String.format("Unable to parse pom '%s'; invalid signature", file.getPath());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, null, ex);
-            throw new AnalysisException(ex);
-        } catch (IOException ex) {
-            final String msg = String.format("Unable to parse pom '%s'(IO Exception)", file.getPath());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            throw new AnalysisException(ex);
-        } catch (Throwable ex) {
-            final String msg = String.format("Unexpected error during parsing of the pom '%s'", file.getPath());
-            LOGGER.log(Level.WARNING, msg);
-            LOGGER.log(Level.FINE, "", ex);
-            throw new AnalysisException(ex);
-        }
-        return model;
-    }
-
-    /**
-     * Retrieves the specified POM from a jar file and converts it to a Model.
-     *
-     * @param source the SAXSource input stream to read the POM from
-     * @return returns the POM object
-     * @throws AnalysisException is thrown if there is an exception extracting or parsing the POM
-     * {@link org.owasp.dependencycheck.jaxb.pom.generated.Model} object
-     */
-    private Model readPom(SAXSource source) throws AnalysisException {
-        Model model = null;
-        try {
-            final XMLFilter filter = new MavenNamespaceFilter();
-            final SAXParserFactory spf = SAXParserFactory.newInstance();
-            final SAXParser sp = spf.newSAXParser();
-            final XMLReader xr = sp.getXMLReader();
-            filter.setParent(xr);
-            final JAXBElement<Model> el = pomUnmarshaller.unmarshal(source, Model.class);
-            model = el.getValue();
-        } catch (SecurityException ex) {
-            throw new AnalysisException(ex);
-        } catch (ParserConfigurationException ex) {
-            throw new AnalysisException(ex);
-        } catch (SAXException ex) {
-            throw new AnalysisException(ex);
-        } catch (JAXBException ex) {
-            throw new AnalysisException(ex);
-        } catch (Throwable ex) {
-            throw new AnalysisException(ex);
-        }
-        return model;
-    }
-
     /**
      * Sets evidence from the pom on the supplied dependency.
      *
      * @param dependency the dependency to set data on
      * @param pom the information from the pom
-     * @param pomProperties the pom properties file (null if none exists)
-     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names
-     * within the JAR file being analyzed
+     * @param classes a collection of ClassNameInformation - containing data about the fully qualified class names within the JAR
+     * file being analyzed
      * @return true if there was evidence within the pom that we could use; otherwise false
      */
-    private boolean setPomEvidence(Dependency dependency, Model pom, Properties pomProperties, ArrayList<ClassNameInformation> classes) {
+    public static boolean setPomEvidence(Dependency dependency, Model pom, List<ClassNameInformation> classes) {
         boolean foundSomething = false;
         boolean addAsIdentifier = true;
         if (pom == null) {
             return foundSomething;
         }
-        String groupid = interpolateString(pom.getGroupId(), pomProperties);
-        String parentGroupId = null;
+        String groupid = pom.getGroupId();
+        String parentGroupId = pom.getParentGroupId();
+        String artifactid = pom.getArtifactId();
+        String parentArtifactId = pom.getParentArtifactId();
+        String version = pom.getVersion();
+        String parentVersion = pom.getParentVersion();
 
-        if (pom.getParent() != null) {
-            parentGroupId = interpolateString(pom.getParent().getGroupId(), pomProperties);
-            if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
-                groupid = parentGroupId;
-            }
+        if ("org.sonatype.oss".equals(parentGroupId) && "oss-parent".equals(parentArtifactId)) {
+            parentGroupId = null;
+            parentArtifactId = null;
+            parentVersion = null;
         }
+
+        if ((groupid == null || groupid.isEmpty()) && parentGroupId != null && !parentGroupId.isEmpty()) {
+            groupid = parentGroupId;
+        }
+
         final String originalGroupID = groupid;
+        if (groupid.startsWith("org.") || groupid.startsWith("com.")) {
+            groupid = groupid.substring(4);
+        }
+
+        if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
+            artifactid = parentArtifactId;
+        }
+
+        final String originalArtifactID = artifactid;
+        if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
+            artifactid = artifactid.substring(4);
+        }
+
+        if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
+            version = parentVersion;
+        }
 
         if (groupid != null && !groupid.isEmpty()) {
             foundSomething = true;
@@ -651,20 +514,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             addAsIdentifier = false;
         }
 
-        String artifactid = interpolateString(pom.getArtifactId(), pomProperties);
-        String parentArtifactId = null;
-
-        if (pom.getParent() != null) {
-            parentArtifactId = interpolateString(pom.getParent().getArtifactId(), pomProperties);
-            if ((artifactid == null || artifactid.isEmpty()) && parentArtifactId != null && !parentArtifactId.isEmpty()) {
-                artifactid = parentArtifactId;
-            }
-        }
-        final String originalArtifactID = artifactid;
         if (artifactid != null && !artifactid.isEmpty()) {
-            if (artifactid.startsWith("org.") || artifactid.startsWith("com.")) {
-                artifactid = artifactid.substring(4);
-            }
             foundSomething = true;
             dependency.getProductEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.HIGHEST);
             dependency.getVendorEvidence().addEvidence("pom", "artifactid", artifactid, Confidence.LOW);
@@ -679,16 +529,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         } else {
             addAsIdentifier = false;
         }
-        //version
-        String version = interpolateString(pom.getVersion(), pomProperties);
-        String parentVersion = null;
-
-        if (pom.getParent() != null) {
-            parentVersion = interpolateString(pom.getParent().getVersion(), pomProperties);
-            if ((version == null || version.isEmpty()) && parentVersion != null && !parentVersion.isEmpty()) {
-                version = parentVersion;
-            }
-        }
 
         if (version != null && !version.isEmpty()) {
             foundSomething = true;
@@ -701,22 +541,21 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         if (addAsIdentifier) {
-            dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.LOW);
+            dependency.addIdentifier("maven", String.format("%s:%s:%s", originalGroupID, originalArtifactID, version), null, Confidence.HIGH);
         }
 
         // org name
-        final Organization org = pom.getOrganization();
-        if (org != null && org.getName() != null) {
-            foundSomething = true;
-            final String orgName = interpolateString(org.getName(), pomProperties);
-            if (orgName != null && !orgName.isEmpty()) {
-                dependency.getVendorEvidence().addEvidence("pom", "organization name", orgName, Confidence.HIGH);
-                addMatchingValues(classes, orgName, dependency.getVendorEvidence());
-            }
+        final String org = pom.getOrganization();
+        if (org != null && !org.isEmpty()) {
+            dependency.getVendorEvidence().addEvidence("pom", "organization name", org, Confidence.HIGH);
+            dependency.getProductEvidence().addEvidence("pom", "organization name", org, Confidence.LOW);
+            addMatchingValues(classes, org, dependency.getVendorEvidence());
+            addMatchingValues(classes, org, dependency.getProductEvidence());
         }
         //pom name
-        final String pomName = interpolateString(pom.getName(), pomProperties);
-        if (pomName != null && !pomName.isEmpty()) {
+        final String pomName = pom.getName();
+        if (pomName
+                != null && !pomName.isEmpty()) {
             foundSomething = true;
             dependency.getProductEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("pom", "name", pomName, Confidence.HIGH);
@@ -725,31 +564,30 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
 
         //Description
-        if (pom.getDescription() != null) {
+        final String description = pom.getDescription();
+        if (description != null && !description.isEmpty()) {
             foundSomething = true;
-            final String description = interpolateString(pom.getDescription(), pomProperties);
-            if (description != null && !description.isEmpty()) {
-                final String trimmedDescription = addDescription(dependency, description, "pom", "description");
-                addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence());
-                addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
-            }
+            final String trimmedDescription = addDescription(dependency, description, "pom", "description");
+            addMatchingValues(classes, trimmedDescription, dependency.getVendorEvidence());
+            addMatchingValues(classes, trimmedDescription, dependency.getProductEvidence());
         }
-        extractLicense(pom, pomProperties, dependency);
+
+        extractLicense(pom, dependency);
         return foundSomething;
     }
 
     /**
-     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible
-     * vendor or product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
+     * Analyzes the path information of the classes contained within the JarAnalyzer to try and determine possible vendor or
+     * product names. If any are found they are stored in the packageVendor and packageProduct hashSets.
      *
      * @param classNames a list of class names
      * @param dependency a dependency to analyze
      * @param addPackagesAsEvidence a flag indicating whether or not package names should be added as evidence.
      */
-    protected void analyzePackageNames(ArrayList<ClassNameInformation> classNames,
+    protected void analyzePackageNames(List<ClassNameInformation> classNames,
             Dependency dependency, boolean addPackagesAsEvidence) {
-        final HashMap<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
-        final HashMap<String, Integer> productIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> vendorIdentifiers = new HashMap<String, Integer>();
+        final Map<String, Integer> productIdentifiers = new HashMap<String, Integer>();
         analyzeFullyQualifiedClassNames(classNames, vendorIdentifiers, productIdentifiers);
 
