version 1.3.4

resolved issue with new databases not being created correctly if there was an intial download of the NVD data.
findbugs/checkstyle corrections
2026-01-16 00:33:46 +01:00 · 2016-01-31 16:50:34 -05:00 · 2016-01-31 08:26:23 -05:00 · 2016-01-30 08:57:40 -05:00 · 2016-01-30 08:07:33 -05:00 · 2016-01-24 08:40:51 -05:00
172 changed files with 2844 additions and 3145 deletions
--- a/dependency-check-ant/README.md
+++ b/dependency-check-ant/README.md
@@ -1,25 +1,134 @@
-Dependency-Check Ant Task
+Dependency-Check-Gradle
 =========
-Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+**Working in progress**
 performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/installation.html).
+This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
-Mailing List
+Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
 ------------
-Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+=========
-Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+## What's New
 Current latest version is `0.0.8`
-Copyright & License
+## Usage
 -------------------
-Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+### Step 1, Apply dependency check gradle plugin
-Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
+Install from Maven central repo
-Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.
+```groovy
 buildscript {
    repositories {
        mavenCentral()
    }
    dependencies {
        classpath 'org.owasp:dependency-check-gradle:1.3.2'
    }
 }
 apply plugin: 'dependency-check-gradle'
 ```
 ### Step 2, Run gradle task
 Once gradle plugin applied, run following gradle task to check dependencies:
 ```
 gradle dependencyCheck --info
 ```
 The reports will be generated automatically under `./reports` folder.
 If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
 ## FAQ
 > **Questions List:**
 > - What if I'm behind a proxy?
 > - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
 > - How to customize the report directory?
 ### What if I'm behind a proxy?
 Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
 ```groovy
 dependencyCheck {
    proxy {
        server = "127.0.0.1"      // required, the server name or IP address of the proxy
        port = 3128               // required, the port number of the proxy
        // optional, the proxy server might require username
        // username = "username"
        // optional, the proxy server might require password
        // password = "password"
    }
 }
 ```
 In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
 the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
 and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
 ```groovy
 dependencyCheck {
    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
 }
 ```
 ### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
 Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
 (1) For all projects including root project:
 ```groovy
 buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
  }
 }
 allprojects {
    apply plugin: "dependency-check"
 }
 ```
 (2) For all sub-projects:
 ```groovy
 buildscript {
  repositories {
    mavenCentral()
  }
  dependencies {
    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
  }
 }
 subprojects {
    apply plugin: "dependency-check"
 }
 ```
 In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
 ### How to customize the report directory?
 By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
 ```groovy
 subprojects {
    apply plugin: "dependency-check"
    dependencyCheck {
        outputDirectory = "./customized-path/security-report"
    }
 }
 ```
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
    </parent>
    <artifactId>dependency-check-ant</artifactId>
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java
@@ -63,7 +63,9 @@ public class AntLoggerAdapter extends MarkerIgnoringBase {
    @Override
    public void trace(String msg) {
-        task.log(msg, Project.MSG_VERBOSE);
+        if (task != null) {
            task.log(msg, Project.MSG_VERBOSE);
        }
    }
    @Override
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java
@@ -245,14 +245,14 @@ public class Check extends Update {
     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
     * is true.
     */
-    private boolean autoUpdate = true;
+    private Boolean autoUpdate;
    /**
     * Get the value of autoUpdate.
     *
     * @return the value of autoUpdate
     */
-    public boolean isAutoUpdate() {
+    public Boolean isAutoUpdate() {
        return autoUpdate;
    }
@@ -261,19 +261,24 @@ public class Check extends Update {
     *
     * @param autoUpdate new value of autoUpdate
     */
-    public void setAutoUpdate(boolean autoUpdate) {
+    public void setAutoUpdate(Boolean autoUpdate) {
        this.autoUpdate = autoUpdate;
    }
    /**
     * Whether only the update phase should be executed.
     *
     * @deprecated Use the update task instead
     */
    @Deprecated
    private boolean updateOnly = false;
    /**
     * Get the value of updateOnly.
     *
     * @return the value of updateOnly
     * @deprecated Use the update task instead
     */
    @Deprecated
    public boolean isUpdateOnly() {
        return updateOnly;
    }
@@ -282,7 +287,9 @@ public class Check extends Update {
     * Set the value of updateOnly.
     *
     * @param updateOnly new value of updateOnly
     * @deprecated Use the update task instead
     */
    @Deprecated
    public void setUpdateOnly(boolean updateOnly) {
        this.updateOnly = updateOnly;
    }
@@ -357,14 +364,14 @@ public class Check extends Update {
    /**
     * Whether or not the Jar Analyzer is enabled.
     */
-    private boolean jarAnalyzerEnabled = true;
+    private Boolean jarAnalyzerEnabled;
    /**
     * Returns whether or not the analyzer is enabled.
     *
     * @return true if the analyzer is enabled
     */
-    public boolean isJarAnalyzerEnabled() {
+    public Boolean isJarAnalyzerEnabled() {
        return jarAnalyzerEnabled;
    }
@@ -373,33 +380,33 @@ public class Check extends Update {
     *
     * @param jarAnalyzerEnabled the value of the new setting
     */
-    public void setJarAnalyzerEnabled(boolean jarAnalyzerEnabled) {
+    public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
        this.jarAnalyzerEnabled = jarAnalyzerEnabled;
    }
    /**
     * Whether or not the Archive Analyzer is enabled.
     */
-    private boolean archiveAnalyzerEnabled = true;
+    private Boolean archiveAnalyzerEnabled;
    /**
     * Returns whether or not the analyzer is enabled.
     *
     * @return true if the analyzer is enabled
     */
-    public boolean isArchiveAnalyzerEnabled() {
+    public Boolean isArchiveAnalyzerEnabled() {
        return archiveAnalyzerEnabled;
    }
    /**
     * Whether or not the .NET Assembly Analyzer is enabled.
     */
-    private boolean assemblyAnalyzerEnabled = true;
+    private Boolean assemblyAnalyzerEnabled;
    /**
     * Sets whether or not the analyzer is enabled.
     *
     * @param archiveAnalyzerEnabled the value of the new setting
     */
-    public void setArchiveAnalyzerEnabled(boolean archiveAnalyzerEnabled) {
+    public void setArchiveAnalyzerEnabled(Boolean archiveAnalyzerEnabled) {
        this.archiveAnalyzerEnabled = archiveAnalyzerEnabled;
    }
@@ -408,7 +415,7 @@ public class Check extends Update {
     *
     * @return true if the analyzer is enabled
     */
-    public boolean isAssemblyAnalyzerEnabled() {
+    public Boolean isAssemblyAnalyzerEnabled() {
        return assemblyAnalyzerEnabled;
    }
@@ -417,20 +424,20 @@ public class Check extends Update {
     *
     * @param assemblyAnalyzerEnabled the value of the new setting
     */
-    public void setAssemblyAnalyzerEnabled(boolean assemblyAnalyzerEnabled) {
+    public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
        this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
    }
    /**
     * Whether or not the .NET Nuspec Analyzer is enabled.
     */
-    private boolean nuspecAnalyzerEnabled = true;
+    private Boolean nuspecAnalyzerEnabled;
    /**
     * Returns whether or not the analyzer is enabled.
     *
     * @return true if the analyzer is enabled
     */
-    public boolean isNuspecAnalyzerEnabled() {
+    public Boolean isNuspecAnalyzerEnabled() {
        return nuspecAnalyzerEnabled;
    }
@@ -439,20 +446,20 @@ public class Check extends Update {
     *
     * @param nuspecAnalyzerEnabled the value of the new setting
     */
-    public void setNuspecAnalyzerEnabled(boolean nuspecAnalyzerEnabled) {
+    public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
        this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
    }
    /**
     * Whether or not the PHP Composer Analyzer is enabled.
     */
-    private boolean composerAnalyzerEnabled = true;
+    private Boolean composerAnalyzerEnabled;
    /**
     * Get the value of composerAnalyzerEnabled.
     *
     * @return the value of composerAnalyzerEnabled
     */
-    public boolean isComposerAnalyzerEnabled() {
+    public Boolean isComposerAnalyzerEnabled() {
        return composerAnalyzerEnabled;
    }
@@ -461,20 +468,20 @@ public class Check extends Update {
     *
     * @param composerAnalyzerEnabled new value of composerAnalyzerEnabled
     */
-    public void setComposerAnalyzerEnabled(boolean composerAnalyzerEnabled) {
+    public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
        this.composerAnalyzerEnabled = composerAnalyzerEnabled;
    }
    /**
     * Whether the autoconf analyzer should be enabled.
     */
-    private boolean autoconfAnalyzerEnabled = true;
+    private Boolean autoconfAnalyzerEnabled;
    /**
     * Get the value of autoconfAnalyzerEnabled.
     *
     * @return the value of autoconfAnalyzerEnabled
     */
-    public boolean isAutoconfAnalyzerEnabled() {
+    public Boolean isAutoconfAnalyzerEnabled() {
        return autoconfAnalyzerEnabled;
    }
@@ -483,20 +490,20 @@ public class Check extends Update {
     *
     * @param autoconfAnalyzerEnabled new value of autoconfAnalyzerEnabled
     */
-    public void setAutoconfAnalyzerEnabled(boolean autoconfAnalyzerEnabled) {
+    public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
        this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
    }
    /**
     * Whether the CMake analyzer should be enabled.
     */
-    private boolean cmakeAnalyzerEnabled = true;
+    private Boolean cmakeAnalyzerEnabled;
    /**
     * Get the value of cmakeAnalyzerEnabled.
     *
     * @return the value of cmakeAnalyzerEnabled
     */
-    public boolean isCMakeAnalyzerEnabled() {
+    public Boolean isCMakeAnalyzerEnabled() {
        return cmakeAnalyzerEnabled;
    }
@@ -505,20 +512,20 @@ public class Check extends Update {
     *
     * @param cmakeAnalyzerEnabled new value of cmakeAnalyzerEnabled
     */
-    public void setCMakeAnalyzerEnabled(boolean cmakeAnalyzerEnabled) {
+    public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
        this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
    }
    /**
     * Whether or not the openssl analyzer is enabled.
     */
-    private boolean opensslAnalyzerEnabled = true;
+    private Boolean opensslAnalyzerEnabled;
    /**
     * Get the value of opensslAnalyzerEnabled.
     *
     * @return the value of opensslAnalyzerEnabled
     */
-    public boolean isOpensslAnalyzerEnabled() {
+    public Boolean isOpensslAnalyzerEnabled() {
        return opensslAnalyzerEnabled;
    }
@@ -527,20 +534,20 @@ public class Check extends Update {
     *
     * @param opensslAnalyzerEnabled new value of opensslAnalyzerEnabled
     */
-    public void setOpensslAnalyzerEnabled(boolean opensslAnalyzerEnabled) {
+    public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
        this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
    }
    /**
     * Whether or not the Node.js Analyzer is enabled.
     */
-    private boolean nodeAnalyzerEnabled = true;
+    private Boolean nodeAnalyzerEnabled;
    /**
     * Get the value of nodeAnalyzerEnabled.
     *
     * @return the value of nodeAnalyzerEnabled
     */
-    public boolean isNodeAnalyzerEnabled() {
+    public Boolean isNodeAnalyzerEnabled() {
        return nodeAnalyzerEnabled;
    }
@@ -549,20 +556,20 @@ public class Check extends Update {
     *
     * @param nodeAnalyzerEnabled new value of nodeAnalyzerEnabled
     */
-    public void setNodeAnalyzerEnabled(boolean nodeAnalyzerEnabled) {
+    public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
        this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
    }
    /**
     * Whether the ruby gemspec analyzer should be enabled.
     */
-    private boolean rubygemsAnalyzerEnabled = true;
+    private Boolean rubygemsAnalyzerEnabled;
    /**
     * Get the value of rubygemsAnalyzerEnabled.
     *
     * @return the value of rubygemsAnalyzerEnabled
     */
-    public boolean isRubygemsAnalyzerEnabled() {
+    public Boolean isRubygemsAnalyzerEnabled() {
        return rubygemsAnalyzerEnabled;
    }
@@ -571,20 +578,20 @@ public class Check extends Update {
     *
     * @param rubygemsAnalyzerEnabled new value of rubygemsAnalyzerEnabled
     */
-    public void setRubygemsAnalyzerEnabled(boolean rubygemsAnalyzerEnabled) {
+    public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
        this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
    }
    /**
     * Whether the python package analyzer should be enabled.
     */
-    private boolean pyPackageAnalyzerEnabled = true;
+    private Boolean pyPackageAnalyzerEnabled;
    /**
     * Get the value of pyPackageAnalyzerEnabled.
     *
     * @return the value of pyPackageAnalyzerEnabled
     */
-    public boolean isPyPackageAnalyzerEnabled() {
+    public Boolean isPyPackageAnalyzerEnabled() {
        return pyPackageAnalyzerEnabled;
    }
@@ -593,21 +600,21 @@ public class Check extends Update {
     *
     * @param pyPackageAnalyzerEnabled new value of pyPackageAnalyzerEnabled
     */
-    public void setPyPackageAnalyzerEnabled(boolean pyPackageAnalyzerEnabled) {
+    public void setPyPackageAnalyzerEnabled(Boolean pyPackageAnalyzerEnabled) {
        this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
    }
    /**
     * Whether the python distribution analyzer should be enabled.
