version 1.3.4

Upgrades

dependency-check-ant/README.md

@@ -1,25 +1,134 @@
-Dependency-Check Ant Task
+Dependency-Check-Gradle
 =========
 
-Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+**Working in progress**
-performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
-vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
-Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
 
-Mailing List
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
-------------
 
-Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+=========
 
-Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+## What's New
+Current latest version is `0.0.8`
 
-Copyright & License
+## Usage
--------------------
 
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+### Step 1, Apply dependency check gradle plugin
 
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
+Install from Maven central repo
 
-Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.
+```groovy
+buildscript {
+    repositories {
+        mavenCentral()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:1.3.2'
+    }
+}
+
+apply plugin: 'dependency-check-gradle'
+```
+
+### Step 2, Run gradle task
+
+Once gradle plugin applied, run following gradle task to check dependencies:
+
+```
+gradle dependencyCheck --info
+```
+
+The reports will be generated automatically under `./reports` folder.
+
+If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
+
+## FAQ
+
+> **Questions List:**
+> - What if I'm behind a proxy?
+> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
+> - How to customize the report directory?
+
+### What if I'm behind a proxy?
+
+Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
+
+```groovy
+dependencyCheck {
+    proxy {
+        server = "127.0.0.1"      // required, the server name or IP address of the proxy
+        port = 3128               // required, the port number of the proxy
+
+        // optional, the proxy server might require username
+        // username = "username"
+
+        // optional, the proxy server might require password
+        // password = "password"
+    }
+}
+```
+
+In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
+ the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
+ and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
+
+```groovy
+dependencyCheck {
+    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
+}
+```
+
+### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
+
+Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
+
+(1) For all projects including root project:
+
+```groovy
+buildscript {
+  repositories {
+    mavenCentral()
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
+  }
+}
+
+allprojects {
+    apply plugin: "dependency-check"
+}
+```
+
+(2) For all sub-projects:
+
+```groovy
+buildscript {
+  repositories {
+    mavenCentral()
+  }
+  dependencies {
+    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
+  }
+}
+
+subprojects {
+    apply plugin: "dependency-check"
+}
+```
+
+In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
+
+### How to customize the report directory?
+
+By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
+
+```groovy
+subprojects {
+    apply plugin: "dependency-check"
+
+    dependencyCheck {
+        outputDirectory = "./customized-path/security-report"
+    }
+}
+```

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java

@@ -63,7 +63,9 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
 
     @Override
     public void trace(String msg) {
-        task.log(msg, Project.MSG_VERBOSE);
+        if (task != null) {
+            task.log(msg, Project.MSG_VERBOSE);
+        }
     }
 
     @Override

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -245,14 +245,14 @@ public class Check extends Update {
      * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
      * is true.
      */
-    private boolean autoUpdate = true;
+    private Boolean autoUpdate;
 
     /**
      * Get the value of autoUpdate.
      *
      * @return the value of autoUpdate
      */
-    public boolean isAutoUpdate() {
+    public Boolean isAutoUpdate() {
         return autoUpdate;
     }
 
@@ -261,19 +261,24 @@ public class Check extends Update {
      *
      * @param autoUpdate new value of autoUpdate
      */
-    public void setAutoUpdate(boolean autoUpdate) {
+    public void setAutoUpdate(Boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
     /**
      * Whether only the update phase should be executed.
+     *
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     private boolean updateOnly = false;
 
     /**
      * Get the value of updateOnly.
      *
      * @return the value of updateOnly
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     public boolean isUpdateOnly() {
         return updateOnly;
     }
@@ -282,7 +287,9 @@ public class Check extends Update {
      * Set the value of updateOnly.
      *
      * @param updateOnly new value of updateOnly
+     * @deprecated Use the update task instead
      */
+    @Deprecated
     public void setUpdateOnly(boolean updateOnly) {
         this.updateOnly = updateOnly;
     }
@@ -357,14 +364,14 @@ public class Check extends Update {
     /**
      * Whether or not the Jar Analyzer is enabled.
      */
-    private boolean jarAnalyzerEnabled = true;
+    private Boolean jarAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isJarAnalyzerEnabled() {
+    public Boolean isJarAnalyzerEnabled() {
         return jarAnalyzerEnabled;
     }
 
@@ -373,33 +380,33 @@ public class Check extends Update {
      *
      * @param jarAnalyzerEnabled the value of the new setting
      */
-    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+    public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
     }
     /**
      * Whether or not the Archive Analyzer is enabled.
      */
-    private boolean archiveAnalyzerEnabled = true;
+    private Boolean archiveAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isArchiveAnalyzerEnabled() {
+    public Boolean isArchiveAnalyzerEnabled() {
         return archiveAnalyzerEnabled;
     }
     /**
      * Whether or not the .NET Assembly Analyzer is enabled.
      */
-    private boolean assemblyAnalyzerEnabled = true;
+    private Boolean assemblyAnalyzerEnabled;
 
     /**
      * Sets whether or not the analyzer is enabled.
      *
      * @param archiveAnalyzerEnabled the value of the new setting
      */
-    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+    public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
         this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
     }
 
@@ -408,7 +415,7 @@ public class Check extends Update {
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isAssemblyAnalyzerEnabled() {
+    public Boolean isAssemblyAnalyzerEnabled() {
         return assemblyAnalyzerEnabled;
     }
 
@@ -417,20 +424,20 @@ public class Check extends Update {
      *
      * @param assemblyAnalyzerEnabled the value of the new setting
      */
-    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+    public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
     }
     /**
      * Whether or not the .NET Nuspec Analyzer is enabled.
      */
-    private boolean nuspecAnalyzerEnabled = true;
+    private Boolean nuspecAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
      *
      * @return true if the analyzer is enabled
      */
-    public boolean isNuspecAnalyzerEnabled() {
+    public Boolean isNuspecAnalyzerEnabled() {
         return nuspecAnalyzerEnabled;
     }
 
@@ -439,20 +446,20 @@ public class Check extends Update {
      *
      * @param nuspecAnalyzerEnabled the value of the new setting
      */
-    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+    public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
     }
     /**
      * Whether or not the PHP Composer Analyzer is enabled.
      */
-    private boolean composerAnalyzerEnabled = true;
+    private Boolean composerAnalyzerEnabled;
 
     /**
      * Get the value of composerAnalyzerEnabled.
      *
      * @return the value of composerAnalyzerEnabled
      */
-    public boolean isComposerAnalyzerEnabled() {
+    public Boolean isComposerAnalyzerEnabled() {
         return composerAnalyzerEnabled;
     }
 
@@ -461,20 +468,20 @@ public class Check extends Update {
      *
      * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
      */
-    public void setComposerAnalyzerEnabled(boolean composerAnalyzerEnabled) {
+    public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
     }
     /**
      * Whether the autoconf analyzer should be enabled.
      */
-    private boolean autoconfAnalyzerEnabled = true;
+    private Boolean autoconfAnalyzerEnabled;
 
     /**
      * Get the value of autoconfAnalyzerEnabled.
      *
      * @return the value of autoconfAnalyzerEnabled
      */
-    public boolean isAutoconfAnalyzerEnabled() {
+    public Boolean isAutoconfAnalyzerEnabled() {
         return autoconfAnalyzerEnabled;
     }
 
@@ -483,20 +490,20 @@ public class Check extends Update {
      *
      * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
      */
-    public void setAutoconfAnalyzerEnabled(boolean autoconfAnalyzerEnabled) {
+    public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
     }
     /**
      * Whether the CMake analyzer should be enabled.
      */
-    private boolean cmakeAnalyzerEnabled = true;
+    private Boolean cmakeAnalyzerEnabled;
 
     /**
      * Get the value of cmakeAnalyzerEnabled.
      *
      * @return the value of cmakeAnalyzerEnabled
      */
-    public boolean isCMakeAnalyzerEnabled() {
+    public Boolean isCMakeAnalyzerEnabled() {
         return cmakeAnalyzerEnabled;
     }
 
@@ -505,20 +512,20 @@ public class Check extends Update {
      *
      * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
      */
-    public void setCMakeAnalyzerEnabled(boolean cmakeAnalyzerEnabled) {
+    public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
     }
     /**
      * Whether or not the openssl analyzer is enabled.
      */
-    private boolean opensslAnalyzerEnabled = true;
+    private Boolean opensslAnalyzerEnabled;
 
     /**
      * Get the value of opensslAnalyzerEnabled.
      *
      * @return the value of opensslAnalyzerEnabled
      */
-    public boolean isOpensslAnalyzerEnabled() {
+    public Boolean isOpensslAnalyzerEnabled() {
         return opensslAnalyzerEnabled;
     }
 
@@ -527,20 +534,20 @@ public class Check extends Update {
      *
      * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
      */
-    public void setOpensslAnalyzerEnabled(boolean opensslAnalyzerEnabled) {
+    public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
     }
     /**
      * Whether or not the Node.js Analyzer is enabled.
      */
-    private boolean nodeAnalyzerEnabled = true;
+    private Boolean nodeAnalyzerEnabled;
 
     /**
      * Get the value of nodeAnalyzerEnabled.
      *
      * @return the value of nodeAnalyzerEnabled
      */
-    public boolean isNodeAnalyzerEnabled() {
+    public Boolean isNodeAnalyzerEnabled() {
         return nodeAnalyzerEnabled;
     }
 
@@ -549,20 +556,20 @@ public class Check extends Update {
      *
      * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
      */
-    public void setNodeAnalyzerEnabled(boolean nodeAnalyzerEnabled) {
+    public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
     }
     /**
      * Whether the ruby gemspec analyzer should be enabled.
      */
-    private boolean rubygemsAnalyzerEnabled = true;
+    private Boolean rubygemsAnalyzerEnabled;
 
     /**
      * Get the value of rubygemsAnalyzerEnabled.
      *
      * @return the value of rubygemsAnalyzerEnabled
      */
-    public boolean isRubygemsAnalyzerEnabled() {
+    public Boolean isRubygemsAnalyzerEnabled() {
         return rubygemsAnalyzerEnabled;
     }
 
@@ -571,20 +578,20 @@ public class Check extends Update {
      *
      * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
      */
-    public void setRubygemsAnalyzerEnabled(boolean rubygemsAnalyzerEnabled) {
+    public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
     }
     /**
      * Whether the python package analyzer should be enabled.
      */
-    private boolean pyPackageAnalyzerEnabled = true;
+    private Boolean pyPackageAnalyzerEnabled;
 
     /**
      * Get the value of pyPackageAnalyzerEnabled.
      *
      * @return the value of pyPackageAnalyzerEnabled
      */
-    public boolean isPyPackageAnalyzerEnabled() {
+    public Boolean isPyPackageAnalyzerEnabled() {
         return pyPackageAnalyzerEnabled;
     }
 
@@ -593,21 +600,21 @@ public class Check extends Update {
      *
      * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
      */
-    public void setPyPackageAnalyzerEnabled(boolean pyPackageAnalyzerEnabled) {
+    public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
     }
 
     /**
      * Whether the python distribution analyzer should be enabled.
      */
-    private boolean pyDistributionAnalyzerEnabled = true;
+    private Boolean pyDistributionAnalyzerEnabled;
 
     /**
      * Get the value of pyDistributionAnalyzerEnabled.
      *
      * @return the value of pyDistributionAnalyzerEnabled
      */
-    public boolean isPyDistributionAnalyzerEnabled() {
+    public Boolean isPyDistributionAnalyzerEnabled() {
         return pyDistributionAnalyzerEnabled;
     }
 
@@ -616,21 +623,21 @@ public class Check extends Update {
      *
      * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
      */
-    public void setPyDistributionAnalyzerEnabled(boolean pyDistributionAnalyzerEnabled) {
+    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
     }
 
     /**
      * Whether or not the central analyzer is enabled.
      */
-    private boolean centralAnalyzerEnabled = false;
+    private Boolean centralAnalyzerEnabled;
 
     /**
      * Get the value of centralAnalyzerEnabled.
      *
      * @return the value of centralAnalyzerEnabled
      */
-    public boolean isCentralAnalyzerEnabled() {
+    public Boolean isCentralAnalyzerEnabled() {
         return centralAnalyzerEnabled;
     }
 
@@ -639,21 +646,21 @@ public class Check extends Update {
      *
      * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
      */
-    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+    public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
     /**
      * Whether or not the nexus analyzer is enabled.
      */
-    private boolean nexusAnalyzerEnabled = true;
+    private Boolean nexusAnalyzerEnabled;
 
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
      * @return the value of nexusAnalyzerEnabled
      */
-    public boolean isNexusAnalyzerEnabled() {
+    public Boolean isNexusAnalyzerEnabled() {
         return nexusAnalyzerEnabled;
     }
 