         final int classCount = classNames.size();
@@ -791,7 +629,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * @return whether evidence was identified parsing the manifest
      * @throws IOException if there is an issue reading the JAR file
      */
-    protected boolean parseManifest(Dependency dependency, ArrayList<ClassNameInformation> classInformation) throws IOException {
+    protected boolean parseManifest(Dependency dependency, List<ClassNameInformation> classInformation) throws IOException {
         boolean foundSomething = false;
         JarFile jar = null;
         try {
@@ -948,18 +786,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Adds a description to the given dependency. If the description contains one of the following strings beyond 100
-     * characters, then the description used will be trimmed to that position:
+     * Adds a description to the given dependency. If the description contains one of the following strings beyond 100 characters,
+     * then the description used will be trimmed to that position:
      * <ul><li>"such as"</li><li>"like "</li><li>"will use "</li><li>"* uses "</li></ul>
      *
      * @param dependency a dependency
      * @param description the description
      * @param source the source of the evidence
      * @param key the "name" of the evidence
-     * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is
-     * returned
+     * @return if the description is trimmed, the trimmed version is returned; otherwise the original description is returned
      */
-    private String addDescription(Dependency dependency, String description, String source, String key) {
+    public static String addDescription(Dependency dependency, String description, String source, String key) {
         if (dependency.getDescription() == null) {
             dependency.setDescription(description);
         }
@@ -1062,63 +899,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
-    /**
-     * <p>
-     * A utility function that will interpolate strings based on values given in the properties file. It will also
-     * interpolate the strings contained within the properties file so that properties can reference other
-     * properties.</p>
-     * <p>
-     * <b>Note:</b> if there is no property found the reference will be removed. In other words, if the interpolated
-     * string will be replaced with an empty string.
-     * </p>
-     * <p>
-     * Example:</p>
-     * <code>
-     * Properties p = new Properties();
-     * p.setProperty("key", "value");
-     * String s = interpolateString("'${key}' and '${nothing}'", p);
-     * System.out.println(s);
-     * </code>
-     * <p>
-     * Will result in:</p>
-     * <code>
-     * 'value' and ''
-     * </code>
-     *
-     * @param text the string that contains references to properties.
-     * @param properties a collection of properties that may be referenced within the text.
-     * @return the interpolated text.
-     */
-    protected String interpolateString(String text, Properties properties) {
-        Properties props = properties;
-        if (text == null) {
-            return text;
-        }
-        if (props == null) {
-            props = new Properties();
-        }
-
-        final int pos = text.indexOf("${");
-        if (pos < 0) {
-            return text;
-        }
-        final int end = text.indexOf("}");
-        if (end < pos) {
-            return text;
-        }
-
-        final String propName = text.substring(pos + 2, end);
-        String propValue = interpolateString(props.getProperty(propName), props);
-        if (propValue == null) {
-            propValue = "";
-        }
-        final StringBuilder sb = new StringBuilder(propValue.length() + text.length());
-        sb.append(text.subSequence(0, pos));
-        sb.append(propValue);
-        sb.append(text.substring(end + 1));
-        return interpolateString(sb.toString(), props); //yes yes, this should be a loop...
-    }
-
     /**
      * Determines if the key value pair from the manifest is for an "import" type entry for package names.
      *
@@ -1133,14 +913,14 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class
-     * names. This does not include core Java package names (i.e. java.* or javax.*).
+     * Cycles through an enumeration of JarEntries, contained within the dependency, and returns a list of the class names. This
+     * does not include core Java package names (i.e. java.* or javax.*).
      *
      * @param dependency the dependency being analyzed
      * @return an list of fully qualified class names
      */
-    private ArrayList<ClassNameInformation> collectClassNames(Dependency dependency) {
-        final ArrayList<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
+    private List<ClassNameInformation> collectClassNames(Dependency dependency) {
+        final List<ClassNameInformation> classNames = new ArrayList<ClassNameInformation>();
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
@@ -1171,17 +951,17 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and
-     * product. This is helpful when analyzing vendor/product as many times this is included in the package name.
+     * Cycles through the list of class names and places the package levels 0-3 into the provided maps for vendor and product.
+     * This is helpful when analyzing vendor/product as many times this is included in the package name.
      *
      * @param classNames a list of class names
      * @param vendor HashMap of possible vendor names from package names (e.g. owasp)
      * @param product HashMap of possible product names from package names (e.g. dependencycheck)
      */
-    private void analyzeFullyQualifiedClassNames(ArrayList<ClassNameInformation> classNames,
-            HashMap<String, Integer> vendor, HashMap<String, Integer> product) {
+    private void analyzeFullyQualifiedClassNames(List<ClassNameInformation> classNames,
+            Map<String, Integer> vendor, Map<String, Integer> product) {
         for (ClassNameInformation entry : classNames) {
-            final ArrayList<String> list = entry.getPackageStructure();
+            final List<String> list = entry.getPackageStructure();
             addEntry(vendor, list.get(0));
 
             if (list.size() == 2) {
@@ -1203,13 +983,13 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists
-     * in the collection then the Integer is incremented by 1.
+     * Adds an entry to the specified collection and sets the Integer (e.g. the count) to 1. If the entry already exists in the
+     * collection then the Integer is incremented by 1.
      *
      * @param collection a collection of strings and their occurrence count
      * @param key the key to add to the collection
      */
-    private void addEntry(HashMap<String, Integer> collection, String key) {
+    private void addEntry(Map<String, Integer> collection, String key) {
         if (collection.containsKey(key)) {
             collection.put(key, collection.get(key) + 1);
         } else {
@@ -1218,15 +998,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Cycles through the collection of class name information to see if parts of the package names are contained in the
-     * provided value. If found, it will be added as the HIGHEST confidence evidence because we have more then one
-     * source corroborating the value.
+     * Cycles through the collection of class name information to see if parts of the package names are contained in the provided
+     * value. If found, it will be added as the HIGHEST confidence evidence because we have more then one source corroborating the
+     * value.
      *
      * @param classes a collection of class name information
      * @param value the value to check to see if it contains a package name
      * @param evidence the evidence collection to add new entries too
      */
-    private void addMatchingValues(ArrayList<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
+    private static void addMatchingValues(List<ClassNameInformation> classes, String value, EvidenceCollection evidence) {
         if (value == null || value.isEmpty() || classes == null || classes.isEmpty()) {
             return;
         }
@@ -1258,23 +1038,22 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
      * Extracts the license information from the pom and adds it to the dependency.
      *
      * @param pom the pom object
-     * @param pomProperties the properties, used for string interpolation
      * @param dependency the dependency to add license information too
      */
-    private void extractLicense(Model pom, Properties pomProperties, Dependency dependency) {
+    public static void extractLicense(Model pom, Dependency dependency) {
         //license
         if (pom.getLicenses() != null) {
             String license = null;
-            for (License lic : pom.getLicenses().getLicense()) {
+            for (License lic : pom.getLicenses()) {
                 String tmp = null;
                 if (lic.getName() != null) {
-                    tmp = interpolateString(lic.getName(), pomProperties);
+                    tmp = lic.getName();
                 }
                 if (lic.getUrl() != null) {
                     if (tmp == null) {
-                        tmp = interpolateString(lic.getUrl(), pomProperties);
+                        tmp = lic.getUrl();
                     } else {
-                        tmp += ": " + interpolateString(lic.getUrl(), pomProperties);
+                        tmp += ": " + lic.getUrl();
                     }
                 }
                 if (tmp == null) {
@@ -1291,6 +1070,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
             if (license != null) {
                 dependency.setLicense(license);
+
             }
         }
     }
@@ -1302,9 +1082,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 
         /**
          * <p>
-         * Stores information about a given class name. This class will keep the fully qualified class name and a list
-         * of the important parts of the package structure. Up to the first four levels of the package structure are
-         * stored, excluding a leading "org" or "com". Example:</p>
+         * Stores information about a given class name. This class will keep the fully qualified class name and a list of the
+         * important parts of the package structure. Up to the first four levels of the package structure are stored, excluding a
+         * leading "org" or "com". Example:</p>
          * <code>ClassNameInformation obj = new ClassNameInformation("org.owasp.dependencycheck.analyzer.JarAnalyzer");
          * System.out.println(obj.getName());
          * for (String p : obj.getPackageStructure())

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzer.java

@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * Used to analyze a JavaScript file to gather information to aid in identification of a CPE identifier.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class JavaScriptAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.MalformedURLException;
@@ -24,13 +25,18 @@ import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nexus.NexusSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Evidence;
+import org.owasp.dependencycheck.xml.pom.PomUtils;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
@@ -39,10 +45,10 @@ import org.owasp.dependencycheck.utils.Settings;
  * There are two settings which govern this behavior:
  *
  * <ul>
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is
- * even enabled. This can be overridden by setting the system property.</li>
- * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by
- * SHA-1. There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_ENABLED} determines whether this analyzer is even
+ * enabled. This can be overridden by setting the system property.</li>
+ * <li>{@link org.owasp.dependencycheck.utils.Settings.KEYS#ANALYZER_NEXUS_URL} the URL to a Nexus service to search by SHA-1.
+ * There is an expected <code>%s</code> in this where the SHA-1 will get entered.</li>
  * </ul>
  *
  * @author colezlaw
@@ -202,6 +208,38 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
         try {
             final MavenArtifact ma = searcher.searchSha1(dependency.getSha1sum());
             dependency.addAsEvidence("nexus", ma, Confidence.HIGH);
+            boolean pomAnalyzed = false;
+            LOGGER.fine("POM URL " + ma.getPomUrl());
+            for (Evidence e : dependency.getVendorEvidence()) {
+                if ("pom".equals(e.getSource())) {
+                    pomAnalyzed = true;
+                    break;
+                }
+            }
+            if (!pomAnalyzed && ma.getPomUrl() != null) {
+                File pomFile = null;
+                try {
+                    final File baseDir = Settings.getTempDirectory();
+                    pomFile = File.createTempFile("pom", ".xml", baseDir);
+                    if (!pomFile.delete()) {
+                        final String msg = String.format("Unable to fetch pom.xml for %s from Nexus repository; "
+                                + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                        LOGGER.warning(msg);
+                        LOGGER.fine("Unable to delete temp file");
+                    }
+                    LOGGER.fine(String.format("Downloading %s", ma.getPomUrl()));
+                    Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
+                    PomUtils.analyzePOM(dependency, pomFile);
+                } catch (DownloadFailedException ex) {
+                    final String msg = String.format("Unable to download pom.xml for %s from Nexus repository; "
+                            + "this could result in undetected CPE/CVEs.", dependency.getFileName());
+                    LOGGER.warning(msg);
+                } finally {
+                    if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                        pomFile.deleteOnExit();
+                    }
+                }
+            }
         } catch (IllegalArgumentException iae) {
             //dependency.addAnalysisException(new AnalysisException("Invalid SHA-1"));
             LOGGER.info(String.format("invalid sha-1 hash on %s", dependency.getFileName()));