     */
-    private boolean pyDistributionAnalyzerEnabled = true;
+    private Boolean pyDistributionAnalyzerEnabled;
    /**
     * Get the value of pyDistributionAnalyzerEnabled.
     *
     * @return the value of pyDistributionAnalyzerEnabled
     */
-    public boolean isPyDistributionAnalyzerEnabled() {
+    public Boolean isPyDistributionAnalyzerEnabled() {
        return pyDistributionAnalyzerEnabled;
    }
@@ -616,21 +623,21 @@ public class Check extends Update {
     *
     * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
     */
-    public void setPyDistributionAnalyzerEnabled(boolean pyDistributionAnalyzerEnabled) {
+    public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
        this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
    }
    /**
     * Whether or not the central analyzer is enabled.
     */
-    private boolean centralAnalyzerEnabled = false;
+    private Boolean centralAnalyzerEnabled;
    /**
     * Get the value of centralAnalyzerEnabled.
     *
     * @return the value of centralAnalyzerEnabled
     */
-    public boolean isCentralAnalyzerEnabled() {
+    public Boolean isCentralAnalyzerEnabled() {
        return centralAnalyzerEnabled;
    }
@@ -639,21 +646,21 @@ public class Check extends Update {
     *
     * @param centralAnalyzerEnabled new value of centralAnalyzerEnabled
     */
-    public void setCentralAnalyzerEnabled(boolean centralAnalyzerEnabled) {
+    public void setCentralAnalyzerEnabled(Boolean centralAnalyzerEnabled) {
        this.centralAnalyzerEnabled = centralAnalyzerEnabled;
    }
    /**
     * Whether or not the nexus analyzer is enabled.
     */
-    private boolean nexusAnalyzerEnabled = true;
+    private Boolean nexusAnalyzerEnabled;
    /**
     * Get the value of nexusAnalyzerEnabled.
     *
     * @return the value of nexusAnalyzerEnabled
     */
-    public boolean isNexusAnalyzerEnabled() {
+    public Boolean isNexusAnalyzerEnabled() {
        return nexusAnalyzerEnabled;
    }
@@ -662,7 +669,7 @@ public class Check extends Update {
     *
     * @param nexusAnalyzerEnabled new value of nexusAnalyzerEnabled
     */
-    public void setNexusAnalyzerEnabled(boolean nexusAnalyzerEnabled) {
+    public void setNexusAnalyzerEnabled(Boolean nexusAnalyzerEnabled) {
        this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
    }
@@ -691,14 +698,14 @@ public class Check extends Update {
    /**
     * Whether or not the defined proxy should be used when connecting to Nexus.
     */
-    private boolean nexusUsesProxy = true;
+    private Boolean nexusUsesProxy;
    /**
     * Get the value of nexusUsesProxy.
     *
     * @return the value of nexusUsesProxy
     */
-    public boolean isNexusUsesProxy() {
+    public Boolean isNexusUsesProxy() {
        return nexusUsesProxy;
    }
@@ -707,7 +714,7 @@ public class Check extends Update {
     *
     * @param nexusUsesProxy new value of nexusUsesProxy
     */
-    public void setNexusUsesProxy(boolean nexusUsesProxy) {
+    public void setNexusUsesProxy(Boolean nexusUsesProxy) {
        this.nexusUsesProxy = nexusUsesProxy;
    }
@@ -839,42 +846,32 @@ public class Check extends Update {
    /**
     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
     * required to change the proxy server, port, and connection timeout.
     *
     * @throws BuildException thrown when an invalid setting is configured.
     */
    @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
        super.populateSettings();
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (suppressionFile != null && !suppressionFile.isEmpty()) {
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
-            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
-        }
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
-
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        if (nexusUrl != null && !nexusUrl.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
        Settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
        if (zipExtensions != null && !zipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
    }
    /**
--- a/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
+++ b/dependency-check-ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java
@@ -357,6 +357,29 @@ public class Update extends Purge {
        this.cveUrl20Base = cveUrl20Base;
    }
    /**
     * The number of hours to wait before re-checking for updates.
     */
    private Integer cveValidForHours;
    /**
     * Get the value of cveValidForHours.
     *
     * @return the value of cveValidForHours
     */
    public Integer getCveValidForHours() {
        return cveValidForHours;
    }
    /**
     * Set the value of cveValidForHours.
     *
     * @param cveValidForHours new value of cveValidForHours
     */
    public void setCveValidForHours(Integer cveValidForHours) {
        this.cveValidForHours = cveValidForHours;
    }
    /**
     * Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
     * local database.
@@ -383,51 +406,32 @@ public class Update extends Purge {
    /**
     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
     * required to change the proxy server, port, and connection timeout.
     *
     * @throws BuildException thrown when an invalid setting is configured.
     */
    @Override
-    protected void populateSettings() {
+    protected void populateSettings() throws BuildException {
        super.populateSettings();
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        if (proxyUsername != null && !proxyUsername.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        if (proxyPassword != null && !proxyPassword.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        if (cveValidForHours != null) {
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+            if (cveValidForHours >= 0) {
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+                Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
-        }
+            } else {
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+                throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+            }
        }
        if (connectionString != null && !connectionString.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
        }
        if (databaseUser != null && !databaseUser.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
        }
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        }
        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
        }
        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
        }
        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        }
    }
 }
--- a/dependency-check-ant/src/main/resources/task.properties
+++ b/dependency-check-ant/src/main/resources/task.properties
@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0
--- a/dependency-check-ant/src/site/markdown/config-update.md
+++ b/dependency-check-ant/src/site/markdown/config-update.md
@@ -32,10 +32,10 @@ may be the cvedUrl properties, which can be used to host a mirror of the NVD wit
 Property             | Description                                                                                           | Default Value
 ---------------------|-------------------------------------------------------------------------------------------------------|------------------
-cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | http://nvd.nist.gov/download/nvdcve-modified.xml
+cveUrl12Modified     | URL for the modified CVE 1.2.                                                                         | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+cveUrl20Modified     | URL for the modified CVE 2.0.                                                                         | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | http://nvd.nist.gov/download/nvdcve-%d.xml
+cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year.                              | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year.                              | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                              | &nbsp;
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path.           | &nbsp;
--- a/dependency-check-ant/src/site/markdown/configuration.md
+++ b/dependency-check-ant/src/site/markdown/configuration.md
@@ -29,19 +29,20 @@ Configuration: dependency-check Task
 --------------------
 The following properties can be set on the dependency-check-update task.
-Property              | Description                        | Default Value
+Property              | Description                                                                                                                                                                                        | Default Value
----------------------|------------------------------------|------------------
+----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
-autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. | true
+autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
-projectName           | The name of the project being scanned. | Dependency-Check
+cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
-reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build | 'target'
+failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
-failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail.         | 11
+projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
-reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true. | HTML
+reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
-suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html) | &nbsp;
+reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
-proxyServer           | The Proxy Server.                  | &nbsp;
+suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       | &nbsp;
-proxyPort             | The Proxy Port.                    | &nbsp;
+proxyServer           | The Proxy Server.                                                                                                                                                                                  | &nbsp;
-proxyUsername         | Defines the proxy user name.       | &nbsp;
+proxyPort             | The Proxy Port.                                                                                                                                                                                    | &nbsp;
-proxyPassword         | Defines the proxy password.        | &nbsp;
+proxyUsername         | Defines the proxy user name.                                                                                                                                                                       | &nbsp;
-connectionTimeout     | The URL Connection Timeout.        | &nbsp;
+proxyPassword         | Defines the proxy password.                                                                                                                                                                        | &nbsp;
 connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        | &nbsp;
 Analyzer Configuration
 ====================
--- a/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
+++ b/dependency-check-ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java
@@ -26,7 +26,7 @@ import org.junit.Before;
 import org.junit.Rule;
 import org.junit.Test;
 import org.junit.rules.ExpectedException;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.utils.Settings;
 import static org.junit.Assert.assertTrue;
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
    </parent>
    <artifactId>dependency-check-cli</artifactId>
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java
@@ -279,6 +279,7 @@ public class App {
        final String cveMod20 = cli.getModifiedCve20Url();
        final String cveBase12 = cli.getBaseCve12Url();
        final String cveBase20 = cli.getBaseCve20Url();
        final Integer cveValidForHours = cli.getCveValidForHours();
        if (propertiesFile != null) {
            try {
@@ -308,24 +309,13 @@ public class App {
            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        if (proxyUser != null && !proxyUser.isEmpty()) {
+        Settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUser);
        }
        if (proxyPass != null && !proxyPass.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPass);
        }
        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        }
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
        //File Type Analyzer Settings
        Settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
@@ -336,38 +326,24 @@ public class App {
        Settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
        }
        if (databaseUser != null && !databaseUser.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
        }
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
        if (additionalZipExtensions != null && !additionalZipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
        }
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
        if (cveBase12 != null && !cveBase12.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java
@@ -90,6 +90,19 @@ public final class CliParser {
     * @throws ParseException is thrown if there is an exception parsing the command line.
     */
    private void validateArgs() throws FileNotFoundException, ParseException {
        if (isUpdateOnly() || isRunScan()) {
            final String value = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
            if (value != null) {
                try {
                    final int i = Integer.parseInt(value);
                    if (i < 0) {
                        throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
                    }
                } catch (NumberFormatException ex) {
                    throw new ParseException("Invalid Setting: cveValidForHours must be a number greater than or equal to 0.");
                }
            }
        }
        if (isRunScan()) {
            validatePathExists(getScanFiles(), ARGUMENT.SCAN);
            validatePathExists(getReportDirectory(), ARGUMENT.OUT);
@@ -255,6 +268,10 @@ public final class CliParser {
                .desc("The file path to the suppression XML file.")
                .build();
        final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
                .desc("The number of hours to wait before checking for new updates from the NVD.")
                .build();
        //This is an option group because it can be specified more then once.
        final OptionGroup og = new OptionGroup();
        og.addOption(path);
@@ -274,7 +291,8 @@ public final class CliParser {
                .addOption(symLinkDepth)
                .addOption(props)
                .addOption(verboseLog)
-                .addOption(suppressionFile);
+                .addOption(suppressionFile)
                .addOption(cveValidForHours);
    }
    /**
@@ -327,6 +345,10 @@ public final class CliParser {
                .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                .build();
        final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
                .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
                .desc("The path to bundle-audit for Gem bundle analysis.").build();
        final Option connectionTimeout = Option.builder(ARGUMENT.CONNECTION_TIMEOUT_SHORT).argName("timeout").hasArg()
                .longOpt(ARGUMENT.CONNECTION_TIMEOUT).desc("The connection timeout (in milliseconds) to use when downloading resources.")
                .build();
@@ -419,11 +441,14 @@ public final class CliParser {
                .addOption(disableJarAnalyzer)
                .addOption(disableArchiveAnalyzer)
                .addOption(disableAssemblyAnalyzer)
                .addOption(pathToBundleAudit)
                .addOption(disablePythonDistributionAnalyzer)
                .addOption(disableCmakeAnalyzer)
                .addOption(disablePythonPackageAnalyzer)
                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_RUBYGEMS)
                        .desc("Disable the Ruby Gemspec Analyzer.").build())
                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_BUNDLE_AUDIT)
                        .desc("Disable the Ruby Bundler-Audit Analyzer.").build())
                .addOption(disableAutoconfAnalyzer)
                .addOption(disableComposerAnalyzer)
                .addOption(disableOpenSSLAnalyzer)
@@ -436,6 +461,7 @@ public final class CliParser {
                .addOption(nexusUsesProxy)
                .addOption(additionalZipExtensions)
                .addOption(pathToMono)
                .addOption(pathToBundleAudit)
                .addOption(purge);
    }
@@ -541,6 +567,15 @@ public final class CliParser {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
    }
    /**
     * Returns true if the disableBundleAudit command line argument was specified.
     *
     * @return true if the disableBundleAudit command line argument was specified; otherwise false
     */
    public boolean isBundleAuditDisabled() {
        return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
    }
    /**
     * Returns true if the disablePyDist command line argument was specified.
     *
@@ -654,7 +689,7 @@ public final class CliParser {
        // still honor the property if it's set.
        if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
            try {
-                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY);
+                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
            } catch (InvalidSettingException ise) {
                return true;
            }
@@ -722,6 +757,15 @@ public final class CliParser {
        return line.getOptionValue(ARGUMENT.PATH_TO_MONO);
    }
    /**
     * Returns the path to bundle-audit for Ruby bundle analysis.
     *
     * @return the path to Mono
     */
    public String getPathToBundleAudit() {
        return line.getOptionValue(ARGUMENT.PATH_TO_BUNDLE_AUDIT);
    }
    /**
     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
     *
@@ -970,6 +1014,19 @@ public final class CliParser {
        return line.getOptionValue(ARGUMENT.ADDITIONAL_ZIP_EXTENSIONS);
    }
    /**
     * Get the value of cveValidForHours.
     *
     * @return the value of cveValidForHours
     */
    public Integer getCveValidForHours() {
        final String v = line.getOptionValue(ARGUMENT.CVE_VALID_FOR_HOURS);
        if (v != null) {
            return Integer.parseInt(v);
        }
        return null;
    }
    /**
     * A collection of static final strings that represent the possible command line arguments.
