version 1.3.3

Ruby bundler-audit Analyzer

dependency-check-ant/README.md

@@ -1,25 +1,134 @@
-Dependency-Check Ant Task
+Dependency-Check-Gradle
 =========
 
-Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+**Working in progress**
-performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
-vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
-Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
 
-Mailing List
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
-------------
 
-Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+=========
 
-Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+## What's New
+Current latest version is `0.0.8`
 
-Copyright & License
+## Usage
--------------------
 
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+### Step 1, Apply dependency check gradle plugin
 
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
+Install from Maven central repo
 
-Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.
+```groovy
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:1.3.2'
+    }
+}
+
+apply plugin: 'dependency-check-gradle'
+```
+
+### Step 2, Run gradle task
+
+Once gradle plugin applied, run following gradle task to check dependencies:
+
+```
+gradle dependencyCheck --info
+```
+
+The reports will be generated automatically under `./reports` folder.
+
+If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
+
+## FAQ
+
+> **Questions List:**
+> - What if I'm behind a proxy?
+> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
+> - How to customize the report directory?
+
+### What if I'm behind a proxy?
+
+Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
+
+```groovy
+dependencyCheck {
+    proxy {
+        server = "127.0.0.1"      // required, the server name or IP address of the proxy
+        port = 3128               // required, the port number of the proxy
+
+        // optional, the proxy server might require username
+        // username = "username"
+
+        // optional, the proxy server might require password
+        // password = "password"
+    }
+}
+```
+
+In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
+ the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
+ and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
+
+```groovy
+dependencyCheck {
+    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
+}
+```
+
+### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
+
+Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
+
+(1) For all projects including root project:
+
+```groovy
+buildscript {
+  repositories {
+    mavenCentral()
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
+  }
+}
+
+allprojects {
+    apply plugin: "dependency-check"
+}
+```
+
+(2) For all sub-projects:
+
+```groovy
+buildscript {
+  repositories {
+    mavenCentral()
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
+  }
+}
+
+subprojects {
+    apply plugin: "dependency-check"
+}
+```
+
+In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
+
+### How to customize the report directory?
+
+By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
+
+```groovy
+subprojects {
+    apply plugin: "dependency-check"
+
+    dependencyCheck {
+        outputDirectory = "./customized-path/security-report"
+    }
+}
+```

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.3</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java

@@ -63,7 +63,9 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 
     @Override
     public void trace(String msg) {
-        task.log(msg, Project.MSG_VERBOSE);
+        if (task != null) {
+            task.log(msg, Project.MSG_VERBOSE);
+        }
     }
 
     @Override

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -245,14 +245,14 @@ public class Check extends Update {
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
      * is true.
      */
-    private boolean autoUpdate = true;
+    private Boolean autoUpdate;
 
     /**
      * Get the value of autoUpdate.
      *
      * @return the value of autoUpdate
      */
-    public boolean isAutoUpdate() {
+    public Boolean isAutoUpdate() {
         return autoUpdate;
     }
 
@@ -261,19 +261,24 @@ public class Check extends Update {
      *
      * @param autoUpdate new value of autoUpdate
      */
-    public void setAutoUpdate(boolean autoUpdate) {
+    public void setAutoUpdate(Boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
     /**
      * Whether only the update phase should be executed.
+     *
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     private boolean updateOnly = false;
 
     /**
      * Get the value of updateOnly.
      *
      * @return the value of updateOnly
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     public boolean isUpdateOnly() {
         return updateOnly;
     }
@@ -282,7 +287,9 @@ public class Check extends Update {
      * Set the value of updateOnly.
      *
      * @param updateOnly new value of updateOnly
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     public void setUpdateOnly(boolean updateOnly) {
         this.updateOnly = updateOnly;
     }
@@ -357,14 +364,14 @@ public class Check extends Update {
     /**
      * Whether or not the Jar Analyzer is enabled.
      */
-    private boolean jarAnalyzerEnabled = true;
+    private Boolean jarAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isJarAnalyzerEnabled() {
+    public Boolean isJarAnalyzerEnabled() {
         return jarAnalyzerEnabled;
     }
 
@@ -373,33 +380,33 @@ public class Check extends Update {
      *
      * @param jarAnalyzerEnabled the value of the new setting
      */
-    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+    public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
     }
     /**
      * Whether or not the Archive Analyzer is enabled.
      */
-    private boolean archiveAnalyzerEnabled = true;
+    private Boolean archiveAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isArchiveAnalyzerEnabled() {
+    public Boolean isArchiveAnalyzerEnabled() {
         return archiveAnalyzerEnabled;
     }
     /**
      * Whether or not the .NET Assembly Analyzer is enabled.
      */
-    private boolean assemblyAnalyzerEnabled = true;
+    private Boolean assemblyAnalyzerEnabled;
 
     /**
      * Sets whether or not the analyzer is enabled.
      *
      * @param archiveAnalyzerEnabled the value of the new setting
      */
-    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+    public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
     }
 
@@ -408,7 +415,7 @@ public class Check extends Update {
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isAssemblyAnalyzerEnabled() {
+    public Boolean isAssemblyAnalyzerEnabled() {
         return assemblyAnalyzerEnabled;
     }
 
@@ -417,20 +424,20 @@ public class Check extends Update {
      *
      * @param assemblyAnalyzerEnabled the value of the new setting
      */
-    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+    public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
     }
     /**
      * Whether or not the .NET Nuspec Analyzer is enabled.
      */
-    private boolean nuspecAnalyzerEnabled = true;
+    private Boolean nuspecAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isNuspecAnalyzerEnabled() {
+    public Boolean isNuspecAnalyzerEnabled() {
         return nuspecAnalyzerEnabled;
     }
 
@@ -439,20 +446,20 @@ public class Check extends Update {
      *
      * @param nuspecAnalyzerEnabled the value of the new setting
      */
-    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+    public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
     }
     /**
      * Whether or not the PHP Composer Analyzer is enabled.
      */
-    private boolean composerAnalyzerEnabled = true;
+    private Boolean composerAnalyzerEnabled;
 
     /**
      * Get the value of composerAnalyzerEnabled.
      *
      * @return the value of composerAnalyzerEnabled
      */
-    public boolean isComposerAnalyzerEnabled() {
+    public Boolean isComposerAnalyzerEnabled() {
         return composerAnalyzerEnabled;
     }
 
@@ -461,20 +468,20 @@ public class Check extends Update {
      *
      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
      */
-    public void setComposerAnalyzerEnabled(boolean composerAnalyzerEnabled) {
+    public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
     }
     /**
      * Whether the autoconf analyzer should be enabled.
      */
-    private boolean autoconfAnalyzerEnabled = true;
+    private Boolean autoconfAnalyzerEnabled;
 
     /**
      * Get the value of autoconfAnalyzerEnabled.
      *
      * @return the value of autoconfAnalyzerEnabled
      */
-    public boolean isAutoconfAnalyzerEnabled() {
+    public Boolean isAutoconfAnalyzerEnabled() {
         return autoconfAnalyzerEnabled;
     }
 
@@ -483,20 +490,20 @@ public class Check extends Update {
      *
      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
      */
-    public void setAutoconfAnalyzerEnabled(boolean autoconfAnalyzerEnabled) {
+    public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
     }
     /**
      * Whether the CMake analyzer should be enabled.
      */
-    private boolean cmakeAnalyzerEnabled = true;
+    private Boolean cmakeAnalyzerEnabled;
 
     /**
      * Get the value of cmakeAnalyzerEnabled.
      *
      * @return the value of cmakeAnalyzerEnabled
      */
-    public boolean isCMakeAnalyzerEnabled() {
+    public Boolean isCMakeAnalyzerEnabled() {
         return cmakeAnalyzerEnabled;
     }
 
@@ -505,20 +512,20 @@ public class Check extends Update {
      *
      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
      */
-    public void setCMakeAnalyzerEnabled(boolean cmakeAnalyzerEnabled) {
+    public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
     }
     /**
      * Whether or not the openssl analyzer is enabled.
      */
-    private boolean opensslAnalyzerEnabled = true;
+    private Boolean opensslAnalyzerEnabled;
 
     /**
      * Get the value of opensslAnalyzerEnabled.
      *
      * @return the value of opensslAnalyzerEnabled
      */
-    public boolean isOpensslAnalyzerEnabled() {
+    public Boolean isOpensslAnalyzerEnabled() {
         return opensslAnalyzerEnabled;
     }
 
@@ -527,20 +534,20 @@ public class Check extends Update {
      *
      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
      */
-    public void setOpensslAnalyzerEnabled(boolean opensslAnalyzerEnabled) {
+    public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
     }
     /**
      * Whether or not the Node.js Analyzer is enabled.
      */
-    private boolean nodeAnalyzerEnabled = true;
+    private Boolean nodeAnalyzerEnabled;
 
     /**
      * Get the value of nodeAnalyzerEnabled.
      *
      * @return the value of nodeAnalyzerEnabled
      */
-    public boolean isNodeAnalyzerEnabled() {
+    public Boolean isNodeAnalyzerEnabled() {
         return nodeAnalyzerEnabled;
     }
 
@@ -549,20 +556,20 @@ public class Check extends Update {
      *
      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
      */
-    public void setNodeAnalyzerEnabled(boolean nodeAnalyzerEnabled) {
+    public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
     }
     /**
      * Whether the ruby gemspec analyzer should be enabled.
      */
-    private boolean rubygemsAnalyzerEnabled = true;
+    private Boolean rubygemsAnalyzerEnabled;
 
     /**
      * Get the value of rubygemsAnalyzerEnabled.
      *
      * @return the value of rubygemsAnalyzerEnabled
      */
-    public boolean isRubygemsAnalyzerEnabled() {
+    public Boolean isRubygemsAnalyzerEnabled() {
         return rubygemsAnalyzerEnabled;
     }
 
@@ -571,20 +578,20 @@ public class Check extends Update {
      *
      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
      */
-    public void setRubygemsAnalyzerEnabled(boolean rubygemsAnalyzerEnabled) {
+    public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
     }
     /**
      * Whether the python package analyzer should be enabled.
      */
-    private boolean pyPackageAnalyzerEnabled = true;
+    private Boolean pyPackageAnalyzerEnabled;
 
     /**
      * Get the value of pyPackageAnalyzerEnabled.
      *
      * @return the value of pyPackageAnalyzerEnabled
      */
-    public boolean isPyPackageAnalyzerEnabled() {
+    public Boolean isPyPackageAnalyzerEnabled() {
         return pyPackageAnalyzerEnabled;
     }
 
@@ -593,21 +600,21 @@ public class Check extends Update {
      *
      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
      */
-    public void setPyPackageAnalyzerEnabled(boolean pyPackageAnalyzerEnabled) {
+    public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
     }
 
     /**
      * Whether the python distribution analyzer should be enabled.
      */
-    private boolean pyDistributionAnalyzerEnabled = true;
+    private Boolean pyDistributionAnalyzerEnabled;
 
     /**
      * Get the value of pyDistributionAnalyzerEnabled.
      *
      * @return the value of pyDistributionAnalyzerEnabled
      */
-    public boolean isPyDistributionAnalyzerEnabled() {
+    public Boolean isPyDistributionAnalyzerEnabled() {
         return pyDistributionAnalyzerEnabled;
     }
 
@@ -616,21 +623,21 @@ public class Check extends Update {
      *
      * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
      */
-    public void setPyDistributionAnalyzerEnabled(boolean pyDistributionAnalyzerEnabled) {
+    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
     }
 
     /**
      * Whether or not the central analyzer is enabled.
      */
-    private boolean centralAnalyzerEnabled = false;
+    private Boolean centralAnalyzerEnabled;
 
     /**
      * Get the value of centralAnalyzerEnabled.
      *
      * @return the value of centralAnalyzerEnabled
      */
-    public boolean isCentralAnalyzerEnabled() {
+    public Boolean isCentralAnalyzerEnabled() {
         return centralAnalyzerEnabled;
     }
 
@@ -639,21 +646,21 @@ public class Check extends Update {
      *
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
      */
-    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+    public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
     /**
      * Whether or not the nexus analyzer is enabled.
      */
-    private boolean nexusAnalyzerEnabled = true;
+    private Boolean nexusAnalyzerEnabled;
 
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
      * @return the value of nexusAnalyzerEnabled
      */
-    public boolean isNexusAnalyzerEnabled() {
+    public Boolean isNexusAnalyzerEnabled() {
         return nexusAnalyzerEnabled;
     }
 