@@ -662,7 +669,7 @@ public class Check extends Update {
      *
      * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
      */
-    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+    public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
@@ -691,14 +698,14 @@ public class Check extends Update {
     /**
      * Whether or not the defined proxy should be used when connecting to Nexus.
      */
-    private boolean nexusUsesProxy = true;
+    private Boolean nexusUsesProxy;
 
     /**
      * Get the value of nexusUsesProxy.
      *
      * @return the value of nexusUsesProxy
      */
-    public boolean isNexusUsesProxy() {
+    public Boolean isNexusUsesProxy() {
         return nexusUsesProxy;
     }
 
@@ -707,7 +714,7 @@ public class Check extends Update {
      *
      * @param nexusUsesProxy new value of nexusUsesProxy
      */
-    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+    public void setNexusUsesProxy(Boolean nexusUsesProxy) {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
@@ -839,42 +846,32 @@ public class Check extends Update {
     /**
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
      * required to change the proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
         super.populateSettings();
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
-        }
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        }
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
-        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
     }
 
     /**

dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java

@@ -357,6 +357,29 @@ public class Update extends Purge {
         this.cveUrl20Base = cveUrl20Base;
     }
 
+    /**
+     * The number of hours to wait before re-checking for updates.
+     */
+    private Integer cveValidForHours;
+
+    /**
+     * Get the value of cveValidForHours.
+     *
+     * @return the value of cveValidForHours
+     */
+    public Integer getCveValidForHours() {
+        return cveValidForHours;
+    }
+
+    /**
+     * Set the value of cveValidForHours.
+     *
+     * @param cveValidForHours new value of cveValidForHours
+     */
+    public void setCveValidForHours(Integer cveValidForHours) {
+        this.cveValidForHours = cveValidForHours;
+    }
+
     /**
      * Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
      * local database.
@@ -383,51 +406,32 @@ public class Update extends Purge {
     /**
      * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
      * required to change the proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
         super.populateSettings();
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        if (cveValidForHours != null) {
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            if (cveValidForHours >= 0) {
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+                Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
-        }
+            } else {
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+                throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+            }
-        }
-        if (connectionString != null && !connectionString.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
-        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        }
-        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        }
-        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         }
     }
 }

dependency-check-ant/src/main/resources/task.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0

dependency-check-ant/src/site/markdown/config-update.md

@@ -32,10 +32,10 @@ may be the cvedUrl properties, which can be used to host a mirror of the NVD wit
 
 Property             | Description                                                                                           | Default Value
 ---------------------|-------------------------------------------------------------------------------------------------------|------------------
-cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                              |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.           |  

dependency-check-ant/src/site/markdown/configuration.md

@@ -29,19 +29,20 @@ Configuration: dependency-check Task
 --------------------
 The following properties can be set on the dependency-check-update task.
 
-Property              | Description                        | Default Value
+Property              | Description                                                                                                                                                                                        | Default Value
-----------------------|------------------------------------|------------------
+----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
-autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
-projectName           | The name of the project being scanned. | Dependency-Check
+cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
-reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
-failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
-reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
-suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) |  
+reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
-proxyServer           | The Proxy Server.                  |  
+suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       |  
-proxyPort             | The Proxy Port.                    |  
+proxyServer           | The Proxy Server.                                                                                                                                                                                  |  
-proxyUsername         | Defines the proxy user name.       |  
+proxyPort             | The Proxy Port.                                                                                                                                                                                    |  
-proxyPassword         | Defines the proxy password.        |  
+proxyUsername         | Defines the proxy user name.                                                                                                                                                                       |  
-connectionTimeout     | The URL Connection Timeout.        |  
+proxyPassword         | Defines the proxy password.                                                                                                                                                                        |  
+connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        |  
 
 Analyzer Configuration
 ====================

dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -26,7 +26,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 
 import static org.junit.Assert.assertTrue;

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -279,6 +279,7 @@ public class App {
         final String cveMod20 = cli.getModifiedCve20Url();
         final String cveBase12 = cli.getBaseCve12Url();
         final String cveBase20 = cli.getBaseCve20Url();
+        final Integer cveValidForHours = cli.getCveValidForHours();
 
         if (propertiesFile != null) {
             try {
@@ -308,24 +309,13 @@ public class App {
             Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (proxyUser != null && !proxyUser.isEmpty()) {
+        Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
-        }
-        if (proxyPass != null && !proxyPass.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
-        }
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
 
         //File Type Analyzer Settings
         Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
@@ -336,38 +326,24 @@ public class App {
         Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
+        Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
-
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
-        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
         if (cveBase12 != null && !cveBase12.isEmpty()) {
             Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
             Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -90,6 +90,19 @@ public final class CliParser {
      * @throws ParseException is thrown if there is an exception parsing the command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
+        if (isUpdateOnly() || isRunScan()) {
+            final String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+            if (value != null) {
+                try {
+                    final int i = Integer.parseInt(value);
+                    if (i < 0) {
+                        throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
+                    }
+                } catch (NumberFormatException ex) {
+                    throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
+                }
+            }
+        }
         if (isRunScan()) {
             validatePathExists(getScanFiles(), ARGUMENT.SCAN);
             validatePathExists(getReportDirectory(), ARGUMENT.OUT);
@@ -255,6 +268,10 @@ public final class CliParser {
                 .desc("The file path to the suppression XML file.")
                 .build();
 
+        final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
+                .desc("The number of hours to wait before checking for new updates from the NVD.")
+                .build();
+
         //This is an option group because it can be specified more then once.
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
@@ -274,7 +291,8 @@ public final class CliParser {
                 .addOption(symLinkDepth)
                 .addOption(props)
                 .addOption(verboseLog)
-                .addOption(suppressionFile);
+                .addOption(suppressionFile)
+                .addOption(cveValidForHours);
     }
 
     /**
@@ -327,6 +345,10 @@ public final class CliParser {
                 .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .build();
 
+        final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
+                .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
+                .desc("The path to bundle-audit for Gem bundle analysis.").build();
+
         final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg()
                 .longOpt(ARGUMENT.CONNECTION_TIMEOUT).desc("The connection timeout (in milliseconds) to use when downloading resources.")
                 .build();
@@ -419,11 +441,14 @@ public final class CliParser {
                 .addOption(disableJarAnalyzer)
                 .addOption(disableArchiveAnalyzer)
                 .addOption(disableAssemblyAnalyzer)
+                .addOption(pathToBundleAudit)
                 .addOption(disablePythonDistributionAnalyzer)
                 .addOption(disableCmakeAnalyzer)
                 .addOption(disablePythonPackageAnalyzer)
                 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
                         .desc("Disable the Ruby Gemspec Analyzer.").build())
+                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
+                        .desc("Disable the Ruby Bundler-Audit Analyzer.").build())
                 .addOption(disableAutoconfAnalyzer)
                 .addOption(disableComposerAnalyzer)
                 .addOption(disableOpenSSLAnalyzer)
@@ -436,6 +461,7 @@ public final class CliParser {
                 .addOption(nexusUsesProxy)
                 .addOption(additionalZipExtensions)
                 .addOption(pathToMono)
+                .addOption(pathToBundleAudit)
                 .addOption(purge);
     }
 
@@ -541,6 +567,15 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
     }
 
+    /**
+     * Returns true if the disableBundleAudit command line argument was specified.
+     *
+     * @return true if the disableBundleAudit command line argument was specified; otherwise false
+     */
+    public boolean isBundleAuditDisabled() {
+        return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
+    }
+
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *
@@ -654,7 +689,7 @@ public final class CliParser {
         // still honor the property if it's set.
         if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
             try {
-                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
             } catch (InvalidSettingException ise) {
                 return true;
             }
@@ -722,6 +757,15 @@ public final class CliParser {
         return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
     }
 
+    /**
+     * Returns the path to bundle-audit for Ruby bundle analysis.
+     *
+     * @return the path to Mono
+     */
+    public String getPathToBundleAudit() {
+        return line.getOptionValue(ARGUMENT.PATH_TO_BUNDLE_AUDIT);
+    }
+
     /**
      * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
      *
@@ -970,6 +1014,19 @@ public final class CliParser {
         return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
     }
 
+    /**
+     * Get the value of cveValidForHours.
+     *
+     * @return the value of cveValidForHours
+     */
+    public Integer getCveValidForHours() {
+        final String v = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
+        if (v != null) {
+            return Integer.parseInt(v);
+        }
+        return null;
+    }
+
     /**
      * A collection of static final strings that represent the possible command line arguments.
      */
@@ -1133,6 +1190,10 @@ public final class CliParser {
          * The CLI argument name for setting the location of the suppression file.
          */
         public static final String SUPPRESSION_FILE = "suppression";
+        /**
+         * The CLI argument name for setting the location of the suppression file.
+         */
+        public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
         /**
          * Disables the Jar Analyzer.
          */
@@ -1169,6 +1230,10 @@ public final class CliParser {
          * Disables the Assembly Analyzer.
          */
         public static final String DISABLE_ASSEMBLY = "disableAssembly";
+        /**
+         * Disables the Ruby Bundler Audit Analyzer.
+         */
+        public static final String DISABLE_BUNDLE_AUDIT = "disableBundleAudit";
         /**
          * Disables the Nuspec Analyzer.
          */
@@ -1229,5 +1294,9 @@ public final class CliParser {
          * Exclude path argument.
          */
         public static final String EXCLUDE = "exclude";
+        /**
+         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+         */
+        public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
     }
 }

dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java

@@ -22,7 +22,7 @@ package org.owasp.dependencycheck;
  *
  * @author Jeremy Long
  */
-class InvalidScanPathException extends Exception {
+public class InvalidScanPathException extends Exception {
 
     /**
      * The serial version UID for serialization.

dependency-check-cli/src/site/markdown/arguments.md

@@ -17,21 +17,24 @@ Short  | Argument Name   | Parameter       | Description | Requir
  \-h   | \-\-help              |                 | Print the help message. | Optional
        | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
  \-v   | \-\-version           |                 | Print the version information. | Optional
+       | \-\-cveValidForHours  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
+
 
 Advanced Options
 ================
 Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                     | Default&nbsp;Value
 -------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
-       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | http://nvd.nist.gov/download/nvdcve-modified.xml
+       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | http://nvd.nist.gov/download/nvdcve-%d.xml
+       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
  \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
        | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
        | \-\-disablePyDist     |                 | Sets whether the Python Distribution Analyzer will be used.                      | false
        | \-\-disablePyPkg      |                 | Sets whether the Python Package Analyzer will be used.                           | false
        | \-\-disableNodeJS     |                 | Sets whether the Node.js Package Analyzer will be used.                          | false
        | \-\-disableRubygems   |                 | Sets whether the Ruby Gemspec Analyzer will be used.                             | false
+       | \-\-disableBundleAudit |               | Sets whether the Ruby Bundler Audit Analyzer will be used.                             | false
        | \-\-disableAutoconf   |                 | Sets whether the Autoconf Analyzer will be used.                                 | false
        | \-\-disableOpenSSL    |                 | Sets whether the OpenSSL Analyzer will be used.                                  | false
        | \-\-disableCmake      |                 | Sets whether the Cmake Analyzer will be disabled.                                | false
@@ -46,6 +49,7 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
        | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
        | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
        | \-\-mono              | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
+       | \-\-bundleAudit       |                 | The path to the bundle-audit executable. | &nbsp;
        | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                              | &nbsp;
        | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
        | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;

dependency-check-cli/src/site/markdown/index.md.vm

@@ -25,10 +25,10 @@ your homebrew installation.
 To scan a folder on the system you can run:
 
 $H$H$H Windows
-    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
+    dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
 
 $H$H$H *nix
-    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
+    dependency-check.sh --project "My App Name" --scan "/java/application/lib"
 