     */
@@ -1133,6 +1190,10 @@ public final class CliParser {
         * The CLI argument name for setting the location of the suppression file.
         */
        public static final String SUPPRESSION_FILE = "suppression";
        /**
         * The CLI argument name for setting the location of the suppression file.
         */
        public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
        /**
         * Disables the Jar Analyzer.
         */
@@ -1169,6 +1230,10 @@ public final class CliParser {
         * Disables the Assembly Analyzer.
         */
        public static final String DISABLE_ASSEMBLY = "disableAssembly";
        /**
         * Disables the Ruby Bundler Audit Analyzer.
         */
        public static final String DISABLE_BUNDLE_AUDIT = "disableBundleAudit";
        /**
         * Disables the Nuspec Analyzer.
         */
@@ -1229,5 +1294,9 @@ public final class CliParser {
         * Exclude path argument.
         */
        public static final String EXCLUDE = "exclude";
        /**
         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
         */
        public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
    }
 }
--- a/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
+++ b/dependency-check-cli/src/main/java/org/owasp/dependencycheck/InvalidScanPathException.java
@@ -22,7 +22,7 @@ package org.owasp.dependencycheck;
 *
 * @author Jeremy Long
 */
-class InvalidScanPathException extends Exception {
+public class InvalidScanPathException extends Exception {
    /**
     * The serial version UID for serialization.
--- a/dependency-check-cli/src/site/markdown/arguments.md
+++ b/dependency-check-cli/src/site/markdown/arguments.md
@@ -17,21 +17,24 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp; | Parameter       | Description | Requir
 \-h   | \-\-help              |                 | Print the help message. | Optional
       | \-\-advancedHelp      |                 | Print the advanced help message. | Optional
 \-v   | \-\-version           |                 | Print the version information. | Optional
       | \-\-cveValidForHours  | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
 Advanced Options
 ================
 Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                     | Default&nbsp;Value
 -------|-----------------------|-----------------|----------------------------------------------------------------------------------|-------------------
-       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | http://nvd.nist.gov/download/nvdcve-modified.xml
+       | \-\-cveUrl12Modified  | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+       | \-\-cveUrl20Modified  | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
-       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | http://nvd.nist.gov/download/nvdcve-%d.xml
+       | \-\-cveUrl12Base      | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+       | \-\-cveUrl20Base      | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 \-P   | \-\-propertyfile      | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
       | \-\-updateonly        |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
       | \-\-disablePyDist     |                 | Sets whether the Python Distribution Analyzer will be used.                      | false
       | \-\-disablePyPkg      |                 | Sets whether the Python Package Analyzer will be used.                           | false
       | \-\-disableNodeJS     |                 | Sets whether the Node.js Package Analyzer will be used.                          | false
       | \-\-disableRubygems   |                 | Sets whether the Ruby Gemspec Analyzer will be used.                             | false
       | \-\-disableBundleAudit |               | Sets whether the Ruby Bundler Audit Analyzer will be used.                             | false
       | \-\-disableAutoconf   |                 | Sets whether the Autoconf Analyzer will be used.                                 | false
       | \-\-disableOpenSSL    |                 | Sets whether the OpenSSL Analyzer will be used.                                  | false
       | \-\-disableCmake      |                 | Sets whether the Cmake Analyzer will be disabled.                                | false
@@ -46,6 +49,7 @@ Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Paramete
       | \-\-disableNuspec     |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
       | \-\-disableAssembly   |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
       | \-\-mono              | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
       | \-\-bundleAudit       |                 | The path to the bundle-audit executable. | &nbsp;
       | \-\-proxyserver       | \<server\>      | The proxy server to use when downloading resources.                              | &nbsp;
       | \-\-proxyport         | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
       | \-\-connectiontimeout | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;
--- a/dependency-check-cli/src/site/markdown/index.md.vm
+++ b/dependency-check-cli/src/site/markdown/index.md.vm
@@ -25,10 +25,10 @@ your homebrew installation.
 To scan a folder on the system you can run:
 $H$H$H Windows
-    dependency-check.bat --app "My App Name" --scan "c:\java\application\lib"
+    dependency-check.bat --project "My App Name" --scan "c:\java\application\lib"
 $H$H$H *nix
-    dependency-check.sh --app "My App Name" --scan "/java/application/lib"
+    dependency-check.sh --project "My App Name" --scan "/java/application/lib"
 To view the command line arguments, see the <a href="arguments.html">arguments page</a>, or you can run:
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.1</version>
+        <version>1.3.4</version>
    </parent>
    <artifactId>dependency-check-core</artifactId>
@@ -468,7 +468,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <version>2.18.1</version>
                        <configuration>
                            <skip>true</skip>
                        </configuration>
@@ -476,12 +475,68 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
                        <version>2.18.1</version>
                        <configuration>
                            <systemProperties>
                                <property>
                                    <name>data.driver_path</name>
-                                    <value>${basedir}/${driver_path}</value>
+                                    <value>${driver_path}</value>
                                </property>
                                <property>
                                    <name>data.driver_name</name>
                                    <value>${driver_name}</value>
                                </property>
                                <property>
                                    <name>data.connection_string</name>
                                    <value>${connection_string}</value>
                                </property>
                            </systemProperties>
                            <includes>
                                <include>**/*MySQLTest.java</include>
                            </includes>
                        </configuration>
                        <executions>
                            <execution>
                                <goals>
                                    <goal>integration-test</goal>
                                    <goal>verify</goal>
                                </goals>
                            </execution>
                        </executions>
                    </plugin>
                </plugins>
            </build>
        </profile>
        <profile>
            <id>Postgresql-IntegrationTest</id>
            <activation>
                <property>
                    <name>postgresql</name>
                </property>
            </activation>
            <dependencies>
                <dependency>
                    <groupId>org.postgresql</groupId>
                    <artifactId>postgresql</artifactId>
                    <version>9.4-1204-jdbc42</version>
                </dependency>
            </dependencies>
            <build>
                <plugins>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-surefire-plugin</artifactId>
                        <configuration>
                            <skip>true</skip>
                        </configuration>
                    </plugin>
                    <plugin>
                        <groupId>org.apache.maven.plugins</groupId>
                        <artifactId>maven-failsafe-plugin</artifactId>
                        <configuration>
                            <systemProperties>
                                <property>
                                    <name>data.driver_path</name>
                                    <value>${driver_path}</value>
                                </property>
                                <property>
                                    <name>data.driver_name</name>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/Engine.java
@@ -38,6 +38,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.EnumMap;
 import java.util.HashSet;
 import java.util.Iterator;
@@ -174,8 +175,7 @@ public class Engine implements FileFilter {
    public List<Dependency> scan(String[] paths) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (String path : paths) {
-            final File file = new File(path);
+            final List<Dependency> d = scan(path);
            final List<Dependency> d = scan(file);
            if (d != null) {
                deps.addAll(d);
            }
@@ -215,33 +215,14 @@ public class Engine implements FileFilter {
    }
    /**
-     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
+     * Scans a collection of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
     * @param files a set of paths to files or directories to be analyzed
     * @return the list of dependencies scanned
     * @since v0.3.2.5
     */
-    public List<Dependency> scan(Set<File> files) {
+    public List<Dependency> scan(Collection<File> files) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
            final List<Dependency> d = scan(file);
            if (d != null) {
                deps.addAll(d);
            }
        }
        return deps;
    }
    /**
     * Scans a list of files or directories. If a directory is specified, it will be scanned recursively. Any dependencies
     * identified are added to the dependency collection.
     *
     * @param files a set of paths to files or directories to be analyzed
     * @return the list of dependencies scanned
     * @since v0.3.2.5
     */
    public List<Dependency> scan(List<File> files) {
        final List<Dependency> deps = new ArrayList<Dependency>();
        for (File file : files) {
            final List<Dependency> d = scan(file);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java
@@ -840,8 +840,7 @@ public class DependencyCheckScanAgent {
     */
    private Engine executeDependencyCheck() throws DatabaseException {
        populateSettings();
-        Engine engine = null;
+        final Engine engine = new Engine();
        engine = new Engine();
        engine.setDependencies(this.dependencies);
        engine.analyzeDependencies();
        return engine;
@@ -898,67 +897,28 @@ public class DependencyCheckScanAgent {
        }
        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        if (proxyServer != null && !proxyServer.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-            Settings.setString(Settings.KEYS.PROXY_SERVER, proxyServer);
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        if (proxyPort != null && !proxyPort.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-            Settings.setString(Settings.KEYS.PROXY_PORT, proxyPort);
+        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
        if (proxyUsername != null && !proxyUsername.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_USERNAME, proxyUsername);
        }
        if (proxyPassword != null && !proxyPassword.isEmpty()) {
            Settings.setString(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
        }
        if (connectionTimeout != null && !connectionTimeout.isEmpty()) {
            Settings.setString(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
        }
        if (suppressionFile != null && !suppressionFile.isEmpty()) {
            Settings.setString(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        if (centralUrl != null && !centralUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
            Settings.setString(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
        }
        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        if (nexusUrl != null && !nexusUrl.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-            Settings.setString(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY, nexusUsesProxy);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        if (databaseDriverName != null && !databaseDriverName.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-            Settings.setString(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        if (databaseDriverPath != null && !databaseDriverPath.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-            Settings.setString(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        if (connectionString != null && !connectionString.isEmpty()) {
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-            Settings.setString(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        }
+        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        if (databaseUser != null && !databaseUser.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_USER, databaseUser);
        }
        if (databasePassword != null && !databasePassword.isEmpty()) {
            Settings.setString(Settings.KEYS.DB_PASSWORD, databasePassword);
        }
        if (zipExtensions != null && !zipExtensions.isEmpty()) {
            Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
        }
        if (cveUrl12Modified != null && !cveUrl12Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
        }
        if (cveUrl20Modified != null && !cveUrl20Modified.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
        }
        if (cveUrl12Base != null && !cveUrl12Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
        }
        if (cveUrl20Base != null && !cveUrl20Base.isEmpty()) {
            Settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
        }
        if (pathToMono != null && !pathToMono.isEmpty()) {
            Settings.setString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
        }
    }
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java
@@ -214,7 +214,7 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
     * @return a Set of strings.
     */
    protected static Set<String> newHashSet(String... strings) {
-        final Set<String> set = new HashSet<String>();
+        final Set<String> set = new HashSet<String>(strings.length);
        Collections.addAll(set, strings);
        return set;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java
@@ -28,6 +28,10 @@ public enum AnalysisPhase {
     * Initialization phase.
     */
    INITIAL,
    /**
     * Pre information collection phase.
     */
    PRE_INFORMATION_COLLECTION,
    /**
     * Information collection phase.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java
@@ -114,8 +114,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
    static {
        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
        if (additionalZipExt != null) {
-            final Set<String> ext = new HashSet<String>(Collections.singletonList(additionalZipExt));
+            final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            ZIPPABLES.addAll(ext);
+            Collections.addAll(ZIPPABLES, ext);
        }
        EXTENSIONS.addAll(ZIPPABLES);
    }
@@ -195,8 +195,11 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
        if (tempFileLocation != null && tempFileLocation.exists()) {
            LOGGER.debug("Attempting to delete temporary files");
            final boolean success = FileUtils.delete(tempFileLocation);
-            if (!success && tempFileLocation.exists() && tempFileLocation.list().length > 0) {
+            if (!success && tempFileLocation.exists()) {
-                LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                final String[] l = tempFileLocation.list();
                if (l != null && l.length > 0) {
                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
                }
            }
        }
    }
@@ -415,11 +418,9 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
        FileOutputStream fos = null;
        try {
            final File parent = file.getParentFile();
-            if (!parent.isDirectory()) {
+            if (!parent.isDirectory() && !parent.mkdirs()) {
-                if (!parent.mkdirs()) {
+                final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
-                    final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+                throw new AnalysisException(msg);
                    throw new AnalysisException(msg);
                }
            }
            fos = new FileOutputStream(file);
            IOUtils.copy(input, fos);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -17,13 +17,13 @@
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.InputStreamReader;
+import org.apache.commons.io.IOUtils;
 import org.apache.commons.io.output.NullOutputStream;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -115,21 +115,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
        final List<String> args = buildArgumentList();
        args.add(dependency.getActualFilePath());
        final ProcessBuilder pb = new ProcessBuilder(args);
        BufferedReader rdr = null;
        Document doc = null;
        try {
            final Process proc = pb.start();
-            // Try evacuating the error stream
+
            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
            String line = null;
            // CHECKSTYLE:OFF
            while (rdr.ready() && (line = rdr.readLine()) != null) {
                LOGGER.warn("Error from GrokAssembly: {}", line);
            }
            // CHECKSTYLE:ON
            int rc = 0;
            doc = builder.parse(proc.getInputStream());
            // Try evacuating the error stream
            final String errorStream = IOUtils.toString(proc.getErrorStream(), "UTF-8");
            if (null != errorStream && !errorStream.isEmpty()) {
                LOGGER.warn("Error from GrokAssembly: {}", errorStream);
            }
            int rc = 0;
            try {
                rc = proc.waitFor();
            } catch (InterruptedException ie) {
@@ -176,14 +174,6 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
        } catch (XPathExpressionException xpe) {
            // This shouldn't happen
            throw new AnalysisException(xpe);
        } finally {
            if (rdr != null) {
                try {
                    rdr.close();
                } catch (IOException ex) {
                    LOGGER.debug("ignore", ex);
                }
            }
        }
    }
@@ -200,11 +190,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
        try {
            fos = new FileOutputStream(tempFile);
            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
-            final byte[] buff = new byte[4096];
+            IOUtils.copy(is, fos);
-            int bread = -1;
+
            while ((bread = is.read(buff)) >= 0) {
                fos.write(buff, 0, bread);
            }
            grokAssemblyExe = tempFile;
            // Set the temp file to get deleted when we're done
            grokAssemblyExe.deleteOnExit();
@@ -232,17 +219,12 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
        // Now, need to see if GrokAssembly actually runs from this location.
        final List<String> args = buildArgumentList();
        BufferedReader rdr = null;
        try {
            final ProcessBuilder pb = new ProcessBuilder(args);
            final Process p = pb.start();
            // Try evacuating the error stream
-            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
+            IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
-            // CHECKSTYLE:OFF
+
            while (rdr.ready() && rdr.readLine() != null) {
                // We expect this to complain
            }
            // CHECKSTYLE:ON
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
@@ -253,24 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                this.setEnabled(false);
                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
            }
        } catch (AnalysisException e) {
            throw e;
        } catch (Throwable e) {
-            if (e instanceof AnalysisException) {
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                throw (AnalysisException) e;
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-            } else {
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+            this.setEnabled(false);
-                        + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
+            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
                LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
                this.setEnabled(false);
                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
            }
        } finally {
            if (rdr != null) {
                try {
                    rdr.close();
                } catch (IOException ex) {
                    LOGGER.trace("ignore", ex);
                }
            }
        }
        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java
@@ -32,8 +32,10 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
@@ -62,11 +64,19 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
    private static final int REGEX_OPTIONS = Pattern.DOTALL
            | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
    /**
     * Regex to extract the product information.