@@ -662,7 +669,7 @@ public class Check extends Update {
      *
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
      */
-    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+    public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
@@ -691,14 +698,14 @@ public class Check extends Update {
     /**
      * Whether or not the defined proxy should be used when connecting to Nexus.
      */
-    private boolean nexusUsesProxy = true;
+    private Boolean nexusUsesProxy;
 
     /**
      * Get the value of nexusUsesProxy.
      *
      * @return the value of nexusUsesProxy
      */
-    public boolean isNexusUsesProxy() {
+    public Boolean isNexusUsesProxy() {
         return nexusUsesProxy;
     }
 
@@ -707,7 +714,7 @@ public class Check extends Update {
      *
      * @param nexusUsesProxy new value of nexusUsesProxy
      */
-    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+    public void setNexusUsesProxy(Boolean nexusUsesProxy) {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
@@ -839,42 +846,32 @@ public class Check extends Update {
     /**
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
      * required to change the proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
         super.populateSettings();
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
-        }
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        }
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
-        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
     }
 
     /**

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java

@@ -357,6 +357,29 @@ public class Update extends Purge {
         this.cveUrl20Base = cveUrl20Base;
     }
 
+    /**
+     * The number of hours to wait before re-checking for updates.
+     */
+    private Integer cveValidForHours;
+
+    /**
+     * Get the value of cveValidForHours.
+     *
+     * @return the value of cveValidForHours
+     */
+    public Integer getCveValidForHours() {
+        return cveValidForHours;
+    }
+
+    /**
+     * Set the value of cveValidForHours.
+     *
+     * @param cveValidForHours new value of cveValidForHours
+     */
+    public void setCveValidForHours(Integer cveValidForHours) {
+        this.cveValidForHours = cveValidForHours;
+    }
+
     /**
      * Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
      * local database.
@@ -383,51 +406,32 @@ public class Update extends Purge {
     /**
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
      * required to change the proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
         super.populateSettings();
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        if (cveValidForHours != null) {
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            if (cveValidForHours >= 0) {
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+                Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
-        }
+            } else {
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+                throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+            }
-        }
-        if (connectionString != null && !connectionString.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
-        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        }
-        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        }
-        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
     }
 }

dependency-check-ant/src/main/resources/task.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0

dependency-check-ant/src/site/markdown/config-update.md

@@ -32,10 +32,10 @@ may be the cvedUrl properties, which can be used to host a mirror of the NVD wit
 
 Property             | Description                                                                                           | Default Value
 ---------------------|-------------------------------------------------------------------------------------------------------|------------------
-cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                              |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.           |  

dependency-check-ant/src/site/markdown/configuration.md

@@ -29,19 +29,20 @@ Configuration: dependency-check Task
 --------------------
 The following properties can be set on the dependency-check-update task.
 
-Property              | Description                        | Default Value
+Property              | Description                                                                                                                                                                                        | Default Value
-----------------------|------------------------------------|------------------
+----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
-autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
-projectName           | The name of the project being scanned. | Dependency-Check
+cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
-reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
-failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
-reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
-suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) |  
+reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
-proxyServer           | The Proxy Server.                  |  
+suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       |  
-proxyPort             | The Proxy Port.                    |  
+proxyServer           | The Proxy Server.                                                                                                                                                                                  |  
-proxyUsername         | Defines the proxy user name.       |  
+proxyPort             | The Proxy Port.                                                                                                                                                                                    |  
-proxyPassword         | Defines the proxy password.        |  
+proxyUsername         | Defines the proxy user name.                                                                                                                                                                       |  
-connectionTimeout     | The URL Connection Timeout.        |  
+proxyPassword         | Defines the proxy password.                                                                                                                                                                        |  
+connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        |  
 
 Analyzer Configuration
 ====================

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -26,7 +26,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 
 import static org.junit.Assert.assertTrue;

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.3</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -27,6 +27,7 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import org.apache.commons.cli.ParseException;
+import org.apache.commons.lang.StringUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
@@ -279,6 +280,7 @@ public class App {
         final String cveMod20 = cli.getModifiedCve20Url();
         final String cveBase12 = cli.getBaseCve12Url();
         final String cveBase20 = cli.getBaseCve20Url();
+        final Integer cveValidForHours = cli.getCveValidForHours();
 
         if (propertiesFile != null) {
             try {
@@ -308,24 +310,13 @@ public class App {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (proxyUser != null && !proxyUser.isEmpty()) {
+        Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
-        }
-        if (proxyPass != null && !proxyPass.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
-        }
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
 
         //File Type Analyzer Settings
         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
@@ -336,38 +327,24 @@ public class App {
         Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
+        Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
-
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
-        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
         if (cveBase12 != null && !cveBase12.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -90,6 +90,19 @@ public final class CliParser {
      * @throws ParseException is thrown if there is an exception parsing the command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
+        if (isUpdateOnly() || isRunScan()) {
+            final String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+            if (value != null) {
+                try {
+                    final int i = Integer.parseInt(value);
+                    if (i < 0) {
+                        throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
+                    }
+                } catch (NumberFormatException ex) {
+                    throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
+                }
+            }
+        }
         if (isRunScan()) {
             validatePathExists(getScanFiles(), ARGUMENT.SCAN);
             validatePathExists(getReportDirectory(), ARGUMENT.OUT);
@@ -255,6 +268,10 @@ public final class CliParser {
                 .desc("The file path to the suppression XML file.")
                 .build();
 
+        final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
+                .desc("The number of hours to wait before checking for new updates from the NVD.")
+                .build();
+
         //This is an option group because it can be specified more then once.
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
@@ -274,7 +291,8 @@ public final class CliParser {
                 .addOption(symLinkDepth)
                 .addOption(props)
                 .addOption(verboseLog)
-                .addOption(suppressionFile);
+                .addOption(suppressionFile)
+                .addOption(cveValidForHours);
     }
 
     /**
@@ -326,6 +344,10 @@ public final class CliParser {
         final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
                 .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .build();
+        
+        final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
+                .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
+                .desc("The path to bundle-audit for Gem bundle analysis.").build();
 
         final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg()
                 .longOpt(ARGUMENT.CONNECTION_TIMEOUT).desc("The connection timeout (in milliseconds) to use when downloading resources.")
@@ -419,11 +441,14 @@ public final class CliParser {
                 .addOption(disableJarAnalyzer)
                 .addOption(disableArchiveAnalyzer)
                 .addOption(disableAssemblyAnalyzer)
+                .addOption(pathToBundleAudit)
                 .addOption(disablePythonDistributionAnalyzer)
                 .addOption(disableCmakeAnalyzer)
                 .addOption(disablePythonPackageAnalyzer)
                 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
                         .desc("Disable the Ruby Gemspec Analyzer.").build())
+                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
+                        .desc("Disable the Ruby Bundler-Audit Analyzer.").build())
                 .addOption(disableAutoconfAnalyzer)
                 .addOption(disableComposerAnalyzer)
                 .addOption(disableOpenSSLAnalyzer)
@@ -436,6 +461,7 @@ public final class CliParser {
                 .addOption(nexusUsesProxy)
                 .addOption(additionalZipExtensions)
                 .addOption(pathToMono)
+                .addOption(pathToBundleAudit)
                 .addOption(purge);
     }
 
@@ -541,6 +567,16 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
     }
 
+    /**
+     * Returns true if the disableBundleAudit command line argument was specified.
+     *
+     * @return true if the disableBundleAudit command line argument was specified; otherwise false
+     */
+    public boolean isBundleAuditDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
+    }
+
+
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *
@@ -654,7 +690,7 @@ public final class CliParser {
         // still honor the property if it's set.
         if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
             try {
-                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
             } catch (InvalidSettingException ise) {
                 return true;
             }
@@ -722,6 +758,15 @@ public final class CliParser {
         return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
     }
 
+    /**
+     * Returns the path to bundle-audit for Ruby bundle analysis.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToBundleAudit() {
+        return line.getOptionValue(ARGUMENT.PATH_TO_BUNDLE_AUDIT);
+    }
+
     /**
      * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
      *
@@ -970,6 +1015,19 @@ public final class CliParser {
         return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
     }
 
+    /**
+     * Get the value of cveValidForHours.
+     *
+     * @return the value of cveValidForHours
+     */
+    public Integer getCveValidForHours() {
+        final String v = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+        if (v != null) {
+            return Integer.parseInt(v);
+        }
+        return null;
+    }
+
     /**
      * A collection of static final strings that represent the possible command line arguments.
      */
@@ -1133,6 +1191,10 @@ public final class CliParser {
          * The CLI argument name for setting the location of the suppression file.
          */
         public static final String SUPPRESSION_FILE = "suppression";
+        /**
+         * The CLI argument name for setting the location of the suppression file.
+         */
+        public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
         /**
          * Disables the Jar Analyzer.
          */
@@ -1169,6 +1231,10 @@ public final class CliParser {
          * Disables the Assembly Analyzer.
          */
         public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Ruby Bundler Audit Analyzer.
+         */
+        public static final String DISABLE_BUNDLE_AUDIT = "disableBundleAudit";
         /**
          * Disables the Nuspec Analyzer.
          */
@@ -1229,5 +1295,9 @@ public final class CliParser {
          * Exclude path argument.
          */
         public static final String EXCLUDE = "exclude";
+        /**
+         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+         */
+        public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java

@@ -22,7 +22,7 @@ package org.owasp.dependencycheck;
  *
  * @author Jeremy Long
  */
-class InvalidScanPathException extends Exception {
+public class InvalidScanPathException extends Exception {
 
     /**
      * The serial version UID for serialization.

dependency-check-cli/src/site/markdown/arguments.md

@@ -17,21 +17,24 @@ Short  | Argument Name   | Parameter       | Description | Requir
  \-h   | \-\-help              |                 | Print the help message. | Optional
        | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
  \-v   | \-\-version           |                 | Print the version information. | Optional
+       | \-\-cveValidForHours  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
+
 
 Advanced Options
 ================
 Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                     | Default&nbsp;Value
 -------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
-       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | http://nvd.nist.gov/download/nvdcve-modified.xml
+       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | http://nvd.nist.gov/download/nvdcve-%d.xml
+       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
  \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
        | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
        | \-\-disablePyDist     |                 | Sets whether the Python Distribution Analyzer will be used.                      | false
        | \-\-disablePyPkg      |                 | Sets whether the Python Package Analyzer will be used.                           | false
        | \-\-disableNodeJS     |                 | Sets whether the Node.js Package Analyzer will be used.                          | false
        | \-\-disableRubygems   |                 | Sets whether the Ruby Gemspec Analyzer will be used.                             | false
+       | \-\-disableBundleAudit |               | Sets whether the Ruby Bundler Audit Analyzer will be used.                             | false
        | \-\-disableAutoconf   |                 | Sets whether the Autoconf Analyzer will be used.                                 | false
        | \-\-disableOpenSSL    |                 | Sets whether the OpenSSL Analyzer will be used.                                  | false
        | \-\-disableCmake      |                 | Sets whether the Cmake Analyzer will be disabled.                                | false
@@ -46,6 +49,7 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
        | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
        | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
        | \-\-mono              | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
+       | \-\-bundleAudit       |                 | The path to the bundle-audit executable. | &nbsp;
        | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                              | &nbsp;
        | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
        | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;

dependency-check-cli/src/site/markdown/index.md.vm

@@ -25,10 +25,10 @@ your homebrew installation.
 To scan a folder on the system you can run:
 
 $H$H$H Windows
-    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
+    dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
 
 $H$H$H *nix
-    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
+    dependency-check.sh --project "My App Name" --scan "/java/application/lib"
 