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
 

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -468,7 +468,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-surefire-plugin</artifactId>
-                        <version>2.18.1</version>
                         <configuration>
                             <skip>true</skip>
                         </configuration>
@@ -476,12 +475,68 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
-                        <version>2.18.1</version>
                         <configuration>
                             <systemProperties>
                                 <property>
                                     <name>data.driver_path</name>
-                                    <value>${basedir}/${driver_path}</value>
+                                    <value>${driver_path}</value>
+                                </property>
+                                <property>
+                                    <name>data.driver_name</name>
+                                    <value>${driver_name}</value>
+                                </property>
+                                <property>
+                                    <name>data.connection_string</name>
+                                    <value>${connection_string}</value>
+                                </property>
+                            </systemProperties>
+                            <includes>
+                                <include>**/*MySQLTest.java</include>
+                            </includes>
+                        </configuration>
+                        <executions>
+                            <execution>
+                                <goals>
+                                    <goal>integration-test</goal>
+                                    <goal>verify</goal>
+                                </goals>
+                            </execution>
+                        </executions>
+                    </plugin>
+                </plugins>
+            </build>
+        </profile>
+        <profile>
+            <id>Postgresql-IntegrationTest</id>
+            <activation>
+                <property>
+                    <name>postgresql</name>
+                </property>
+            </activation>
+            <dependencies>
+                <dependency>
+                    <groupId>org.postgresql</groupId>
+                    <artifactId>postgresql</artifactId>
+                    <version>9.4-1204-jdbc42</version>
+                </dependency>
+            </dependencies>
+            <build>
+                <plugins>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-surefire-plugin</artifactId>
+                        <configuration>
+                            <skip>true</skip>
+                        </configuration>
+                    </plugin>
+                    <plugin>
+                        <groupId>org.apache.maven.plugins</groupId>
+                        <artifactId>maven-failsafe-plugin</artifactId>
+                        <configuration>
+                            <systemProperties>
+                                <property>
+                                    <name>data.driver_path</name>
+                                    <value>${driver_path}</value>
                                 </property>
                                 <property>
                                     <name>data.driver_name</name>

dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java

@@ -38,6 +38,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.util.ArrayList;
+import java.util.Collection;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -174,8 +175,7 @@ public class Engine implements FileFilter {
     public List<Dependency> scan(String[] paths) {
         final List<Dependency> deps = new ArrayList<Dependency>();
         for (String path : paths) {
-            final File file = new File(path);
+            final List<Dependency> d = scan(path);
-            final List<Dependency> d = scan(file);
             if (d != null) {
                 deps.addAll(d);
             }
@@ -215,33 +215,14 @@ public class Engine implements FileFilter {
     }
 
     /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * Scans a collection of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
      * identified are added to the dependency collection.
      *
      * @param files a set of paths to files or directories to be analyzed
      * @return the list of dependencies scanned
      * @since v0.3.2.5
      */
-    public List<Dependency> scan(Set<File> files) {
+    public List<Dependency> scan(Collection<File> files) {
-        final List<Dependency> deps = new ArrayList<Dependency>();
-        for (File file : files) {
-            final List<Dependency> d = scan(file);
-            if (d != null) {
-                deps.addAll(d);
-            }
-        }
-        return deps;
-    }
-
-    /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
-     * identified are added to the dependency collection.
-     *
-     * @param files a set of paths to files or directories to be analyzed
-     * @return the list of dependencies scanned
-     * @since v0.3.2.5
-     */
-    public List<Dependency> scan(List<File> files) {
         final List<Dependency> deps = new ArrayList<Dependency>();
         for (File file : files) {
             final List<Dependency> d = scan(file);

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -840,8 +840,7 @@ public class DependencyCheckScanAgent {
      */
     private Engine executeDependencyCheck() throws DatabaseException {
         populateSettings();
-        Engine engine = null;
+        final Engine engine = new Engine();
-        engine = new Engine();
         engine.setDependencies(this.dependencies);
         engine.analyzeDependencies();
         return engine;
@@ -898,67 +897,28 @@ public class DependencyCheckScanAgent {
         }
 
         Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
-        if (proxyPassword != null && !proxyPassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        }
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        }
         Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        if (centralUrl != null && !centralUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
-        }
         Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        if (databaseUser != null && !databaseUser.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
-        }
-        if (databasePassword != null && !databasePassword.isEmpty()) {
-            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
-        if (zipExtensions != null && !zipExtensions.isEmpty()) {
-            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        }
-        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
-        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        }
-        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        }
-        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
-            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
-        if (pathToMono != null && !pathToMono.isEmpty()) {
-            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
-        }
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -214,7 +214,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * @return a Set of strings.
      */
     protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
+        final Set<String> set = new HashSet<String>(strings.length);
         Collections.addAll(set, strings);
         return set;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -28,6 +28,10 @@ public enum AnalysisPhase {
      * Initialization phase.
      */
     INITIAL,
+    /**
+     * Pre information collection phase.
+     */
+    PRE_INFORMATION_COLLECTION,
     /**
      * Information collection phase.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -114,8 +114,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     static {
         final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
         if (additionalZipExt != null) {
-            final Set<String> ext = new HashSet<String>(Collections.singletonList(additionalZipExt));
+            final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            ZIPPABLES.addAll(ext);
+            Collections.addAll(ZIPPABLES, ext);
         }
         EXTENSIONS.addAll(ZIPPABLES);
     }
@@ -195,8 +195,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         if (tempFileLocation != null && tempFileLocation.exists()) {
             LOGGER.debug("Attempting to delete temporary files");
             final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
+            if (!success && tempFileLocation.exists()) {
-                LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                final String[] l = tempFileLocation.list();
+                if (l != null && l.length > 0) {
+                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                }
             }
         }
     }
@@ -415,11 +418,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         FileOutputStream fos = null;
         try {
             final File parent = file.getParentFile();
-            if (!parent.isDirectory()) {
+            if (!parent.isDirectory() && !parent.mkdirs()) {
-                if (!parent.mkdirs()) {
+                final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
-                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+                throw new AnalysisException(msg);
-                    throw new AnalysisException(msg);
-                }
             }
             fos = new FileOutputStream(file);
             IOUtils.copy(input, fos);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -17,13 +17,13 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
+import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.output.NullOutputStream;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -115,21 +115,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         final List<String> args = buildArgumentList();
         args.add(dependency.getActualFilePath());
         final ProcessBuilder pb = new ProcessBuilder(args);
-        BufferedReader rdr = null;
         Document doc = null;
         try {
             final Process proc = pb.start();
-            // Try evacuating the error stream
+
-            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
-            String line = null;
-            // CHECKSTYLE:OFF
-            while (rdr.ready() && (line = rdr.readLine()) != null) {
-                LOGGER.warn("Error from GrokAssembly: {}", line);
-            }
-            // CHECKSTYLE:ON
-            int rc = 0;
             doc = builder.parse(proc.getInputStream());
 
+            // Try evacuating the error stream
+            final String errorStream = IOUtils.toString(proc.getErrorStream(), "UTF-8");
+            if (null != errorStream && !errorStream.isEmpty()) {
+                LOGGER.warn("Error from GrokAssembly: {}", errorStream);
+            }
+
+            int rc = 0;
             try {
                 rc = proc.waitFor();
             } catch (InterruptedException ie) {
@@ -176,14 +174,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (XPathExpressionException xpe) {
             // This shouldn't happen
             throw new AnalysisException(xpe);
-        } finally {
-            if (rdr != null) {
-                try {
-                    rdr.close();
-                } catch (IOException ex) {
-                    LOGGER.debug("ignore", ex);
-                }
-            }
         }
     }
 
@@ -200,11 +190,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
         try {
             fos = new FileOutputStream(tempFile);
             is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
-            final byte[] buff = new byte[4096];
+            IOUtils.copy(is, fos);
-            int bread = -1;
+
-            while ((bread = is.read(buff)) >= 0) {
-                fos.write(buff, 0, bread);
-            }
             grokAssemblyExe = tempFile;
             // Set the temp file to get deleted when we're done
             grokAssemblyExe.deleteOnExit();
@@ -232,17 +219,12 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 
         // Now, need to see if GrokAssembly actually runs from this location.
         final List<String> args = buildArgumentList();
-        BufferedReader rdr = null;
         try {
             final ProcessBuilder pb = new ProcessBuilder(args);
             final Process p = pb.start();
             // Try evacuating the error stream
-            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
-            // CHECKSTYLE:OFF
+
-            while (rdr.ready() && rdr.readLine() != null) {
-                // We expect this to complain
-            }
-            // CHECKSTYLE:ON
             final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final String error = xpath.evaluate("/assembly/error", doc);
@@ -253,24 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                 this.setEnabled(false);
                 throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
             }
+        } catch (AnalysisException e) {
+            throw e;
         } catch (Throwable e) {
-            if (e instanceof AnalysisException) {
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                throw (AnalysisException) e;
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-            } else {
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+            this.setEnabled(false);
-                        + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
+            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
-                LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                this.setEnabled(false);
-                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
-            }
-        } finally {
-            if (rdr != null) {
-                try {
-                    rdr.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("ignore", ex);
-                }
-            }
         }
         builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -32,8 +32,10 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -62,11 +64,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     private static final int REGEX_OPTIONS = Pattern.DOTALL
             | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
 
+    /**
+     * Regex to extract the product information.
+     */
     private static final Pattern PROJECT = Pattern.compile(
             "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
 
-    // Group 1: Product
+    /**
-    // Group 2: Version
+     * Regex to extract product and version information.
+     *
+     * Group 1: Product
+     *
+     * Group 2: Version
+     */
     private static final Pattern SET_VERSION = Pattern
             .compile(
                     "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
@@ -172,8 +182,17 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
         }
     }
 
+    /**
+     * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
+     * the dependency list.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine the dependency-check engine
+     * @param contents the version information
+     */
     private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
-        final Dependency orig = dependency;
+        Dependency currentDep = dependency;
+
         final Matcher m = SET_VERSION.matcher(contents);
         int count = 0;
         while (m.find()) {
@@ -190,19 +209,24 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
             }
             if (count > 1) {
                 //TODO - refactor so we do not assign to the parameter (checkstyle)
-                dependency = new Dependency(orig.getActualFile());
+                currentDep = new Dependency(dependency.getActualFile());
-                dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
+                currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
-                final String filePath = String.format("%s:%s", orig.getFilePath(), product);
+                final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
-                dependency.setFilePath(filePath);
+                currentDep.setFilePath(filePath);
 
-                // prevents coalescing into the dependency provided by engine
+                byte[] path;
-                dependency.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                try {
-                engine.getDependencies().add(dependency);
+                    path = filePath.getBytes("UTF-8");
+                } catch (UnsupportedEncodingException ex) {
+                    path = filePath.getBytes();
+                }
+                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
+                engine.getDependencies().add(currentDep);
             }
-            final String source = dependency.getDisplayFileName();
+            final String source = currentDep.getDisplayFileName();
-            dependency.getProductEvidence().addEvidence(source, "Product",
+            currentDep.getProductEvidence().addEvidence(source, "Product",
                     product, Confidence.MEDIUM);
-            dependency.getVersionEvidence().addEvidence(source, "Version",
+            currentDep.getVersionEvidence().addEvidence(source, "Version",
                     version, Confidence.MEDIUM);
         }
         LOGGER.debug(String.format("Found %d matches.", count));

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
      * process.
      */
     public void open() throws IOException, DatabaseException {
-        cve = new CveDB();
+        if (!isOpen()) {
-        cve.open();
+            cve = new CveDB();
-        cpe = CpeMemoryIndex.getInstance();
+            cve.open();
-        try {
+            cpe = CpeMemoryIndex.getInstance();
-            LOGGER.info("Creating the CPE Index");
+            try {
-            final long creationStart = System.currentTimeMillis();
+                LOGGER.info("Creating the CPE Index");
-            cpe.open(cve);
+                final long creationStart = System.currentTimeMillis();
-            LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+                cpe.open(cve);
-        } catch (IndexException ex) {
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            LOGGER.debug("IndexException", ex);
+            } catch (IndexException ex) {
-            throw new DatabaseException(ex);
+                LOGGER.debug("IndexException", ex);
+                throw new DatabaseException(ex);
+            }
         }
     }
 
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
             }
             return ret;
         } catch (ParseException ex) {
-            LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
             LOGGER.info("Unable to parse: {}", searchString, ex);
         } catch (IOException ex) {
-            LOGGER.warn("An error occured reading CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
             LOGGER.info("IO Error with search string: {}", searchString, ex);
         }
         return null;
@@ -335,7 +337,7 @@ public class CPEAnalyzer implements Analyzer {
      * @return if the append was successful.
      */
     private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
-        sb.append(" ").append(field).append(":( ");
+        sb.append(' ').append(field).append(":( ");
 
         final String cleanText = cleanseText(searchText);
 