     */
    private static final Pattern PROJECT = Pattern.compile(
            "^ *project *\\([ \\n]*(\\w+)[ \\n]*.*?\\)", REGEX_OPTIONS);
-    // Group 1: Product
+    /**
-    // Group 2: Version
+     * Regex to extract product and version information.
     *
     * Group 1: Product
     *
     * Group 2: Version
     */
    private static final Pattern SET_VERSION = Pattern
            .compile(
                    "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
@@ -172,8 +182,17 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
        }
    }
    /**
     * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
     * the dependency list.
     *
     * @param dependency the dependency being analyzed
     * @param engine the dependency-check engine
     * @param contents the version information
     */
    private void analyzeSetVersionCommand(Dependency dependency, Engine engine, String contents) {
-        final Dependency orig = dependency;
+        Dependency currentDep = dependency;
        final Matcher m = SET_VERSION.matcher(contents);
        int count = 0;
        while (m.find()) {
@@ -190,19 +209,24 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
            }
            if (count > 1) {
                //TODO - refactor so we do not assign to the parameter (checkstyle)
-                dependency = new Dependency(orig.getActualFile());
+                currentDep = new Dependency(dependency.getActualFile());
-                dependency.setDisplayFileName(String.format("%s:%s", orig.getDisplayFileName(), product));
+                currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
-                final String filePath = String.format("%s:%s", orig.getFilePath(), product);
+                final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
-                dependency.setFilePath(filePath);
+                currentDep.setFilePath(filePath);
-                // prevents coalescing into the dependency provided by engine
+                byte[] path;
-                dependency.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                try {
-                engine.getDependencies().add(dependency);
+                    path = filePath.getBytes("UTF-8");
                } catch (UnsupportedEncodingException ex) {
                    path = filePath.getBytes();
                }
                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                engine.getDependencies().add(currentDep);
            }
-            final String source = dependency.getDisplayFileName();
+            final String source = currentDep.getDisplayFileName();
-            dependency.getProductEvidence().addEvidence(source, "Product",
+            currentDep.getProductEvidence().addEvidence(source, "Product",
                    product, Confidence.MEDIUM);
-            dependency.getVersionEvidence().addEvidence(source, "Version",
+            currentDep.getVersionEvidence().addEvidence(source, "Version",
                    version, Confidence.MEDIUM);
        }
        LOGGER.debug(String.format("Found %d matches.", count));
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java
@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
     * process.
     */
    public void open() throws IOException, DatabaseException {
-        cve = new CveDB();
+        if (!isOpen()) {
-        cve.open();
+            cve = new CveDB();
-        cpe = CpeMemoryIndex.getInstance();
+            cve.open();
-        try {
+            cpe = CpeMemoryIndex.getInstance();
-            LOGGER.info("Creating the CPE Index");
+            try {
-            final long creationStart = System.currentTimeMillis();
+                LOGGER.info("Creating the CPE Index");
-            cpe.open(cve);
+                final long creationStart = System.currentTimeMillis();
-            LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+                cpe.open(cve);
-        } catch (IndexException ex) {
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            LOGGER.debug("IndexException", ex);
+            } catch (IndexException ex) {
-            throw new DatabaseException(ex);
+                LOGGER.debug("IndexException", ex);
                throw new DatabaseException(ex);
            }
        }
    }
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
            }
            return ret;
        } catch (ParseException ex) {
-            LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
            LOGGER.info("Unable to parse: {}", searchString, ex);
        } catch (IOException ex) {
-            LOGGER.warn("An error occured reading CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
            LOGGER.info("IO Error with search string: {}", searchString, ex);
        }
        return null;
@@ -335,7 +337,7 @@ public class CPEAnalyzer implements Analyzer {
     * @return if the append was successful.
     */
    private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
-        sb.append(" ").append(field).append(":( ");
+        sb.append(' ').append(field).append(":( ");
        final String cleanText = cleanseText(searchText);
@@ -349,20 +351,27 @@ public class CPEAnalyzer implements Analyzer {
            final StringTokenizer tokens = new StringTokenizer(cleanText);
            while (tokens.hasMoreElements()) {
                final String word = tokens.nextToken();
-                String temp = null;
+                StringBuilder temp = null;
                for (String weighted : weightedText) {
                    final String weightedStr = cleanseText(weighted);
                    if (equalsIgnoreCaseAndNonAlpha(word, weightedStr)) {
-                        temp = LuceneUtils.escapeLuceneQuery(word) + WEIGHTING_BOOST;
+                        temp = new StringBuilder(word.length() + 2);
                        LuceneUtils.appendEscapedLuceneQuery(temp, word);
                        temp.append(WEIGHTING_BOOST);
                        if (!word.equalsIgnoreCase(weightedStr)) {
-                            temp += " " + LuceneUtils.escapeLuceneQuery(weightedStr) + WEIGHTING_BOOST;
+                            temp.append(' ');
                            LuceneUtils.appendEscapedLuceneQuery(temp, weightedStr);
                            temp.append(WEIGHTING_BOOST);
                        }
                        break;
                    }
                }
                sb.append(' ');
                if (temp == null) {
-                    temp = LuceneUtils.escapeLuceneQuery(word);
+                    LuceneUtils.appendEscapedLuceneQuery(sb, word);
                } else {
                    sb.append(temp);
                }
                sb.append(" ").append(temp);
            }
        }
        sb.append(" ) ");
@@ -515,7 +524,7 @@ public class CPEAnalyzer implements Analyzer {
                for (VulnerableSoftware vs : cpes) {
                    DependencyVersion dbVer;
                    if (vs.getUpdate() != null && !vs.getUpdate().isEmpty()) {
-                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + "." + vs.getUpdate());
+                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion() + '.' + vs.getUpdate());
                    } else {
                        dbVer = DependencyVersionUtil.parseVersion(vs.getVersion());
                    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -192,7 +192,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
            final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
            final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
            for (MavenArtifact ma : mas) {
-                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma.toString(), dependency.getFileName());
+                LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                dependency.addAsEvidence("central", ma, confidence);
                boolean pomAnalyzed = false;
                for (Evidence e : dependency.getVendorEvidence()) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzer.java
@@ -213,10 +213,8 @@ public class DependencyBundlingAnalyzer extends AbstractAnalyzer implements Anal
        //version check
        final DependencyVersion version1 = DependencyVersionUtil.parseVersion(fileName1);
        final DependencyVersion version2 = DependencyVersionUtil.parseVersion(fileName2);
-        if (version1 != null && version2 != null) {
+        if (version1 != null && version2 != null && !version1.equals(version2)) {
-            if (!version1.equals(version2)) {
+            return false;
                return false;
            }
        }
        //filename check
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FalsePositiveAnalyzer.java
@@ -113,7 +113,7 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
        for (Identifier i : dependency.getIdentifiers()) {
            if ("maven".contains(i.getType())) {
                if (i.getValue() != null && i.getValue().startsWith("org.springframework.")) {
-                    final int endPoint = i.getValue().indexOf(":", 19);
+                    final int endPoint = i.getValue().indexOf(':', 19);
                    if (endPoint >= 0) {
                        mustContain = i.getValue().substring(19, endPoint).toLowerCase();
                        break;
@@ -472,8 +472,8 @@ public class FalsePositiveAnalyzer extends AbstractAnalyzer {
     */
    private String trimCpeToVendor(String value) {
        //cpe:/a:jruby:jruby:1.0.8
-        final int pos1 = value.indexOf(":", 7); //right of vendor
+        final int pos1 = value.indexOf(':', 7); //right of vendor
-        final int pos2 = value.indexOf(":", pos1 + 1); //right of product
+        final int pos2 = value.indexOf(':', pos1 + 1); //right of product
        if (pos2 < 0) {
            return value;
        } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java
@@ -18,6 +18,7 @@
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import org.apache.commons.io.FilenameUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -76,13 +77,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
        //strip any path information that may get added by ArchiveAnalyzer, etc.
        final File f = dependency.getActualFile();
-        String fileName = f.getName();
+        final String fileName = FilenameUtils.removeExtension(f.getName());
        //remove file extension
        final int pos = fileName.lastIndexOf(".");
        if (pos > 0) {
            fileName = fileName.substring(0, pos);
        }
        //add version evidence
        final DependencyVersion version = DependencyVersionUtil.parseVersion(fileName);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java
@@ -42,6 +42,7 @@ import java.util.jar.Manifest;
 import java.util.regex.Pattern;
 import java.util.zip.ZipEntry;
 import org.apache.commons.compress.utils.IOUtils;
 import org.apache.commons.io.FilenameUtils;
 import org.jsoup.Jsoup;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
@@ -269,8 +270,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
        }
        File externalPom = null;
        if (pomEntries.isEmpty()) {
-            String pomPath = dependency.getActualFilePath();
+            final String pomPath = FilenameUtils.removeExtension(dependency.getActualFilePath()) + ".pom";
            pomPath = pomPath.substring(0, pomPath.lastIndexOf('.')) + ".pom";
            externalPom = new File(pomPath);
            if (externalPom.isFile()) {
                pomEntries.add(pomPath);
@@ -320,7 +320,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                    foundSomething |= setPomEvidence(dependency, pom, classes);
                }
            } catch (AnalysisException ex) {
-                LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
+                LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                LOGGER.trace("", ex);
            }
        }
@@ -835,10 +835,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
            }
            if (pos > 0) {
-                final StringBuilder sb = new StringBuilder(pos + 3);
+                desc = desc.substring(0, pos) + "...";
                sb.append(desc.substring(0, pos));
                sb.append("...");
                desc = sb.toString();
            }
            dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
            dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -104,7 +104,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
         */
        boolean retval = false;
        try {
-            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+            if (!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                LOGGER.info("Enabling Nexus analyzer");
                retval = true;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NuspecAnalyzer.java
@@ -126,7 +126,7 @@ public class NuspecAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        LOGGER.debug("Checking Nuspec file {}", dependency.toString());
+        LOGGER.debug("Checking Nuspec file {}", dependency);
        try {
            final NuspecParser parser = new XPathNuspecParser();
            NugetPackage np = null;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NvdCveAnalyzer.java
@@ -73,7 +73,7 @@ public class NvdCveAnalyzer implements Analyzer {
     * @return true or false.
     */
    public boolean isOpen() {
-        return (cveDB != null);
+        return cveDB != null;
    }
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java
@@ -164,7 +164,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     * Analyzes python packages and adds evidence to the dependency.
     *
     * @param dependency the dependency being analyzed
-     * @param engine     the engine being used to perform the scan
+     * @param engine the engine being used to perform the scan
     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
     */
    @Override
@@ -175,8 +175,11 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
        final String parentName = parent.getName();
        boolean found = false;
        if (INIT_PY_FILTER.accept(file)) {
-            for (final File sourceFile : parent.listFiles(PY_FILTER)) {
+            final File[] fileList = parent.listFiles(PY_FILTER);
-                found |= analyzeFileContents(dependency, sourceFile);
+            if (fileList != null) {
                for (final File sourceFile : fileList) {
                    found |= analyzeFileContents(dependency, sourceFile);
                }
            }
        }
        if (found) {
@@ -197,7 +200,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     * __summary__, __uri__, __url__, __home*page__, __author__, and their all caps equivalents.