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
 

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.3</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -468,7 +468,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-surefire-plugin</artifactId>
-                        <version>2.18.1</version>
                         <configuration>
                             <skip>true</skip>
                         </configuration>
@@ -476,12 +475,68 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
-                        <version>2.18.1</version>
                         <configuration>
                             <systemProperties>
                                 <property>
                                     <name>data.driver_path</name>
-                                    <value>${basedir}/${driver_path}</value>
+                                    <value>${driver_path}</value>
+                                </property>
+                                <property>
+                                    <name>data.driver_name</name>
+                                    <value>${driver_name}</value>
+                                </property>
+                                <property>
+                                    <name>data.connection_string</name>
+                                    <value>${connection_string}</value>
+                                </property>
+                            </systemProperties>
+                            <includes>
+                                <include>**/*MySQLTest.java</include>
+                            </includes>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>Postgresql-IntegrationTest</id>
+            <activation>
+                <property>
+                    <name>postgresql</name>
+                </property>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.postgresql</groupId>
+                    <artifactId>postgresql</artifactId>
+                    <version>9.4-1204-jdbc42</version>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <skip>true</skip>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <configuration>
+                            <systemProperties>
+                                <property>
+                                    <name>data.driver_path</name>
+                                    <value>${driver_path}</value>
                                 </property>
                                 <property>
                                     <name>data.driver_name</name>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -38,6 +38,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -174,8 +175,7 @@ public class Engine implements FileFilter {
     public List<Dependency> scan(String[] paths) {
         final List<Dependency> deps = new ArrayList<Dependency>();
         for (String path : paths) {
-            final File file = new File(path);
+            final List<Dependency> d = scan(path);
-            final List<Dependency> d = scan(file);
             if (d != null) {
                 deps.addAll(d);
             }
@@ -215,33 +215,14 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * Scans a collection of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
      * identified are added to the dependency collection.
      *
      * @param files a set of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
      * @since v0.3.2.5
      */
-    public List<Dependency> scan(Set<File> files) {
+    public List<Dependency> scan(Collection<File> files) {
-        final List<Dependency> deps = new ArrayList<Dependency>();
-        for (File file : files) {
-            final List<Dependency> d = scan(file);
-            if (d != null) {
-                deps.addAll(d);
-            }
-        }
-        return deps;
-    }
-
-    /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
-     *
-     * @param files a set of paths to files or directories to be analyzed
-     * @return the list of dependencies scanned
-     * @since v0.3.2.5
-     */
-    public List<Dependency> scan(List<File> files) {
         final List<Dependency> deps = new ArrayList<Dependency>();
         for (File file : files) {
             final List<Dependency> d = scan(file);

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -840,8 +840,7 @@ public class DependencyCheckScanAgent {
      */
     private Engine executeDependencyCheck() throws DatabaseException {
         populateSettings();
-        Engine engine = null;
+        final Engine engine = new Engine();
-        engine = new Engine();
         engine.setDependencies(this.dependencies);
         engine.analyzeDependencies();
         return engine;
@@ -898,67 +897,28 @@ public class DependencyCheckScanAgent {
         }
 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
-        if (proxyPassword != null && !proxyPassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        }
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        if (centralUrl != null && !centralUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
-        }
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
-        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
-        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        }
-        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        }
-        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -214,7 +214,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * @return a Set of strings.
      */
     protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
+        final Set<String> set = new HashSet<String>(strings.length);
         Collections.addAll(set, strings);
         return set;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -28,6 +28,10 @@ public enum AnalysisPhase {
      * Initialization phase.
      */
     INITIAL,
+    /**
+     * Pre information collection phase
+     */
+    PRE_INFORMATION_COLLECTION,
     /**
      * Information collection phase.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -114,8 +114,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
-            final Set<String> ext = new HashSet<String>(Collections.singletonList(additionalZipExt));
+            final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            ZIPPABLES.addAll(ext);
+            Collections.addAll(ZIPPABLES, ext);
         }
         EXTENSIONS.addAll(ZIPPABLES);
     }
@@ -195,8 +195,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         if (tempFileLocation != null && tempFileLocation.exists()) {
             LOGGER.debug("Attempting to delete temporary files");
             final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
+            if (!success && tempFileLocation.exists()) {
-                LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                final String[] l = tempFileLocation.list();
+                if (l != null && l.length > 0) {
+                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                }
             }
         }
     }
@@ -415,11 +418,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         FileOutputStream fos = null;
         try {
             final File parent = file.getParentFile();
-            if (!parent.isDirectory()) {
+            if (!parent.isDirectory() && !parent.mkdirs()) {
-                if (!parent.mkdirs()) {
+                final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
-                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+                throw new AnalysisException(msg);
-                    throw new AnalysisException(msg);
-                }
             }
             fos = new FileOutputStream(file);
             IOUtils.copy(input, fos);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -17,13 +17,13 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.output.NullOutputStream;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -115,21 +115,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         final List<String> args = buildArgumentList();
         args.add(dependency.getActualFilePath());
         final ProcessBuilder pb = new ProcessBuilder(args);
-        BufferedReader rdr = null;
         Document doc = null;
         try {
             final Process proc = pb.start();
-            // Try evacuating the error stream
+
-            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
-            String line = null;
-            // CHECKSTYLE:OFF
-            while (rdr.ready() && (line = rdr.readLine()) != null) {
-                LOGGER.warn("Error from GrokAssembly: {}", line);
-            }
-            // CHECKSTYLE:ON
-            int rc = 0;
             doc = builder.parse(proc.getInputStream());
 
+            // Try evacuating the error stream
+            final String errorStream = IOUtils.toString(proc.getErrorStream(), "UTF-8");
+            if (null != errorStream && !errorStream.isEmpty()) {
+                LOGGER.warn("Error from GrokAssembly: {}", errorStream);
+            }
+
+            int rc = 0;
             try {
                 rc = proc.waitFor();
             } catch (InterruptedException ie) {
@@ -176,14 +174,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (XPathExpressionException xpe) {
             // This shouldn't happen
             throw new AnalysisException(xpe);
-        } finally {
-            if (rdr != null) {
-                try {
-                    rdr.close();
-                } catch (IOException ex) {
-                    LOGGER.debug("ignore", ex);
-                }
-            }
         }
     }
 
@@ -200,11 +190,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         try {
             fos = new FileOutputStream(tempFile);
             is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
-            final byte[] buff = new byte[4096];
+            IOUtils.copy(is, fos);
-            int bread = -1;
+
-            while ((bread = is.read(buff)) >= 0) {
-                fos.write(buff, 0, bread);
-            }
             grokAssemblyExe = tempFile;
             // Set the temp file to get deleted when we're done
             grokAssemblyExe.deleteOnExit();
@@ -232,17 +219,12 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 
         // Now, need to see if GrokAssembly actually runs from this location.
         final List<String> args = buildArgumentList();
-        BufferedReader rdr = null;
         try {
             final ProcessBuilder pb = new ProcessBuilder(args);
             final Process p = pb.start();
             // Try evacuating the error stream
-            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
-            // CHECKSTYLE:OFF
+
-            while (rdr.ready() && rdr.readLine() != null) {
-                // We expect this to complain
-            }
-            // CHECKSTYLE:ON
             final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final String error = xpath.evaluate("/assembly/error", doc);
@@ -263,14 +245,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                 this.setEnabled(false);
                 throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
             }
-        } finally {
-            if (rdr != null) {
-                try {
-                    rdr.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
         }
         builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -62,11 +62,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     private static final int REGEX_OPTIONS = Pattern.DOTALL
             | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
 
+    /**
+     * Regex to extract the product information.
+     */
     private static final Pattern PROJECT = Pattern.compile(
             "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
 
-    // Group 1: Product
+    /**
-    // Group 2: Version
+     * Regex to extract product and version information.
+     *
+     * Group 1: Product
+     *
+     * Group 2: Version
+     */
     private static final Pattern SET_VERSION = Pattern
             .compile(
                     "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
@@ -172,8 +180,17 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
+    /**
+     * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
+     * the dependency list.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine the dependency-check engine
+     * @param contents the version information
+     */
     private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
-        final Dependency orig = dependency;
+        Dependency currentDep = dependency;
+
         final Matcher m = SET_VERSION.matcher(contents);
         int count = 0;
         while (m.find()) {
@@ -190,19 +207,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
             }
             if (count > 1) {
                 //TODO - refactor so we do not assign to the parameter (checkstyle)
-                dependency = new Dependency(orig.getActualFile());
+                currentDep = new Dependency(dependency.getActualFile());
-                dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
+                currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
-                final String filePath = String.format("%s:%s", orig.getFilePath(), product);
+                final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
-                dependency.setFilePath(filePath);
+                currentDep.setFilePath(filePath);
 
                 // prevents coalescing into the dependency provided by engine
-                dependency.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
-                engine.getDependencies().add(dependency);
+                engine.getDependencies().add(currentDep);
             }
-            final String source = dependency.getDisplayFileName();
+            final String source = currentDep.getDisplayFileName();
-            dependency.getProductEvidence().addEvidence(source, "Product",
+            currentDep.getProductEvidence().addEvidence(source, "Product",
                     product, Confidence.MEDIUM);
-            dependency.getVersionEvidence().addEvidence(source, "Version",
+            currentDep.getVersionEvidence().addEvidence(source, "Version",
                     version, Confidence.MEDIUM);
         }
         LOGGER.debug(String.format("Found %d matches.", count));

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -335,7 +335,7 @@ public class CPEAnalyzer implements Analyzer {
      * @return if the append was successful.
      */
     private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
-        sb.append(" ").append(field).append(":( ");
+        sb.append(' ').append(field).append(":( ");
 
         final String cleanText = cleanseText(searchText);
 
@@ -349,20 +349,27 @@ public class CPEAnalyzer implements Analyzer {
             final StringTokenizer tokens = new StringTokenizer(cleanText);
             while (tokens.hasMoreElements()) {
                 final String word = tokens.nextToken();
-                String temp = null;
+                StringBuilder temp = null;
                 for (String weighted : weightedText) {
                     final String weightedStr = cleanseText(weighted);
                     if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
-                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        temp = new StringBuilder(word.length() + 2);
+                        LuceneUtils.appendEscapedLuceneQuery(temp, word);
+                        temp.append(WEIGHTING_BOOST);
                         if (!word.equalsIgnoreCase(weightedStr)) {
-                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                            temp.append(' ');
+                            LuceneUtils.appendEscapedLuceneQuery(temp, weightedStr);
+                            temp.append(WEIGHTING_BOOST);
                         }
+                        break;
                     }
                 }
+                sb.append(' ');
                 if (temp == null) {
-                    temp = LuceneUtils.escapeLuceneQuery(word);
+                    LuceneUtils.appendEscapedLuceneQuery(sb, word);
+                } else {
+                    sb.append(temp);
                 }
-                sb.append(" ").append(temp);
             }
         }
         sb.append(" ) ");
@@ -515,7 +522,7 @@ public class CPEAnalyzer implements Analyzer {
                 for (VulnerableSoftware vs : cpes) {
                     DependencyVersion dbVer;
                     if (vs.getUpdate() != null && !vs.getUpdate().isEmpty()) {
-                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getUpdate());
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate());
                     } else {
                         dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -192,7 +192,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
-                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma.toString(), dependency.getFileName());
+                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
                 for (Evidence e : dependency.getVendorEvidence()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -213,10 +213,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         //version check
         final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
         final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
-        if (version1 != null && version2 != null) {
+        if (version1 != null && version2 != null && !version1.equals(version2)) {
-            if (!version1.equals(version2)) {
+            return false;
-                return false;
-            }
         }
 
         //filename check

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -113,7 +113,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         for (Identifier i : dependency.getIdentifiers()) {
             if ("maven".contains(i.getType())) {
                 if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
-                    final int endPoint = i.getValue().indexOf(":", 19);
+                    final int endPoint = i.getValue().indexOf(':', 19);
                     if (endPoint >= 0) {
                         mustContain = i.getValue().substring(19, endPoint).toLowerCase();
                         break;
@@ -472,8 +472,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     private String trimCpeToVendor(String value) {
         //cpe:/a:jruby:jruby:1.0.8
-        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos1 = value.indexOf(':', 7); //right of vendor
-        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        final int pos2 = value.indexOf(':', pos1 + 1); //right of product
         if (pos2 < 0) {
             return value;
         } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+import org.apache.commons.io.FilenameUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -76,13 +77,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
         //strip any path information that may get added by ArchiveAnalyzer, etc.
         final File f = dependency.getActualFile();
-        String fileName = f.getName();
+        final String fileName = FilenameUtils.removeExtension(f.getName());
-
-        //remove file extension
-        final int pos = fileName.lastIndexOf(".");
-        if (pos > 0) {
-            fileName = fileName.substring(0, pos);
-        }
 