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.dependency.Vulnerability;
  * NvdCveAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated
  * CVEs. It uses the the identifiers found by other analyzers to lookup the CVE data.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class NvdCveAnalyzer implements Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -0,0 +1,368 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.BufferedInputStream;
+import java.io.File;
+import java.io.FileInputStream;
+import java.io.FileNotFoundException;
+import java.io.FilenameFilter;
+import java.util.Set;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import java.util.regex.Pattern;
+
+import javax.mail.MessagingException;
+import javax.mail.internet.InternetHeaders;
+
+import org.apache.commons.io.filefilter.NameFileFilter;
+import org.apache.commons.io.filefilter.SuffixFileFilter;
+import org.apache.commons.io.input.AutoCloseInputStream;
+import org.apache.commons.lang.StringUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.ExtractionException;
+import org.owasp.dependencycheck.utils.ExtractionUtil;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
+
+/**
+ * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
+ * to determine the associated CPE.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * Name of egg metatdata files to analyze.
+     */
+    private static final String PKG_INFO = "PKG-INFO";
+
+    /**
+     * Name of wheel metadata files to analyze.
+     */
+    private static final String METADATA = "METADATA";
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger
+            .getLogger(PythonDistributionAnalyzer.class.getName());
+
+    /**
+     * The count of directories created during analysis. This is used for creating temporary directories.
+     */
+    private static int dirCount = 0;
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Python Distribution Analyzer";
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The set of file extensions supported by this analyzer.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("whl", "egg",
+            "zip", METADATA, PKG_INFO);
+
+    /**
+     * Used to match on egg archive candidate extenssions.
+     */
+    private static final Pattern EGG_OR_ZIP = Pattern.compile("egg|zip");
+
+    /**
+     * The parent directory for the individual directories per archive.
+     */
+    private File tempFileLocation;
+
+    /**
+     * Filter that detects *.dist-info files (but doesn't verify they are directories.
+     */
+    private static final FilenameFilter DIST_INFO_FILTER = new SuffixFileFilter(
+            ".dist-info");
+
+    /**
+     * Filter that detects files named "METADATA".
+     */
+    private static final FilenameFilter EGG_INFO_FILTER = new NameFileFilter(
+            "EGG-INFO");
+
+    /**
+     * Filter that detects files named "METADATA".
+     */
+    private static final FilenameFilter METADATA_FILTER = new NameFileFilter(
+            METADATA);
+
+    /**
+     * Filter that detects files named "PKG-INFO".
+     */
+    private static final FilenameFilter PKG_INFO_FILTER = new NameFileFilter(
+            PKG_INFO);
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    @Override
+    public Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED;
+    }
+
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        if ("whl".equals(dependency.getFileExtension())) {
+            collectMetadataFromArchiveFormat(dependency, DIST_INFO_FILTER,
+                    METADATA_FILTER);
+        } else if (EGG_OR_ZIP.matcher(
+                StringUtils.stripToEmpty(dependency.getFileExtension()))
+                .matches()) {
+            collectMetadataFromArchiveFormat(dependency, EGG_INFO_FILTER,
+                    PKG_INFO_FILTER);
+        } else {
+            final File actualFile = dependency.getActualFile();
+            final String name = actualFile.getName();
+            final boolean metadata = METADATA.equals(name);
+            if (metadata || PKG_INFO.equals(name)) {
+                final File parent = actualFile.getParentFile();
+                final String parentName = parent.getName();
+                dependency.setDisplayFileName(parentName + "/" + name);
+                if (parent.isDirectory()
+                        && (metadata && parentName.endsWith(".dist-info")
+                        || parentName.endsWith(".egg-info") || "EGG-INFO"
+                        .equals(parentName))) {
+                    collectWheelMetadata(dependency, actualFile);
+                }
+            }
+        }
+    }
+
+    /**
+     * Collects the meta data from an archive.
+     *
+     * @param dependency the archive being scanned
+     * @param folderFilter the filter to apply to the folder
+     * @param metadataFilter the filter to apply to the meta data
+     * @throws AnalysisException thrown when there is a problem analyzing the dependency
+     */
+    private void collectMetadataFromArchiveFormat(Dependency dependency,
+            FilenameFilter folderFilter, FilenameFilter metadataFilter)
+            throws AnalysisException {
+        final File temp = getNextTempDirectory();
+        LOGGER.fine(String.format("%s exists? %b", temp, temp.exists()));
+        try {
+            ExtractionUtil.extractFilesUsingFilter(
+                    new File(dependency.getActualFilePath()), temp,
+                    metadataFilter);
+        } catch (ExtractionException ex) {
+            throw new AnalysisException(ex);
+        }
+
+        collectWheelMetadata(
+                dependency,
+                getMatchingFile(getMatchingFile(temp, folderFilter),
+                        metadataFilter));
+    }
+
+    /**
+     * Makes sure a usable temporary directory is available.
+     *
+     * @throws Exception an AnalyzeException is thrown when the temp directory cannot be created
+     */
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        final File baseDir = Settings.getTempDirectory();
+        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
+        if (!tempFileLocation.delete()) {
+            final String msg = String.format(
+                    "Unable to delete temporary file '%s'.",
+                    tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        if (!tempFileLocation.mkdirs()) {
+            final String msg = String.format(
+                    "Unable to create directory '%s'.",
+                    tempFileLocation.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+    }
+
+    /**
+     * Deletes any files extracted from the Wheel during analysis.
+     */
+    @Override
+    public void close() {
+        if (tempFileLocation != null && tempFileLocation.exists()) {
+            LOGGER.log(Level.FINE, "Attempting to delete temporary files");
+            final boolean success = FileUtils.delete(tempFileLocation);
+            if (!success) {
+                LOGGER.log(Level.WARNING,
+                        "Failed to delete some temporary files, see the log for more details");
+            }
+        }
+    }
+
+    /**
+     * Gathers evidence from the METADATA file.
+     *
+     * @param dependency the dependency being analyzed
+     * @param file a reference to the manifest/properties file
+     * @throws AnalysisException thrown when there is an error
+     */
+    private static void collectWheelMetadata(Dependency dependency, File file)
+            throws AnalysisException {
+        final InternetHeaders headers = getManifestProperties(file);
+        addPropertyToEvidence(headers, dependency.getVersionEvidence(),
+                "Version", Confidence.HIGHEST);
+        addPropertyToEvidence(headers, dependency.getProductEvidence(), "Name",
+                Confidence.HIGHEST);
+        final String url = headers.getHeader("Home-page", null);
+        final EvidenceCollection vendorEvidence = dependency
+                .getVendorEvidence();
+        if (StringUtils.isNotBlank(url)) {
+            if (UrlStringUtils.isUrl(url)) {
+                vendorEvidence.addEvidence(METADATA, "vendor", url,
+                        Confidence.MEDIUM);
+            }
+        }
+        addPropertyToEvidence(headers, vendorEvidence, "Author", Confidence.LOW);
+        final String summary = headers.getHeader("Summary", null);
+        if (StringUtils.isNotBlank(summary)) {
+            JarAnalyzer
+                    .addDescription(dependency, summary, METADATA, "summary");
+        }
+    }
+
+    /**
+     * Adds a value to the evidence collection.
+     *
+     * @param headers the properties collection
+     * @param evidence the evidence collection to add the value
+     * @param property the property name
+     * @param confidence the confidence of the evidence
+     */
+    private static void addPropertyToEvidence(InternetHeaders headers,
+            EvidenceCollection evidence, String property, Confidence confidence) {
+        final String value = headers.getHeader(property, null);
+        LOGGER.fine(String.format("Property: %s, Value: %s", property, value));
+        if (StringUtils.isNotBlank(value)) {
+            evidence.addEvidence(METADATA, property, value, confidence);
+        }
+    }
+
+    /**
+     * Returns a list of files that match the given filter, this does not recursively scan the directory.
+     *
+     * @param folder the folder to filter
+     * @param filter the filter to apply to the files in the directory
+     * @return the list of Files in the directory that match the provided filter
+     */
+    private static File getMatchingFile(File folder, FilenameFilter filter) {
+        File result = null;
+        final File[] matches = folder.listFiles(filter);
+        if (null != matches && 1 == matches.length) {
+            result = matches[0];
+        }
+        return result;
+    }
+
+    /**
+     * Reads the manifest entries from the provided file.
+     *
+     * @param manifest the manifest
+     * @return the manifest entries
+     */
+    private static InternetHeaders getManifestProperties(File manifest) {
+        final InternetHeaders result = new InternetHeaders();
+        if (null == manifest) {
+            LOGGER.fine("Manifest file not found.");
+        } else {
+            try {
+                result.load(new AutoCloseInputStream(new BufferedInputStream(
+                        new FileInputStream(manifest))));
+            } catch (MessagingException e) {
+                LOGGER.log(Level.WARNING, e.getMessage(), e);
+            } catch (FileNotFoundException e) {
+                LOGGER.log(Level.WARNING, e.getMessage(), e);
+            }
+        }
+        return result;
+    }
+
+    /**
+     * Retrieves the next temporary destingation directory for extracting an archive.
+     *
+     * @return a directory
+     * @throws AnalysisException thrown if unable to create temporary directory
+     */
+    private File getNextTempDirectory() throws AnalysisException {
+        File directory;
+
+        // getting an exception for some directories not being able to be
+        // created; might be because the directory already exists?
+        do {
+            dirCount += 1;
+            directory = new File(tempFileLocation, String.valueOf(dirCount));
+        } while (directory.exists());
+        if (!directory.mkdirs()) {
+            throw new AnalysisException(String.format(
+                    "Unable to create temp directory '%s'.",
+                    directory.getAbsolutePath()));
+        }
+        return directory;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -0,0 +1,323 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.net.MalformedURLException;
+import java.util.ArrayList;
+import java.util.Collections;
+import java.util.List;
+import java.util.Set;
+import java.util.logging.Logger;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+
+import org.apache.commons.io.FileUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
+import org.apache.commons.io.filefilter.SuffixFileFilter;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.UrlStringUtils;
+
+/**
+ * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * Used when compiling file scanning regex patterns.
+     */
+    private static final int REGEX_OPTIONS = Pattern.DOTALL
+            | Pattern.CASE_INSENSITIVE;
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = Logger
+            .getLogger(PythonDistributionAnalyzer.class.getName());
+
+    /**
+     * Filename extensions for files to be analyzed.
+     */
+    private static final Set<String> EXTENSIONS = Collections
+            .unmodifiableSet(Collections.singleton("py"));
+
+    /**
+     * Pattern for matching the module docstring in a source file.
+     */
+    private static final Pattern MODULE_DOCSTRING = Pattern.compile(
+            "^(['\\\"]{3})(.*?)\\1", REGEX_OPTIONS);
+
+    /**
+     * Matches assignments to version variables in Python source code.
+     */
+    private static final Pattern VERSION_PATTERN = Pattern.compile(
+            "\\b(__)?version(__)? *= *(['\"]+)(\\d+\\.\\d+.*?)\\3",
+            REGEX_OPTIONS);
+
+    /**
+     * Matches assignments to title variables in Python source code.
+     */
+    private static final Pattern TITLE_PATTERN = compileAssignPattern("title");
+
+    /**
+     * Matches assignments to summary variables in Python source code.
+     */
+    private static final Pattern SUMMARY_PATTERN = compileAssignPattern("summary");
+
+    /**
+     * Matches assignments to URL/URL variables in Python source code.
+     */
+    private static final Pattern URI_PATTERN = compileAssignPattern("ur[il]");
+
+    /**
+     * Matches assignments to home page variables in Python source code.
+     */
+    private static final Pattern HOMEPAGE_PATTERN = compileAssignPattern("home_?page");
+
+    /**
+     * Matches assignments to author variables in Python source code.
+     */
+    private static final Pattern AUTHOR_PATTERN = compileAssignPattern("author");
+
+    /**
+     * Filter that detects files named "__init__.py".
+     */
+    private static final FileFilter INIT_PY_FILTER = new NameFileFilter("__init__.py");
+
+    /**
+     * The file filter for python files.
+     */
+    private static final FileFilter PY_FILTER = new SuffixFileFilter(".py");
+
+    /**
+     * Returns the name of the Python Package Analyzer.
+     *
+     * @return the name of the analyzer
+     */
+    @Override
+    public String getName() {
+        return "Python Package Analyzer";
+    }
+
+    /**
+     * Tell that we are used for information collection.
+     *
+     * @return INFORMATION_COLLECTION
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.INFORMATION_COLLECTION;
+    }
+
+    /**
+     * Returns the set of supported file extensions.
+     *
+     * @return the set of supported file extensions
+     */
+    @Override
+    protected Set<String> getSupportedExtensions() {
+        return EXTENSIONS;
+    }
+
+    /**
+     * No-op initializer implementation.
+     *
+     * @throws Exception never thrown
+     */
+    @Override
+    protected void initializeFileTypeAnalyzer() throws Exception {
+        // Nothing to do here.
+    }
+
+    /**
+     * Utility function to create a regex pattern matcher.
+     *
+     * @param name the value to use when constructing the assignment pattern
+     * @return the compiled Pattern
+     */
+    private static Pattern compileAssignPattern(String name) {
+        return Pattern.compile(
+                String.format("\\b(__)?%s(__)?\\b *= *(['\"]+)(.*?)\\3", name),
+                REGEX_OPTIONS);
+    }
+
+    /**
+     * Analyzes python packages and adds evidence to the dependency.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine the engine being used to perform the scan
+     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+     */
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        final File file = dependency.getActualFile();
+        final File parent = file.getParentFile();
+        final String parentName = parent.getName();
+        boolean found = false;
+        if (INIT_PY_FILTER.accept(file)) {
+            for (final File sourcefile : parent.listFiles(PY_FILTER)) {
+                found |= analyzeFileContents(dependency, sourcefile);
+            }
+        }
+        if (found) {
+            dependency.setDisplayFileName(parentName + "/__init__.py");
+            dependency.getProductEvidence().addEvidence(file.getName(),
+                    "PackageName", parentName, Confidence.MEDIUM);
+        } else {
+            // copy, alter and set in case some other thread is iterating over
+            final List<Dependency> deps = new ArrayList<Dependency>(
+                    engine.getDependencies());
+            deps.remove(dependency);
+            engine.setDependencies(deps);
+        }
+    }
+
+    /**
+     * This should gather information from leading docstrings, file comments, and assignments to __version__, __title__,
+     * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
+     *
+     * @param dependency the dependency being analyzed
+     * @param file the file name to analyze
+     * @return whether evidence was found
+     * @throws AnalysisException thrown if there is an unrecoverable error
+     */
+    private boolean analyzeFileContents(Dependency dependency, File file)
+            throws AnalysisException {
+        String contents = "";
+        try {
+            contents = FileUtils.readFileToString(file).trim();
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occured while reading dependency file.", e);
+        }
+        boolean found = false;
+        if (!contents.isEmpty()) {
+            final String source = file.getName();
+            found = gatherEvidence(VERSION_PATTERN, contents, source,
+                    dependency.getVersionEvidence(), "SourceVersion",
+                    Confidence.MEDIUM);
+            found |= addSummaryInfo(dependency, SUMMARY_PATTERN, 4, contents,
+                    source, "summary");
+            if (INIT_PY_FILTER.accept(file)) {
+                found |= addSummaryInfo(dependency, MODULE_DOCSTRING, 2,
+                        contents, source, "docstring");
+            }
+            found |= gatherEvidence(TITLE_PATTERN, contents, source,
+                    dependency.getProductEvidence(), "SourceTitle",
+                    Confidence.LOW);
+            final EvidenceCollection vendorEvidence = dependency
+                    .getVendorEvidence();
+            found |= gatherEvidence(AUTHOR_PATTERN, contents, source,
+                    vendorEvidence, "SourceAuthor", Confidence.MEDIUM);
+            try {
+                found |= gatherHomePageEvidence(URI_PATTERN, vendorEvidence,
+                        source, "URL", contents);
+                found |= gatherHomePageEvidence(HOMEPAGE_PATTERN,
+                        vendorEvidence, source, "HomePage", contents);
+            } catch (MalformedURLException e) {
+                LOGGER.warning(e.getMessage());
+            }
+        }
+        return found;
+    }
+
+    /**
+     * Adds summary information to the dependency
+     *
+     * @param dependency the dependency being analyzed
+     * @param pattern the pattern used to perform analysis
+     * @param group the group from the pattern that indicates the data to use
+     * @param contents the data being analyzed
+     * @param source the source name to use when recording the evidence
+     * @param key the key name to use when recording the evidence
+     * @return true if evidence was collected; otherwise false
+     */
+    private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
+            int group, String contents, String source, String key) {
+        final Matcher matcher = pattern.matcher(contents);
+        final boolean found = matcher.find();
+        if (found) {
+            JarAnalyzer.addDescription(dependency, matcher.group(group),
+                    source, key);
+        }
+        return found;
+    }
+
+    /**
+     * Collects evidence from the home page URL.
+     *
+     * @param pattern the pattern to match
+     * @param evidence the evidence collection to add the evidence to
+     * @param source the source of the evidence
+     * @param name the name of the evidence
+     * @param contents the home page URL
+     * @return true if evidence was collected; otherwise false
+     * @throws MalformedURLException thrown if the URL is malformed
+     */
+    private boolean gatherHomePageEvidence(Pattern pattern,
+            EvidenceCollection evidence, String source, String name,
+            String contents) throws MalformedURLException {
+        final Matcher matcher = pattern.matcher(contents);
+        boolean found = false;
+        if (matcher.find()) {
+            final String url = matcher.group(4);
+            if (UrlStringUtils.isUrl(url)) {
+                found = true;
+                evidence.addEvidence(source, name, url, Confidence.MEDIUM);
+            }
+        }
+        return found;
+    }
+
+    /**
+     * Gather evidence from a Python source file usin the given string assignment regex pattern.
+     *
+     * @param pattern to scan contents with
+     * @param contents of Python source file
+     * @param source for storing evidence
+     * @param evidence to store evidence in
+     * @param name of evidence
+     * @param confidence in evidence
+     * @return whether evidence was found
+     */
+    private boolean gatherEvidence(Pattern pattern, String contents,
+            String source, EvidenceCollection evidence, String name,
+            Confidence confidence) {
+        final Matcher matcher = pattern.matcher(contents);
+        final boolean found = matcher.find();
+        if (found) {
+            evidence.addEvidence(source, name, matcher.group(4), confidence);
+        }
+        return found;
+    }
+
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzer.java