     *
     * @param dependency the dependency being analyzed
-     * @param file       the file name to analyze
+     * @param file the file name to analyze
     * @return whether evidence was found
     * @throws AnalysisException thrown if there is an unrecoverable error
     */
@@ -241,15 +244,15 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
     * Adds summary information to the dependency
     *
     * @param dependency the dependency being analyzed
-     * @param pattern    the pattern used to perform analysis
+     * @param pattern the pattern used to perform analysis
-     * @param group      the group from the pattern that indicates the data to use
+     * @param group the group from the pattern that indicates the data to use
-     * @param contents   the data being analyzed
+     * @param contents the data being analyzed
-     * @param source     the source name to use when recording the evidence
+     * @param source the source name to use when recording the evidence
-     * @param key        the key name to use when recording the evidence
+     * @param key the key name to use when recording the evidence
     * @return true if evidence was collected; otherwise false
     */
    private boolean addSummaryInfo(Dependency dependency, Pattern pattern,
-                                   int group, String contents, String source, String key) {
+            int group, String contents, String source, String key) {
        final Matcher matcher = pattern.matcher(contents);
        final boolean found = matcher.find();
        if (found) {
@@ -262,16 +265,16 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Collects evidence from the home page URL.
     *
-     * @param pattern  the pattern to match
+     * @param pattern the pattern to match
     * @param evidence the evidence collection to add the evidence to
-     * @param source   the source of the evidence
+     * @param source the source of the evidence
-     * @param name     the name of the evidence
+     * @param name the name of the evidence
     * @param contents the home page URL
     * @return true if evidence was collected; otherwise false
     */
    private boolean gatherHomePageEvidence(Pattern pattern,
-                                           EvidenceCollection evidence, String source, String name,
+            EvidenceCollection evidence, String source, String name,
-                                           String contents) {
+            String contents) {
        final Matcher matcher = pattern.matcher(contents);
        boolean found = false;
        if (matcher.find()) {
@@ -287,17 +290,17 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * Gather evidence from a Python source file using the given string assignment regex pattern.
     *
-     * @param pattern    to scan contents with
+     * @param pattern to scan contents with
-     * @param contents   of Python source file
+     * @param contents of Python source file
-     * @param source     for storing evidence
+     * @param source for storing evidence
-     * @param evidence   to store evidence in
+     * @param evidence to store evidence in
-     * @param name       of evidence
+     * @param name of evidence
     * @param confidence in evidence
     * @return whether evidence was found
     */
    private boolean gatherEvidence(Pattern pattern, String contents,
-                                   String source, EvidenceCollection evidence, String name,
+            String source, EvidenceCollection evidence, String name,
-                                   Confidence confidence) {
+            Confidence confidence) {
        final Matcher matcher = pattern.matcher(contents);
        final boolean found = matcher.find();
        if (found) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java
@@ -0,0 +1,326 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Reference;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.*;
 import java.util.*;
 /**
 * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
 *
 * @author Dale Visser <dvisser@ida.org>
 */
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzer.class);
    /**
     * The name of the analyzer.
     */
    private static final String ANALYZER_NAME = "Ruby Bundle Audit Analyzer";
    /**
     * The phase that this analyzer is intended to run in.
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
    private static final FileFilter FILTER
            = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
    public static final String NAME = "Name: ";
    public static final String VERSION = "Version: ";
    public static final String ADVISORY = "Advisory: ";
    public static final String CRITICALITY = "Criticality: ";
    /**
     * @return a filter that accepts files named Gemfile.lock
     */
    @Override
    protected FileFilter getFileFilter() {
        return FILTER;
    }
    /**
     * Launch bundle-audit.
     *
     * @return a handle to the process
     */
    private Process launchBundleAudit(File folder) throws AnalysisException {
        if (!folder.isDirectory()) {
            throw new AnalysisException(String.format("%s should have been a directory.", folder.getAbsolutePath()));
        }
        final List<String> args = new ArrayList<String>();
        final String bundleAuditPath = Settings.getString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH);
        args.add(null == bundleAuditPath ? "bundle-audit" : bundleAuditPath);
        args.add("check");
        args.add("--verbose");
        final ProcessBuilder builder = new ProcessBuilder(args);
        builder.directory(folder);
        try {
            return builder.start();
        } catch (IOException ioe) {
            throw new AnalysisException("bundle-audit failure", ioe);
        }
    }
    /**
     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
     *
     * @throws Exception if anything goes wrong
     */
    @Override
    public void initializeFileTypeAnalyzer() throws Exception {
        // Now, need to see if bundle-audit actually runs from this location.
        Process process = launchBundleAudit(Settings.getTempDirectory());
        int exitValue = process.waitFor();
        if (0 == exitValue) {
            LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
            setEnabled(false);
            throw new AnalysisException("Unexpected exit code from bundle-audit process.");
        } else {
            BufferedReader reader = null;
            try {
                reader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
                if (!reader.ready()) {
                    LOGGER.warn("Bundle-audit error stream unexpectedly not ready. Disabling " + ANALYZER_NAME);
                    setEnabled(false);
                    throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
                } else {
                    final String line = reader.readLine();
                    if (line == null || !line.contains("Errno::ENOENT")) {
                        LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                        setEnabled(false);
                        throw new AnalysisException("Unexpected bundle-audit output.");
                    }
                }
            } finally {
                if (null != reader) {
                    reader.close();
                }
            }
        }
        if (isEnabled()) {
            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
                    + "occasionally to keep its database up to date.");
        }
    }
    /**
     * Returns the name of the analyzer.
     *
     * @return the name of the analyzer.
     */
    @Override
    public String getName() {
        return ANALYZER_NAME;
    }
    /**
     * Returns the phase that the analyzer is intended to run in.
     *
     * @return the phase that the analyzer is intended to run in.
     */
    @Override
    public AnalysisPhase getAnalysisPhase() {
        return ANALYSIS_PHASE;
    }
    /**
     * Returns the key used in the properties file to reference the analyzer's enabled property.
     *
     * @return the analyzer's enabled property setting key
     */
    @Override
    protected String getAnalyzerEnabledSettingKey() {
        return Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED;
    }
    /**
     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
     * to disable {@link RubyGemspecAnalyzer}.
     */
    private boolean needToDisableGemspecAnalyzer = true;
    @Override
    protected void analyzeFileType(Dependency dependency, Engine engine)
            throws AnalysisException {
        if (needToDisableGemspecAnalyzer) {
            boolean failed = true;
            final String className = RubyGemspecAnalyzer.class.getName();
            for (FileTypeAnalyzer analyzer : engine.getFileTypeAnalyzers()) {
                if (analyzer instanceof RubyGemspecAnalyzer) {
                    ((RubyGemspecAnalyzer) analyzer).setEnabled(false);
                    LOGGER.info("Disabled " + className + " to avoid noisy duplicate results.");
                    failed = false;
                }
            }
            if (failed) {
                LOGGER.warn("Did not find" + className + '.');
            }
            needToDisableGemspecAnalyzer = false;
        }
        final File parentFile = dependency.getActualFile().getParentFile();
        final Process process = launchBundleAudit(parentFile);
        try {
            process.waitFor();
        } catch (InterruptedException ie) {
            throw new AnalysisException("bundle-audit process interrupted", ie);
        }
        BufferedReader rdr = null;
        try {
            rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
            processBundlerAuditOutput(dependency, engine, rdr);
        } catch (IOException ioe) {
            LOGGER.warn("bundle-audit failure", ioe);
        } finally {
            if (null != rdr) {
                try {
                    rdr.close();
                } catch (IOException ioe) {
                    LOGGER.warn("bundle-audit close failure", ioe);
                }
            }
        }
    }
    private void processBundlerAuditOutput(Dependency original, Engine engine, BufferedReader rdr) throws IOException {
        final String parentName = original.getActualFile().getParentFile().getName();
        final String fileName = original.getFileName();
        Dependency dependency = null;
        Vulnerability vulnerability = null;
        String gem = null;
        final Map<String, Dependency> map = new HashMap<String, Dependency>();
        boolean appendToDescription = false;
        while (rdr.ready()) {
            final String nextLine = rdr.readLine();
            if (null == nextLine) {
                break;
            } else if (nextLine.startsWith(NAME)) {
                appendToDescription = false;
                gem = nextLine.substring(NAME.length());
                if (!map.containsKey(gem)) {
                    map.put(gem, createDependencyForGem(engine, parentName, fileName, gem));
                }
                dependency = map.get(gem);
                LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
            } else if (nextLine.startsWith(VERSION)) {
                vulnerability = createVulnerability(parentName, dependency, vulnerability, gem, nextLine);
            } else if (nextLine.startsWith(ADVISORY)) {
                setVulnerabilityName(parentName, dependency, vulnerability, nextLine);
            } else if (nextLine.startsWith(CRITICALITY)) {
                addCriticalityToVulnerability(parentName, vulnerability, nextLine);
            } else if (nextLine.startsWith("URL: ")) {
                addReferenceToVulnerability(parentName, vulnerability, nextLine);
            } else if (nextLine.startsWith("Description:")) {
                appendToDescription = true;
                if (null != vulnerability) {
                    vulnerability.setDescription("*** Vulnerability obtained from bundle-audit verbose report. Title link may not work. CPE below is guessed. CVSS score is estimated (-1.0 indicates unknown). See link below for full details. *** ");
                }
            } else if (appendToDescription) {
                if (null != vulnerability) {
                    vulnerability.setDescription(vulnerability.getDescription() + nextLine + "\n");
                }
            }
        }
    }
    private void setVulnerabilityName(String parentName, Dependency dependency, Vulnerability vulnerability, String nextLine) {
        final String advisory = nextLine.substring((ADVISORY.length()));
        if (null != vulnerability) {
            vulnerability.setName(advisory);
        }
        if (null != dependency) {
            dependency.getVulnerabilities().add(vulnerability); // needed to wait for vulnerability name to avoid NPE
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    private void addReferenceToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
        final String url = nextLine.substring(("URL: ").length());
        if (null != vulnerability) {
            Reference ref = new Reference();
            ref.setName(vulnerability.getName());
            ref.setSource("bundle-audit");
            ref.setUrl(url);
            vulnerability.getReferences().add(ref);
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    private void addCriticalityToVulnerability(String parentName, Vulnerability vulnerability, String nextLine) {
        if (null != vulnerability) {
            final String criticality = nextLine.substring(CRITICALITY.length()).trim();
            if ("High".equals(criticality)) {
                vulnerability.setCvssScore(8.5f);
            } else if ("Medium".equals(criticality)) {
                vulnerability.setCvssScore(5.5f);
            } else if ("Low".equals(criticality)) {
                vulnerability.setCvssScore(2.0f);
            } else {
                vulnerability.setCvssScore(-1.0f);
            }
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
    }
    private Vulnerability createVulnerability(String parentName, Dependency dependency, Vulnerability vulnerability, String gem, String nextLine) {
        if (null != dependency) {
            final String version = nextLine.substring(VERSION.length());
            dependency.getVersionEvidence().addEvidence(
                    "bundler-audit",
                    "Version",
                    version,
                    Confidence.HIGHEST);
            vulnerability = new Vulnerability(); // don't add to dependency until we have name set later
            vulnerability.setMatchedCPE(
                    String.format("cpe:/a:%1$s_project:%1$s:%2$s::~~~ruby~~", gem, version),
                    null);
            vulnerability.setCvssAccessVector("-");
            vulnerability.setCvssAccessComplexity("-");
            vulnerability.setCvssAuthentication("-");
            vulnerability.setCvssAvailabilityImpact("-");
            vulnerability.setCvssConfidentialityImpact("-");
            vulnerability.setCvssIntegrityImpact("-");
        }
        LOGGER.debug(String.format("bundle-audit (%s): %s", parentName, nextLine));
        return vulnerability;
    }
    private Dependency createDependencyForGem(Engine engine, String parentName, String fileName, String gem) throws IOException {
        final File tempFile = File.createTempFile("Gemfile-" + gem, ".lock", Settings.getTempDirectory());
        final String displayFileName = String.format("%s%c%s:%s", parentName, File.separatorChar, fileName, gem);
        FileUtils.write(tempFile, displayFileName); // unique contents to avoid dependency bundling
        final Dependency dependency = new Dependency(tempFile);
        dependency.getProductEvidence().addEvidence("bundler-audit", "Name", gem, Confidence.HIGHEST);
        dependency.setDisplayFileName(displayFileName);
        engine.getDependencies().add(dependency);
        return dependency;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java
@@ -49,11 +49,12 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     */
    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
    private static final String GEMSPEC = "gemspec";
    private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addExtensions("gemspec").addFilenames("Rakefile").build();
+            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
    private static final String EMAIL = "email";
    private static final String GEMSPEC = "gemspec";
    /**
     * @return a filter that accepts files named Rakefile or matching the glob pattern, *.gemspec
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -90,7 +90,7 @@ public class CentralSearch {
        final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
-        LOGGER.debug("Searching Central url {}", url.toString());
+        LOGGER.debug("Searching Central url {}", url);
        // Determine if we need to use a proxy. The rules:
        // 1) If the proxy is set, AND the setting is set to true, use the proxy
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/composer/ComposerException.java
@@ -24,6 +24,11 @@ package org.owasp.dependencycheck.data.composer;
 */
 public class ComposerException extends RuntimeException {
    /**
     * The serial version UID for serialization.