         //add version evidence
         final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -42,6 +42,7 @@ import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import org.apache.commons.compress.utils.IOUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -269,8 +270,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
         File externalPom = null;
         if (pomEntries.isEmpty()) {
-            String pomPath = dependency.getActualFilePath();
+            final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
-            pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
             externalPom = new File(pomPath);
             if (externalPom.isFile()) {
                 pomEntries.add(pomPath);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -104,7 +104,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
          */
         boolean retval = false;
         try {
-            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+            if (!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))
                     && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                 LOGGER.info("Enabling Nexus analyzer");
                 retval = true;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -126,7 +126,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.debug("Checking Nuspec file {}", dependency.toString());
+        LOGGER.debug("Checking Nuspec file {}", dependency);
         try {
             final NuspecParser parser = new XPathNuspecParser();
             NugetPackage np = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -73,7 +73,7 @@ public class NvdCveAnalyzer implements Analyzer {
      * @return true or false.
      */
     public boolean isOpen() {
-        return (cveDB != null);
+        return cveDB != null;
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -164,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
-     * @param engine     the engine being used to perform the scan
+     * @param engine the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
@@ -175,8 +175,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         final String parentName = parent.getName();
         boolean found = false;
         if (INIT_PY_FILTER.accept(file)) {
-            for (final File sourceFile : parent.listFiles(PY_FILTER)) {
+            final File[] fileList = parent.listFiles(PY_FILTER);
-                found |= analyzeFileContents(dependency, sourceFile);
+            if (fileList != null) {
+                for (final File sourceFile : fileList) {
+                    found |= analyzeFileContents(dependency, sourceFile);
+                }
             }
         }
         if (found) {
@@ -197,7 +200,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
      *
      * @param dependency the dependency being analyzed
-     * @param file       the file name to analyze
+     * @param file the file name to analyze
      * @return whether evidence was found
      * @throws AnalysisException thrown if there is an unrecoverable error
      */
@@ -241,15 +244,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Adds summary information to the dependency
      *
      * @param dependency the dependency being analyzed
-     * @param pattern    the pattern used to perform analysis
+     * @param pattern the pattern used to perform analysis
-     * @param group      the group from the pattern that indicates the data to use
+     * @param group the group from the pattern that indicates the data to use
-     * @param contents   the data being analyzed
+     * @param contents the data being analyzed
-     * @param source     the source name to use when recording the evidence
+     * @param source the source name to use when recording the evidence
-     * @param key        the key name to use when recording the evidence
+     * @param key the key name to use when recording the evidence
      * @return true if evidence was collected; otherwise false
      */
     private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
-                                   int group, String contents, String source, String key) {
+            int group, String contents, String source, String key) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {
@@ -262,16 +265,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Collects evidence from the home page URL.
      *
-     * @param pattern  the pattern to match
+     * @param pattern the pattern to match
      * @param evidence the evidence collection to add the evidence to
-     * @param source   the source of the evidence
+     * @param source the source of the evidence
-     * @param name     the name of the evidence
+     * @param name the name of the evidence
      * @param contents the home page URL
      * @return true if evidence was collected; otherwise false
      */
     private boolean gatherHomePageEvidence(Pattern pattern,
-                                           EvidenceCollection evidence, String source, String name,
+            EvidenceCollection evidence, String source, String name,
-                                           String contents) {
+            String contents) {
         final Matcher matcher = pattern.matcher(contents);
         boolean found = false;
         if (matcher.find()) {
@@ -287,17 +290,17 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Gather evidence from a Python source file using the given string assignment regex pattern.
      *
-     * @param pattern    to scan contents with
+     * @param pattern to scan contents with
-     * @param contents   of Python source file
+     * @param contents of Python source file
-     * @param source     for storing evidence
+     * @param source for storing evidence
-     * @param evidence   to store evidence in
+     * @param evidence to store evidence in
-     * @param name       of evidence
+     * @param name of evidence
      * @param confidence in evidence
      * @return whether evidence was found
      */
     private boolean gatherEvidence(Pattern pattern, String contents,
-                                   String source, EvidenceCollection evidence, String name,
+            String source, EvidenceCollection evidence, String name,
-                                   Confidence confidence) {
+            Confidence confidence) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -0,0 +1,326 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Reference;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.*;
+import java.util.*;
+
+/**
+ * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
+
+    private static final FileFilter FILTER =
+            FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+    public static final String NAME = "Name: ";
+    public static final String VERSION = "Version: ";
+    public static final String ADVISORY = "Advisory: ";
+    public static final String CRITICALITY = "Criticality: ";
+
+    /**
+     * @return a filter that accepts files named Gemfile.lock
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    /**
+     * Launch bundle-audit.
+     *
+     * @return a handle to the process
+     */
+    private Process launchBundleAudit(File folder) throws AnalysisException {
+        if (!folder.isDirectory()) {
+            throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
+        }
+        final List<String> args = new ArrayList<String>();
+        final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
+        args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
+        args.add("check");
+        args.add("--verbose");
+        final ProcessBuilder builder = new ProcessBuilder(args);
+        builder.directory(folder);
+        try {
+            return builder.start();
+        } catch (IOException ioe) {
+            throw new AnalysisException("bundle-audit failure", ioe);
+        }
+    }
+
+    /**
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     *
+     * @throws Exception if anything goes wrong
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        // Now, need to see if bundle-audit actually runs from this location.
+        Process process = launchBundleAudit(Settings.getTempDirectory());
+        int exitValue = process.waitFor();
+        if (0 == exitValue) {
+            LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
+            setEnabled(false);
+            throw new AnalysisException("Unexpected exit code from bundle-audit process.");
+        } else {
+            BufferedReader reader = null;
+            try {
+                reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+                if (!reader.ready()) {
+                    LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
+                    setEnabled(false);
+                    throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
+                } else {
+                    final String line = reader.readLine();
+                    if (!line.contains("Errno::ENOENT")) {
+                        LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
+                        setEnabled(false);
+                        throw new AnalysisException("Unexpected bundle-audit output.");
+                    }
+                }
+            } finally {
+                if (null != reader) {
+                    reader.close();
+                }
+            }
+        }
+        if (isEnabled()) {
+            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
+                    "occasionally to keep its database up to date.");
+        }
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
+    }
+
+    /**
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
+     * be necessary to disable {@link RubyGemspecAnalyzer}.
+     */
+    private boolean needToDisableGemspecAnalyzer = true;
+
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        if (needToDisableGemspecAnalyzer) {
+            boolean failed = true;
+            final String className = RubyGemspecAnalyzer.class.getName();
+            for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
+                if (analyzer instanceof RubyGemspecAnalyzer) {
+                    ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
+                    LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
+                    failed = false;
+                }
+            }
+            if (failed) {
+                LOGGER.warn("Did not find" + className + '.');
+            }
+            needToDisableGemspecAnalyzer = false;
+        }
+        final File parentFile = dependency.getActualFile().getParentFile();
+        final Process process = launchBundleAudit(parentFile);
+        try {
+            process.waitFor();
+        } catch (InterruptedException ie) {
+            throw new AnalysisException("bundle-audit process interrupted", ie);
+        }
+        BufferedReader rdr = null;
+        try {
+            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
+            processBundlerAuditOutput(dependency, engine, rdr);
+        } catch (IOException ioe) {
+            LOGGER.warn("bundle-audit failure", ioe);
+        } finally {
+            if (null != rdr) {
+                try {
+                    rdr.close();
+                } catch (IOException ioe) {
+                    LOGGER.warn("bundle-audit close failure", ioe);
+                }
+            }
+        }
+
+    }
+
+    private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
+        final String parentName = original.getActualFile().getParentFile().getName();
+        final String fileName = original.getFileName();
+        Dependency dependency = null;
+        Vulnerability vulnerability = null;
+        String gem = null;
+        final Map<String, Dependency> map = new HashMap<String, Dependency>();
+        boolean appendToDescription = false;
+        while (rdr.ready()) {
+            final String nextLine = rdr.readLine();
+            if (null == nextLine) {
+                break;
+            } else if (nextLine.startsWith(NAME)) {
+                appendToDescription = false;
+                gem = nextLine.substring(NAME.length());
+                if (!map.containsKey(gem)) {
+                    map.put(gem, createDependencyForGem(engine, parentName, fileName, gem));
+                }
+                dependency = map.get(gem);
+                LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+            } else if (nextLine.startsWith(VERSION)) {
+                vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine);
+            } else if (nextLine.startsWith(ADVISORY)) {
+                setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
+            } else if (nextLine.startsWith(CRITICALITY)) {
+                addCriticalityToVulnerability(parentName, vulnerability, nextLine);
+            } else if (nextLine.startsWith("URL: ")) {
+                addReferenceToVulnerability(parentName, vulnerability, nextLine);
+            } else if (nextLine.startsWith("Description:")) {
+                appendToDescription = true;
+                if (null != vulnerability) {
+                    vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 indicates unknown). See link below for full details. *** ");
+                }
+            } else if (appendToDescription) {
+                if (null != vulnerability) {
+                    vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
+                }
+            }
+        }
+    }
+
+    private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
+        final String advisory = nextLine.substring((ADVISORY.length()));
+        if (null != vulnerability) {
+            vulnerability.setName(advisory);
+        }
+        if (null != dependency) {
+            dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+        final String url = nextLine.substring(("URL: ").length());
+        if (null != vulnerability) {
+            Reference ref = new Reference();
+            ref.setName(vulnerability.getName());
+            ref.setSource("bundle-audit");
+            ref.setUrl(url);
+            vulnerability.getReferences().add(ref);
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+        if (null != vulnerability) {
+            final String criticality = nextLine.substring(CRITICALITY.length()).trim();
+            if ("High".equals(criticality)) {
+                vulnerability.setCvssScore(8.5f);
+            } else if ("Medium".equals(criticality)) {
+                vulnerability.setCvssScore(5.5f);
+            } else if ("Low".equals(criticality)) {
+                vulnerability.setCvssScore(2.0f);
+            } else {
+                vulnerability.setCvssScore(-1.0f);
+            }
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private Vulnerability createVulnerability(String parentName, Dependency dependency, Vulnerability vulnerability, String gem, String nextLine) {
+        if (null != dependency) {
+            final String version = nextLine.substring(VERSION.length());
+            dependency.getVersionEvidence().addEvidence(
+                    "bundler-audit",
+                    "Version",
+                    version,
+                    Confidence.HIGHEST);
+            vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
+            vulnerability.setMatchedCPE(
+                    String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
+                    null);
+            vulnerability.setCvssAccessVector("-");
+            vulnerability.setCvssAccessComplexity("-");
+            vulnerability.setCvssAuthentication("-");
+            vulnerability.setCvssAvailabilityImpact("-");
+            vulnerability.setCvssConfidentialityImpact("-");
+            vulnerability.setCvssIntegrityImpact("-");
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+        return vulnerability;
+    }
+
+    private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String gem) throws IOException {
+        final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
+        final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
+        FileUtils.write(tempFile, displayFileName); // unique contents to avoid dependency bundling
+        final Dependency dependency = new Dependency(tempFile);
+        dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
+        dependency.setDisplayFileName(displayFileName);
+        engine.getDependencies().add(dependency);
+        return dependency;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -49,11 +49,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
+    private static final String GEMSPEC = "gemspec";
+
     private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build();
+            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
-    private static final String GEMSPEC = "gemspec";
 
     /**
      * @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -90,7 +90,7 @@ public class CentralSearch {
 
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
 
-        LOGGER.debug("Searching Central url {}", url.toString());
+        LOGGER.debug("Searching Central url {}", url);
 
         // Determine if we need to use a proxy. The rules:
         // 1) If the proxy is set, AND the setting is set to true, use the proxy

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java

@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.composer;
  */
 public class ComposerException extends RuntimeException {
 
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
     /**
      * Creates a ComposerException with default message.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -149,7 +149,6 @@ public final class CpeMemoryIndex {
      *
      * @return the CPE Analyzer.
      */
-    @SuppressWarnings("unchecked")
     private Analyzer createIndexingAnalyzer() {
         final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
         fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -161,7 +160,6 @@ public final class CpeMemoryIndex {
      *
      * @return the CPE Analyzer.
      */
-    @SuppressWarnings("unchecked")
     private Analyzer createSearchingAnalyzer() {
         final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
         fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -173,24 +171,6 @@ public final class CpeMemoryIndex {
         return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
     }
 