@@ -349,20 +351,27 @@ public class CPEAnalyzer implements Analyzer {
             final StringTokenizer tokens = new StringTokenizer(cleanText);
             while (tokens.hasMoreElements()) {
                 final String word = tokens.nextToken();
-                String temp = null;
+                StringBuilder temp = null;
                 for (String weighted : weightedText) {
                     final String weightedStr = cleanseText(weighted);
                     if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
-                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        temp = new StringBuilder(word.length() + 2);
+                        LuceneUtils.appendEscapedLuceneQuery(temp, word);
+                        temp.append(WEIGHTING_BOOST);
                         if (!word.equalsIgnoreCase(weightedStr)) {
-                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                            temp.append(' ');
+                            LuceneUtils.appendEscapedLuceneQuery(temp, weightedStr);
+                            temp.append(WEIGHTING_BOOST);
                         }
+                        break;
                     }
                 }
+                sb.append(' ');
                 if (temp == null) {
-                    temp = LuceneUtils.escapeLuceneQuery(word);
+                    LuceneUtils.appendEscapedLuceneQuery(sb, word);
+                } else {
+                    sb.append(temp);
                 }
-                sb.append(" ").append(temp);
             }
         }
         sb.append(" ) ");
@@ -515,7 +524,7 @@ public class CPEAnalyzer implements Analyzer {
                 for (VulnerableSoftware vs : cpes) {
                     DependencyVersion dbVer;
                     if (vs.getUpdate() != null && !vs.getUpdate().isEmpty()) {
-                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getUpdate());
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate());
                     } else {
                         dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -192,7 +192,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
             final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
-                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma.toString(), dependency.getFileName());
+                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
                 for (Evidence e : dependency.getVendorEvidence()) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java

@@ -213,10 +213,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
         //version check
         final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
         final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
-        if (version1 != null && version2 != null) {
+        if (version1 != null && version2 != null && !version1.equals(version2)) {
-            if (!version1.equals(version2)) {
+            return false;
-                return false;
-            }
         }
 
         //filename check

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java

@@ -113,7 +113,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
         for (Identifier i : dependency.getIdentifiers()) {
             if ("maven".contains(i.getType())) {
                 if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
-                    final int endPoint = i.getValue().indexOf(":", 19);
+                    final int endPoint = i.getValue().indexOf(':', 19);
                     if (endPoint >= 0) {
                         mustContain = i.getValue().substring(19, endPoint).toLowerCase();
                         break;
@@ -472,8 +472,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
      */
     private String trimCpeToVendor(String value) {
         //cpe:/a:jruby:jruby:1.0.8
-        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos1 = value.indexOf(':', 7); //right of vendor
-        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        final int pos2 = value.indexOf(':', pos1 + 1); //right of product
         if (pos2 < 0) {
             return value;
         } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+import org.apache.commons.io.FilenameUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -76,13 +77,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
 
         //strip any path information that may get added by ArchiveAnalyzer, etc.
         final File f = dependency.getActualFile();
-        String fileName = f.getName();
+        final String fileName = FilenameUtils.removeExtension(f.getName());
-
-        //remove file extension
-        final int pos = fileName.lastIndexOf(".");
-        if (pos > 0) {
-            fileName = fileName.substring(0, pos);
-        }
 
         //add version evidence
         final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -42,6 +42,7 @@ import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import org.apache.commons.compress.utils.IOUtils;
+import org.apache.commons.io.FilenameUtils;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -269,8 +270,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         }
         File externalPom = null;
         if (pomEntries.isEmpty()) {
-            String pomPath = dependency.getActualFilePath();
+            final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
-            pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
             externalPom = new File(pomPath);
             if (externalPom.isFile()) {
                 pomEntries.add(pomPath);
@@ -320,7 +320,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     foundSomething |= setPomEvidence(dependency, pom, classes);
                 }
             } catch (AnalysisException ex) {
-                LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
+                LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                 LOGGER.trace("", ex);
             }
         }
@@ -835,10 +835,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
 
             if (pos > 0) {
-                final StringBuilder sb = new StringBuilder(pos + 3);
+                desc = desc.substring(0, pos) + "...";
-                sb.append(desc.substring(0, pos));
-                sb.append("...");
-                desc = sb.toString();
             }
             dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
             dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java

@@ -104,7 +104,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
          */
         boolean retval = false;
         try {
-            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+            if (!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))
                     && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                 LOGGER.info("Enabling Nexus analyzer");
                 retval = true;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java

@@ -126,7 +126,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
      */
     @Override
     public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.debug("Checking Nuspec file {}", dependency.toString());
+        LOGGER.debug("Checking Nuspec file {}", dependency);
         try {
             final NuspecParser parser = new XPathNuspecParser();
             NugetPackage np = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java

@@ -73,7 +73,7 @@ public class NvdCveAnalyzer implements Analyzer {
      * @return true or false.
      */
     public boolean isOpen() {
-        return (cveDB != null);
+        return cveDB != null;
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -164,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Analyzes python packages and adds evidence to the dependency.
      *
      * @param dependency the dependency being analyzed
-     * @param engine     the engine being used to perform the scan
+     * @param engine the engine being used to perform the scan
      * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
      */
     @Override
@@ -175,8 +175,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         final String parentName = parent.getName();
         boolean found = false;
         if (INIT_PY_FILTER.accept(file)) {
-            for (final File sourceFile : parent.listFiles(PY_FILTER)) {
+            final File[] fileList = parent.listFiles(PY_FILTER);
-                found |= analyzeFileContents(dependency, sourceFile);
+            if (fileList != null) {
+                for (final File sourceFile : fileList) {
+                    found |= analyzeFileContents(dependency, sourceFile);
+                }
             }
         }
         if (found) {
@@ -197,7 +200,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
      *
      * @param dependency the dependency being analyzed
-     * @param file       the file name to analyze
+     * @param file the file name to analyze
      * @return whether evidence was found
      * @throws AnalysisException thrown if there is an unrecoverable error
      */
@@ -241,15 +244,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
      * Adds summary information to the dependency
      *
      * @param dependency the dependency being analyzed
-     * @param pattern    the pattern used to perform analysis
+     * @param pattern the pattern used to perform analysis
-     * @param group      the group from the pattern that indicates the data to use
+     * @param group the group from the pattern that indicates the data to use
-     * @param contents   the data being analyzed
+     * @param contents the data being analyzed
-     * @param source     the source name to use when recording the evidence
+     * @param source the source name to use when recording the evidence
-     * @param key        the key name to use when recording the evidence
+     * @param key the key name to use when recording the evidence
      * @return true if evidence was collected; otherwise false
      */
     private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
-                                   int group, String contents, String source, String key) {
+            int group, String contents, String source, String key) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {
@@ -262,16 +265,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Collects evidence from the home page URL.
      *
-     * @param pattern  the pattern to match
+     * @param pattern the pattern to match
      * @param evidence the evidence collection to add the evidence to
-     * @param source   the source of the evidence
+     * @param source the source of the evidence
-     * @param name     the name of the evidence
+     * @param name the name of the evidence
      * @param contents the home page URL
      * @return true if evidence was collected; otherwise false
      */
     private boolean gatherHomePageEvidence(Pattern pattern,
-                                           EvidenceCollection evidence, String source, String name,
+            EvidenceCollection evidence, String source, String name,
-                                           String contents) {
+            String contents) {
         final Matcher matcher = pattern.matcher(contents);
         boolean found = false;
         if (matcher.find()) {
@@ -287,17 +290,17 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Gather evidence from a Python source file using the given string assignment regex pattern.
      *
-     * @param pattern    to scan contents with
+     * @param pattern to scan contents with
-     * @param contents   of Python source file
+     * @param contents of Python source file
-     * @param source     for storing evidence
+     * @param source for storing evidence
-     * @param evidence   to store evidence in
+     * @param evidence to store evidence in
-     * @param name       of evidence
+     * @param name of evidence
      * @param confidence in evidence
      * @return whether evidence was found
      */
     private boolean gatherEvidence(Pattern pattern, String contents,
-                                   String source, EvidenceCollection evidence, String name,
+            String source, EvidenceCollection evidence, String name,
-                                   Confidence confidence) {
+            Confidence confidence) {
         final Matcher matcher = pattern.matcher(contents);
         final boolean found = matcher.find();
         if (found) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -0,0 +1,326 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.Reference;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.*;
+import java.util.*;
+
+/**
+ * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
+
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
+
+    private static final FileFilter FILTER
+            = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+    public static final String NAME = "Name: ";
+    public static final String VERSION = "Version: ";
+    public static final String ADVISORY = "Advisory: ";
+    public static final String CRITICALITY = "Criticality: ";
+
+    /**
+     * @return a filter that accepts files named Gemfile.lock
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return FILTER;
+    }
+
+    /**
+     * Launch bundle-audit.
+     *
+     * @return a handle to the process
+     */
+    private Process launchBundleAudit(File folder) throws AnalysisException {
+        if (!folder.isDirectory()) {
+            throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
+        }
+        final List<String> args = new ArrayList<String>();
+        final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
+        args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
+        args.add("check");
+        args.add("--verbose");
+        final ProcessBuilder builder = new ProcessBuilder(args);
+        builder.directory(folder);
+        try {
+            return builder.start();
+        } catch (IOException ioe) {
+            throw new AnalysisException("bundle-audit failure", ioe);
+        }
+    }
+
+    /**
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     *
+     * @throws Exception if anything goes wrong
+     */
+    @Override
+    public void initializeFileTypeAnalyzer() throws Exception {
+        // Now, need to see if bundle-audit actually runs from this location.
+        Process process = launchBundleAudit(Settings.getTempDirectory());
+        int exitValue = process.waitFor();
+        if (0 == exitValue) {
+            LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
+            setEnabled(false);
+            throw new AnalysisException("Unexpected exit code from bundle-audit process.");
+        } else {
+            BufferedReader reader = null;
+            try {
+                reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+                if (!reader.ready()) {
+                    LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
+                    setEnabled(false);
+                    throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
+                } else {
+                    final String line = reader.readLine();
+                    if (line == null || !line.contains("Errno::ENOENT")) {
+                        LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
+                        setEnabled(false);
+                        throw new AnalysisException("Unexpected bundle-audit output.");
+                    }
+                }
+            } finally {
+                if (null != reader) {
+                    reader.close();
+                }
+            }
+        }
+        if (isEnabled()) {
+            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
+                    + "occasionally to keep its database up to date.");
+        }
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
+    }
+
+    /**
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
+     * to disable {@link RubyGemspecAnalyzer}.
+     */
+    private boolean needToDisableGemspecAnalyzer = true;
+
+    @Override
+    protected void analyzeFileType(Dependency dependency, Engine engine)
+            throws AnalysisException {
+        if (needToDisableGemspecAnalyzer) {
+            boolean failed = true;
+            final String className = RubyGemspecAnalyzer.class.getName();
+            for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
+                if (analyzer instanceof RubyGemspecAnalyzer) {
+                    ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
+                    LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
+                    failed = false;
+                }
+            }
+            if (failed) {
+                LOGGER.warn("Did not find" + className + '.');
+            }
+            needToDisableGemspecAnalyzer = false;
+        }
+        final File parentFile = dependency.getActualFile().getParentFile();
+        final Process process = launchBundleAudit(parentFile);
+        try {
+            process.waitFor();
+        } catch (InterruptedException ie) {
+            throw new AnalysisException("bundle-audit process interrupted", ie);
+        }
+        BufferedReader rdr = null;
+        try {
+            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
+            processBundlerAuditOutput(dependency, engine, rdr);
+        } catch (IOException ioe) {
+            LOGGER.warn("bundle-audit failure", ioe);
+        } finally {
+            if (null != rdr) {
+                try {
+                    rdr.close();
+                } catch (IOException ioe) {
+                    LOGGER.warn("bundle-audit close failure", ioe);
+                }
+            }
+        }
+
+    }
+
+    private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
+        final String parentName = original.getActualFile().getParentFile().getName();
+        final String fileName = original.getFileName();
+        Dependency dependency = null;
+        Vulnerability vulnerability = null;
+        String gem = null;
+        final Map<String, Dependency> map = new HashMap<String, Dependency>();
+        boolean appendToDescription = false;
+        while (rdr.ready()) {
+            final String nextLine = rdr.readLine();
+            if (null == nextLine) {
+                break;
+            } else if (nextLine.startsWith(NAME)) {
+                appendToDescription = false;
+                gem = nextLine.substring(NAME.length());
+                if (!map.containsKey(gem)) {
+                    map.put(gem, createDependencyForGem(engine, parentName, fileName, gem));
+                }
+                dependency = map.get(gem);
+                LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+            } else if (nextLine.startsWith(VERSION)) {
+                vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine);
+            } else if (nextLine.startsWith(ADVISORY)) {
+                setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
+            } else if (nextLine.startsWith(CRITICALITY)) {
+                addCriticalityToVulnerability(parentName, vulnerability, nextLine);
+            } else if (nextLine.startsWith("URL: ")) {
+                addReferenceToVulnerability(parentName, vulnerability, nextLine);
+            } else if (nextLine.startsWith("Description:")) {
+                appendToDescription = true;
+                if (null != vulnerability) {
+                    vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 indicates unknown). See link below for full details. *** ");
+                }
+            } else if (appendToDescription) {
+                if (null != vulnerability) {
+                    vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
+                }
+            }
+        }
+    }
+
+    private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
+        final String advisory = nextLine.substring((ADVISORY.length()));
+        if (null != vulnerability) {
+            vulnerability.setName(advisory);
+        }
+        if (null != dependency) {
+            dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+        final String url = nextLine.substring(("URL: ").length());
+        if (null != vulnerability) {
+            Reference ref = new Reference();
+            ref.setName(vulnerability.getName());
+            ref.setSource("bundle-audit");
+            ref.setUrl(url);
+            vulnerability.getReferences().add(ref);
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
+        if (null != vulnerability) {
+            final String criticality = nextLine.substring(CRITICALITY.length()).trim();
+            if ("High".equals(criticality)) {
+                vulnerability.setCvssScore(8.5f);
+            } else if ("Medium".equals(criticality)) {
+                vulnerability.setCvssScore(5.5f);
+            } else if ("Low".equals(criticality)) {
+                vulnerability.setCvssScore(2.0f);
+            } else {
+                vulnerability.setCvssScore(-1.0f);
+            }
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+    }
+
+    private Vulnerability createVulnerability(String parentName, Dependency dependency, Vulnerability vulnerability, String gem, String nextLine) {
+        if (null != dependency) {
+            final String version = nextLine.substring(VERSION.length());
+            dependency.getVersionEvidence().addEvidence(
+                    "bundler-audit",
+                    "Version",
+                    version,
+                    Confidence.HIGHEST);
+            vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
+            vulnerability.setMatchedCPE(
+                    String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
+                    null);
+            vulnerability.setCvssAccessVector("-");
+            vulnerability.setCvssAccessComplexity("-");
+            vulnerability.setCvssAuthentication("-");
+            vulnerability.setCvssAvailabilityImpact("-");
+            vulnerability.setCvssConfidentialityImpact("-");
+            vulnerability.setCvssIntegrityImpact("-");
+        }
+        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
+        return vulnerability;
+    }
+
+    private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String gem) throws IOException {
+        final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
+        final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
+        FileUtils.write(tempFile, displayFileName); // unique contents to avoid dependency bundling
+        final Dependency dependency = new Dependency(tempFile);
+        dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
+        dependency.setDisplayFileName(displayFileName);
+        engine.getDependencies().add(dependency);
+        return dependency;
+    }
+}