     */
    private static final long serialVersionUID = 1L;
    /**
     * Creates a ComposerException with default message.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -149,7 +149,6 @@ public final class CpeMemoryIndex {
     *
     * @return the CPE Analyzer.
     */
    @SuppressWarnings("unchecked")
    private Analyzer createIndexingAnalyzer() {
        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -161,7 +160,6 @@ public final class CpeMemoryIndex {
     *
     * @return the CPE Analyzer.
     */
    @SuppressWarnings("unchecked")
    private Analyzer createSearchingAnalyzer() {
        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
@@ -173,24 +171,6 @@ public final class CpeMemoryIndex {
        return new PerFieldAnalyzerWrapper(new FieldAnalyzer(LuceneUtils.CURRENT_VERSION), fieldAnalyzers);
    }
    /**
     * Saves a CPE IndexEntry into the Lucene index.
     *
     * @param vendor the vendor to index
     * @param product the product to index
     * @param indexWriter the index writer to write the entry into
     * @throws CorruptIndexException is thrown if the index is corrupt
     * @throws IOException is thrown if an IOException occurs
     */
    public void saveEntry(String vendor, String product, IndexWriter indexWriter) throws CorruptIndexException, IOException {
        final Document doc = new Document();
        final Field v = new TextField(Fields.VENDOR, vendor, Field.Store.YES);
        final Field p = new TextField(Fields.PRODUCT, product, Field.Store.YES);
        doc.add(v);
        doc.add(p);
        indexWriter.addDocument(doc);
    }
    /**
     * Closes the CPE Index.
     */
@@ -230,9 +210,20 @@ public final class CpeMemoryIndex {
            final IndexWriterConfig conf = new IndexWriterConfig(LuceneUtils.CURRENT_VERSION, analyzer);
            indexWriter = new IndexWriter(index, conf);
            try {
                // Tip: reuse the Document and Fields for performance...
                // See "Re-use Document and Field instances" from
                // http://wiki.apache.org/lucene-java/ImproveIndexingSpeed
                final Document doc = new Document();
                final Field v = new TextField(Fields.VENDOR, Fields.VENDOR, Field.Store.YES);
                final Field p = new TextField(Fields.PRODUCT, Fields.PRODUCT, Field.Store.YES);
                doc.add(v);
                doc.add(p);
                final Set<Pair<String, String>> data = cve.getVendorProductList();
                for (Pair<String, String> pair : data) {
-                    saveEntry(pair.getLeft(), pair.getRight(), indexWriter);
+                    v.setStringValue(pair.getLeft());
                    p.setStringValue(pair.getRight());
                    indexWriter.addDocument(doc);
                }
            } catch (DatabaseException ex) {
                LOGGER.debug("", ex);
@@ -287,8 +278,9 @@ public final class CpeMemoryIndex {
        if (searchString == null || searchString.trim().isEmpty()) {
            throw new ParseException("Query is null or empty");
        }
        LOGGER.debug(searchString);
        final Query query = queryParser.parse(searchString);
-        return indexSearcher.search(query, maxQueryResults);
+        return search(query, maxQueryResults);
    }
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/IndexEntry.java
@@ -48,7 +48,7 @@ public class IndexEntry implements Serializable {
     */
    public String getDocumentId() {
        if (documentId == null && vendor != null && product != null) {
-            documentId = vendor + ":" + product;
+            documentId = vendor + ':' + product;
        }
        return documentId;
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/LuceneUtils.java
@@ -77,6 +77,7 @@ public final class LuceneUtils {
                case '*':
                case '?':
                case ':':
                case '/':
                case '\\': //it is supposed to fall through here
                    buf.append('\\');
                default:
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/MavenArtifact.java
@@ -94,13 +94,13 @@ public class MavenArtifact {
        }
        if (jarAvailable) {
            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.artifactUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.artifactUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".jar";
+                    + version + '/' + artifactId + '-' + version + ".jar";
        }
        if (pomAvailable) {
            //org/springframework/spring-core/3.2.0.RELEASE/spring-core-3.2.0.RELEASE.pom
-            this.pomUrl = base + groupId.replace('.', '/') + "/" + artifactId + "/"
+            this.pomUrl = base + groupId.replace('.', '/') + '/' + artifactId + '/'
-                    + version + "/" + artifactId + "-" + version + ".pom";
+                    + version + '/' + artifactId + '-' + version + ".pom";
        }
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/NexusSearch.java
@@ -63,7 +63,7 @@ public class NexusSearch {
        this.rootURL = rootURL;
        try {
            if (null != Settings.getString(Settings.KEYS.PROXY_SERVER)
-                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_PROXY)) {
+                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY)) {
                useProxy = true;
                LOGGER.debug("Using proxy");
            } else {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java
@@ -17,11 +17,9 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;
 import java.io.BufferedReader;
 import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.InputStreamReader;
 import java.sql.CallableStatement;
 import java.sql.Connection;
 import java.sql.Driver;
@@ -29,7 +27,10 @@ import java.sql.DriverManager;
 import java.sql.ResultSet;
 import java.sql.SQLException;
 import java.sql.Statement;
 import org.apache.commons.io.IOUtils;
 import org.owasp.dependencycheck.utils.DBUtils;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -58,6 +59,10 @@ public final class ConnectionFactory {
     * Resource location for SQL file used to create the database schema.
     */
    public static final String DB_STRUCTURE_UPDATE_RESOURCE = "data/upgrade_%s.sql";
    /**
     * The URL that discusses upgrading non-H2 databases.
     */
    public static final String UPGRADE_HELP_URL = "http://jeremylong.github.io/DependencyCheck/data/upgrade.html";
    /**
     * The database driver used to connect to the database.
     */
@@ -243,22 +248,15 @@ public final class ConnectionFactory {
     */
    private static void createTables(Connection conn) throws DatabaseException {
        LOGGER.debug("Creating database structure");
-        InputStream is;
+        InputStream is = null;
        InputStreamReader reader;
        BufferedReader in = null;
        try {
            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(DB_STRUCTURE_RESOURCE);
-            reader = new InputStreamReader(is, "UTF-8");
+            final String dbStructure = IOUtils.toString(is, "UTF-8");
-            in = new BufferedReader(reader);
+
            final StringBuilder sb = new StringBuilder(2110);
            String tmp;
            while ((tmp = in.readLine()) != null) {
                sb.append(tmp);
            }
            Statement statement = null;
            try {
                statement = conn.createStatement();
-                statement.execute(sb.toString());
+                statement.execute(dbStructure);
            } catch (SQLException ex) {
                LOGGER.debug("", ex);
                throw new DatabaseException("Unable to create database statement", ex);
@@ -268,13 +266,7 @@ public final class ConnectionFactory {
        } catch (IOException ex) {
            throw new DatabaseException("Unable to create database schema", ex);
        } finally {
-            if (in != null) {
+            IOUtils.closeQuietly(is);
                try {
                    in.close();
                } catch (IOException ex) {
                    LOGGER.trace("", ex);
                }
            }
        }
    }
@@ -288,48 +280,54 @@ public final class ConnectionFactory {
     * @throws DatabaseException thrown if there is an exception upgrading the database schema
     */
    private static void updateSchema(Connection conn, String schema) throws DatabaseException {
-        LOGGER.debug("Updating database structure");
+        final String databaseProductName;
        InputStream is;
        InputStreamReader reader;
        BufferedReader in = null;
        String updateFile = null;
        try {
-            updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+            databaseProductName = conn.getMetaData().getDatabaseProductName();
-            is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
+        } catch (SQLException ex) {
-            if (is == null) {
+            throw new DatabaseException("Unable to get the database product name");
-                throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
+        }
-            }
+        if ("h2".equalsIgnoreCase(databaseProductName)) {
-            reader = new InputStreamReader(is, "UTF-8");
+            LOGGER.debug("Updating database structure");
-            in = new BufferedReader(reader);
+            InputStream is = null;
-            final StringBuilder sb = new StringBuilder(2110);
+            String updateFile = null;
            String tmp;
            while ((tmp = in.readLine()) != null) {
                sb.append(tmp);
            }
            Statement statement = null;
            try {
-                statement = conn.createStatement();
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
-                statement.execute(sb.toString());
+                is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
-            } catch (SQLException ex) {
+                if (is == null) {
-                LOGGER.debug("", ex);
+                    throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
                throw new DatabaseException("Unable to update database schema", ex);
            } finally {
                DBUtils.closeStatement(statement);
            }
        } catch (IOException ex) {
            final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
            throw new DatabaseException(msg, ex);
        } finally {
            if (in != null) {
                try {
                    in.close();
                } catch (IOException ex) {
                    LOGGER.trace("", ex);
                }
                final String dbStructureUpdate = IOUtils.toString(is, "UTF-8");
                Statement statement = null;
                try {
                    statement = conn.createStatement();
                    final boolean success = statement.execute(dbStructureUpdate);
                    if (!success && statement.getUpdateCount() <= 0) {
                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
                    }
                } catch (SQLException ex) {
                    LOGGER.debug("", ex);
                    throw new DatabaseException("Unable to update database schema", ex);
                } finally {
                    DBUtils.closeStatement(statement);
                }
            } catch (IOException ex) {
                final String msg = String.format("Upgrade SQL file does not exist: %s", updateFile);
                throw new DatabaseException(msg, ex);
            } finally {
                IOUtils.closeQuietly(is);
            }
        } else {
            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
            throw new DatabaseException("Database schema is out of date");
        }
    }
    /**
     * Counter to ensure that calls to ensureSchemaVersion does not end up in an endless loop.
     */
    private static int callDepth = 0;
    /**
     * Uses the provided connection to check the specified schema version within the database.
     *
@@ -344,10 +342,15 @@ public final class ConnectionFactory {
            cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
            rs = cs.executeQuery();
            if (rs.next()) {
-                if (!DB_SCHEMA_VERSION.equals(rs.getString(1))) {
+                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
-                    LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
+                final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                    LOGGER.debug("DB Schema: " + rs.getString(1));
+                if (current.compareTo(db) > 0) {
                    LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
                    LOGGER.debug("DB Schema: {}", rs.getString(1));
                    updateSchema(conn, rs.getString(1));
                    if (++callDepth < 10) {
                        ensureSchemaVersion(conn);
                    }
                }
            } else {
                throw new DatabaseException("Database schema is missing");
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CorruptDatabaseException.java
@@ -18,12 +18,11 @@
 package org.owasp.dependencycheck.data.nvdcve;
 /**
- * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure
+ * An exception used to indicate the db4o database is corrupt. This could be due to invalid data or a complete failure of the db.
 * of the db.
 *
 * @author Jeremy Long
 */
-class CorruptDatabaseException extends DatabaseException {
+public class CorruptDatabaseException extends DatabaseException {
    /**
     * the serial version uid.
@@ -31,7 +30,7 @@ class CorruptDatabaseException extends DatabaseException {
    private static final long serialVersionUID = 1L;
    /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
     *
     * @param msg the exception message
     */
@@ -40,7 +39,7 @@ class CorruptDatabaseException extends DatabaseException {
    }
    /**
-     * Creates an CorruptDatabaseException
+     * Creates an CorruptDatabaseException.
     *
     * @param msg the exception message
     * @param ex the cause of the exception
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -29,8 +29,10 @@ import java.util.ArrayList;
 import java.util.HashMap;
 import java.util.HashSet;
 import java.util.List;
 import java.util.Locale;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.MissingResourceException;
 import java.util.Properties;
 import java.util.ResourceBundle;
 import java.util.Set;
@@ -74,9 +76,17 @@ public class CveDB {
     */
    public CveDB() throws DatabaseException {
        super();
        statementBundle = ResourceBundle.getBundle("data/dbStatements");
        try {
            open();
            try {
                final String databaseProductName = conn.getMetaData().getDatabaseProductName();
                LOGGER.debug("Database dialect: {}", databaseProductName);
                final Locale dbDialect = new Locale(databaseProductName);
                statementBundle = ResourceBundle.getBundle("data/dbStatements", dbDialect);
            } catch (SQLException se) {
                LOGGER.warn("Problem loading database specific dialect!", se);
                statementBundle = ResourceBundle.getBundle("data/dbStatements");
            }
            databaseProperties = new DatabaseProperties(this);
        } catch (DatabaseException ex) {
            throw ex;
@@ -252,44 +262,6 @@ public class CveDB {
        return prop;
    }
    /**
     * Saves a set of properties to the database.
     *
     * @param props a collection of properties
     */
    void saveProperties(Properties props) {
        PreparedStatement updateProperty = null;
        PreparedStatement insertProperty = null;
        try {
            try {
                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
                insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
            } catch (SQLException ex) {
                LOGGER.warn("Unable to save properties to the database");
                LOGGER.debug("Unable to save properties to the database", ex);
                return;
            }
            for (Entry<Object, Object> entry : props.entrySet()) {
                final String key = entry.getKey().toString();
                final String value = entry.getValue().toString();
                try {
                    updateProperty.setString(1, value);
                    updateProperty.setString(2, key);
                    if (updateProperty.executeUpdate() == 0) {
                        insertProperty.setString(1, key);
                        insertProperty.setString(2, value);
                    }
                } catch (SQLException ex) {
                    LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
                    LOGGER.debug("", ex);
                }
            }
        } finally {
            DBUtils.closeStatement(updateProperty);
            DBUtils.closeStatement(insertProperty);
        }
    }
    /**
     * Saves a property to the database.