-    /**
-     * Saves a CPE IndexEntry into the Lucene index.
-     *
-     * @param vendor the vendor to index
-     * @param product the product to index
-     * @param indexWriter the index writer to write the entry into
-     * @throws CorruptIndexException is thrown if the index is corrupt
-     * @throws IOException is thrown if an IOException occurs
-     */
-    public void saveEntry(String vendor, String product, IndexWriter indexWriter) throws CorruptIndexException, IOException {
-        final Document doc = new Document();
-        final Field v = new TextField(Fields.VENDOR, vendor, Field.Store.YES);
-        final Field p = new TextField(Fields.PRODUCT, product, Field.Store.YES);
-        doc.add(v);
-        doc.add(p);
-        indexWriter.addDocument(doc);
-    }
-
     /**
      * Closes the CPE Index.
      */
@@ -230,9 +210,20 @@ public final class CpeMemoryIndex {
             final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
             indexWriter = new IndexWriter(index, conf);
             try {
+                // Tip: reuse the Document and Fields for performance...
+                // See "Re-use Document and Field instances" from
+                // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
+                final Document doc = new Document();
+                final Field v = new TextField(Fields.VENDOR, Fields.VENDOR, Field.Store.YES);
+                final Field p = new TextField(Fields.PRODUCT, Fields.PRODUCT, Field.Store.YES);
+                doc.add(v);
+                doc.add(p);
+
                 final Set<Pair<String, String>> data = cve.getVendorProductList();
                 for (Pair<String, String> pair : data) {
-                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
+                    v.setStringValue(pair.getLeft());
+                    p.setStringValue(pair.getRight());
+                    indexWriter.addDocument(doc);
                 }
             } catch (DatabaseException ex) {
                 LOGGER.debug("", ex);
@@ -287,8 +278,9 @@ public final class CpeMemoryIndex {
         if (searchString == null || searchString.trim().isEmpty()) {
             throw new ParseException("Query is null or empty");
         }
+        LOGGER.debug(searchString);
         final Query query = queryParser.parse(searchString);
-        return indexSearcher.search(query, maxQueryResults);
+        return search(query, maxQueryResults);
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -48,7 +48,7 @@ public class IndexEntry implements Serializable {
      */
     public String getDocumentId() {
         if (documentId == null && vendor != null && product != null) {
-            documentId = vendor + ":" + product;
+            documentId = vendor + ':' + product;
         }
         return documentId;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -77,6 +77,7 @@ public final class LuceneUtils {
                 case '*':
                 case '?':
                 case ':':
+                case '/':
                 case '\\': //it is supposed to fall through here
                     buf.append('\\');
                 default:

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -94,13 +94,13 @@ public class MavenArtifact {
         }
         if (jarAvailable) {
             //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.artifactUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.artifactUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".jar";
+                    + version + '/' + artifactId + '-' + version + ".jar";
         }
         if (pomAvailable) {
             //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.pomUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.pomUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".pom";
+                    + version + '/' + artifactId + '-' + version + ".pom";
         }
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -63,7 +63,7 @@ public class NexusSearch {
         this.rootURL = rootURL;
         try {
             if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
-                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY)) {
                 useProxy = true;
                 LOGGER.debug("Using proxy");
             } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -17,11 +17,9 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.Driver;
@@ -29,7 +27,10 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import org.apache.commons.io.IOUtils;
 import org.owasp.dependencycheck.utils.DBUtils;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,6 +59,10 @@ public final class ConnectionFactory {
      * Resource location for SQL file used to create the database schema.
      */
     public static final String DB_STRUCTURE_UPDATE_RESOURCE = "data/upgrade_%s.sql";
+    /**
+     * The URL that discusses upgrading non-H2 databases.
+     */
+    public static final String UPGRADE_HELP_URL = "http://jeremylong.github.io/DependencyCheck/data/upgrade.html";
     /**
      * The database driver used to connect to the database.
      */
@@ -243,22 +248,15 @@ public final class ConnectionFactory {
      */
     private static void createTables(Connection conn) throws DatabaseException {
         LOGGER.debug("Creating database structure");
-        InputStream is;
+        InputStream is = null;
-        InputStreamReader reader;
-        BufferedReader in = null;
         try {
             is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
-            reader = new InputStreamReader(is, "UTF-8");
+            final String dbStructure = IOUtils.toString(is, "UTF-8");
-            in = new BufferedReader(reader);
+
-            final StringBuilder sb = new StringBuilder(2110);
-            String tmp;
-            while ((tmp = in.readLine()) != null) {
-                sb.append(tmp);
-            }
             Statement statement = null;
             try {
                 statement = conn.createStatement();
-                statement.execute(sb.toString());
+                statement.execute(dbStructure);
             } catch (SQLException ex) {
                 LOGGER.debug("", ex);
                 throw new DatabaseException("Unable to create database statement", ex);
@@ -268,13 +266,7 @@ public final class ConnectionFactory {
         } catch (IOException ex) {
             throw new DatabaseException("Unable to create database schema", ex);
         } finally {
-            if (in != null) {
+            IOUtils.closeQuietly(is);
-                try {
-                    in.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
-                }
-            }
         }
     }
 
@@ -288,48 +280,54 @@ public final class ConnectionFactory {
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
     private static void updateSchema(Connection conn, String schema) throws DatabaseException {
-        LOGGER.debug("Updating database structure");
+        final String databaseProductName;
-        InputStream is;
-        InputStreamReader reader;
-        BufferedReader in = null;
-        String updateFile = null;
         try {
-            updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+            databaseProductName = conn.getMetaData().getDatabaseProductName();
-            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
+        } catch (SQLException ex) {
-            if (is == null) {
+            throw new DatabaseException("Unable to get the database product name");
-                throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
+        }
-            }
+        if ("h2".equalsIgnoreCase(databaseProductName)) {
-            reader = new InputStreamReader(is, "UTF-8");
+            LOGGER.debug("Updating database structure");
-            in = new BufferedReader(reader);
+            InputStream is = null;
-            final StringBuilder sb = new StringBuilder(2110);
+            String updateFile = null;
-            String tmp;
-            while ((tmp = in.readLine()) != null) {
-                sb.append(tmp);
-            }
-            Statement statement = null;
             try {
-                statement = conn.createStatement();
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
-                statement.execute(sb.toString());
+                is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
-            } catch (SQLException ex) {
+                if (is == null) {
-                LOGGER.debug("", ex);
+                    throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
-                throw new DatabaseException("Unable to update database schema", ex);
-            } finally {
-                DBUtils.closeStatement(statement);
-            }
-        } catch (IOException ex) {
-            final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
-            throw new DatabaseException(msg, ex);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
                 }
+                final String dbStructureUpdate = IOUtils.toString(is, "UTF-8");
+
+                Statement statement = null;
+                try {
+                    statement = conn.createStatement();
+                    final boolean success = statement.execute(dbStructureUpdate);
+                    if (!success && statement.getUpdateCount() <= 0) {
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                    }
+                } catch (SQLException ex) {
+                    LOGGER.debug("", ex);
+                    throw new DatabaseException("Unable to update database schema", ex);
+                } finally {
+                    DBUtils.closeStatement(statement);
+                }
+            } catch (IOException ex) {
+                final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
+                throw new DatabaseException(msg, ex);
+            } finally {
+                IOUtils.closeQuietly(is);
             }
+        } else {
+            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
+            throw new DatabaseException("Database schema is out of date");
         }
     }
 
+    /**
+     * Counter to ensure that calls to ensureSchemaVersion does not end up in an endless loop.
+     */
+    private static int callDepth = 0;
+
     /**
      * Uses the provided connection to check the specified schema version within the database.
      *
@@ -344,10 +342,15 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                if (!DB_SCHEMA_VERSION.equals(rs.getString(1))) {
+                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
+                if (current.compareTo(db) > 0) {
                     LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
                     LOGGER.debug("DB Schema: " + rs.getString(1));
                     updateSchema(conn, rs.getString(1));
+                    if (++callDepth < 10) {
+                        ensureSchemaVersion(conn);
+                    }
                 }
             } else {
                 throw new DatabaseException("Database schema is missing");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -18,12 +18,11 @@
 package org.owasp.dependencycheck.data.nvdcve;
 
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure of the db.
- * of the db.
  *
  * @author Jeremy Long
  */
-class CorruptDatabaseException extends DatabaseException {
+public class CorruptDatabaseException extends DatabaseException {
 
     /**
      * the serial version uid.
@@ -31,7 +30,7 @@ class CorruptDatabaseException extends DatabaseException {
     private static final long serialVersionUID = 1L;
 
     /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
      *
      * @param msg the exception message
      */
@@ -40,7 +39,7 @@ class CorruptDatabaseException extends DatabaseException {
     }
 
     /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
      *
      * @param msg the exception message
      * @param ex the cause of the exception

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -29,8 +29,10 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.MissingResourceException;
 import java.util.Properties;
 import java.util.ResourceBundle;
 import java.util.Set;
@@ -74,9 +76,17 @@ public class CveDB {
      */
     public CveDB() throws DatabaseException {
         super();
-        statementBundle = ResourceBundle.getBundle("data/dbStatements");
         try {
             open();
+            try {
+                final String databaseProductName = conn.getMetaData().getDatabaseProductName();
+                LOGGER.debug("Database dialect: {}", databaseProductName);
+                final Locale dbDialect = new Locale(databaseProductName);
+                statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
+            } catch (SQLException se) {
+                LOGGER.warn("Problem loading database specific dialect!", se);
+                statementBundle = ResourceBundle.getBundle("data/dbStatements");
+            }
             databaseProperties = new DatabaseProperties(this);
         } catch (DatabaseException ex) {
             throw ex;
@@ -252,44 +262,6 @@ public class CveDB {
         return prop;
     }
 
-    /**
-     * Saves a set of properties to the database.
-     *
-     * @param props a collection of properties
-     */
-    void saveProperties(Properties props) {
-        PreparedStatement updateProperty = null;
-        PreparedStatement insertProperty = null;
-        try {
-            try {
-                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
-                insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
-            } catch (SQLException ex) {
-                LOGGER.warn("Unable to save properties to the database");
-                LOGGER.debug("Unable to save properties to the database", ex);
-                return;
-            }
-            for (Entry<Object, Object> entry : props.entrySet()) {
-                final String key = entry.getKey().toString();
-                final String value = entry.getValue().toString();
-                try {
-                    updateProperty.setString(1, value);
-                    updateProperty.setString(2, key);
-                    if (updateProperty.executeUpdate() == 0) {
-                        insertProperty.setString(1, key);
-                        insertProperty.setString(2, value);
-                    }
-                } catch (SQLException ex) {
-                    LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-                    LOGGER.debug("", ex);
-                }
-            }
-        } finally {
-            DBUtils.closeStatement(updateProperty);
-            DBUtils.closeStatement(insertProperty);
-        }
-    }
-
     /**
      * Saves a property to the database.
      *
@@ -297,38 +269,38 @@ public class CveDB {
      * @param value the property value
      */
     void saveProperty(String key, String value) {
-        PreparedStatement updateProperty = null;
-        PreparedStatement insertProperty = null;
         try {
             try {
-                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
+                final PreparedStatement mergeProperty = getConnection().prepareStatement(statementBundle.getString("MERGE_PROPERTY"));
-            } catch (SQLException ex) {
+                try {
-                LOGGER.warn("Unable to save properties to the database");
+                    mergeProperty.setString(1, key);
-                LOGGER.debug("Unable to save properties to the database", ex);
+                    mergeProperty.setString(2, value);
-                return;
+                    mergeProperty.executeUpdate();
-            }
+                } finally {
-            try {
+                    DBUtils.closeStatement(mergeProperty);
-                updateProperty.setString(1, value);
+                }
-                updateProperty.setString(2, key);
+            } catch (MissingResourceException mre) {
-                if (updateProperty.executeUpdate() == 0) {
+                // No Merge statement, so doing an Update/Insert...
-                    try {
+                PreparedStatement updateProperty = null;
-                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
+                PreparedStatement insertProperty = null;
-                    } catch (SQLException ex) {
+                try {
-                        LOGGER.warn("Unable to save properties to the database");
+                    updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
-                        LOGGER.debug("Unable to save properties to the database", ex);
+                    updateProperty.setString(1, value);
-                        return;
+                    updateProperty.setString(2, key);
-                    }
+                    if (updateProperty.executeUpdate() == 0) {
-                    insertProperty.setString(1, key);
+                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
-                    insertProperty.setString(2, value);
+                        insertProperty.setString(1, key);
-                    insertProperty.execute();
+                        insertProperty.setString(2, value);
+                        insertProperty.executeUpdate();
+                    }
+                } finally {
+                    DBUtils.closeStatement(updateProperty);
+                    DBUtils.closeStatement(insertProperty);
                 }
-            } catch (SQLException ex) {
-                LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-                LOGGER.debug("", ex);
             }
-        } finally {
+        } catch (SQLException ex) {
-            DBUtils.closeStatement(updateProperty);
+            LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-            DBUtils.closeStatement(insertProperty);
+            LOGGER.debug("", ex);
         }
     }
 