@@ -26,7 +26,7 @@ import org.owasp.dependencycheck.suppression.SuppressionRule;
  * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
  * Any identified Vulnerability entries within the dependencies that match will be removed.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class VulnerabilitySuppressionAnalyzer extends AbstractSuppressionAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/AnalysisException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer.exception;
 /**
  * An exception thrown when the analysis of a dependency fails.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class AnalysisException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/ArchiveExtractionException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.analyzer.exception;
 /**
  * An exception thrown when files in an archive cannot be extracted.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class ArchiveExtractionException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/exception/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.analyzer.exception</title>
- * </head>
- * <body>
- * <p>
- * A collection of exception classes used within the analyzers.</p>
- * </body>
- * </html>
+ * A collection of exception classes used within the analyzers.
  */
 package org.owasp.dependencycheck.analyzer.exception;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/package-info.java

@@ -1,13 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.analyzer</title>
- * </head>
- * <body>
- * Analyzers are used to inspect the identified dependencies, collect Evidence,
- * and process the dependencies.
- * </body>
- * </html>
-*/
-
+ * Analyzers are used to inspect the identified dependencies, collect Evidence, and process the dependencies.
+ */
 package org.owasp.dependencycheck.analyzer;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -60,8 +60,8 @@ public class CentralSearch {
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
-     * it should end in /select)
+     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so it should
+     * end in /select)
      */
     public CentralSearch(URL rootURL) {
         this.rootURL = rootURL;
@@ -75,13 +75,12 @@ public class CentralSearch {
     }
 
     /**
-     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a
-     * <code>MavenArtifact</code> is populated with the GAV.
+     * Searches the configured Central URL for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
+     * populated with the GAV.
      *
      * @param sha1 the SHA-1 hash string for which to search
      * @return the populated Maven GAV.
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
-     * found.
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
      */
     public List<MavenArtifact> searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -124,8 +123,29 @@ public class CentralSearch {
                         final String a = xpath.evaluate("./str[@name='a']", docs.item(i));
                         LOGGER.finest(String.format("ArtifactId: %s", a));
                         final String v = xpath.evaluate("./str[@name='v']", docs.item(i));
+                        NodeList atts = (NodeList) xpath.evaluate("./arr[@name='ec']/str", docs.item(i), XPathConstants.NODESET);
+                        boolean pomAvailable = false;
+                        boolean jarAvailable = false;
+                        for (int x = 0; x < atts.getLength(); x++) {
+                            final String tmp = xpath.evaluate(".", atts.item(x));
+                            if (".pom".equals(tmp)) {
+                                pomAvailable = true;
+                            } else if (".jar".equals(tmp)) {
+                                jarAvailable = true;
+                            }
+                        }
+
+                        atts = (NodeList) xpath.evaluate("./arr[@name='tags']/str", docs.item(i), XPathConstants.NODESET);
+                        boolean useHTTPS = false;
+                        for (int x = 0; x < atts.getLength(); x++) {
+                            final String tmp = xpath.evaluate(".", atts.item(x));
+                            if ("https".equals(tmp)) {
+                                useHTTPS = true;
+                            }
+                        }
+
                         LOGGER.finest(String.format("Version: %s", v));
-                        result.add(new MavenArtifact(g, a, v, url.toString()));
+                        result.add(new MavenArtifact(g, a, v, jarAvailable, pomAvailable, useHTTPS));
                     }
 
                     return result;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java

@@ -1,14 +1,7 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.central</title>
- * </head>
- * <body>
- * <p>
- * Contains classes related to searching Maven Central.</p>
- * <p>
- * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
- * </body>
- * </html>
+ *
+ * Contains classes related to searching Maven Central.<br/><br/>
+ *
+ * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
  */
 package org.owasp.dependencycheck.data.central;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -48,10 +48,10 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.utils.Pair;
 
 /**
- * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within
- * the NVD CVE data.
+ * An in memory lucene index that contains the vendor/product combinations from the CPE (application) identifiers within the NVD
+ * CVE data.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class CpeMemoryIndex {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/Fields.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.cpe;
 /**
  * Fields is a collection of field names used within the Lucene index for CPE entries.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class Fields {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -24,7 +24,7 @@ import java.net.URLDecoder;
 /**
  * A CPE entry containing the name, vendor, product, and version.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class IndexEntry implements Serializable {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.cpe;
 /**
  * An exception thrown when the there is an issue using the in-memory CPE Index.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class IndexException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.cpe</title>
- * </head>
- * <body>
  * Contains classes for working with the CPE Lucene Index.
- * </body>
- * </html>
-*/
-
+ */
 package org.owasp.dependencycheck.data.cpe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweDB.java

@@ -26,7 +26,7 @@ import java.util.logging.Logger;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class CweDB {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -25,7 +25,7 @@ import org.xml.sax.helpers.DefaultHandler;
 /**
  * A SAX Handler that will parse the CWE XML.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class CweHandler extends DefaultHandler {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.cwe</title>
- * </head>
- * <body>
  * Contains classes for working with the CWE Database.
- * </body>
- * </html>
-*/
-
+ */
 package org.owasp.dependencycheck.data.cwe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AbstractTokenizingFilter.java

@@ -25,7 +25,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
 /**
  * An abstract tokenizing filter that can be used as the base for a tokenizing filter.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public abstract class AbstractTokenizingFilter extends TokenFilter {
 
@@ -72,7 +72,7 @@ public abstract class AbstractTokenizingFilter extends TokenFilter {
      * @return whether or not a new term was added
      */
     protected boolean addTerm() {
-        final boolean termAdded = tokens.size() > 0;
+        final boolean termAdded = !tokens.isEmpty();
         if (termAdded) {
             final String term = tokens.pop();
             clearAttributes();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/AlphaNumericTokenizer.java

@@ -24,7 +24,7 @@ import org.apache.lucene.util.Version;
 /**
  * Tokenizes the input breaking it into tokens when non-alpha/numeric characters are found.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class AlphaNumericTokenizer extends CharTokenizer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/DependencySimilarity.java

@@ -21,7 +21,7 @@ import org.apache.lucene.search.similarities.DefaultSimilarity;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DependencySimilarity extends DefaultSimilarity {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/FieldAnalyzer.java