     *
@@ -297,38 +269,38 @@ public class CveDB {
     * @param value the property value
     */
    void saveProperty(String key, String value) {
        PreparedStatement updateProperty = null;
        PreparedStatement insertProperty = null;
        try {
            try {
-                updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
+                final PreparedStatement mergeProperty = getConnection().prepareStatement(statementBundle.getString("MERGE_PROPERTY"));
-            } catch (SQLException ex) {
+                try {
-                LOGGER.warn("Unable to save properties to the database");
+                    mergeProperty.setString(1, key);
-                LOGGER.debug("Unable to save properties to the database", ex);
+                    mergeProperty.setString(2, value);
-                return;
+                    mergeProperty.executeUpdate();
-            }
+                } finally {
-            try {
+                    DBUtils.closeStatement(mergeProperty);
-                updateProperty.setString(1, value);
+                }
-                updateProperty.setString(2, key);
+            } catch (MissingResourceException mre) {
-                if (updateProperty.executeUpdate() == 0) {
+                // No Merge statement, so doing an Update/Insert...
-                    try {
+                PreparedStatement updateProperty = null;
-                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
+                PreparedStatement insertProperty = null;
-                    } catch (SQLException ex) {
+                try {
-                        LOGGER.warn("Unable to save properties to the database");
+                    updateProperty = getConnection().prepareStatement(statementBundle.getString("UPDATE_PROPERTY"));
-                        LOGGER.debug("Unable to save properties to the database", ex);
+                    updateProperty.setString(1, value);
-                        return;
+                    updateProperty.setString(2, key);
-                    }
+                    if (updateProperty.executeUpdate() == 0) {
-                    insertProperty.setString(1, key);
+                        insertProperty = getConnection().prepareStatement(statementBundle.getString("INSERT_PROPERTY"));
-                    insertProperty.setString(2, value);
+                        insertProperty.setString(1, key);
-                    insertProperty.execute();
+                        insertProperty.setString(2, value);
                        insertProperty.executeUpdate();
                    }
                } finally {
                    DBUtils.closeStatement(updateProperty);
                    DBUtils.closeStatement(insertProperty);
                }
            } catch (SQLException ex) {
                LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
                LOGGER.debug("", ex);
            }
-        } finally {
+        } catch (SQLException ex) {
-            DBUtils.closeStatement(updateProperty);
+            LOGGER.warn("Unable to save property '{}' with a value of '{}' to the database", key, value);
-            DBUtils.closeStatement(insertProperty);
+            LOGGER.debug("", ex);
        }
    }
@@ -420,7 +392,7 @@ public class CveDB {
                if (cwe != null) {
                    final String name = CweDB.getCweName(cwe);
                    if (name != null) {
-                        cwe += " " + name;
+                        cwe += ' ' + name;
                    }
                }
                final int cveId = rsV.getInt(1);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -45,6 +45,10 @@ public class DatabaseProperties {
     * updates)..
     */
    public static final String MODIFIED = "Modified";
    /**
     * The properties file key for the last checked field - used to store the last check time of the Modified NVD CVE xml file.
     */
    public static final String LAST_CHECKED = "NVD CVE Checked";
    /**
     * The properties file key for the last updated field - used to store the last updated time of the Modified NVD CVE xml file.
     */
@@ -66,11 +70,11 @@ public class DatabaseProperties {
    /**
     * A collection of properties about the data.
     */
-    private Properties properties;
+    private final Properties properties;
    /**
     * A reference to the database.
     */
-    private CveDB cveDB;
+    private final CveDB cveDB;
    /**
     * Constructs a new data properties object.
@@ -79,13 +83,6 @@ public class DatabaseProperties {
     */
    DatabaseProperties(CveDB cveDB) {
        this.cveDB = cveDB;
        loadProperties();
    }
    /**
     * Loads the properties from the database.
     */
    private void loadProperties() {
        this.properties = cveDB.getProperties();
    }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DriverLoader.java
@@ -63,15 +63,13 @@ public final class DriverLoader {
    }
    /**
-     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver
+     * Loads the specified class by registering the supplied paths to the class loader and then registers the driver with the
-     * with the driver manager. The pathToDriver argument is added to the class loader so that an external driver can be
+     * driver manager. The pathToDriver argument is added to the class loader so that an external driver can be loaded. Note, the
-     * loaded. Note, the pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added
+     * pathToDriver can contain a semi-colon separated list of paths so any dependencies can be added as needed. If a path in the
-     * as needed. If a path in the pathToDriver argument is a directory all files in the directory are added to the
+     * pathToDriver argument is a directory all files in the directory are added to the class path.
     * class path.
     *
     * @param className the fully qualified name of the desired class
-     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list
+     * @param pathToDriver the path to the JAR file containing the driver; note, this can be a semi-colon separated list of paths
     * of paths
     * @return the loaded Driver
     * @throws DriverLoadException thrown if the driver cannot be loaded
     */
@@ -83,14 +81,15 @@ public final class DriverLoader {
            final File file = new File(path);
            if (file.isDirectory()) {
                final File[] files = file.listFiles();
-
+                if (files != null) {
-                for (File f : files) {
+                    for (File f : files) {
-                    try {
+                        try {
-                        urls.add(f.toURI().toURL());
+                            urls.add(f.toURI().toURL());
-                    } catch (MalformedURLException ex) {
+                        } catch (MalformedURLException ex) {
-                        LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
+                            LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                            className, f.getAbsoluteFile(), ex);
+                                    className, f.getAbsoluteFile(), ex);
-                        throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
+                            throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
                        }
                    }
                }
            } else if (file.exists()) {
@@ -98,7 +97,7 @@ public final class DriverLoader {
                    urls.add(file.toURI().toURL());
                } catch (MalformedURLException ex) {
                    LOGGER.debug("Unable to load database driver '{}'; invalid path provided '{}'",
-                        className, file.getAbsoluteFile(), ex);
+                            className, file.getAbsoluteFile(), ex);
                    throw new DriverLoadException("Unable to load database driver. Invalid path provided", ex);
                }
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/CpeUpdater.java
@@ -137,7 +137,7 @@ public class CpeUpdater extends BaseUpdater implements CachedWebDataSource {
     */
    private boolean updateNeeded() {
        final long now = System.currentTimeMillis();
-        final int days = Settings.getInt(Settings.KEYS.CVE_MODIFIED_VALID_FOR_DAYS, 30);
+        final int days = Settings.getInt(Settings.KEYS.CPE_MODIFIED_VALID_FOR_DAYS, 30);
        long timestamp = 0;
        final String ts = getProperties().getProperty(LAST_CPE_UPDATE);
        if (ts != null && ts.matches("^[0-9]+$")) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java
@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
    @Override
    public void update() throws UpdateException {
        try {
-            openDatabase();
+            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
-            LOGGER.debug("Begin Engine Version Check");
+                openDatabase();
-            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+                LOGGER.debug("Begin Engine Version Check");
-            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+                final DatabaseProperties properties = cveDB.getDatabaseProperties();
-            final long now = System.currentTimeMillis();
+                final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
-            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+                final long now = System.currentTimeMillis();
-            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+                updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
-            LOGGER.debug("Last checked: {}", lastChecked);
+                final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
-            LOGGER.debug("Now: {}", now);
+                LOGGER.debug("Last checked: {}", lastChecked);
-            LOGGER.debug("Current version: {}", currentVersion);
+                LOGGER.debug("Now: {}", now);
-            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+                LOGGER.debug("Current version: {}", currentVersion);
-            if (updateNeeded) {
+                final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
-                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                if (updateNeeded) {
-                        updateToVersion);
+                    LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
                            updateToVersion);
                }
            }
        } catch (DatabaseException ex) {
            LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
            throw new UpdateException("Error occured updating database properties.");
        } catch (InvalidSettingException ex) {
            LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
        } finally {
            closeDatabase();
        }
    }
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
    protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
            String currentVersion) throws UpdateException {
        //check every 30 days if we know there is an update, otherwise check every 7 days
-        int checkRange = 30;
+        final int checkRange = 30;
        if (updateToVersion.isEmpty()) {
            checkRange = 7;
        }
        if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
            LOGGER.debug("Checking web for new version.");
            final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
                    updateToVersion = v.toString();
                    if (!currentRelease.equals(updateToVersion)) {
                        properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
                    } else {
                        properties.save(CURRENT_ENGINE_RELEASE, "");
                    }
                    properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
                }
            }
            LOGGER.debug("Current Release: {}", updateToVersion);
        }
        if (updateToVersion == null) {
            LOGGER.debug("Unable to obtain current release");
            return false;
        }
        final DependencyVersion running = new DependencyVersion(currentVersion);
        final DependencyVersion released = new DependencyVersion(updateToVersion);
        if (running.compareTo(released) < 0) {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java
@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -33,6 +35,7 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
 import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -66,9 +69,11 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
    public void update() throws UpdateException {
        try {
            openDataStores();
-            final UpdateableNvdCve updateable = getUpdatesNeeded();
+            if (checkUpdate()) {
-            if (updateable.isUpdateNeeded()) {
+                final UpdateableNvdCve updateable = getUpdatesNeeded();
-                performUpdate(updateable);
+                if (updateable.isUpdateNeeded()) {
                    performUpdate(updateable);
                }
            }
        } catch (MalformedURLException ex) {
            LOGGER.warn(
@@ -87,6 +92,53 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
        }
    }
    /**
     * Checks if the NVD CVE XML files were last checked recently. As an optimization, we can avoid repetitive checks against the
     * NVD. Setting CVE_CHECK_VALID_FOR_HOURS determines the duration since last check before checking again. A database property
     * stores the timestamp of the last check.
     *
     * @return true to proceed with the check, or false to skip.
     * @throws UpdateException thrown when there is an issue checking for updates.
     */
    private boolean checkUpdate() throws UpdateException {
        boolean proceed = true;
        // If the valid setting has not been specified, then we proceed to check...
        final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
        if (dataExists() && 0 < validForHours) {
            // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
            final long msValid = validForHours * 60L * 60L * 1000L;
            final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
            final long now = System.currentTimeMillis();
            proceed = (now - lastChecked) > msValid;
            if (proceed) {
                getProperties().save(DatabaseProperties.LAST_CHECKED, Long.toString(now));
            } else {
                LOGGER.info("Skipping NVD check since last check was within {} hours.", validForHours);
                LOGGER.debug("Last NVD was at {}, and now {} is within {} ms.",
                        lastChecked, now, msValid);
            }
        }
        return proceed;
    }
    /**
     * Checks the CPE Index to ensure documents exists.
     */
    private boolean dataExists() {
        CveDB cve = null;
        try {
            cve = new CveDB();
            cve.open();
            return cve.dataExists();
        } catch (DatabaseException ex) {
            return false;
        } finally {
            if (cve != null) {
                cve.close();
            }
        }
    }
    /**
     * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
     *
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java
@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
    /**
     * A reference to the current element.
     */
-    private Element current = new Element();
+    private final Element current = new Element();
    /**
     * The logger.
     */
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
    /**
     * The list of CPE values.
     */
-    private List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<Cpe>();
    /**
     * Returns the list of CPE values.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java
@@ -68,8 +68,8 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
        final File file2;
        try {
-            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file1 = File.createTempFile("cve" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
-            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + "_", ".xml", Settings.getTempDirectory());
+            file2 = File.createTempFile("cve_1_2_" + nvdCveInfo.getId() + '_', ".xml", Settings.getTempDirectory());
        } catch (IOException ex) {
            throw new UpdateException("Unable to create temporary files", ex);
        }
@@ -80,11 +80,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
    /**
     * The CVE DB to use when processing the files.
     */
-    private CveDB cveDB;
+    private final CveDB cveDB;
    /**
     * The processor service to pass the results of the download to.
     */
-    private ExecutorService processorService;
+    private final ExecutorService processorService;
    /**
     * The NVD CVE Meta Data.
     */
@@ -92,7 +92,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
    /**
     * A reference to the global settings object.
     */
-    private Settings settings;
+    private final Settings settings;
    /**
     * Get the value of nvdCveInfo.
@@ -155,28 +155,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
    public void setSecond(File second) {
        this.second = second;
    }
    /**
     * A placeholder for an exception.
     */
    private Exception exception = null;
    /**
     * Get the value of exception.
     *
     * @return the value of exception
     */
    public Exception getException() {
        return exception;
    }
    /**
     * returns whether or not an exception occurred during download.
     *
     * @return whether or not an exception occurred during download
     */
    public boolean hasException() {
        return exception != null;
    }
    @Override
    public Future<ProcessTask> call() throws Exception {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java
@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
                software = null;
            }
        } else if (!skip && current.isProdNode()) {
            vendor = attributes.getValue("vendor");
            product = attributes.getValue("name");
        } else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
                /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
                 purposes this is good enough as we won't use this if we don't find a corresponding "a"
                 in the nvd cve 2.0. */
-                String cpe = "cpe:/a:" + vendor + ":" + product;
+                final int cpeLen = 8 + vendor.length() + product.length()
                    + (null != num ? (1 + num.length()) : 0)
                    + (null != edition ? (1 + edition.length()) : 0);
                final StringBuilder cpe = new StringBuilder(cpeLen);
                cpe.append("cpe:/a:").append(vendor).append(':').append(product);
                if (num != null) {
-                    cpe += ":" + num;
+                    cpe.append(':').append(num);
                }
                if (edition != null) {
-                    cpe += ":" + edition;
+                    cpe.append(':').append(edition);
                }
                final VulnerableSoftware vs = new VulnerableSoftware();
-                vs.setCpe(cpe);
+                vs.setCpe(cpe.toString());
                vs.setPreviousVersion(prev);
                software.add(vs);
            }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java
@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
    /**
     * A reference to the global settings object.