@@ -420,7 +392,7 @@ public class CveDB {
                 if (cwe != null) {
                     final String name = CweDB.getCweName(cwe);
                     if (name != null) {
-                        cwe += " " + name;
+                        cwe += ' ' + name;
                     }
                 }
                 final int cveId = rsV.getInt(1);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -45,6 +45,10 @@ public class DatabaseProperties {
      * updates)..
      */
     public static final String MODIFIED = "Modified";
+    /**
+     * The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
+     */
+    public static final String LAST_CHECKED = "NVD CVE Checked";
     /**
      * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -63,15 +63,13 @@ public final class DriverLoader {
     }
 
     /**
-     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
+     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver with the
-     * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
+     * driver manager. The pathToDriver argument is added to the class loader so that an external driver can be loaded. Note, the
-     * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
+     * pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added as needed. If a path in the
-     * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
+     * pathToDriver argument is a directory all files in the directory are added to the class path.
-     * class path.
      *
      * @param className the fully qualified name of the desired class
-     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
+     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths
-     * of paths
      * @return the loaded Driver
      * @throws DriverLoadException thrown if the driver cannot be loaded
      */
@@ -83,14 +81,15 @@ public final class DriverLoader {
             final File file = new File(path);
             if (file.isDirectory()) {
                 final File[] files = file.listFiles();
-
+                if (files != null) {
-                for (File f : files) {
+                    for (File f : files) {
-                    try {
+                        try {
-                        urls.add(f.toURI().toURL());
+                            urls.add(f.toURI().toURL());
-                    } catch (MalformedURLException ex) {
+                        } catch (MalformedURLException ex) {
-                        LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
+                            LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                            className, f.getAbsoluteFile(), ex);
+                                    className, f.getAbsoluteFile(), ex);
-                        throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+                            throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+                        }
                     }
                 }
             } else if (file.exists()) {
@@ -98,7 +97,7 @@ public final class DriverLoader {
                     urls.add(file.toURI().toURL());
                 } catch (MalformedURLException ex) {
                     LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                        className, file.getAbsoluteFile(), ex);
+                            className, file.getAbsoluteFile(), ex);
                     throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -137,7 +137,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
      */
     private boolean updateNeeded() {
         final long now = System.currentTimeMillis();
-        final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
+        final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
         long timestamp = 0;
         final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
         if (ts != null && ts.matches("^[0-9]+$")) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -66,9 +66,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            final UpdateableNvdCve updateable = getUpdatesNeeded();
+            if (checkUpdate()) {
-            if (updateable.isUpdateNeeded()) {
+                final UpdateableNvdCve updateable = getUpdatesNeeded();
-                performUpdate(updateable);
+                if (updateable.isUpdateNeeded()) {
+                    performUpdate(updateable);
+                }
             }
         } catch (MalformedURLException ex) {
             LOGGER.warn(
@@ -87,6 +89,35 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         }
     }
 
+    /**
+     * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
+     * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
+     * stores the timestamp of the last check.
+     *
+     * @return true to proceed with the check, or false to skip.
+     * @throws UpdateException thrown when there is an issue checking for updates.
+     */
+    private boolean checkUpdate() throws UpdateException {
+        boolean proceed = true;
+        // If the valid setting has not been specified, then we proceed to check...
+        final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
+        if (0 < validForHours) {
+            // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
+            final long msValid = validForHours * 60L * 60L * 1000L;
+            final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
+            final long now = System.currentTimeMillis();
+            proceed = (now - lastChecked) > msValid;
+            if (proceed) {
+                getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
+            } else {
+                LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
+                LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
+                        lastChecked, now, msValid);
+            }
+        }
+        return proceed;
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -68,8 +68,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         final File file2;
 
         try {
-            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
-            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
         } catch (IOException ex) {
             throw new UpdateException("Unable to create temporary files", ex);
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -114,10 +114,10 @@ public class NvdCve12Handler extends DefaultHandler {
                  in the nvd cve 2.0. */
                 String cpe = "cpe:/a:" + vendor + ":" + product;
                 if (num != null) {
-                    cpe += ":" + num;
+                    cpe += ':' + num;
                 }
                 if (edition != null) {
-                    cpe += ":" + edition;
+                    cpe += ':' + edition;
                 }
                 final VulnerableSoftware vs = new VulnerableSoftware();
                 vs.setCpe(cpe);

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -341,7 +341,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
                 }
             }
             if (!found) {
-                LOGGER.debug("Adding new maven identifier {}", mavenArtifact.toString());
+                LOGGER.debug("Adding new maven identifier {}", mavenArtifact);
                 this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
             }
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -20,6 +20,7 @@ package org.owasp.dependencycheck.suppression;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
+import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -381,30 +382,7 @@ public class SuppressionRule {
      * @return true if the property type does not specify a version; otherwise false
      */
     boolean cpeHasNoVersion(PropertyType c) {
-        if (c.isRegex()) {
+        return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
-            return false;
-        }
-        if (countCharacter(c.getValue(), ':') == 3) {
-            return true;
-        }
-        return false;
-    }
-
-    /**
-     * Counts the number of occurrences of the character found within the string.
-     *
-     * @param str the string to check
-     * @param c the character to count
-     * @return the number of times the character is found in the string
-     */
-    int countCharacter(String str, char c) {
-        int count = 0;
-        int pos = str.indexOf(c) + 1;
-        while (pos > 0) {
-            count += 1;
-            pos = str.indexOf(c, pos) + 1;
-        }
-        return count;
     }
 
     /**
@@ -442,43 +420,43 @@ public class SuppressionRule {
         final StringBuilder sb = new StringBuilder();
         sb.append("SuppressionRule{");
         if (filePath != null) {
-            sb.append("filePath=").append(filePath).append(",");
+            sb.append("filePath=").append(filePath).append(',');
         }
         if (sha1 != null) {
-            sb.append("sha1=").append(sha1).append(",");
+            sb.append("sha1=").append(sha1).append(',');
         }
         if (gav != null) {
-            sb.append("gav=").append(gav).append(",");
+            sb.append("gav=").append(gav).append(',');
         }
         if (cpe != null && !cpe.isEmpty()) {
             sb.append("cpe={");
             for (PropertyType pt : cpe) {
-                sb.append(pt).append(",");
+                sb.append(pt).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cwe != null && !cwe.isEmpty()) {
             sb.append("cwe={");
             for (String s : cwe) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cve != null && !cve.isEmpty()) {
             sb.append("cve={");
             for (String s : cve) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cvssBelow != null && !cvssBelow.isEmpty()) {
             sb.append("cvssBelow={");
             for (Float s : cvssBelow) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
-        sb.append("}");
+        sb.append('}');
         return sb.toString();
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java

@@ -36,11 +36,12 @@ public final class DateUtil {
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
+     * @param dayRange the range in days to be considered valid.
      * @return whether or not the date is within the range.
      */
-    public static boolean withinDateRange(long date, long compareTo, int range) {
+    public static boolean withinDateRange(long date, long compareTo, int dayRange) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+        // ms = dayRange x 24 hours/day x 60 min/hour x 60 sec/min x 1000 ms/sec
-        return differenceInDays < range;
+        final long msRange = dayRange * 24L * 60L * 60L * 1000L;
+        return (compareTo - date) < msRange;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -115,7 +115,7 @@ public class DependencyVersion implements Iterable<String>, Comparable<Dependenc
      */
     @Override
     public String toString() {
-        return StringUtils.join(versionParts.toArray(), ".");
+        return StringUtils.join(versionParts, '.');
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java

@@ -182,13 +182,11 @@ public final class ExtractionUtil {
             while ((entry = input.getNextEntry()) != null) {
                 if (entry.isDirectory()) {
                     final File dir = new File(destination, entry.getName());
-                    if (!dir.exists()) {
+                    if (!dir.exists() && !dir.mkdirs()) {
-                        if (!dir.mkdirs()) {
+                        final String msg = String.format(
-                            final String msg = String.format(
+                                "Unable to create directory '%s'.",
-                                    "Unable to create directory '%s'.",
+                                dir.getAbsolutePath());
-                                    dir.getAbsolutePath());
+                        throw new AnalysisException(msg);
-                            throw new AnalysisException(msg);
-                        }
                     }
                 } else {
                     extractFile(input, destination, filter, entry);
@@ -264,13 +262,11 @@ public final class ExtractionUtil {
     private static void createParentFile(final File file)
             throws ExtractionException {
         final File parent = file.getParentFile();
-        if (!parent.isDirectory()) {
+        if (!parent.isDirectory() && !parent.mkdirs()) {
-            if (!parent.mkdirs()) {
+            final String msg = String.format(
-                final String msg = String.format(
+                    "Unable to build directory '%s'.",
-                        "Unable to build directory '%s'.",
+                    parent.getAbsolutePath());
-                        parent.getAbsolutePath());
+            throw new ExtractionException(msg);
-                throw new ExtractionException(msg);
-            }
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java

@@ -1,47 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.utils;
-
-import java.io.FilterInputStream;
-import java.io.InputStream;
-
-/**
- * NonClosingStream is a stream filter which prevents another class that processes the stream from closing it. This is
- * necessary when dealing with things like JAXB and zipInputStreams.
- *
- * @author Jeremy Long
- */
-public class NonClosingStream extends FilterInputStream {
-
-    /**
-     * Constructs a new NonClosingStream.
-     *
-     * @param in an input stream.
-     */
-    public NonClosingStream(InputStream in) {
-        super(in);
-    }
-
-    /**
-     * Prevents closing of the stream.
-     */
-    @Override
-    public void close() {
-        // don't close the stream.
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java

@@ -21,6 +21,9 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 
+import org.apache.commons.lang3.text.StrLookup;
+import org.apache.commons.lang3.text.StrSubstitutor;
+
 /**
  * A simple pojo to hold data related to a Maven POM file.
  *
@@ -307,33 +310,41 @@ public class Model {
      * @return the interpolated text.
      */
     public static String interpolateString(String text, Properties properties) {
-        final Properties props = properties;
+        if (null == text || null == properties) {
-        if (text == null) {
             return text;
         }
-        if (props == null) {
+        final StrSubstitutor substitutor = new StrSubstitutor(new PropertyLookup(properties));
-            return text;
+        return substitutor.replace(text);
-        }
-
-        final int pos = text.indexOf("${");
-        if (pos < 0) {
-            return text;
-        }
-        final int end = text.indexOf("}");
-        if (end < pos) {
-            return text;
-        }
-
-        final String propName = text.substring(pos + 2, end);
-        String propValue = interpolateString(props.getProperty(propName), props);
-        if (propValue == null) {
-            propValue = "";
-        }
-        final StringBuilder sb = new StringBuilder(propValue.length() + text.length());
-        sb.append(text.subSequence(0, pos));
-        sb.append(propValue);
-        sb.append(text.substring(end + 1));
-        return interpolateString(sb.toString(), props); //yes yes, this should be a loop...
     }
 
+    /**
+     * Utility class that can provide values from a Properties object to a StrSubstitutor.
+     */
+    private static class PropertyLookup extends StrLookup {
+
+        /**
+         * Reference to the properties to lookup.
+         */
+        private final Properties props;
+
+        /**
+         * Constructs a new property lookup.
+         *
+         * @param props the properties to wrap.
+         */
+        PropertyLookup(Properties props) {
+            this.props = props;
+        }
+
+        /**
+         * Looks up the given property.
+         *
+         * @param key the key to the property
+         * @return the value of the property specified by the key
+         */
+        @Override
+        public String lookup(String key) {
+            return props.getProperty(key);
+        }
+    }
 }

dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -19,4 +19,5 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer

dependency-check-core/src/main/resources/data/dbStatements_h2.properties

@@ -1,19 +1,15 @@
-#
+# Copyright 2015 OWASP.
-# This file is part of dependency-check-gradle.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Copyright (c) 2015 Wei Ma. All Rights Reserved.
-#
 
-implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
+MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_mysql.properties

@@ -0,0 +1,15 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_postgreSQL.properties

@@ -0,0 +1,16 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL);

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -37,4 +37,20 @@ CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
 INSERT INTO properties(id,value) VALUES ('version','2.9');
 
 CREATE USER 'dcuser' IDENTIFIED BY 'DC-Pass1337!';
-GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/initialize_postgres.sql