@@ -29,10 +29,10 @@ import org.apache.lucene.util.Version;
 
 /**
  * <p>
- * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The
- * intended purpose of this Analyzer is to index the CPE fields vendor and product.</p>
+ * A Lucene Analyzer that utilizes the WhitespaceTokenizer, WordDelimiterFilter, LowerCaseFilter, and StopFilter. The intended
+ * purpose of this Analyzer is to index the CPE fields vendor and product.</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class FieldAnalyzer extends Analyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -17,21 +17,22 @@
  */
 package org.owasp.dependencycheck.data.lucene;
 
+import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
 import org.apache.lucene.util.Version;
 
 /**
  * <p>
  * Lucene utils is a set of utilize written to make constructing Lucene queries simpler.</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class LuceneUtils {
 
     /**
-     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through
-     * the code base.
+     * The current version of Lucene being used. Declaring this one place so an upgrade doesn't require hunting through the code
+     * base.
      */
-    public static final Version CURRENT_VERSION = Version.LUCENE_45;
+    public static final Version CURRENT_VERSION = Version.LUCENE_47;
 
     /**
      * Private constructor as this is a utility class.
@@ -46,7 +47,7 @@ public final class LuceneUtils {
      * @param text the data to be escaped
      */
     @SuppressWarnings("fallthrough")
-    @edu.umd.cs.findbugs.annotations.SuppressWarnings(
+    @SuppressFBWarnings(
             value = "SF_SWITCH_NO_DEFAULT",
             justification = "The switch below does have a default.")
     public static void appendEscapedLuceneQuery(StringBuilder buf,

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchFieldAnalyzer.java

@@ -30,7 +30,7 @@ import org.apache.lucene.util.Version;
 /**
  * A Lucene field analyzer used to analyzer queries against the CPE data.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class SearchFieldAnalyzer extends Analyzer {
 
@@ -39,8 +39,7 @@ public class SearchFieldAnalyzer extends Analyzer {
      */
     private final Version version;
     /**
-     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer
-     * is re-used.
+     * A local reference to the TokenPairConcatenatingFilter so that we can clear any left over state if this analyzer is re-used.
      */
     private TokenPairConcatenatingFilter concatenatingFilter;
 
@@ -85,8 +84,7 @@ public class SearchFieldAnalyzer extends Analyzer {
 
     /**
      * <p>
-     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the
-     * analyzer.</p>
+     * Resets the analyzer and clears any internal state data that may have been left-over from previous uses of the analyzer.</p>
      * <p>
      * <b>If this analyzer is re-used this method must be called between uses.</b></p>
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/SearchVersionAnalyzer.java

@@ -1,72 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.Reader;
-import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.LowerCaseFilter;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
-import org.apache.lucene.util.Version;
-
-/**
- * SearchVersionAnalyzer is a Lucene Analyzer used to analyze version information.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public class SearchVersionAnalyzer extends Analyzer {
-    //TODO consider implementing payloads/custom attributes...
-    // use custom attributes for major, minor, x, x, x, rcx
-    // these can then be used to weight the score for searches on the version.
-    // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
-    // look at this article to implement
-    // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
-
-    /**
-     * The Lucene Version used.
-     */
-    private final Version version;
-
-    /**
-     * Creates a new SearchVersionAnalyzer.
-     *
-     * @param version the Lucene version
-     */
-    public SearchVersionAnalyzer(Version version) {
-        this.version = version;
-    }
-
-    /**
-     * Creates the TokenStreamComponents
-     *
-     * @param fieldName the field name being analyzed
-     * @param reader the reader containing the input
-     * @return the TokenStreamComponents
-     */
-    @Override
-    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
-        TokenStream stream = source;
-        stream = new LowerCaseFilter(version, stream);
-        stream = new VersionTokenizingFilter(stream);
-        return new TokenStreamComponents(source, stream);
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -29,7 +29,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p>
  * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class TokenPairConcatenatingFilter extends TokenFilter {
 
@@ -92,7 +92,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
 
         //if we have a previousTerm - write it out as its own token concatenated
         // with the current word (if one is available).
-        if (previousWord != null && words.size() > 0) {
+        if (previousWord != null && !words.isEmpty()) {
             final String word = words.getFirst();
             clearAttributes();
             termAtt.append(previousWord).append(word);
@@ -100,7 +100,7 @@ public final class TokenPairConcatenatingFilter extends TokenFilter {
             return true;
         }
         //if we have words, write it out as a single token
-        if (words.size() > 0) {
+        if (!words.isEmpty()) {
             final String word = words.removeFirst();
             clearAttributes();
             termAtt.append(word);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -33,7 +33,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
  * <p>
  * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     /**
@@ -60,7 +60,7 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     public boolean incrementToken() throws IOException {
         final LinkedList<String> tokens = getTokens();
         final CharTermAttribute termAtt = getTermAtt();
-        if (tokens.size() == 0 && input.incrementToken()) {
+        if (tokens.isEmpty() && input.incrementToken()) {
             final String text = new String(termAtt.buffer(), 0, termAtt.length());
             if (UrlStringUtils.containsUrl(text)) {
                 final String[] parts = text.split("\\s");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionAnalyzer.java

@@ -1,71 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.Reader;
-import org.apache.lucene.analysis.Analyzer;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.Tokenizer;
-import org.apache.lucene.analysis.core.LowerCaseFilter;
-import org.apache.lucene.analysis.core.WhitespaceTokenizer;
-import org.apache.lucene.util.Version;
-
-/**
- * VersionAnalyzer is a Lucene Analyzer used to analyze version information.
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public class VersionAnalyzer extends Analyzer {
-    //TODO consider implementing payloads/custom attributes...
-    // use custom attributes for major, minor, x, x, x, rcx
-    // these can then be used to weight the score for searches on the version.
-    // see http://lucene.apache.org/core/3_6_1/api/core/org/apache/lucene/analysis/package-summary.html#package_description
-    // look at this article to implement
-    // http://www.codewrecks.com/blog/index.php/2012/08/25/index-your-blog-using-tags-and-lucene-net/
-
-    /**
-     * The Lucene Version used.
-     */
-    private final Version version;
-
-    /**
-     * Creates a new VersionAnalyzer.
-     *
-     * @param version the Lucene version
-     */
-    public VersionAnalyzer(Version version) {
-        this.version = version;
-    }
-
-    /**
-     * Creates the TokenStreamComponents
-     *
-     * @param fieldName the field name being analyzed
-     * @param reader the reader containing the input
-     * @return the TokenStreamComponents
-     */
-    @Override
-    protected TokenStreamComponents createComponents(String fieldName, Reader reader) {
-        final Tokenizer source = new WhitespaceTokenizer(version, reader);
-        TokenStream stream = source;
-        stream = new LowerCaseFilter(version, stream);
-        return new TokenStreamComponents(source, stream);
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/VersionTokenizingFilter.java

@@ -1,98 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.lucene;
-
-import java.io.IOException;
-import java.util.LinkedList;
-import org.apache.lucene.analysis.TokenStream;
-import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
-
-/**
- * <p>
- * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
- * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
- *
- * @author Jeremy Long <jeremy.long@owasp.org>
- * @deprecated version information is no longer stored in lucene
- */
-@Deprecated
-public final class VersionTokenizingFilter extends AbstractTokenizingFilter {
-
-    /**
-     * Constructs a new VersionTokenizingFilter.
-     *
-     * @param stream the TokenStream that this filter will process
-     */
-    public VersionTokenizingFilter(TokenStream stream) {
-        super(stream);
-    }
-
-    /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * concatenating tokens with the previous token.
-     *
-     * @return whether or not we have hit the end of the TokenStream
-     * @throws IOException is thrown when an IOException occurs
-     */
-    @Override
-    public boolean incrementToken() throws IOException {
-        final LinkedList<String> tokens = getTokens();
-        final CharTermAttribute termAtt = getTermAtt();
-        if (tokens.size() == 0 && input.incrementToken()) {
-            final String version = new String(termAtt.buffer(), 0, termAtt.length());
-            final String[] toAnalyze = version.split("[_-]");
-            //ensure we analyze the whole string as one too
-            analyzeVersion(version);
-            for (String str : toAnalyze) {
-                analyzeVersion(str);
-            }
-        }
-        return addTerm();
-    }
-
-    /**
-     * <p>
-     * Analyzes the version and adds several copies of the version as different tokens. For example, the version 1.2.7
-     * would create the tokens 1 1.2 1.2.7. This is useful in discovering the correct version - sometimes a maintenance
-     * or build number will throw off the version identification.</p>
-     *
-     * <p>
-     * expected&nbsp;format:&nbps;major.minor[.maintenance[.build]]</p>
-     *
-     * @param version the version to analyze
-     */
-    private void analyzeVersion(String version) {
-        //todo should we also be splitting on dash or underscore? we would need
-        //  to incorporate the dash or underscore back in...
-        final LinkedList<String> tokens = getTokens();
-        final String[] versionParts = version.split("\\.");
-        String dottedVersion = null;
-        for (String current : versionParts) {
-            if (!current.matches("^/d+$")) {
-                tokens.add(current);
-            }
-            if (dottedVersion == null) {
-                dottedVersion = current;
-            } else {
-                dottedVersion = dottedVersion + "." + current;
-            }
-            tokens.add(dottedVersion);
-        }
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.lucene</title>
- * </head>
- * <body>
  * Contains classes used to work with the Lucene Indexes.
- * </body>
- * </html>
-*/
-
+ */
 package org.owasp.dependencycheck.data.lucene;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.nexus;
  */
 public class MavenArtifact {
 
+    /**
+     * The base URL for download artifacts from Central.
+     */
+    private static final String CENTRAL_CONTENT_URL = "//search.maven.org/remotecontent?filepath=";
+
     /**
      * The groupId
      */
@@ -43,6 +48,10 @@ public class MavenArtifact {
      * The artifact url. This may change depending on which Nexus server the search took place.
      */
     private String artifactUrl;
+    /**
+     * The url to download the POM from.
+     */
+    private String pomUrl;
 
     /**
      * Creates an empty MavenArtifact.
@@ -58,9 +67,41 @@ public class MavenArtifact {
      * @param version the version
      */
     public MavenArtifact(String groupId, String artifactId, String version) {
-        setGroupId(groupId);
-        setArtifactId(artifactId);
-        setVersion(version);
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+    }
+
+    /**
+     * Creates a MavenArtifact with the given attributes.
+     *
+     * @param groupId the groupId
+     * @param artifactId the artifactId
+     * @param version the version
+     * @param jarAvailable if the jar file is available from central
+     * @param pomAvailable if the pom file is available from central
+     * @param secureDownload if the jar and pom files should be downloaded using HTTPS.
+     */
+    public MavenArtifact(String groupId, String artifactId, String version, boolean jarAvailable, boolean pomAvailable, boolean secureDownload) {
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        String base;
+        if (secureDownload) {
+            base = "https:" + CENTRAL_CONTENT_URL;
+        } else {
+            base = "http:" + CENTRAL_CONTENT_URL;
+        }
+        if (jarAvailable) {
+            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
+            this.artifactUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+                    + version + "/" + artifactId + "-" + version + ".jar";
+        }
+        if (pomAvailable) {
+            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
+            this.pomUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+                    + version + "/" + artifactId + "-" + version + ".pom";
+        }
     }
 