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -49,11 +49,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
 
+    private static final String GEMSPEC = "gemspec";
+
     private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build();
+            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
-    private static final String GEMSPEC = "gemspec";
 
     /**
      * @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java

@@ -90,7 +90,7 @@ public class CentralSearch {
 
         final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
 
-        LOGGER.debug("Searching Central url {}", url.toString());
+        LOGGER.debug("Searching Central url {}", url);
 
         // Determine if we need to use a proxy. The rules:
         // 1) If the proxy is set, AND the setting is set to true, use the proxy

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java

@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.composer;
  */
 public class ComposerException extends RuntimeException {
 
+    /**
+     * The serial version UID for serialization.
+     */
+    private static final long serialVersionUID = 1L;
+
     /**
      * Creates a ComposerException with default message.
      */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java

@@ -149,7 +149,6 @@ public final class CpeMemoryIndex {
      *
      * @return the CPE Analyzer.
      */
-    @SuppressWarnings("unchecked")
     private Analyzer createIndexingAnalyzer() {
         final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
         fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -161,7 +160,6 @@ public final class CpeMemoryIndex {
      *
      * @return the CPE Analyzer.
      */
-    @SuppressWarnings("unchecked")
     private Analyzer createSearchingAnalyzer() {
         final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
         fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -173,24 +171,6 @@ public final class CpeMemoryIndex {
         return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
     }
 
-    /**
-     * Saves a CPE IndexEntry into the Lucene index.
-     *
-     * @param vendor the vendor to index
-     * @param product the product to index
-     * @param indexWriter the index writer to write the entry into
-     * @throws CorruptIndexException is thrown if the index is corrupt
-     * @throws IOException is thrown if an IOException occurs
-     */
-    public void saveEntry(String vendor, String product, IndexWriter indexWriter) throws CorruptIndexException, IOException {
-        final Document doc = new Document();
-        final Field v = new TextField(Fields.VENDOR, vendor, Field.Store.YES);
-        final Field p = new TextField(Fields.PRODUCT, product, Field.Store.YES);
-        doc.add(v);
-        doc.add(p);
-        indexWriter.addDocument(doc);
-    }
-
     /**
      * Closes the CPE Index.
      */
@@ -230,9 +210,20 @@ public final class CpeMemoryIndex {
             final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
             indexWriter = new IndexWriter(index, conf);
             try {
+                // Tip: reuse the Document and Fields for performance...
+                // See "Re-use Document and Field instances" from
+                // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
+                final Document doc = new Document();
+                final Field v = new TextField(Fields.VENDOR, Fields.VENDOR, Field.Store.YES);
+                final Field p = new TextField(Fields.PRODUCT, Fields.PRODUCT, Field.Store.YES);
+                doc.add(v);
+                doc.add(p);
+
                 final Set<Pair<String, String>> data = cve.getVendorProductList();
                 for (Pair<String, String> pair : data) {
-                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
+                    v.setStringValue(pair.getLeft());
+                    p.setStringValue(pair.getRight());
+                    indexWriter.addDocument(doc);
                 }
             } catch (DatabaseException ex) {
                 LOGGER.debug("", ex);
@@ -287,8 +278,9 @@ public final class CpeMemoryIndex {
         if (searchString == null || searchString.trim().isEmpty()) {
             throw new ParseException("Query is null or empty");
         }
+        LOGGER.debug(searchString);
         final Query query = queryParser.parse(searchString);
-        return indexSearcher.search(query, maxQueryResults);
+        return search(query, maxQueryResults);
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java

@@ -48,7 +48,7 @@ public class IndexEntry implements Serializable {
      */
     public String getDocumentId() {
         if (documentId == null && vendor != null && product != null) {
-            documentId = vendor + ":" + product;
+            documentId = vendor + ':' + product;
         }
         return documentId;
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java

@@ -77,6 +77,7 @@ public final class LuceneUtils {
                 case '*':
                 case '?':
                 case ':':
+                case '/':
                 case '\\': //it is supposed to fall through here
                     buf.append('\\');
                 default:

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java

@@ -94,13 +94,13 @@ public class MavenArtifact {
         }
         if (jarAvailable) {
             //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.artifactUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.artifactUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".jar";
+                    + version + '/' + artifactId + '-' + version + ".jar";
         }
         if (pomAvailable) {
             //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.pomUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.pomUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".pom";
+                    + version + '/' + artifactId + '-' + version + ".pom";
         }
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java

@@ -63,7 +63,7 @@ public class NexusSearch {
         this.rootURL = rootURL;
         try {
             if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
-                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY)) {
                 useProxy = true;
                 LOGGER.debug("Using proxy");
             } else {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -17,11 +17,9 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
-import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.Driver;
@@ -29,7 +27,10 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
+import org.apache.commons.io.IOUtils;
 import org.owasp.dependencycheck.utils.DBUtils;
+import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,6 +59,10 @@ public final class ConnectionFactory {
      * Resource location for SQL file used to create the database schema.
      */
     public static final String DB_STRUCTURE_UPDATE_RESOURCE = "data/upgrade_%s.sql";
+    /**
+     * The URL that discusses upgrading non-H2 databases.
+     */
+    public static final String UPGRADE_HELP_URL = "http://jeremylong.github.io/DependencyCheck/data/upgrade.html";
     /**
      * The database driver used to connect to the database.
      */
@@ -243,22 +248,15 @@ public final class ConnectionFactory {
      */
     private static void createTables(Connection conn) throws DatabaseException {
         LOGGER.debug("Creating database structure");
-        InputStream is;
+        InputStream is = null;
-        InputStreamReader reader;
-        BufferedReader in = null;
         try {
             is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
-            reader = new InputStreamReader(is, "UTF-8");
+            final String dbStructure = IOUtils.toString(is, "UTF-8");
-            in = new BufferedReader(reader);
+
-            final StringBuilder sb = new StringBuilder(2110);
-            String tmp;
-            while ((tmp = in.readLine()) != null) {
-                sb.append(tmp);
-            }
             Statement statement = null;
             try {
                 statement = conn.createStatement();
-                statement.execute(sb.toString());
+                statement.execute(dbStructure);
             } catch (SQLException ex) {
                 LOGGER.debug("", ex);
                 throw new DatabaseException("Unable to create database statement", ex);
@@ -268,13 +266,7 @@ public final class ConnectionFactory {
         } catch (IOException ex) {
             throw new DatabaseException("Unable to create database schema", ex);
         } finally {
-            if (in != null) {
+            IOUtils.closeQuietly(is);
-                try {
-                    in.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
-                }
-            }
         }
     }
 
@@ -288,48 +280,54 @@ public final class ConnectionFactory {
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
     private static void updateSchema(Connection conn, String schema) throws DatabaseException {
-        LOGGER.debug("Updating database structure");
+        final String databaseProductName;
-        InputStream is;
-        InputStreamReader reader;
-        BufferedReader in = null;
-        String updateFile = null;
         try {
-            updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+            databaseProductName = conn.getMetaData().getDatabaseProductName();
-            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
+        } catch (SQLException ex) {
-            if (is == null) {
+            throw new DatabaseException("Unable to get the database product name");
-                throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
+        }
-            }
+        if ("h2".equalsIgnoreCase(databaseProductName)) {
-            reader = new InputStreamReader(is, "UTF-8");
+            LOGGER.debug("Updating database structure");
-            in = new BufferedReader(reader);
+            InputStream is = null;
-            final StringBuilder sb = new StringBuilder(2110);
+            String updateFile = null;
-            String tmp;
-            while ((tmp = in.readLine()) != null) {
-                sb.append(tmp);
-            }
-            Statement statement = null;
             try {
-                statement = conn.createStatement();
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
-                statement.execute(sb.toString());
+                is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
-            } catch (SQLException ex) {
+                if (is == null) {
-                LOGGER.debug("", ex);
+                    throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
-                throw new DatabaseException("Unable to update database schema", ex);
-            } finally {
-                DBUtils.closeStatement(statement);
-            }
-        } catch (IOException ex) {
-            final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
-            throw new DatabaseException(msg, ex);
-        } finally {
-            if (in != null) {
-                try {
-                    in.close();
-                } catch (IOException ex) {
-                    LOGGER.trace("", ex);
                 }
+                final String dbStructureUpdate = IOUtils.toString(is, "UTF-8");
+
+                Statement statement = null;
+                try {
+                    statement = conn.createStatement();
+                    final boolean success = statement.execute(dbStructureUpdate);
+                    if (!success && statement.getUpdateCount() <= 0) {
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                    }
+                } catch (SQLException ex) {
+                    LOGGER.debug("", ex);
+                    throw new DatabaseException("Unable to update database schema", ex);
+                } finally {
+                    DBUtils.closeStatement(statement);
+                }
+            } catch (IOException ex) {
+                final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
+                throw new DatabaseException(msg, ex);
+            } finally {
+                IOUtils.closeQuietly(is);
             }
+        } else {
+            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
+            throw new DatabaseException("Database schema is out of date");
         }
     }
 
+    /**
+     * Counter to ensure that calls to ensureSchemaVersion does not end up in an endless loop.
+     */
+    private static int callDepth = 0;
+
     /**
      * Uses the provided connection to check the specified schema version within the database.
      *
@@ -344,10 +342,15 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                if (!DB_SCHEMA_VERSION.equals(rs.getString(1))) {
+                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
-                    LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
+                final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                    LOGGER.debug("DB Schema: " + rs.getString(1));
+                if (current.compareTo(db) > 0) {
+                    LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
+                    LOGGER.debug("DB Schema: {}", rs.getString(1));
                     updateSchema(conn, rs.getString(1));
+                    if (++callDepth < 10) {
+                        ensureSchemaVersion(conn);
+                    }
                 }
             } else {
                 throw new DatabaseException("Database schema is missing");

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java

@@ -18,12 +18,11 @@
 package org.owasp.dependencycheck.data.nvdcve;
 
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure of the db.
- * of the db.
  *
  * @author Jeremy Long
  */
-class CorruptDatabaseException extends DatabaseException {
+public class CorruptDatabaseException extends DatabaseException {
 
     /**
      * the serial version uid.
@@ -31,7 +30,7 @@ class CorruptDatabaseException extends DatabaseException {
     private static final long serialVersionUID = 1L;
 
     /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
      *
      * @param msg the exception message
      */
@@ -40,7 +39,7 @@ class CorruptDatabaseException extends DatabaseException {
     }
 