@@ -0,0 +1,53 @@
+CREATE USER dcuser WITH PASSWORD 'DC-Pass1337!';
+
+DROP TABLE IF EXISTS software;
+DROP TABLE IF EXISTS cpeEntry;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS vulnerability;
+DROP TABLE IF EXISTS properties;
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+	description VARCHAR(8000), cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+	cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+	cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+	CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+INSERT INTO properties(id,value) VALUES ('version','2.9');
+
+GRANT SELECT, INSERT, DELETE, UPDATE ON ALL TABLES IN SCHEMA public TO dcuser;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public to dcuser;
+
+DROP FUNCTION IF EXISTS save_property(varchar(50),varchar(500));
+
+CREATE FUNCTION save_property (IN prop varchar(50), IN val varchar(500))
+RETURNS void
+AS
+$$
+UPDATE properties SET "value"=val WHERE id=prop;
+
+INSERT INTO properties (id, value)
+	SELECT prop, val
+	WHERE NOT EXISTS (SELECT 1 FROM properties WHERE id=prop);
+$$ LANGUAGE sql;
+
+
+GRANT EXECUTE ON FUNCTION public.save_property(varchar(50),varchar(500)) TO dcuser;
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_2.9.sql

@@ -1,7 +1 @@
-
+UPDATE Properties SET value='3.0' WHERE ID='version';
---the following is not currently used.
---ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
---ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
---UPDATE cpeEntry SET dictionaryEntry=false;
-
---UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_3.0.sql

@@ -0,0 +1,7 @@
+
+--the following is not currently used.
+--ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
+--ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
+--UPDATE cpeEntry SET dictionaryEntry=false;
+
+--UPDATE Properties SET value='3.1' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -0,0 +1,15 @@
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,4 +161,32 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
+        ]]></notes>
+        <gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
+        <cpe>cpe:/a:apache:camel</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Mina gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.mina:mina.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Woden gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.woden:woden.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        spec gets flagged as the implementation.
+        ]]></notes>
+        <gav regex="true">org.apache.geronimo.specs:.*</gav>
+        <cpe>cpe:/a:apache:geronimo</cpe>
+    </suppress>
 </suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,7 +18,12 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
-data.version=2.9
+
+### if you increment the DB version then you must increment the database file path
+### in the mojo.properties, task.properties (maven and ant respectively), and
+### the gradle PurgeDataExtension.
+data.version=3.0
+
 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
@@ -41,13 +46,15 @@ data.driver_path=
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
-
+# the number of hours to wait before checking if updates are available from the NVD.
+cve.check.validforhours=4
+#first year to pull data from the URLs below
+cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cve.startyear=2002
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
@@ -79,3 +86,22 @@ archive.scan.depth=3
 
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+
+
+analyzer.jar.enabled=true
+analyzer.archive.enabled=true
+analyzer.node.package.enabled=true
+analyzer.composer.lock.enabled=true
+analyzer.python.distribution.enabled=true
+analyzer.python.package.enabled=true
+analyzer.ruby.gemspec.enabled=true
+analyzer.autoconf.enabled=true
+analyzer.cmake.enabled=true
+analyzer.assembly.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.openssl.enabled=true
+analyzer.central.enabled=true
+analyzer.nexus.enabled=false
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=true
+

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -578,6 +578,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                         <td data-sort-value="$sortValue">
                         #set($sortValue="")
                         #foreach($id in $dependency.getIdentifiers())
+                            #set($cpeSort=0)
                             #if ($id.type=="maven")
                                 #if ($mavenlink=="" || !$mavenlink.url)
                                     #set($mavenlink=$id)
@@ -591,7 +592,6 @@ arising out of or in connection with the use of this tool, the analysis performe
                                 #else
                                     $enc.html($id.value)
                                 #end
-                                #set($cpeSort=0)
                                 #if ($cpeIdConf == "")
                                     #set($cpeIdConf=$id.confidence)
                                     #set($cpeSort=$id.confidence.ordinal())

dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java

@@ -15,7 +15,7 @@
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.data.nvdcve;
+package org.owasp.dependencycheck;
 
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
@@ -31,6 +31,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
+ * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the data
+ * contained within.
  *
  * @author Jeremy Long
  */

dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java

@@ -34,7 +34,7 @@ public class EngineIntegrationTest extends BaseTest {
 
     @Before
     public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+        org.owasp.dependencycheck.BaseDBTestCase.ensureDBExists();
     }
 
     @After

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java

@@ -34,7 +34,7 @@ public class AbstractFileTypeAnalyzerTest extends BaseTest {
      */
     @Test
     public void testNewHashSet() {
-        Set result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
+        Set<String> result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
         assertEquals(2, result.size());
         assertTrue(result.contains("one"));
         assertTrue(result.contains("two"));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java

@@ -24,7 +24,7 @@ import static org.junit.Assert.*;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of getSupportedExtensions method, of class ArchiveAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2015 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNotNull;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ArchiveAnalyzerTest extends BaseTest {
+
+    @Before
+    public void setUp() {
+        Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, "z2, z3");
+    }
+
+    /**
+     * Test of analyzeFileType method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testZippableExtensions() throws Exception {
+        assumeFalse(isPreviouslyLoaded("org.owasp.dependencycheck.analyzer.ArchiveAnalyzer"));
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.zip")));
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.z2")));
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.z3")));
+        assertFalse(instance.getFileFilter().accept(new File("c:/test.z4")));
+    }
+
+    private boolean isPreviouslyLoaded(String className) {
+        try {
+            Method m = ClassLoader.class.getDeclaredMethod("findLoadedClass", new Class[]{String.class});
+            m.setAccessible(true);
+            Object t = m.invoke(Thread.currentThread().getContextClassLoader(), className);
+            return t != null;
+        } catch (NoSuchMethodException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (SecurityException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IllegalAccessException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IllegalArgumentException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (InvocationTargetException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        }
+        return false;
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -33,7 +33,7 @@ import java.util.regex.Pattern;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.*;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  * Unit tests for CmakeAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java

@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.HashSet;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
@@ -28,7 +28,7 @@ import org.junit.Assert;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
  *
  * @author Jeremy Long
  */
-public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Tests of buildSearch of class CPEAnalyzer.
@@ -49,11 +49,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
      */
     @Test
     public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
-        productWeightings.add("struts2");
 
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
-        vendorWeightings.add("apache");
 
         String vendor = "apache software foundation";
         String product = "struts 2 core";
@@ -238,11 +236,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
 
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
-        productWeightings.add("struts2");
 
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
-        vendorWeightings.add("apache");
 
         List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
         instance.close();

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -34,13 +34,14 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  * Unit tests for NodePackageAnalyzer.
  *
  * @author Dale Visser <dvisser@ida.org>
  */
-public class ComposerLockAnalyzerTest extends BaseTest {
+public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIntegrationTest.java

@@ -18,13 +18,13 @@
 package org.owasp.dependencycheck.analyzer;
 
 import org.junit.Test;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyBundlingAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class DependencyBundlingAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of analyze method, of class DependencyBundlingAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java

@@ -24,6 +24,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -33,12 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class HintAnalyzerTest extends BaseTest {
+public class HintAnalyzerTest extends BaseDBTestCase {
-
-    @Before
-    public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
-    }
 
     /**
      * Test of getName method, of class HintAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -0,0 +1,109 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.junit.After;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Unit tests for {@link RubyBundleAuditAnalyzer}.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyBundleAuditAnalyzerTest extends BaseTest {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);
+
+    /**
+     * The analyzer to test.
+     */
+    RubyBundleAuditAnalyzer analyzer;
+
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        try {
+            analyzer = new RubyBundleAuditAnalyzer();
+            analyzer.setFilesMatched(true);
+            analyzer.initialize();
+        } catch (Exception e) {
+            //LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
+            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
+        }
+    }
+
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
+
+    /**
+     * Test Ruby Gemspec name.
+     */
+    @Test
+    public void testGetName() {
+        assertThat(analyzer.getName(), is("Ruby Bundle Audit Analyzer"));
+    }
+
+    /**
+     * Test Ruby Bundler Audit file support.
+     */
+    @Test
+    public void testSupportsFiles() {
+        assertThat(analyzer.accept(new File("Gemfile.lock")), is(true));
+    }
+
+    /**
+     * Test Ruby BundlerAudit analysis.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalysis() throws AnalysisException, DatabaseException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                "ruby/vulnerable/Gemfile.lock"));
+        final Engine engine = new Engine();
+        analyzer.analyze(result, engine);
+        assertThat(engine.getDependencies().size(), is(not(0)));
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -66,7 +66,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of getName method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec name.
      */
     @Test
     public void testGetName() {
@@ -74,7 +74,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of supportsExtension method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec file support.
      */
     @Test
     public void testSupportsFiles() {
@@ -83,14 +83,14 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of inspect method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec analysis.
      *
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
     public void testAnalyzePackageJson() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/gems/specifications/rest-client-1.7.2.gemspec"));
+                "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
         analyzer.analyze(result, null);
         final String vendorString = result.getVendorEvidence().toString();
         assertThat(vendorString, containsString("REST Client Team"));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java

@@ -21,9 +21,9 @@ import java.io.File;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class VulnerabilitySuppressionAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class VulnerabilitySuppressionAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java

@@ -1,37 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.cpe;
-
-import org.junit.Before;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
-
-/**
- * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the
- * data contained within.
- *
- * @author Jeremy Long
- */
-public abstract class AbstractDatabaseTestCase extends BaseTest {
-
-    @Before
-    public void setUp() throws Exception {
-        BaseDBTestCase.ensureDBExists();
-    }
-
-}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2015 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.BaseDBTestCase;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ConnectionFactoryTest extends BaseDBTestCase {
+
+    /**
+     * Test of initialize method, of class ConnectionFactory.
+     *
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
+     */
+    @Test
+    public void testInitialize() throws DatabaseException, SQLException {
+        ConnectionFactory.initialize();
+        Connection result = ConnectionFactory.getConnection();
+        assertNotNull(result);
+        result.close();
+        ConnectionFactory.cleanup();
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java

@@ -25,7 +25,9 @@ import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -35,10 +37,12 @@ public class CveDBMySQLTest {
 
     @BeforeClass
     public static void setUpClass() {
+        Settings.initialize();
     }
 
     @AfterClass
     public static void tearDownClass() {
+        Settings.cleanup();
     }
 
     @Before
@@ -93,7 +97,7 @@ public class CveDBMySQLTest {
         CveDB instance = new CveDB();
         try {
             instance.open();
-            List result = instance.getVulnerabilities(cpeStr);
+            List<Vulnerability> result = instance.getVulnerabilities(cpeStr);
             assertTrue(result.size() > 5);
         } catch (Exception ex) {
             System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.Properties;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java

@@ -18,7 +18,7 @@
 package org.owasp.dependencycheck.data.update;
 
 import org.junit.Test;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;

dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -185,7 +185,6 @@ public class DependencyTest {
     @Test
     public void testGetIdentifiers() {
         Dependency instance = new Dependency();
-        List expResult = null;
         Set<Identifier> result = instance.getIdentifiers();
 
         assertTrue(true); //this is just a getter setter pair.

dependency-check-core/src/test/java/org/owasp/dependencycheck/reporting/ReportGeneratorIntegrationTest.java

@@ -40,7 +40,7 @@ public class ReportGeneratorIntegrationTest extends BaseTest {
 
     @Before
     public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+        org.owasp.dependencycheck.BaseDBTestCase.ensureDBExists();
     }
 
     /**

dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionParserTest.java

@@ -61,7 +61,7 @@ public class SuppressionParserTest {
         //File file = new File(this.getClass().getClassLoader().getResource("suppressions.xml").getPath());
         File file = BaseTest.getResourceAsFile(this, "suppressions.xml");
         SuppressionParser instance = new SuppressionParser();
-        List result = instance.parseSuppressionRules(file);
+        List<SuppressionRule> result = instance.parseSuppressionRules(file);
         assertTrue(result.size() > 3);
     }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/suppression/SuppressionRuleTest.java

@@ -306,27 +306,6 @@ public class SuppressionRuleTest {
         assertTrue(instance.cpeHasNoVersion(c));
     }
 
-    /**
-     * Test of countCharacter method, of class SuppressionRule.
-     */
-    @Test
-    public void testCountCharacter() {
-        String str = "cpe:/a:microsoft:.net_framework:4.5";
-        char c = ':';
-        SuppressionRule instance = new SuppressionRule();
-        int expResult = 4;
-        int result = instance.countCharacter(str, c);
-        assertEquals(expResult, result);
-        str = "::";
-        expResult = 2;
-        result = instance.countCharacter(str, c);
-        assertEquals(expResult, result);
-        str = "these are not the characters you are looking for";
-        expResult = 0;
-        result = instance.countCharacter(str, c);
-        assertEquals(expResult, result);
-    }
-
     /**
      * Test of identifierMatches method, of class SuppressionRule.
      */

dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java

@@ -61,11 +61,11 @@ public class DependencyVersionTest {
     @Test
     public void testIterator() {
         DependencyVersion instance = new DependencyVersion("1.2.3");
-        Iterator result = instance.iterator();
+        Iterator<String> result = instance.iterator();
         assertTrue(result.hasNext());
         int count = 1;
         while (result.hasNext()) {
-            String v = (String) result.next();
+            String v = result.next();
             assertTrue(String.valueOf(count++).equals(v));
         }
     }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -16,11 +16,9 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 # will not be used. The data.directory will be resolved and if the connection string
 # below contains a %s then the data.directory will replace the %s.
 data.directory=[JAR]/data
-# if the filename has a %s it will be replaced with the current expected version. For file
+#if the filename has a %s it will be replaced with the current expected version
-# based databases the below filename will be added to the data directory above and then
-# if the connection string has a %s it will be replaced by the directory/filename path.
 data.file_name=dc.h2.db
-data.version=2.9
+data.version=3.0
 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
@@ -39,19 +37,15 @@ data.password=DC-Pass1337!
 data.driver_name=org.h2.Driver
 data.driver_path=
 