     /**
@@ -72,10 +113,10 @@ public class MavenArtifact {
      * @param url the artifactLink url
      */
     public MavenArtifact(String groupId, String artifactId, String version, String url) {
-        setGroupId(groupId);
-        setArtifactId(artifactId);
-        setVersion(version);
-        setArtifactUrl(url);
+        this.groupId = groupId;
+        this.artifactId = artifactId;
+        this.version = version;
+        this.artifactUrl = url;
     }
 
     /**
@@ -159,6 +200,25 @@ public class MavenArtifact {
     public String getArtifactUrl() {
         return artifactUrl;
     }
+
+    /**
+     * Get the value of pomUrl.
+     *
+     * @return the value of pomUrl
+     */
+    public String getPomUrl() {
+        return pomUrl;
+    }
+
+    /**
+     * Set the value of pomUrl.
+     *
+     * @param pomUrl new value of pomUrl
+     */
+    public void setPomUrl(String pomUrl) {
+        this.pomUrl = pomUrl;
+    }
+
 }
 
 // vim: cc=120:sw=4:ts=4:sts=4

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -40,26 +40,32 @@ import org.w3c.dom.Document;
 public class NexusSearch {
 
     /**
-     * The root URL for the Nexus repository service
+     * The root URL for the Nexus repository service.
      */
     private final URL rootURL;
 
     /**
-     * Whether to use the Proxy when making requests
+     * Whether to use the Proxy when making requests.
      */
     private boolean useProxy;
-
+    /**
+     * The username to use if the Nexus requires authentication.
+     */
+    private String userName = null;
+    /**
+     * The password to use if the Nexus requires authentication.
+     */
+    private char[] password;
     /**
      * Used for logging.
      */
-    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class
-            .getName());
+    private static final Logger LOGGER = Logger.getLogger(NexusSearch.class.getName());
 
     /**
      * Creates a NexusSearch for the given repository URL.
      *
-     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated
-     * relative to this URL, so it should end with a /
+     * @param rootURL the root URL of the repository on which searches should execute. full URL's are calculated relative to this
+     * URL, so it should end with a /
      */
     public NexusSearch(URL rootURL) {
         this.rootURL = rootURL;
@@ -78,13 +84,12 @@ public class NexusSearch {
     }
 
     /**
-     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a
-     * <code>MavenArtifact</code> is populated with the coordinate information.
+     * Searches the configured Nexus repository for the given sha1 hash. If the artifact is found, a <code>MavenArtifact</code> is
+     * populated with the coordinate information.
      *
      * @param sha1 The SHA-1 hash string for which to search
      * @return the populated Maven coordinates
-     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
-     * found.
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not found.
      */
     public MavenArtifact searchSha1(String sha1) throws IOException {
         if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -99,10 +104,9 @@ public class NexusSearch {
         // Determine if we need to use a proxy. The rules:
         // 1) If the proxy is set, AND the setting is set to true, use the proxy
         // 2) Otherwise, don't use the proxy (either the proxy isn't configured,
-        // or proxy is specifically
-        // set to false
-        final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
-
+        // or proxy is specifically set to false
+        HttpURLConnection conn;
+        conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
         conn.setDoOutput(true);
 
         // JSON would be more elegant, but there's not currently a dependency
@@ -131,7 +135,18 @@ public class NexusSearch {
                         .evaluate(
                                 "/org.sonatype.nexus.rest.model.NexusArtifact/artifactLink",
                                 doc);
-                return new MavenArtifact(groupId, artifactId, version, link);
+                final String pomLink = xpath
+                        .evaluate(
+                                "/org.sonatype.nexus.rest.model.NexusArtifact/pomLink",
+                                doc);
+                final MavenArtifact ma = new MavenArtifact(groupId, artifactId, version);
+                if (link != null && !"".equals(link)) {
+                    ma.setArtifactUrl(link);
+                }
+                if (pomLink != null && !"".equals(pomLink)) {
+                    ma.setPomUrl(pomLink);
+                }
+                return ma;
             } catch (Throwable e) {
                 // Anything else is jacked-up XML stuff that we really can't recover
                 // from well
@@ -153,8 +168,10 @@ public class NexusSearch {
      * @return whether the repository is listening and returns the /status URL correctly
      */
     public boolean preflightRequest() {
+        HttpURLConnection conn;
         try {
-            final HttpURLConnection conn = URLConnectionFactory.createHttpURLConnection(new URL(rootURL, "status"), useProxy);
+            final URL url = new URL(rootURL, "status");
+            conn = URLConnectionFactory.createHttpURLConnection(url, useProxy);
             conn.addRequestProperty("Accept", "application/xml");
             conn.connect();
             if (conn.getResponseCode() != 200) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -1,14 +1,6 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.nexus</title>
- * </head>
- * <body>
- * <p>
- * Contains classes related to searching a Nexus repository.</p>
- * <p>
- * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
- * </body>
- * </html>
+ * Contains classes related to searching a Nexus repository.<br/><br/>
+ *
+ * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
  */
 package org.owasp.dependencycheck.data.nexus;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -1,15 +1,5 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.nuget</title>
- * </head>
- * <body>
- * <p>
- * Contains classes related to parsing Nuget related files</p>
- * <p>
- * These are used to abstract away Nuget-related handling from Dependency Check
- * so they can be used elsewhere.</p>
- * </body>
- * </html>
+ * Contains classes related to parsing Nuget related files<br/><br/>
+ * These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
  */
 package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.utils.Settings;
  * obtaining a connection will ensure the database file exists and that the appropriate table structure has been
  * created.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class ConnectionFactory {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -21,7 +21,7 @@ package org.owasp.dependencycheck.data.nvdcve;
  * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
  * of the db.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 class CorruptDatabaseException extends DatabaseException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -25,10 +25,13 @@ import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import java.util.ArrayList;
+import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
 import java.util.Map.Entry;
 import java.util.Properties;
+import java.util.ResourceBundle;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
@@ -45,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * The database holding information about the NVD CVE data.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class CveDB {
 
@@ -57,15 +60,20 @@ public class CveDB {
      * Database connection
      */
     private Connection conn;
+    /**
+     * The bundle of statements used when accessing the database.
+     */
+    private ResourceBundle statementBundle = null;
 
     /**
-     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller
-     * by calling the close method.
+     * Creates a new CveDB object and opens the database connection. Note, the connection must be closed by the caller by calling
+     * the close method.
      *
      * @throws DatabaseException thrown if there is an exception opening the database.
      */
     public CveDB() throws DatabaseException {
         super();
+        statementBundle = java.util.ResourceBundle.getBundle("data/dbStatements");
         try {
             open();
             databaseProperties = new DatabaseProperties(this);
@@ -160,118 +168,10 @@ public class CveDB {
     public DatabaseProperties getDatabaseProperties() {
         return databaseProperties;
     }
-    //<editor-fold defaultstate="collapsed" desc="Constants to create, maintain, and retrieve data from the CVE Database">
-    /**
-     * SQL Statement to delete references by vulnerability ID.
-     */
-    private static final String DELETE_REFERENCE = "DELETE FROM reference WHERE cveid = ?";
-    /**
-     * SQL Statement to delete software by vulnerability ID.
-     */
-    private static final String DELETE_SOFTWARE = "DELETE FROM software WHERE cveid = ?";
-    /**
-     * SQL Statement to delete a vulnerability by CVE.
-     */
-    private static final String DELETE_VULNERABILITY = "DELETE FROM vulnerability WHERE id = ?";
-    /**
-     * SQL Statement to cleanup orphan entries. Yes, the db schema could be a little tighter, but what we have works
-     * well to keep the data file size down a bit.
-     */
-    private static final String CLEANUP_ORPHANS = "DELETE FROM CpeEntry WHERE id not in (SELECT CPEEntryId FROM Software); ";
-    /**
-     * SQL Statement to insert a new reference.
-     */
-    private static final String INSERT_REFERENCE = "INSERT INTO reference (cveid, name, url, source) VALUES (?, ?, ?, ?)";
-    /**
-     * SQL Statement to insert a new software.
-     */
-    private static final String INSERT_SOFTWARE = "INSERT INTO software (cveid, cpeEntryId, previousVersion) VALUES (?, ?, ?)";
-    /**
-     * SQL Statement to insert a new cpe.
-     */
-    private static final String INSERT_CPE = "INSERT INTO cpeEntry (cpe, vendor, product) VALUES (?, ?, ?)";
-    /**
-     * SQL Statement to get a CPEProductID.
-     */
-    private static final String SELECT_CPE_ID = "SELECT id FROM cpeEntry WHERE cpe = ?";
-    /**
-     * SQL Statement to insert a new vulnerability.
-     */
-    private static final String INSERT_VULNERABILITY = "INSERT INTO vulnerability (cve, description, cwe, cvssScore, cvssAccessVector, "
-            + "cvssAccessComplexity, cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact) "
-            + "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)";
-    /**
-     * SQL Statement to update a vulnerability.
-     */
-    private static final String UPDATE_VULNERABILITY = "UPDATE vulnerability SET description=?, cwe=?, cvssScore=?, cvssAccessVector=?, "
-            + "cvssAccessComplexity=?, cvssAuthentication=?, cvssConfidentialityImpact=?, cvssIntegrityImpact=?, cvssAvailabilityImpact=? "
-            + "WHERE id=?";
-    /**
-     * SQL Statement to find CVE entries based on CPE data.
-     */
-    private static final String SELECT_CVE_FROM_SOFTWARE = "SELECT cve, cpe, previousVersion "
-            + "FROM software INNER JOIN vulnerability ON vulnerability.id = software.cveId "
-            + "INNER JOIN cpeEntry ON cpeEntry.id = software.cpeEntryId "
-            + "WHERE vendor = ? AND product = ?";
-    //unfortunately, the version info is too complicated to do in a select. Need to filter this afterwards
-    //        + " AND (version = '-' OR previousVersion IS NOT NULL OR version=?)";
-    //
-    /**
-     * SQL Statement to find the CPE entry based on the vendor and product.
-     */
-    private static final String SELECT_CPE_ENTRIES = "SELECT cpe FROM cpeEntry WHERE vendor = ? AND product = ?";
-    /**
-     * SQL Statement to select references by CVEID.
-     */
-    private static final String SELECT_REFERENCE = "SELECT source, name, url FROM reference WHERE cveid = ?";
-    /**
-     * SQL Statement to select vendor and product for lucene index.
-     */
-    private static final String SELECT_VENDOR_PRODUCT_LIST = "SELECT vendor, product FROM cpeEntry GROUP BY vendor, product";
-    /**
-     * SQL Statement to select software by CVEID.
-     */
-    private static final String SELECT_SOFTWARE = "SELECT cpe, previousVersion "
-            + "FROM software INNER JOIN cpeEntry ON software.cpeEntryId = cpeEntry.id WHERE cveid = ?";
-//    public static final String SELECT_SOFTWARE = "SELECT part, vendor, product, version, revision, previousVersion "
-//            + "FROM software INNER JOIN cpeProduct ON cpeProduct.id = software.cpeProductId LEFT JOIN cpeVersion ON "
-//            + "software.cpeVersionId = cpeVersion.id LEFT JOIN Version ON cpeVersion.versionId = version.id WHERE cveid = ?";
-    /**
-     * SQL Statement to select a vulnerability by CVEID.
-     */
-    private static final String SELECT_VULNERABILITY = "SELECT id, description, cwe, cvssScore, cvssAccessVector, cvssAccessComplexity, "
-            + "cvssAuthentication, cvssConfidentialityImpact, cvssIntegrityImpact, cvssAvailabilityImpact FROM vulnerability WHERE cve = ?";
-    /**
-     * SQL Statement to select a vulnerability's primary key.
-     */
-    private static final String SELECT_VULNERABILITY_ID = "SELECT id FROM vulnerability WHERE cve = ?";
-    /**
-     * SQL Statement to retrieve the properties from the database.
-     */
-    private static final String SELECT_PROPERTIES = "SELECT id, value FROM properties";
-    /**
-     * SQL Statement to retrieve a property from the database.
-     */
-    @SuppressWarnings("unused")
-    private static final String SELECT_PROPERTY = "SELECT id, value FROM properties WHERE id = ?";
-    /**
-     * SQL Statement to insert a new property.
-     */
-    private static final String INSERT_PROPERTY = "INSERT INTO properties (id, value) VALUES (?, ?)";
-    /**
-     * SQL Statement to update a property.
-     */
-    private static final String UPDATE_PROPERTY = "UPDATE properties SET value = ? WHERE id = ?";
-    /**
-     * SQL Statement to delete a property.
-     */
-    @SuppressWarnings("unused")
-    private static final String DELETE_PROPERTY = "DELETE FROM properties WHERE id = ?";
 