     /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
      *
      * @param msg the exception message
      * @param ex the cause of the exception

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java

@@ -29,8 +29,10 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
+import java.util.MissingResourceException;
 import java.util.Properties;
 import java.util.ResourceBundle;
 import java.util.Set;
@@ -74,9 +76,17 @@ public class CveDB {
      */
     public CveDB() throws DatabaseException {
         super();
-        statementBundle = ResourceBundle.getBundle("data/dbStatements");
         try {
             open();
+            try {
+                final String databaseProductName = conn.getMetaData().getDatabaseProductName();
+                LOGGER.debug("Database dialect: {}", databaseProductName);
+                final Locale dbDialect = new Locale(databaseProductName);
+                statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
+            } catch (SQLException se) {
+                LOGGER.warn("Problem loading database specific dialect!", se);
+                statementBundle = ResourceBundle.getBundle("data/dbStatements");
+            }
             databaseProperties = new DatabaseProperties(this);
         } catch (DatabaseException ex) {
             throw ex;
@@ -252,44 +262,6 @@ public class CveDB {
         return prop;
     }
 
-    /**
-     * Saves a set of properties to the database.
-     *
-     * @param props a collection of properties
-     */
-    void saveProperties(Properties props) {
-        PreparedStatement updateProperty = null;
-        PreparedStatement insertProperty = null;
-        try {
-            try {
-                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
-                insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
-            } catch (SQLException ex) {
-                LOGGER.warn("Unable to save properties to the database");
-                LOGGER.debug("Unable to save properties to the database", ex);
-                return;
-            }
-            for (Entry<Object, Object> entry : props.entrySet()) {
-                final String key = entry.getKey().toString();
-                final String value = entry.getValue().toString();
-                try {
-                    updateProperty.setString(1, value);
-                    updateProperty.setString(2, key);
-                    if (updateProperty.executeUpdate() == 0) {
-                        insertProperty.setString(1, key);
-                        insertProperty.setString(2, value);
-                    }
-                } catch (SQLException ex) {
-                    LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-                    LOGGER.debug("", ex);
-                }
-            }
-        } finally {
-            DBUtils.closeStatement(updateProperty);
-            DBUtils.closeStatement(insertProperty);
-        }
-    }
-
     /**
      * Saves a property to the database.
      *
@@ -297,38 +269,38 @@ public class CveDB {
      * @param value the property value
      */
     void saveProperty(String key, String value) {
-        PreparedStatement updateProperty = null;
-        PreparedStatement insertProperty = null;
         try {
             try {
-                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
+                final PreparedStatement mergeProperty = getConnection().prepareStatement(statementBundle.getString("MERGE_PROPERTY"));
-            } catch (SQLException ex) {
+                try {
-                LOGGER.warn("Unable to save properties to the database");
+                    mergeProperty.setString(1, key);
-                LOGGER.debug("Unable to save properties to the database", ex);
+                    mergeProperty.setString(2, value);
-                return;
+                    mergeProperty.executeUpdate();
-            }
+                } finally {
-            try {
+                    DBUtils.closeStatement(mergeProperty);
-                updateProperty.setString(1, value);
+                }
-                updateProperty.setString(2, key);
+            } catch (MissingResourceException mre) {
-                if (updateProperty.executeUpdate() == 0) {
+                // No Merge statement, so doing an Update/Insert...
-                    try {
+                PreparedStatement updateProperty = null;
-                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
+                PreparedStatement insertProperty = null;
-                    } catch (SQLException ex) {
+                try {
-                        LOGGER.warn("Unable to save properties to the database");
+                    updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
-                        LOGGER.debug("Unable to save properties to the database", ex);
+                    updateProperty.setString(1, value);
-                        return;
+                    updateProperty.setString(2, key);
-                    }
+                    if (updateProperty.executeUpdate() == 0) {
-                    insertProperty.setString(1, key);
+                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
-                    insertProperty.setString(2, value);
+                        insertProperty.setString(1, key);
-                    insertProperty.execute();
+                        insertProperty.setString(2, value);
+                        insertProperty.executeUpdate();
+                    }
+                } finally {
+                    DBUtils.closeStatement(updateProperty);
+                    DBUtils.closeStatement(insertProperty);
                 }
-            } catch (SQLException ex) {
-                LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-                LOGGER.debug("", ex);
             }
-        } finally {
+        } catch (SQLException ex) {
-            DBUtils.closeStatement(updateProperty);
+            LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-            DBUtils.closeStatement(insertProperty);
+            LOGGER.debug("", ex);
         }
     }
 
@@ -420,7 +392,7 @@ public class CveDB {
                 if (cwe != null) {
                     final String name = CweDB.getCweName(cwe);
                     if (name != null) {
-                        cwe += " " + name;
+                        cwe += ' ' + name;
                     }
                 }
                 final int cveId = rsV.getInt(1);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -45,6 +45,10 @@ public class DatabaseProperties {
      * updates)..
      */
     public static final String MODIFIED = "Modified";
+    /**
+     * The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
+     */
+    public static final String LAST_CHECKED = "NVD CVE Checked";
     /**
      * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
      */
@@ -66,11 +70,11 @@ public class DatabaseProperties {
     /**
      * A collection of properties about the data.
      */
-    private Properties properties;
+    private final Properties properties;
     /**
      * A reference to the database.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
 
     /**
      * Constructs a new data properties object.
@@ -79,13 +83,6 @@ public class DatabaseProperties {
      */
     DatabaseProperties(CveDB cveDB) {
         this.cveDB = cveDB;
-        loadProperties();
-    }
-
-    /**
-     * Loads the properties from the database.
-     */
-    private void loadProperties() {
         this.properties = cveDB.getProperties();
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java

@@ -63,15 +63,13 @@ public final class DriverLoader {
     }
 
     /**
-     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
+     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver with the
-     * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
+     * driver manager. The pathToDriver argument is added to the class loader so that an external driver can be loaded. Note, the
-     * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
+     * pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added as needed. If a path in the
-     * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
+     * pathToDriver argument is a directory all files in the directory are added to the class path.
-     * class path.
      *
      * @param className the fully qualified name of the desired class
-     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
+     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths
-     * of paths
      * @return the loaded Driver
      * @throws DriverLoadException thrown if the driver cannot be loaded
      */
@@ -83,14 +81,15 @@ public final class DriverLoader {
             final File file = new File(path);
             if (file.isDirectory()) {
                 final File[] files = file.listFiles();
-
+                if (files != null) {
-                for (File f : files) {
+                    for (File f : files) {
-                    try {
+                        try {
-                        urls.add(f.toURI().toURL());
+                            urls.add(f.toURI().toURL());
-                    } catch (MalformedURLException ex) {
+                        } catch (MalformedURLException ex) {
-                        LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
+                            LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                            className, f.getAbsoluteFile(), ex);
+                                    className, f.getAbsoluteFile(), ex);
-                        throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+                            throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+                        }
                     }
                 }
             } else if (file.exists()) {
@@ -98,7 +97,7 @@ public final class DriverLoader {
                     urls.add(file.toURI().toURL());
                 } catch (MalformedURLException ex) {
                     LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                        className, file.getAbsoluteFile(), ex);
+                            className, file.getAbsoluteFile(), ex);
                     throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java

@@ -137,7 +137,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
      */
     private boolean updateNeeded() {
         final long now = System.currentTimeMillis();
-        final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
+        final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
         long timestamp = 0;
         final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
         if (ts != null && ts.matches("^[0-9]+$")) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+
         try {
-            openDatabase();
+            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
-            LOGGER.debug("Begin Engine Version Check");
+                openDatabase();
-            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+                LOGGER.debug("Begin Engine Version Check");
-            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+                final DatabaseProperties properties = cveDB.getDatabaseProperties();
-            final long now = System.currentTimeMillis();
+                final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
-            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+                final long now = System.currentTimeMillis();
-            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+                updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
-            LOGGER.debug("Last checked: {}", lastChecked);
+                final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
-            LOGGER.debug("Now: {}", now);
+                LOGGER.debug("Last checked: {}", lastChecked);
-            LOGGER.debug("Current version: {}", currentVersion);
+                LOGGER.debug("Now: {}", now);
-            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+                LOGGER.debug("Current version: {}", currentVersion);
-            if (updateNeeded) {
+                final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
-                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                if (updateNeeded) {
-                        updateToVersion);
+                    LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                            updateToVersion);
+                }
             }
         } catch (DatabaseException ex) {
             LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
             throw new UpdateException("Error occured updating database properties.");
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
         } finally {
             closeDatabase();
+
         }
     }
 
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
     protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
             String currentVersion) throws UpdateException {
         //check every 30 days if we know there is an update, otherwise check every 7 days
-        int checkRange = 30;
+        final int checkRange = 30;
-        if (updateToVersion.isEmpty()) {
-            checkRange = 7;
-        }
         if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
             LOGGER.debug("Checking web for new version.");
             final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
                     updateToVersion = v.toString();
                     if (!currentRelease.equals(updateToVersion)) {
                         properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
-                    } else {
-                        properties.save(CURRENT_ENGINE_RELEASE, "");
                     }
                     properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
                 }
             }
             LOGGER.debug("Current Release: {}", updateToVersion);
         }
+        if (updateToVersion == null) {
+            LOGGER.debug("Unable to obtain current release");
+            return false;
+        }
         final DependencyVersion running = new DependencyVersion(currentVersion);
         final DependencyVersion released = new DependencyVersion(updateToVersion);
         if (running.compareTo(released) < 0) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -33,6 +35,7 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
+import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -66,9 +69,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            final UpdateableNvdCve updateable = getUpdatesNeeded();
+            if (checkUpdate()) {
-            if (updateable.isUpdateNeeded()) {
+                final UpdateableNvdCve updateable = getUpdatesNeeded();
-                performUpdate(updateable);
+                if (updateable.isUpdateNeeded()) {
+                    performUpdate(updateable);
+                }
             }
         } catch (MalformedURLException ex) {
             LOGGER.warn(
@@ -87,6 +92,53 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         }
     }
 
+    /**
+     * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
+     * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
+     * stores the timestamp of the last check.
+     *
+     * @return true to proceed with the check, or false to skip.
+     * @throws UpdateException thrown when there is an issue checking for updates.
+     */
+    private boolean checkUpdate() throws UpdateException {
+        boolean proceed = true;
+        // If the valid setting has not been specified, then we proceed to check...
+        final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
+        if (dataExists() && 0 < validForHours) {
+            // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
+            final long msValid = validForHours * 60L * 60L * 1000L;
+            final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
+            final long now = System.currentTimeMillis();
+            proceed = (now - lastChecked) > msValid;
+            if (proceed) {
+                getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
+            } else {
+                LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
+                LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
+                        lastChecked, now, msValid);
+            }
+        }
+        return proceed;
+    }
+
+    /**
+     * Checks the CPE Index to ensure documents exists.
+     */
+    private boolean dataExists() {
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            return cve.dataExists();
+        } catch (DatabaseException ex) {
+            return false;
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * A reference to the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * The logger.
      */
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * The list of CPE values.
      */
-    private List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<Cpe>();
 
     /**
      * Returns the list of CPE values.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -68,8 +68,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         final File file2;
 
         try {
-            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
-            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
         } catch (IOException ex) {
             throw new UpdateException("Unable to create temporary files", ex);
         }
@@ -80,11 +80,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * The CVE DB to use when processing the files.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
     /**
      * The processor service to pass the results of the download to.
      */
-    private ExecutorService processorService;
+    private final ExecutorService processorService;
     /**
      * The NVD CVE Meta Data.
      */
@@ -92,7 +92,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -155,28 +155,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setSecond(File second) {
         this.second = second;
     }
-    /**
-     * A placeholder for an exception.
-     */
-    private Exception exception = null;
-
-    /**
-     * Get the value of exception.
-     *
-     * @return the value of exception
-     */
-    public Exception getException() {
-        return exception;
-    }
-
-    /**
-     * returns whether or not an exception occurred during download.
-     *
-     * @return whether or not an exception occurred during download
-     */
-    public boolean hasException() {
-        return exception != null;
-    }
 
     @Override
     public Future<ProcessTask> call() throws Exception {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
                 software = null;
             }
         } else if (!skip && current.isProdNode()) {
-
             vendor = attributes.getValue("vendor");
             product = attributes.getValue("name");
         } else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
                 /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
                  purposes this is good enough as we won't use this if we don't find a corresponding "a"
                  in the nvd cve 2.0. */
-                String cpe = "cpe:/a:" + vendor + ":" + product;
+                final int cpeLen = 8 + vendor.length() + product.length()
+                    + (null != num ? (1 + num.length()) : 0)
+                    + (null != edition ? (1 + edition.length()) : 0);
+                final StringBuilder cpe = new StringBuilder(cpeLen);
+                cpe.append("cpe:/a:").append(vendor).append(':').append(product);
                 if (num != null) {
-                    cpe += ":" + num;
+                    cpe.append(':').append(num);
                 }
                 if (edition != null) {
-                    cpe += ":" + edition;
+                    cpe.append(':').append(edition);
                 }
                 final VulnerableSoftware vs = new VulnerableSoftware();
-                vs.setCpe(cpe);
+                vs.setCpe(cpe.toString());
                 vs.setPreviousVersion(prev);
                 software.add(vs);
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Constructs a new ProcessTask used to process an NVD CVE update.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java

@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
  *
  * @author Jeremy Long
  */
-public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
+public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
 
     /**
      * A collection of sources of data.
      */
-    private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
      * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -341,7 +341,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
                 }
             }
             if (!found) {
-                LOGGER.debug("Adding new maven identifier {}", mavenArtifact.toString());
+                LOGGER.debug("Adding new maven identifier {}", mavenArtifact);
                 this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
             }
         }

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java

@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
 
     /**
      * Get the value of suppressionRules.