-# the path to the cpe xml file
-#cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.xml.gz
-cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
-# the path to the cpe meta data file.
-cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.2.meta
-
 # the number of days that the modified nvd cve data holds data for. We don't need
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
-
+# the number of hours to wait before checking if updates are available from the NVD.
-# the path to the modified nvd cve xml file.
+cve.check.validforhours=0
+#first year to pull data from the URLs below
 cve.startyear=2014
+# the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
@@ -62,6 +56,14 @@ cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 
 cpe.validfordays=30
+cpe.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-dictionary_v2.3.xml.gz
+
+# file type analyzer settings:
+analyzer.archive.enabled=true
+analyzer.jar.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.assembly.enabled=true
+analyzer.composer.lock.enabled=true
 
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
@@ -74,5 +76,27 @@ analyzer.nexus.proxy=true
 analyzer.central.enabled=true
 analyzer.central.url=http://search.maven.org/solrsearch/select
 
+# the number of nested archives that will be searched.
+archive.scan.depth=3
+
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+
+
+analyzer.jar.enabled=true
+analyzer.archive.enabled=true
+analyzer.node.package.enabled=true
+analyzer.composer.lock.enabled=true
+analyzer.python.distribution.enabled=true
+analyzer.python.package.enabled=true
+analyzer.ruby.gemspec.enabled=true
+analyzer.autoconf.enabled=true
+analyzer.cmake.enabled=true
+analyzer.assembly.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.openssl.enabled=true
+analyzer.central.enabled=true
+analyzer.nexus.enabled=false
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=true
+

dependency-check-core/src/test/resources/ruby/gems/specifications/mime-types-2.6.1.gemspec

@@ -1,72 +0,0 @@
-# -*- encoding: utf-8 -*-
-# stub: mime-types 2.6.1 ruby lib
-
-Gem::Specification.new do |s|
-  s.name = "mime-types"
-  s.version = "2.6.1"
-
-  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
-  s.require_paths = ["lib"]
-  s.authors = ["Austin Ziegler"]
-  s.date = "2015-05-25"
-  s.description = "The mime-types library provides a library and registry for information about\nMIME content type definitions. It can be used to determine defined filename\nextensions for MIME types, or to use filename extensions to look up the likely\nMIME type definitions.\n\nMIME content types are used in MIME-compliant communications, as in e-mail or\nHTTP traffic, to indicate the type of content which is transmitted. The\nmime-types library provides the ability for detailed information about MIME\nentities (provided as an enumerable collection of MIME::Type objects) to be\ndetermined and used. There are many types defined by RFCs and vendors, so the\nlist is long but by definition incomplete; don't hesitate to add additional\ntype definitions. MIME type definitions found in mime-types are from RFCs, W3C\nrecommendations, the {IANA Media Types\nregistry}[https://www.iana.org/assignments/media-types/media-types.xhtml], and\nuser contributions. It conforms to RFCs 2045 and 2231.\n\nThis is release 2.6 with two new experimental features. The first new feature\nis a new default registry storage format that greatly reduces the initial\nmemory use of the mime-types library. This feature is enabled by requiring\n+mime/types/columnar+ instead of +mime/types+ with a small performance cost and\nno change in *total* memory use if certain methods are called (see {Columnar\nStore}[#columnar-store] for more details). The second new feature is a logger\ninterface that conforms to the expectations of an ActiveSupport::Logger so that\nwarnings can be written to an application's log rather than the default\nlocation for +warn+. This interface may be used for other logging purposes in\nthe future.\n\nmime-types 2.6 is the last planned version of mime-types 2.x, so deprecation\nwarnings are no longer cached but provided every time the method is called.\nmime-types 2.6 supports Ruby 1.9.2 or later."
-  s.email = ["halostatue@gmail.com"]
-  s.extra_rdoc_files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"]
-  s.files = ["Contributing.rdoc", "History-Types.rdoc", "History.rdoc", "Licence.rdoc", "Manifest.txt", "README.rdoc", "docs/COPYING.txt", "docs/artistic.txt"]
-  s.homepage = "https://github.com/mime-types/ruby-mime-types/"
-  s.licenses = ["MIT", "Artistic 2.0", "GPL-2"]
-  s.rdoc_options = ["--main", "README.rdoc"]
-  s.required_ruby_version = Gem::Requirement.new(">= 1.9.2")
-  s.rubygems_version = "2.2.2"
-  s.summary = "The mime-types library provides a library and registry for information about MIME content type definitions"
-
-  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
-
-  if s.respond_to? :specification_version then
-    s.specification_version = 4
-
-    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
-      s.add_development_dependency(%q<minitest>, ["~> 5.6"])
-      s.add_development_dependency(%q<rdoc>, ["~> 4.0"])
-      s.add_development_dependency(%q<hoe-doofus>, ["~> 1.0"])
-      s.add_development_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
-      s.add_development_dependency(%q<hoe-git>, ["~> 1.6"])
-      s.add_development_dependency(%q<hoe-rubygems>, ["~> 1.0"])
-      s.add_development_dependency(%q<hoe-travis>, ["~> 1.2"])
-      s.add_development_dependency(%q<minitest-autotest>, ["~> 1.0"])
-      s.add_development_dependency(%q<minitest-focus>, ["~> 1.0"])
-      s.add_development_dependency(%q<rake>, ["~> 10.0"])
-      s.add_development_dependency(%q<simplecov>, ["~> 0.7"])
-      s.add_development_dependency(%q<coveralls>, ["~> 0.8"])
-      s.add_development_dependency(%q<hoe>, ["~> 3.13"])
-    else
-      s.add_dependency(%q<minitest>, ["~> 5.6"])
-      s.add_dependency(%q<rdoc>, ["~> 4.0"])
-      s.add_dependency(%q<hoe-doofus>, ["~> 1.0"])
-      s.add_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
-      s.add_dependency(%q<hoe-git>, ["~> 1.6"])
-      s.add_dependency(%q<hoe-rubygems>, ["~> 1.0"])
-      s.add_dependency(%q<hoe-travis>, ["~> 1.2"])
-      s.add_dependency(%q<minitest-autotest>, ["~> 1.0"])
-      s.add_dependency(%q<minitest-focus>, ["~> 1.0"])
-      s.add_dependency(%q<rake>, ["~> 10.0"])
-      s.add_dependency(%q<simplecov>, ["~> 0.7"])
-      s.add_dependency(%q<coveralls>, ["~> 0.8"])
-      s.add_dependency(%q<hoe>, ["~> 3.13"])
-    end
-  else
-    s.add_dependency(%q<minitest>, ["~> 5.6"])
-    s.add_dependency(%q<rdoc>, ["~> 4.0"])
-    s.add_dependency(%q<hoe-doofus>, ["~> 1.0"])
-    s.add_dependency(%q<hoe-gemspec2>, ["~> 1.1"])
-    s.add_dependency(%q<hoe-git>, ["~> 1.6"])
-    s.add_dependency(%q<hoe-rubygems>, ["~> 1.0"])
-    s.add_dependency(%q<hoe-travis>, ["~> 1.2"])
-    s.add_dependency(%q<minitest-autotest>, ["~> 1.0"])
-    s.add_dependency(%q<minitest-focus>, ["~> 1.0"])
-    s.add_dependency(%q<rake>, ["~> 10.0"])
-    s.add_dependency(%q<simplecov>, ["~> 0.7"])
-    s.add_dependency(%q<coveralls>, ["~> 0.8"])
-    s.add_dependency(%q<hoe>, ["~> 3.13"])
-  end
-end

dependency-check-core/src/test/resources/ruby/vulnerable/gems/specifications/activerecord-oracle_enhanced-adapter-1.1.7.gemspec

@@ -0,0 +1,24 @@
+# -*- encoding: utf-8 -*-
+# stub: activerecord-oracle_enhanced-adapter 1.1.7 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "activerecord-oracle_enhanced-adapter"
+  s.version = "1.1.7"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Raimonds Simanovskis"]
+  s.date = "2008-08-20"
+  s.description = "Oracle enhaced adapter for Active Record"
+  s.email = ["raymonds72@gmail.com"]
+  s.extra_rdoc_files = ["History.txt", "License.txt", "README.txt"]
+  s.files = ["History.txt", "License.txt", "README.txt"]
+  s.homepage = "http://oracle-enhanced.rubyforge.org"
+  s.post_install_message = ""
+  s.rdoc_options = ["--main", "README.txt"]
+  s.rubyforge_project = "oracle-enhanced"
+  s.rubygems_version = "2.2.2"
+  s.summary = "Oracle enhaced adapter for Active Record"
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+end

dependency-check-core/src/test/resources/ruby/vulnerable/gems/specifications/i18n-0.7.0.gemspec

@@ -0,0 +1,22 @@
+# -*- encoding: utf-8 -*-
+# stub: i18n 0.7.0 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "i18n"
+  s.version = "0.7.0"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 1.3.5") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Sven Fuchs", "Joshua Harvey", "Matt Aimonetti", "Stephan Soller", "Saimon Moore"]
+  s.date = "2014-12-19"
+  s.description = "New wave Internationalization support for Ruby."
+  s.email = "rails-i18n@googlegroups.com"
+  s.homepage = "http://github.com/svenfuchs/i18n"
+  s.licenses = ["MIT"]
+  s.required_ruby_version = Gem::Requirement.new(">= 1.9.3")
+  s.rubyforge_project = "[none]"
+  s.rubygems_version = "2.2.2"
+  s.summary = "New wave Internationalization support for Ruby"
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+end

dependency-check-core/src/test/resources/ruby/vulnerable/gems/specifications/mail-2.4.3.gemspec

@@ -0,0 +1,39 @@
+# -*- encoding: utf-8 -*-
+# stub: mail 2.4.3 ruby lib
+
+Gem::Specification.new do |s|
+  s.name = "mail"
+  s.version = "2.4.3"
+
+  s.required_rubygems_version = Gem::Requirement.new(">= 0") if s.respond_to? :required_rubygems_version=
+  s.require_paths = ["lib"]
+  s.authors = ["Mikel Lindsaar"]
+  s.date = "2012-03-05"
+  s.description = "A really Ruby Mail handler."
+  s.email = "raasdnil@gmail.com"
+  s.extra_rdoc_files = ["README.md", "CONTRIBUTING.md", "CHANGELOG.rdoc", "TODO.rdoc"]
+  s.files = ["CHANGELOG.rdoc", "CONTRIBUTING.md", "README.md", "TODO.rdoc"]
+  s.homepage = "http://github.com/mikel/mail"
+  s.rubygems_version = "2.2.2"
+  s.summary = "Mail provides a nice Ruby DSL for making, sending and reading emails."
+
+  s.installed_by_version = "2.2.2" if s.respond_to? :installed_by_version
+
+  if s.respond_to? :specification_version then
+    s.specification_version = 3
+
+    if Gem::Version.new(Gem::VERSION) >= Gem::Version.new('1.2.0') then
+      s.add_runtime_dependency(%q<mime-types>, ["~> 1.16"])
+      s.add_runtime_dependency(%q<treetop>, ["~> 1.4.8"])
+      s.add_runtime_dependency(%q<i18n>, [">= 0.4.0"])
+    else
+      s.add_dependency(%q<mime-types>, ["~> 1.16"])
+      s.add_dependency(%q<treetop>, ["~> 1.4.8"])
+      s.add_dependency(%q<i18n>, [">= 0.4.0"])
+    end
+  else
+    s.add_dependency(%q<mime-types>, ["~> 1.16"])
+    s.add_dependency(%q<treetop>, ["~> 1.4.8"])
+    s.add_dependency(%q<i18n>, [">= 0.4.0"])
+  end
+end