-    //</editor-fold>
     /**
-     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination.
-     * The returned list will include all versions of the product that are registered in the NVD CVE data.
+     * Searches the CPE entries in the database and retrieves all entries for a given vendor and product combination. The returned
+     * list will include all versions of the product that are registered in the NVD CVE data.
      *
      * @param vendor the identified vendor name of the dependency being analyzed
      * @param product the identified name of the product of the dependency being analyzed
@@ -282,7 +182,7 @@ public class CveDB {
         ResultSet rs = null;
         PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareStatement(SELECT_CPE_ENTRIES);
+            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ENTRIES"));
             ps.setString(1, vendor);
             ps.setString(2, product);
             rs = ps.executeQuery();
@@ -314,7 +214,7 @@ public class CveDB {
         ResultSet rs = null;
         PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
+            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_VENDOR_PRODUCT_LIST"));
             rs = ps.executeQuery();
             while (rs.next()) {
                 data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
@@ -339,7 +239,7 @@ public class CveDB {
         PreparedStatement ps = null;
         ResultSet rs = null;
         try {
-            ps = getConnection().prepareStatement(SELECT_PROPERTIES);
+            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_PROPERTIES"));
             rs = ps.executeQuery();
             while (rs.next()) {
                 prop.setProperty(rs.getString(1), rs.getString(2));
@@ -365,8 +265,8 @@ public class CveDB {
         PreparedStatement insertProperty = null;
         try {
             try {
-                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
-                insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
+                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
+                insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
             } catch (SQLException ex) {
                 LOGGER.log(Level.WARNING, "Unable to save properties to the database");
                 LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
@@ -405,7 +305,7 @@ public class CveDB {
         PreparedStatement insertProperty = null;
         try {
             try {
-                updateProperty = getConnection().prepareStatement(UPDATE_PROPERTY);
+                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
             } catch (SQLException ex) {
                 LOGGER.log(Level.WARNING, "Unable to save properties to the database");
                 LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
@@ -416,7 +316,7 @@ public class CveDB {
                 updateProperty.setString(2, key);
                 if (updateProperty.executeUpdate() == 0) {
                     try {
-                        insertProperty = getConnection().prepareStatement(INSERT_PROPERTY);
+                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
                     } catch (SQLException ex) {
                         LOGGER.log(Level.WARNING, "Unable to save properties to the database");
                         LOGGER.log(Level.FINE, "Unable to save properties to the database", ex);
@@ -456,30 +356,41 @@ public class CveDB {
         final List<Vulnerability> vulnerabilities = new ArrayList<Vulnerability>();
 
         PreparedStatement ps;
-        final HashSet<String> cveEntries = new HashSet<String>();
         try {
-            ps = getConnection().prepareStatement(SELECT_CVE_FROM_SOFTWARE);
+            ps = getConnection().prepareStatement(statementBundle.getString("SELECT_CVE_FROM_SOFTWARE"));
             ps.setString(1, cpe.getVendor());
             ps.setString(2, cpe.getProduct());
             rs = ps.executeQuery();
+            String currentCVE = "";
+
+            final Map<String, Boolean> vulnSoftware = new HashMap<String, Boolean>();
             while (rs.next()) {
                 final String cveId = rs.getString(1);
+                if (!currentCVE.equals(cveId)) { //check for match and add
+                    final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
+                    if (matchedCPE != null) {
+                        final Vulnerability v = getVulnerability(currentCVE);
+                        v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
+                        vulnerabilities.add(v);
+                    }
+                    vulnSoftware.clear();
+                    currentCVE = cveId;
+                }
+
                 final String cpeId = rs.getString(2);
                 final String previous = rs.getString(3);
-                if (!cveEntries.contains(cveId) && isAffected(cpe.getVendor(), cpe.getProduct(), detectedVersion, cpeId, previous)) {
-                    cveEntries.add(cveId);
-                    final Vulnerability v = getVulnerability(cveId);
-                    v.setMatchedCPE(cpeId, previous);
-                    vulnerabilities.add(v);
-                }
+                final Boolean p = previous != null && !previous.isEmpty();
+                vulnSoftware.put(cpeId, p);
+            }
+            //remember to process the last set of CVE/CPE entries
+            final Entry<String, Boolean> matchedCPE = getMatchingSoftware(vulnSoftware, cpe.getVendor(), cpe.getProduct(), detectedVersion);
+            if (matchedCPE != null) {
+                final Vulnerability v = getVulnerability(currentCVE);
+                v.setMatchedCPE(matchedCPE.getKey(), matchedCPE.getValue() ? "Y" : null);
+                vulnerabilities.add(v);
             }
             DBUtils.closeResultSet(rs);
             DBUtils.closeStatement(ps);
-//            for (String cve : cveEntries) {
-//                final Vulnerability v = getVulnerability(cve);
-//                vulnerabilities.add(v);
-//            }
-
         } catch (SQLException ex) {
             throw new DatabaseException("Exception retrieving vulnerability for " + cpeStr, ex);
         } finally {
@@ -504,7 +415,7 @@ public class CveDB {
         ResultSet rsS = null;
         Vulnerability vuln = null;
         try {
-            psV = getConnection().prepareStatement(SELECT_VULNERABILITY);
+            psV = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY"));
             psV.setString(1, cve);
             rsV = psV.executeQuery();
             if (rsV.next()) {
@@ -528,13 +439,13 @@ public class CveDB {
                 vuln.setCvssIntegrityImpact(rsV.getString(9));
                 vuln.setCvssAvailabilityImpact(rsV.getString(10));
 
-                psR = getConnection().prepareStatement(SELECT_REFERENCE);
+                psR = getConnection().prepareStatement(statementBundle.getString("SELECT_REFERENCES"));
                 psR.setInt(1, cveId);
                 rsR = psR.executeQuery();
                 while (rsR.next()) {
                     vuln.addReference(rsR.getString(1), rsR.getString(2), rsR.getString(3));
                 }
-                psS = getConnection().prepareStatement(SELECT_SOFTWARE);
+                psS = getConnection().prepareStatement(statementBundle.getString("SELECT_SOFTWARE"));
                 psS.setInt(1, cveId);
                 rsS = psS.executeQuery();
                 while (rsS.next()) {
@@ -579,16 +490,18 @@ public class CveDB {
         PreparedStatement insertSoftware = null;
 
         try {
-            selectVulnerabilityId = getConnection().prepareStatement(SELECT_VULNERABILITY_ID);
-            deleteVulnerability = getConnection().prepareStatement(DELETE_VULNERABILITY);
-            deleteReferences = getConnection().prepareStatement(DELETE_REFERENCE);
-            deleteSoftware = getConnection().prepareStatement(DELETE_SOFTWARE);
-            updateVulnerability = getConnection().prepareStatement(UPDATE_VULNERABILITY);
-            insertVulnerability = getConnection().prepareStatement(INSERT_VULNERABILITY, Statement.RETURN_GENERATED_KEYS);
-            insertReference = getConnection().prepareStatement(INSERT_REFERENCE);
-            selectCpeId = getConnection().prepareStatement(SELECT_CPE_ID);
-            insertCpe = getConnection().prepareStatement(INSERT_CPE, Statement.RETURN_GENERATED_KEYS);
-            insertSoftware = getConnection().prepareStatement(INSERT_SOFTWARE);
+            selectVulnerabilityId = getConnection().prepareStatement(statementBundle.getString("SELECT_VULNERABILITY_ID"));
+            deleteVulnerability = getConnection().prepareStatement(statementBundle.getString("DELETE_VULNERABILITY"));
+            deleteReferences = getConnection().prepareStatement(statementBundle.getString("DELETE_REFERENCE"));
+            deleteSoftware = getConnection().prepareStatement(statementBundle.getString("DELETE_SOFTWARE"));
+            updateVulnerability = getConnection().prepareStatement(statementBundle.getString("UPDATE_VULNERABILITY"));
+            insertVulnerability = getConnection().prepareStatement(statementBundle.getString("INSERT_VULNERABILITY"),
+                    Statement.RETURN_GENERATED_KEYS);
+            insertReference = getConnection().prepareStatement(statementBundle.getString("INSERT_REFERENCE"));
+            selectCpeId = getConnection().prepareStatement(statementBundle.getString("SELECT_CPE_ID"));
+            insertCpe = getConnection().prepareStatement(statementBundle.getString("INSERT_CPE"),
+                    Statement.RETURN_GENERATED_KEYS);
+            insertSoftware = getConnection().prepareStatement(statementBundle.getString("INSERT_SOFTWARE"));
             int vulnerabilityId = 0;
             selectVulnerabilityId.setString(1, vuln.getName());
             ResultSet rs = selectVulnerabilityId.executeQuery();
@@ -742,13 +655,13 @@ public class CveDB {
     }
 
     /**
-     * It is possible that orphaned rows may be generated during database updates. This should be called after all
-     * updates have been completed to ensure orphan entries are removed.
+     * It is possible that orphaned rows may be generated during database updates. This should be called after all updates have
+     * been completed to ensure orphan entries are removed.
      */
     public void cleanupDatabase() {
         PreparedStatement ps = null;
         try {
-            ps = getConnection().prepareStatement(CLEANUP_ORPHANS);
+            ps = getConnection().prepareStatement(statementBundle.getString("CLEANUP_ORPHANS"));
             if (ps != null) {
                 ps.executeUpdate();
             }
@@ -762,46 +675,80 @@ public class CveDB {
     }
 