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -267,8 +267,8 @@ public class SuppressionRule {
     }
 
     /**
-     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
-     * resulting report in the "suppressed" section.
+     * report in the "suppressed" section.
      */
     private boolean base;
 
@@ -291,8 +291,8 @@ public class SuppressionRule {
     }
 
     /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
-     * should be, they are removed from the dependency.
+     * are removed from the dependency.
      *
      * @param dependency a project dependency to analyze
      */
@@ -381,13 +381,7 @@ public class SuppressionRule {
      * @return true if the property type does not specify a version; otherwise false
      */
     boolean cpeHasNoVersion(PropertyType c) {
-        if (c.isRegex()) {
+        return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
-            return false;
-        }
-        if (countCharacter(c.getValue(), ':') == 3) {
-            return true;
-        }
-        return false;
     }
 
     /**
@@ -439,46 +433,46 @@ public class SuppressionRule {
      */
     @Override
     public String toString() {
-        final StringBuilder sb = new StringBuilder();
+        final StringBuilder sb = new StringBuilder(64);
         sb.append("SuppressionRule{");
         if (filePath != null) {
-            sb.append("filePath=").append(filePath).append(",");
+            sb.append("filePath=").append(filePath).append(',');
         }
         if (sha1 != null) {
-            sb.append("sha1=").append(sha1).append(",");
+            sb.append("sha1=").append(sha1).append(',');
         }
         if (gav != null) {
-            sb.append("gav=").append(gav).append(",");
+            sb.append("gav=").append(gav).append(',');
         }
         if (cpe != null && !cpe.isEmpty()) {
             sb.append("cpe={");
             for (PropertyType pt : cpe) {
-                sb.append(pt).append(",");
+                sb.append(pt).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cwe != null && !cwe.isEmpty()) {
             sb.append("cwe={");
             for (String s : cwe) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cve != null && !cve.isEmpty()) {
             sb.append("cve={");
             for (String s : cve) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
         if (cvssBelow != null && !cvssBelow.isEmpty()) {
             sb.append("cvssBelow={");
             for (Float s : cvssBelow) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
             }
-            sb.append("}");
+            sb.append('}');
         }
-        sb.append("}");
+        sb.append('}');
         return sb.toString();
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java

@@ -36,11 +36,12 @@ public final class DateUtil {
      *
      * @param date the date to be checked.
      * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
+     * @param dayRange the range in days to be considered valid.
      * @return whether or not the date is within the range.
      */
-    public static boolean withinDateRange(long date, long compareTo, int range) {
+    public static boolean withinDateRange(long date, long compareTo, int dayRange) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+        // ms = dayRange x 24 hours/day x 60 min/hour x 60 sec/min x 1000 ms/sec
-        return differenceInDays < range;
+        final long msRange = dayRange * 24L * 60L * 60L * 1000L;
+        return (compareTo - date) < msRange;
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java

@@ -115,7 +115,7 @@ public class DependencyVersion implements Iterable<String>, Comparable<Dependenc
      */
     @Override
     public String toString() {
-        return StringUtils.join(versionParts.toArray(), ".");
+        return StringUtils.join(versionParts, '.');
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java

@@ -182,13 +182,11 @@ public final class ExtractionUtil {
             while ((entry = input.getNextEntry()) != null) {
                 if (entry.isDirectory()) {
                     final File dir = new File(destination, entry.getName());
-                    if (!dir.exists()) {
+                    if (!dir.exists() && !dir.mkdirs()) {
-                        if (!dir.mkdirs()) {
+                        final String msg = String.format(
-                            final String msg = String.format(
+                                "Unable to create directory '%s'.",
-                                    "Unable to create directory '%s'.",
+                                dir.getAbsolutePath());
-                                    dir.getAbsolutePath());
+                        throw new AnalysisException(msg);
-                            throw new AnalysisException(msg);
-                        }
                     }
                 } else {
                     extractFile(input, destination, filter, entry);
@@ -264,13 +262,11 @@ public final class ExtractionUtil {
     private static void createParentFile(final File file)
             throws ExtractionException {
         final File parent = file.getParentFile();
-        if (!parent.isDirectory()) {
+        if (!parent.isDirectory() && !parent.mkdirs()) {
-            if (!parent.mkdirs()) {
+            final String msg = String.format(
-                final String msg = String.format(
+                    "Unable to build directory '%s'.",
-                        "Unable to build directory '%s'.",
+                    parent.getAbsolutePath());
-                        parent.getAbsolutePath());
+            throw new ExtractionException(msg);
-                throw new ExtractionException(msg);
-            }
         }
     }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -50,7 +50,7 @@ public abstract class Filter<T> {
             if (next == null) {
                 throw new NoSuchElementException();
             }
-            T returnValue = next;
+            final T returnValue = next;
             toNext();
             return returnValue;
         }
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
         private void toNext() {
             next = null;
             while (iterator.hasNext()) {
-                T item = iterator.next();
+                final T item = iterator.next();
                 if (item != null && passes(item)) {
                     next = item;
                     break;

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java

@@ -1,47 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.utils;
-
-import java.io.FilterInputStream;
-import java.io.InputStream;
-
-/**
- * NonClosingStream is a stream filter which prevents another class that processes the stream from closing it. This is
- * necessary when dealing with things like JAXB and zipInputStreams.
- *
- * @author Jeremy Long
- */
-public class NonClosingStream extends FilterInputStream {
-
-    /**
-     * Constructs a new NonClosingStream.
-     *
-     * @param in an input stream.
-     */
-    public NonClosingStream(InputStream in) {
-        super(in);
-    }
-
-    /**
-     * Prevents closing of the stream.
-     */
-    @Override
-    public void close() {
-        // don't close the stream.
-    }
-}

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java

@@ -21,6 +21,9 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 
+import org.apache.commons.lang3.text.StrLookup;
+import org.apache.commons.lang3.text.StrSubstitutor;
+
 /**
  * A simple pojo to hold data related to a Maven POM file.
  *
@@ -238,7 +241,7 @@ public class Model {
     /**
      * The list of licenses.
      */
-    private List<License> licenses = new ArrayList<License>();
+    private final List<License> licenses = new ArrayList<License>();
 
     /**
      * Returns the list of licenses.
@@ -307,33 +310,41 @@ public class Model {
      * @return the interpolated text.
      */
     public static String interpolateString(String text, Properties properties) {
-        final Properties props = properties;
+        if (null == text || null == properties) {
-        if (text == null) {
             return text;
         }
-        if (props == null) {
+        final StrSubstitutor substitutor = new StrSubstitutor(new PropertyLookup(properties));
-            return text;
+        return substitutor.replace(text);
-        }
-
-        final int pos = text.indexOf("${");
-        if (pos < 0) {
-            return text;
-        }
-        final int end = text.indexOf("}");
-        if (end < pos) {
-            return text;
-        }
-
-        final String propName = text.substring(pos + 2, end);
-        String propValue = interpolateString(props.getProperty(propName), props);
-        if (propValue == null) {
-            propValue = "";
-        }
-        final StringBuilder sb = new StringBuilder(propValue.length() + text.length());
-        sb.append(text.subSequence(0, pos));
-        sb.append(propValue);
-        sb.append(text.substring(end + 1));
-        return interpolateString(sb.toString(), props); //yes yes, this should be a loop...
     }
 
+    /**
+     * Utility class that can provide values from a Properties object to a StrSubstitutor.
+     */
+    private static class PropertyLookup extends StrLookup {
+
+        /**
+         * Reference to the properties to lookup.
+         */
+        private final Properties props;
+
+        /**
+         * Constructs a new property lookup.
+         *
+         * @param props the properties to wrap.
+         */
+        PropertyLookup(Properties props) {
+            this.props = props;
+        }
+
+        /**
+         * Looks up the given property.
+         *
+         * @param key the key to the property
+         * @return the value of the property specified by the key
+         */
+        @Override
+        public String lookup(String key) {
+            return props.getProperty(key);
+        }
+    }
 }

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java

@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
     /**
      * The pom model.
      */
-    private Model model = new Model();
+    private final Model model = new Model();
 
     /**
      * Returns the model obtained from the pom.xml.

dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -19,4 +19,5 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
+org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer

dependency-check-core/src/main/resources/data/dbStatements_h2.properties

@@ -1,19 +1,15 @@
-#
+# Copyright 2015 OWASP.
-# This file is part of dependency-check-gradle.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-#
-# Copyright (c) 2015 Wei Ma. All Rights Reserved.
-#
 
-implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
+MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_mysql.properties

@@ -0,0 +1,15 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)

dependency-check-core/src/main/resources/data/dbStatements_postgreSQL.properties

@@ -0,0 +1,16 @@
+# Copyright 2015 OWASP.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+MERGE_PROPERTY=CALL save_property(?, ?)
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL);

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -38,3 +38,19 @@ INSERT INTO properties(id,value) VALUES ('version','2.9');
 
 CREATE USER 'dcuser' IDENTIFIED BY 'DC-Pass1337!';
 GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/initialize_postgres.sql

@@ -0,0 +1,53 @@
+CREATE USER dcuser WITH PASSWORD 'DC-Pass1337!';
+
+DROP TABLE IF EXISTS software;
+DROP TABLE IF EXISTS cpeEntry;
+DROP TABLE IF EXISTS reference;
+DROP TABLE IF EXISTS vulnerability;
+DROP TABLE IF EXISTS properties;
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+	description VARCHAR(8000), cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+	cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+	cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+	CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+INSERT INTO properties(id,value) VALUES ('version','2.9');
+
+GRANT SELECT, INSERT, DELETE, UPDATE ON ALL TABLES IN SCHEMA public TO dcuser;
+GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public to dcuser;
+
+DROP FUNCTION IF EXISTS save_property(varchar(50),varchar(500));
+
+CREATE FUNCTION save_property (IN prop varchar(50), IN val varchar(500))
+RETURNS void
+AS
+$$
+UPDATE properties SET "value"=val WHERE id=prop;
+
+INSERT INTO properties (id, value)
+	SELECT prop, val
+	WHERE NOT EXISTS (SELECT 1 FROM properties WHERE id=prop);
+$$ LANGUAGE sql;
+
+
+GRANT EXECUTE ON FUNCTION public.save_property(varchar(50),varchar(500)) TO dcuser;
+
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_2.9.sql

@@ -1,7 +1 @@
-
+UPDATE Properties SET value='3.0' WHERE ID='version';
---the following is not currently used.
---ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
---ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
---UPDATE cpeEntry SET dictionaryEntry=false;
-
---UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_3.0.sql

@@ -0,0 +1,7 @@
+
+--the following is not currently used.
+--ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
+--ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
+--UPDATE cpeEntry SET dictionaryEntry=false;
+
+--UPDATE Properties SET value='3.1' WHERE ID='version';