     /**
-     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null,
-     * non-empty string passed to the previous version argument indicates that all previous versions are affected.
+     * Determines if the given identifiedVersion is affected by the given cpeId and previous version flag. A non-null, non-empty
+     * string passed to the previous version argument indicates that all previous versions are affected.
      *
      * @param vendor the vendor of the dependency being analyzed
      * @param product the product name of the dependency being analyzed
+     * @param vulnerableSoftware a map of the vulnerable software with a boolean indicating if all previous versions are affected
      * @param identifiedVersion the identified version of the dependency being analyzed
-     * @param cpeId the cpe identifier of software that has a known vulnerability
-     * @param previous a flag indicating if previous versions of the product are vulnerable
      * @return true if the identified version is affected, otherwise false
      */
-    protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
-        boolean affected = false;
-        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
-        final DependencyVersion v = parseDependencyVersion(cpeId);
-        final boolean prevAffected = previous != null && !previous.isEmpty();
-        if (v == null || "-".equals(v.toString())) { //all versions
-            affected = true;
-        } else if (identifiedVersion == null || "-".equals(identifiedVersion.toString())) {
-            if (prevAffected) {
-                affected = true;
+    Entry<String, Boolean> getMatchingSoftware(Map<String, Boolean> vulnerableSoftware, String vendor, String product,
+            DependencyVersion identifiedVersion) {
+
+        final boolean isVersionTwoADifferentProduct = "apache".equals(vendor) && "struts".equals(product);
+
+        final Set<String> majorVersionsAffectingAllPrevious = new HashSet<String>();
+        final boolean matchesAnyPrevious = identifiedVersion == null || "-".equals(identifiedVersion.toString());
+        String majorVersionMatch = null;
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            final DependencyVersion v = parseDependencyVersion(entry.getKey());
+            if (v == null || "-".equals(v.toString())) { //all versions
+                return entry;
             }
-        } else if (identifiedVersion.equals(v) || (prevAffected && identifiedVersion.compareTo(v) < 0)) {
-            if (isStruts) { //struts 2 vulns don't affect struts 1
-                if (identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
-                    affected = true;
+            if (entry.getValue()) {
+                if (matchesAnyPrevious) {
+                    return entry;
                 }
-            } else {
-                affected = true;
+                if (identifiedVersion != null && identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0))) {
+                    majorVersionMatch = v.getVersionParts().get(0);
+                }
+                majorVersionsAffectingAllPrevious.add(v.getVersionParts().get(0));
             }
         }
-        /*
-         * TODO consider utilizing the matchThreeVersion method to get additional results. However, this
-         *      might also introduce false positives.
-         */
-        return affected;
+        if (matchesAnyPrevious) {
+            return null;
+        }
+
+        final boolean canSkipVersions = majorVersionMatch != null && majorVersionsAffectingAllPrevious.size() > 1;
+        //yes, we are iterating over this twice. The first time we are skipping versions those that affect all versions
+        //then later we process those that affect all versions. This could be done with sorting...
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            if (!entry.getValue()) {
+                final DependencyVersion v = parseDependencyVersion(entry.getKey());
+                //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
+                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                    continue;
+                }
+                //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
+                //in the above loop or just after loop (if matchesAnyPrevious return null).
+                if (identifiedVersion.equals(v)) {
+                    return entry;
+                }
+            }
+        }
+        for (Entry<String, Boolean> entry : vulnerableSoftware.entrySet()) {
+            if (entry.getValue()) {
+                final DependencyVersion v = parseDependencyVersion(entry.getKey());
+                //this can't dereference a null 'majorVersionMatch' as canSkipVersions accounts for this.
+                if (canSkipVersions && !majorVersionMatch.equals(v.getVersionParts().get(0))) {
+                    continue;
+                }
+                //this can't dereference a null 'identifiedVersion' because if it was null we would have exited
+                //in the above loop or just after loop (if matchesAnyPrevious return null).
+                if (entry.getValue() && identifiedVersion.compareTo(v) <= 0) {
+                    if (!(isVersionTwoADifferentProduct && !identifiedVersion.getVersionParts().get(0).equals(v.getVersionParts().get(0)))) {
+                        return entry;
+                    }
+                }
+            }
+        }
+        return null;
     }
 
     /**
-     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is
-     * returned.
+     * Parses the version (including revision) from a CPE identifier. If no version is identified then a '-' is returned.
      *
      * @param cpeStr a cpe identifier
      * @return a dependency version
@@ -825,9 +772,9 @@ public class CveDB {
      */
     private DependencyVersion parseDependencyVersion(VulnerableSoftware cpe) {
         DependencyVersion cpeVersion;
-        if (cpe.getVersion() != null && cpe.getVersion().length() > 0) {
+        if (cpe.getVersion() != null && !cpe.getVersion().isEmpty()) {
             String versionText;
-            if (cpe.getRevision() != null && cpe.getRevision().length() > 0) {
+            if (cpe.getRevision() != null && !cpe.getRevision().isEmpty()) {
                 versionText = String.format("%s.%s", cpe.getVersion(), cpe.getRevision());
             } else {
                 versionText = cpe.getVersion();

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
  * An exception thrown if an operation against the database fails.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DatabaseException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
 /**
  * This is a wrapper around a set of properties that are stored in the database.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DatabaseProperties {
 
@@ -154,7 +154,7 @@ public class DatabaseProperties {
      * @return a map of the database meta data
      */
     public Map<String, String> getMetaData() {
-        final TreeMap<String, String> map = new TreeMap<String, String>();
+        final Map<String, String> map = new TreeMap<String, String>();
         for (Entry<Object, Object> entry : properties.entrySet()) {
             final String key = (String) entry.getKey();
             if (!"version".equals(key)) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoadException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.nvdcve;
 /**
  * An exception thrown the database driver is unable to be loaded.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DriverLoadException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -27,13 +27,14 @@ import java.sql.Driver;
 import java.sql.DriverManager;
 import java.sql.SQLException;
 import java.util.ArrayList;
+import java.util.List;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 
 /**
  * DriverLoader is a utility class that is used to load database drivers.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public final class DriverLoader {
 
@@ -75,7 +76,7 @@ public final class DriverLoader {
      */
     public static Driver load(String className, String pathToDriver) throws DriverLoadException {
         final URLClassLoader parent = (URLClassLoader) ClassLoader.getSystemClassLoader();
-        final ArrayList<URL> urls = new ArrayList<URL>();
+        final List<URL> urls = new ArrayList<URL>();
         final String[] paths = pathToDriver.split(File.pathSeparator);
         for (String path : paths) {
             final File file = new File(path);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverShim.java

@@ -34,7 +34,7 @@ import java.util.logging.Logger;
  * copy (with more comments and a few more methods implemented) of the DriverShim from:</p>
  * <blockquote>http://www.kfu.com/~nsayer/Java/dyn-jdbc.html</blockquote>
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  * @see java.sql.Driver
  */
 class DriverShim implements Driver {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.nvdcve</title>
- * </head>
- * <body>
  * Contains classes used to work with the NVD CVE data.
- * </body>
- * </html>
-*/
-
+ */
 package org.owasp.dependencycheck.data.nvdcve;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CachedWebDataSource.java

@@ -23,7 +23,7 @@ import org.owasp.dependencycheck.data.update.exception.UpdateException;
  * Defines a data source who's data is retrieved from the Internet. This data can be downloaded and the local cache
  * updated.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public interface CachedWebDataSource {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -37,7 +37,7 @@ import org.owasp.dependencycheck.utils.URLConnectionFailureException;
 
 /**
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class EngineVersionCheck implements CachedWebDataSource {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveInfo.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.update;
 /**
  * A pojo that contains the Url and timestamp of the current NvdCve XML files.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class NvdCveInfo {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -27,7 +27,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * Class responsible for updating the NVD CVE and CPE data stores.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class NvdCveUpdater implements CachedWebDataSource {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/StandardUpdate.java

@@ -44,7 +44,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * Class responsible for updating the NVDCVE data store.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class StandardUpdate {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateService.java

@@ -24,7 +24,7 @@ import java.util.ServiceLoader;
  * The CachedWebDataSource Service Loader. This class loads all services that implement
  * org.owasp.dependencycheck.data.update.CachedWebDataSource.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class UpdateService {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/UpdateableNvdCve.java

@@ -30,7 +30,7 @@ import org.owasp.dependencycheck.utils.Downloader;
  * Contains a collection of updateable NvdCveInfo objects. This is used to determine which files need to be downloaded
  * and processed.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/InvalidDataException.java

@@ -20,7 +20,7 @@ package org.owasp.dependencycheck.data.update.exception;
 /**
  * An InvalidDataDataException is a generic exception used when trying to load the NVD CVE meta data.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class InvalidDataException extends Exception {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/UpdateException.java

@@ -22,7 +22,7 @@ import java.io.IOException;
 /**
  * An exception used when an error occurs reading a setting.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class UpdateException extends IOException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/exception/package-info.java

@@ -1,11 +1,5 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.update.exception</title>
- * </head>
- * <body>
- * <p>A collection of exception classes used within the application.</p>
- * </body>
- * </html>
+ *
+ * A collection of exception classes used within the application.
  */
 package org.owasp.dependencycheck.data.update.exception;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java

@@ -1,15 +1,9 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.update</title>
- * </head>
- * <body>
- * <p>Contains classes used to update the data stores.</p>
- * <p>The UpdateService will load, any correctly defined CachedWebDataSource(s)
- * and call update() on them. The Cached Data Source must determine if it needs
- * to be updated and if so perform the update. The sub packages contain classes
- * used to perform the actual updates.</p>
- * </body>
- * </html>
+ *
+ * Contains classes used to update the data stores.<br/><br/>
+ *
+ * The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
+ * must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the
+ * actual updates.
  */
 package org.owasp.dependencycheck.data.update;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java

@@ -40,7 +40,7 @@ import org.owasp.dependencycheck.utils.Settings;
 /**
  * A callable object to download two files.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class DownloadTask implements Callable<Future<ProcessTask>> {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/ProcessTask.java

@@ -42,7 +42,7 @@ import org.xml.sax.SAXException;
 /**
  * A callable task that will process a given set of NVD CVE xml files and update the Cve Database accordingly.
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class ProcessTask implements Callable<ProcessTask> {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/package-info.java

@@ -1,12 +1,4 @@
 /**
- * <html>
- * <head>
- * <title>org.owasp.dependencycheck.data.update.task</title>
- * </head>
- * <body>
- * <p>A collection of callable/runnable tasks used to speed up the update
- * process.</p>
- * </body>
- * </html>
+ * A collection of callable/runnable tasks used to speed up the update process.
  */
 package org.owasp.dependencycheck.data.update.task;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/xml/NvdCve12Handler.java

@@ -32,7 +32,7 @@ import org.xml.sax.helpers.DefaultHandler;
  * CPEs that have previous versions specified. The previous version information is not in the 2.0 version of the schema
  * and is useful to ensure accurate identification (or at least complete).
  *
- * @author Jeremy Long <jeremy.long@owasp.org>
+ * @author Jeremy Long
  */
 public class NvdCve12Handler extends DefaultHandler {