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -0,0 +1,15 @@
+
+DROP PROCEDURE IF EXISTS save_property;
+
+DELIMITER //
+CREATE PROCEDURE save_property
+(IN prop varchar(50), IN val varchar(500))
+BEGIN
+INSERT INTO properties (`id`, `value`) VALUES (prop, val)
+	ON DUPLICATE KEY UPDATE `value`=val;
+END //
+DELIMITER ;
+
+GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
+
+UPDATE properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,4 +161,78 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
+        ]]></notes>
+        <gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
+        <cpe>cpe:/a:apache:camel</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Mina gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.mina:mina.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        Woden gets flagged as apache-ssl
+        ]]></notes>
+        <gav regex="true">org.apache.woden:woden.*</gav>
+        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        spec gets flagged as the implementation.
+        ]]></notes>
+        <gav regex="true">org.apache.geronimo.specs:.*</gav>
+        <cpe>cpe:/a:apache:geronimo</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-embed-el.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-jdbc.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-juli.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positive per issue #433
+        ]]></notes>
+        <gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
+        <cpe>cpe:/a:google:google_apps:-</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #437
+        ]]></notes>
+        <gav regex="true">.*mongodb.*:.*:.*</gav>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #438
+            Note, there will be more false positives for Netty. Trying to figure out a better suppression.
+        ]]></notes>
+        <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
+        <cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
+    </suppress>
 </suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,7 +18,12 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
-data.version=2.9
+
+### if you increment the DB version then you must increment the database file path
+### in the mojo.properties, task.properties (maven and ant respectively), and
+### the gradle PurgeDataExtension.
+data.version=3.0
+
 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
@@ -41,13 +46,15 @@ data.driver_path=
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
-
+# the number of hours to wait before checking if updates are available from the NVD.
+cve.check.validforhours=4
+#first year to pull data from the URLs below
+cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
-cve.startyear=2002
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
@@ -79,3 +86,22 @@ archive.scan.depth=3
 
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
+
+
+analyzer.jar.enabled=true
+analyzer.archive.enabled=true
+analyzer.node.package.enabled=true
+analyzer.composer.lock.enabled=true
+analyzer.python.distribution.enabled=true
+analyzer.python.package.enabled=true
+analyzer.ruby.gemspec.enabled=true
+analyzer.autoconf.enabled=true
+analyzer.cmake.enabled=true
+analyzer.assembly.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.openssl.enabled=true
+analyzer.central.enabled=true
+analyzer.nexus.enabled=false
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=true
+

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <body>
         <div id="modal-background"></div>
         <div id="modal-content">
-            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
+            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                 <textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
                 <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
         </div>
@@ -578,6 +578,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                         <td data-sort-value="$sortValue">
                         #set($sortValue="")
                         #foreach($id in $dependency.getIdentifiers())
+                            #set($cpeSort=0)
                             #if ($id.type=="maven")
                                 #if ($mavenlink=="" || !$mavenlink.url)
                                     #set($mavenlink=$id)
@@ -591,7 +592,6 @@ arising out of or in connection with the use of this tool, the analysis performe
                                 #else
                                     $enc.html($id.value)
                                 #end
-                                #set($cpeSort=0)
                                 #if ($cpeIdConf == "")
                                     #set($cpeIdConf=$id.confidence)
                                     #set($cpeSort=$id.confidence.ordinal())

dependency-check-core/src/test/java/org/owasp/dependencycheck/BaseDBTestCase.java

@@ -15,7 +15,7 @@
  *
  * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
  */
-package org.owasp.dependencycheck.data.nvdcve;
+package org.owasp.dependencycheck;
 
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
@@ -31,6 +31,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
+ * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the data
+ * contained within.
  *
  * @author Jeremy Long
  */

dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java

@@ -34,7 +34,7 @@ public class EngineIntegrationTest extends BaseTest {
 
     @Before
     public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+        org.owasp.dependencycheck.BaseDBTestCase.ensureDBExists();
     }
 
     @After

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java

@@ -34,7 +34,7 @@ public class AbstractFileTypeAnalyzerTest extends BaseTest {
      */
     @Test
     public void testNewHashSet() {
-        Set result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
+        Set<String> result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
         assertEquals(2, result.size());
         assertTrue(result.contains("one"));
         assertTrue(result.contains("two"));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java

@@ -24,7 +24,7 @@ import static org.junit.Assert.*;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of getSupportedExtensions method, of class ArchiveAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java

@@ -0,0 +1,80 @@
+/*
+ * Copyright 2015 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.lang.reflect.InvocationTargetException;
+import java.lang.reflect.Method;
+import java.util.logging.Level;
+import java.util.logging.Logger;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import static org.junit.Assume.assumeFalse;
+import static org.junit.Assume.assumeNotNull;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ArchiveAnalyzerTest extends BaseTest {
+
+    @Before
+    public void setUp() {
+        Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, "z2, z3");
+    }
+
+    /**
+     * Test of analyzeFileType method, of class ArchiveAnalyzer.
+     */
+    @Test
+    public void testZippableExtensions() throws Exception {
+        assumeFalse(isPreviouslyLoaded("org.owasp.dependencycheck.analyzer.ArchiveAnalyzer"));
+        ArchiveAnalyzer instance = new ArchiveAnalyzer();
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.zip")));
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.z2")));
+        assertTrue(instance.getFileFilter().accept(new File("c:/test.z3")));
+        assertFalse(instance.getFileFilter().accept(new File("c:/test.z4")));
+    }
+
+    private boolean isPreviouslyLoaded(String className) {
+        try {
+            Method m = ClassLoader.class.getDeclaredMethod("findLoadedClass", new Class[]{String.class});
+            m.setAccessible(true);
+            Object t = m.invoke(Thread.currentThread().getContextClassLoader(), className);
+            return t != null;
+        } catch (NoSuchMethodException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (SecurityException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IllegalAccessException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (IllegalArgumentException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        } catch (InvocationTargetException ex) {
+            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
+        }
+        return false;
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java

@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
             aanalyzer.initialize();
             fail("Expected an AnalysisException");
         } catch (AnalysisException ae) {
-            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
+            assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
         } finally {
             System.setProperty(LOG_KEY, oldProp);
             // Recover the logger

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -33,7 +33,7 @@ import java.util.regex.Pattern;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.*;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  * Unit tests for CmakeAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java

@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
 import java.io.IOException;
-import java.util.HashSet;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
@@ -28,7 +28,7 @@ import org.junit.Assert;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
  *
  * @author Jeremy Long
  */
-public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Tests of buildSearch of class CPEAnalyzer.
@@ -49,11 +49,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
      */
     @Test
     public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
-        productWeightings.add("struts2");
 
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
-        vendorWeightings.add("apache");
 
         String vendor = "apache software foundation";
         String product = "struts 2 core";
@@ -238,11 +236,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
         CPEAnalyzer instance = new CPEAnalyzer();
         instance.open();
 
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
-        productWeightings.add("struts2");
 
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
-        vendorWeightings.add("apache");
 
         List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
         instance.close();

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -34,13 +34,14 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  * Unit tests for NodePackageAnalyzer.
  *
  * @author Dale Visser <dvisser@ida.org>
  */
-public class ComposerLockAnalyzerTest extends BaseTest {
+public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 
     /**
      * The analyzer to test.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIntegrationTest.java

@@ -18,13 +18,13 @@
 package org.owasp.dependencycheck.analyzer;
 
 import org.junit.Test;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DependencyBundlingAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class DependencyBundlingAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of analyze method, of class DependencyBundlingAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java

@@ -24,6 +24,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -33,12 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class HintAnalyzerTest extends BaseTest {
+public class HintAnalyzerTest extends BaseDBTestCase {
-
-    @Before
-    public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
-    }
 
     /**
      * Test of getName method, of class HintAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -0,0 +1,109 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.junit.After;
+import org.junit.Assume;
+import org.junit.Before;
+import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+
+import static org.hamcrest.CoreMatchers.is;
+import static org.hamcrest.CoreMatchers.not;
+import static org.junit.Assert.assertThat;
+
+/**
+ * Unit tests for {@link RubyBundleAuditAnalyzer}.
+ *
+ * @author Dale Visser <dvisser@ida.org>
+ */
+public class RubyBundleAuditAnalyzerTest extends BaseTest {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);
+
+    /**
+     * The analyzer to test.
+     */
+    RubyBundleAuditAnalyzer analyzer;
+
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        try {
+            analyzer = new RubyBundleAuditAnalyzer();
+            analyzer.setFilesMatched(true);
+            analyzer.initialize();
+        } catch (Exception e) {
+            //LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
+            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
+        }
+    }
+
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
+
+    /**
+     * Test Ruby Gemspec name.
+     */
+    @Test
+    public void testGetName() {
+        assertThat(analyzer.getName(), is("Ruby Bundle Audit Analyzer"));
+    }
+
+    /**
+     * Test Ruby Bundler Audit file support.
+     */
+    @Test
+    public void testSupportsFiles() {
+        assertThat(analyzer.accept(new File("Gemfile.lock")), is(true));
+    }
+
+    /**
+     * Test Ruby BundlerAudit analysis.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalysis() throws AnalysisException, DatabaseException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                "ruby/vulnerable/Gemfile.lock"));
+        final Engine engine = new Engine();
+        analyzer.analyze(result, engine);
+        assertThat(engine.getDependencies().size(), is(not(0)));
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -66,7 +66,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of getName method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec name.
      */
     @Test
     public void testGetName() {
@@ -74,7 +74,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of supportsExtension method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec file support.
      */
     @Test
     public void testSupportsFiles() {
@@ -83,14 +83,14 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
     }
 
     /**
-     * Test of inspect method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec analysis.
      *
      * @throws AnalysisException is thrown when an exception occurs.
      */
     @Test
     public void testAnalyzePackageJson() throws AnalysisException {
         final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/gems/specifications/rest-client-1.7.2.gemspec"));
+                "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
         analyzer.analyze(result, null);
         final String vendorString = result.getVendorEvidence().toString();
         assertThat(vendorString, containsString("REST Client Team"));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java

@@ -21,9 +21,9 @@ import java.io.File;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class VulnerabilitySuppressionAnalyzerIntegrationTest extends BaseDBTestCase {
 
     /**
      * Test of getName method, of class VulnerabilitySuppressionAnalyzer.

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java

@@ -1,37 +0,0 @@
-/*
- * This file is part of dependency-check-core.
- *
- * Licensed under the Apache License, Version 2.0 (the "License");
- * you may not use this file except in compliance with the License.
- * You may obtain a copy of the License at
- *
- *     http://www.apache.org/licenses/LICENSE-2.0
- *
- * Unless required by applicable law or agreed to in writing, software
- * distributed under the License is distributed on an "AS IS" BASIS,
- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- * See the License for the specific language governing permissions and
- * limitations under the License.
- *
- * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
- */
-package org.owasp.dependencycheck.data.cpe;
-
-import org.junit.Before;
-import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
-
-/**
- * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the
- * data contained within.
- *
- * @author Jeremy Long
- */
-public abstract class AbstractDatabaseTestCase extends BaseTest {
-
-    @Before
-    public void setUp() throws Exception {
-        BaseDBTestCase.ensureDBExists();
-    }
-
-}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java

@@ -0,0 +1,47 @@
+/*
+ * Copyright 2015 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.data.nvdcve;
+
+import java.sql.Connection;
+import java.sql.SQLException;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.BaseDBTestCase;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ConnectionFactoryTest extends BaseDBTestCase {
+
+    /**
+     * Test of initialize method, of class ConnectionFactory.
+     *
+     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
+     */
+    @Test
+    public void testInitialize() throws DatabaseException, SQLException {
+        ConnectionFactory.initialize();
+        Connection result = ConnectionFactory.getConnection();
+        assertNotNull(result);
+        result.close();
+        ConnectionFactory.cleanup();
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java

@@ -25,7 +25,9 @@ import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
@@ -35,10 +37,12 @@ public class CveDBMySQLTest {
 
     @BeforeClass
     public static void setUpClass() {
+        Settings.initialize();
     }
 
     @AfterClass
     public static void tearDownClass() {
+        Settings.cleanup();
     }
 
     @Before
@@ -93,7 +97,7 @@ public class CveDBMySQLTest {
         CveDB instance = new CveDB();
         try {
             instance.open();
-            List result = instance.getVulnerabilities(cpeStr);
+            List<Vulnerability> result = instance.getVulnerabilities(cpeStr);
             assertTrue(result.size() > 5);
         } catch (Exception ex) {
             System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java

@@ -17,6 +17,7 @@
  */
 package org.owasp.dependencycheck.data.nvdcve;
 
+import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.Properties;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java

@@ -18,7 +18,7 @@
 package org.owasp.dependencycheck.data.update;
 
 import org.junit.Test;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java

@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
         updateToVersion = "";
         currentVersion = "1.2.5";
         lastChecked = df.parse("2014-12-01").getTime();
-        now = df.parse("2014-12-08").getTime();
+        now = df.parse("2015-12-08").getTime();
         expResult = true;
         instance.setUpdateToVersion(updateToVersion);
         result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java

@@ -185,7 +185,6 @@ public class DependencyTest {
     @Test
     public void testGetIdentifiers() {
         Dependency instance = new Dependency();
-        List expResult = null;
         Set<Identifier> result = instance.getIdentifiers();
 
         assertTrue(true); //this is just a getter setter pair.