     */
-    private Settings settings;
+    private final Settings settings;
    /**
     * Constructs a new ProcessTask used to process an NVD CVE update.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java
@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
 *
 * @author Jeremy Long
 */
-public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
+public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
    /**
     * A collection of sources of data.
     */
-    private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
    /**
     * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java
@@ -341,7 +341,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
                }
            }
            if (!found) {
-                LOGGER.debug("Adding new maven identifier {}", mavenArtifact.toString());
+                LOGGER.debug("Adding new maven identifier {}", mavenArtifact);
                this.addIdentifier("maven", mavenArtifact.toString(), mavenArtifact.getArtifactUrl(), Confidence.HIGHEST);
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java
@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
    /**
     * A list of suppression rules.
     */
-    private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
    /**
     * Get the value of suppressionRules.
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java
@@ -267,8 +267,8 @@ public class SuppressionRule {
    }
    /**
-     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
-     * resulting report in the "suppressed" section.
+     * report in the "suppressed" section.
     */
    private boolean base;
@@ -291,8 +291,8 @@ public class SuppressionRule {
    }
    /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
-     * should be, they are removed from the dependency.
+     * are removed from the dependency.
     *
     * @param dependency a project dependency to analyze
     */
@@ -381,13 +381,7 @@ public class SuppressionRule {
     * @return true if the property type does not specify a version; otherwise false
     */
    boolean cpeHasNoVersion(PropertyType c) {
-        if (c.isRegex()) {
+        return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
            return false;
        }
        if (countCharacter(c.getValue(), ':') == 3) {
            return true;
        }
        return false;
    }
    /**
@@ -439,46 +433,46 @@ public class SuppressionRule {
     */
    @Override
    public String toString() {
-        final StringBuilder sb = new StringBuilder();
+        final StringBuilder sb = new StringBuilder(64);
        sb.append("SuppressionRule{");
        if (filePath != null) {
-            sb.append("filePath=").append(filePath).append(",");
+            sb.append("filePath=").append(filePath).append(',');
        }
        if (sha1 != null) {
-            sb.append("sha1=").append(sha1).append(",");
+            sb.append("sha1=").append(sha1).append(',');
        }
        if (gav != null) {
-            sb.append("gav=").append(gav).append(",");
+            sb.append("gav=").append(gav).append(',');
        }
        if (cpe != null && !cpe.isEmpty()) {
            sb.append("cpe={");
            for (PropertyType pt : cpe) {
-                sb.append(pt).append(",");
+                sb.append(pt).append(',');
            }
-            sb.append("}");
+            sb.append('}');
        }
        if (cwe != null && !cwe.isEmpty()) {
            sb.append("cwe={");
            for (String s : cwe) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
            }
-            sb.append("}");
+            sb.append('}');
        }
        if (cve != null && !cve.isEmpty()) {
            sb.append("cve={");
            for (String s : cve) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
            }
-            sb.append("}");
+            sb.append('}');
        }
        if (cvssBelow != null && !cvssBelow.isEmpty()) {
            sb.append("cvssBelow={");
            for (Float s : cvssBelow) {
-                sb.append(s).append(",");
+                sb.append(s).append(',');
            }
-            sb.append("}");
+            sb.append('}');
        }
-        sb.append("}");
+        sb.append('}');
        return sb.toString();
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DateUtil.java
@@ -36,11 +36,12 @@ public final class DateUtil {
     *
     * @param date the date to be checked.
     * @param compareTo the date to compare to.
-     * @param range the range in days to be considered valid.
+     * @param dayRange the range in days to be considered valid.
     * @return whether or not the date is within the range.
     */
-    public static boolean withinDateRange(long date, long compareTo, int range) {
+    public static boolean withinDateRange(long date, long compareTo, int dayRange) {
-        final double differenceInDays = (compareTo - date) / 1000.0 / 60.0 / 60.0 / 24.0;
+        // ms = dayRange x 24 hours/day x 60 min/hour x 60 sec/min x 1000 ms/sec
-        return differenceInDays < range;
+        final long msRange = dayRange * 24L * 60L * 60L * 1000L;
        return (compareTo - date) < msRange;
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersion.java
@@ -115,7 +115,7 @@ public class DependencyVersion implements Iterable<String>, Comparable<Dependenc
     */
    @Override
    public String toString() {
-        return StringUtils.join(versionParts.toArray(), ".");
+        return StringUtils.join(versionParts, '.');
    }
    /**
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/ExtractionUtil.java
@@ -182,13 +182,11 @@ public final class ExtractionUtil {
            while ((entry = input.getNextEntry()) != null) {
                if (entry.isDirectory()) {
                    final File dir = new File(destination, entry.getName());
-                    if (!dir.exists()) {
+                    if (!dir.exists() && !dir.mkdirs()) {
-                        if (!dir.mkdirs()) {
+                        final String msg = String.format(
-                            final String msg = String.format(
+                                "Unable to create directory '%s'.",
-                                    "Unable to create directory '%s'.",
+                                dir.getAbsolutePath());
-                                    dir.getAbsolutePath());
+                        throw new AnalysisException(msg);
                            throw new AnalysisException(msg);
                        }
                    }
                } else {
                    extractFile(input, destination, filter, entry);
@@ -264,13 +262,11 @@ public final class ExtractionUtil {
    private static void createParentFile(final File file)
            throws ExtractionException {
        final File parent = file.getParentFile();
-        if (!parent.isDirectory()) {
+        if (!parent.isDirectory() && !parent.mkdirs()) {
-            if (!parent.mkdirs()) {
+            final String msg = String.format(
-                final String msg = String.format(
+                    "Unable to build directory '%s'.",
-                        "Unable to build directory '%s'.",
+                    parent.getAbsolutePath());
-                        parent.getAbsolutePath());
+            throw new ExtractionException(msg);
                throw new ExtractionException(msg);
            }
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java
@@ -50,7 +50,7 @@ public abstract class Filter<T> {
            if (next == null) {
                throw new NoSuchElementException();
            }
-            T returnValue = next;
+            final T returnValue = next;
            toNext();
            return returnValue;
        }
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
        private void toNext() {
            next = null;
            while (iterator.hasNext()) {
-                T item = iterator.next();
+                final T item = iterator.next();
                if (item != null && passes(item)) {
                    next = item;
                    break;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/NonClosingStream.java
@@ -1,47 +0,0 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.utils;
 import java.io.FilterInputStream;
 import java.io.InputStream;
 /**
 * NonClosingStream is a stream filter which prevents another class that processes the stream from closing it. This is
 * necessary when dealing with things like JAXB and zipInputStreams.
 *
 * @author Jeremy Long
 */
 public class NonClosingStream extends FilterInputStream {
    /**
     * Constructs a new NonClosingStream.
     *
     * @param in an input stream.
     */
    public NonClosingStream(InputStream in) {
        super(in);
    }
    /**
     * Prevents closing of the stream.
     */
    @Override
    public void close() {
        // don't close the stream.
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java
@@ -21,6 +21,9 @@ import java.util.ArrayList;
 import java.util.List;
 import java.util.Properties;
 import org.apache.commons.lang3.text.StrLookup;
 import org.apache.commons.lang3.text.StrSubstitutor;
 /**
 * A simple pojo to hold data related to a Maven POM file.
 *
@@ -238,7 +241,7 @@ public class Model {
    /**
     * The list of licenses.
     */
-    private List<License> licenses = new ArrayList<License>();
+    private final List<License> licenses = new ArrayList<License>();
    /**
     * Returns the list of licenses.
@@ -307,33 +310,41 @@ public class Model {
     * @return the interpolated text.
     */
    public static String interpolateString(String text, Properties properties) {
-        final Properties props = properties;
+        if (null == text || null == properties) {
        if (text == null) {
            return text;
        }
-        if (props == null) {
+        final StrSubstitutor substitutor = new StrSubstitutor(new PropertyLookup(properties));
-            return text;
+        return substitutor.replace(text);
        }
        final int pos = text.indexOf("${");
        if (pos < 0) {
            return text;
        }
        final int end = text.indexOf("}");
        if (end < pos) {
            return text;
        }
        final String propName = text.substring(pos + 2, end);
        String propValue = interpolateString(props.getProperty(propName), props);
        if (propValue == null) {
            propValue = "";
        }
        final StringBuilder sb = new StringBuilder(propValue.length() + text.length());
        sb.append(text.subSequence(0, pos));
        sb.append(propValue);
        sb.append(text.substring(end + 1));
        return interpolateString(sb.toString(), props); //yes yes, this should be a loop...
    }
    /**
     * Utility class that can provide values from a Properties object to a StrSubstitutor.
     */
    private static class PropertyLookup extends StrLookup {
        /**
         * Reference to the properties to lookup.
         */
        private final Properties props;
        /**
         * Constructs a new property lookup.
         *
         * @param props the properties to wrap.
         */
        PropertyLookup(Properties props) {
            this.props = props;
        }
        /**
         * Looks up the given property.
         *
         * @param key the key to the property
         * @return the value of the property specified by the key
         */
        @Override
        public String lookup(String key) {
            return props.getProperty(key);
        }
    }
 }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java
@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
    /**
     * The pom model.
     */
-    private Model model = new Model();
+    private final Model model = new Model();
    /**
     * Returns the model obtained from the pom.xml.
--- a/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
+++ b/dependency-check-core/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer
@@ -19,4 +19,5 @@ org.owasp.dependencycheck.analyzer.OpenSSLAnalyzer
 org.owasp.dependencycheck.analyzer.CMakeAnalyzer
 org.owasp.dependencycheck.analyzer.NodePackageAnalyzer
 org.owasp.dependencycheck.analyzer.RubyGemspecAnalyzer
 org.owasp.dependencycheck.analyzer.RubyBundleAuditAnalyzer
 org.owasp.dependencycheck.analyzer.ComposerLockAnalyzer
--- a/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties
+++ b/dependency-check-gradle/src/main/resources/META-INF/gradle-plugins/dependency-check.properties
@@ -1,19 +1,15 @@
-#
+# Copyright 2015 OWASP.
 # This file is part of dependency-check-gradle.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
-#     http://www.apache.org/licenses/LICENSE-2.0
+#      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 #
 # Copyright (c) 2015 Wei Ma. All Rights Reserved.
 #
-implementation-class=com.tools.security.plugin.DependencyCheckGradlePlugin
+MERGE_PROPERTY=MERGE INTO properties (id, value) KEY(id) VALUES(?, ?)
--- a/dependency-check-core/src/main/resources/data/dbStatements_mysql.properties
+++ b/dependency-check-core/src/main/resources/data/dbStatements_mysql.properties
@@ -0,0 +1,15 @@
 # Copyright 2015 OWASP.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 MERGE_PROPERTY=CALL save_property(?, ?)
--- a/dependency-check-core/src/main/resources/data/dbStatements_postgreSQL.properties
+++ b/dependency-check-core/src/main/resources/data/dbStatements_postgreSQL.properties
@@ -0,0 +1,16 @@
 # Copyright 2015 OWASP.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #      http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 MERGE_PROPERTY=CALL save_property(?, ?)
 CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id IN (SELECT id FROM cpeEntry LEFT JOIN software ON cpeEntry.id = software.CPEEntryId WHERE software.CPEEntryId IS NULL);
--- a/dependency-check-core/src/main/resources/data/initialize_mysql.sql
+++ b/dependency-check-core/src/main/resources/data/initialize_mysql.sql
@@ -37,4 +37,20 @@ CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
 INSERT INTO properties(id,value) VALUES ('version','2.9');
 CREATE USER 'dcuser' IDENTIFIED BY 'DC-Pass1337!';
-GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
+GRANT SELECT, INSERT, DELETE, UPDATE ON dependencycheck.* TO 'dcuser';
 DROP PROCEDURE IF EXISTS save_property;
 DELIMITER //
 CREATE PROCEDURE save_property
 (IN prop varchar(50), IN val varchar(500))
 BEGIN
 INSERT INTO properties (`id`, `value`) VALUES (prop, val)
 	ON DUPLICATE KEY UPDATE `value`=val;
 END //
 DELIMITER ;
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 UPDATE Properties SET value='3.0' WHERE ID='version';
--- a/dependency-check-core/src/main/resources/data/initialize_postgres.sql
+++ b/dependency-check-core/src/main/resources/data/initialize_postgres.sql
@@ -0,0 +1,53 @@
 CREATE USER dcuser WITH PASSWORD 'DC-Pass1337!';
 DROP TABLE IF EXISTS software;
 DROP TABLE IF EXISTS cpeEntry;
 DROP TABLE IF EXISTS reference;
 DROP TABLE IF EXISTS vulnerability;
 DROP TABLE IF EXISTS properties;
 CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
 CREATE TABLE vulnerability (id SERIAL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
 	description VARCHAR(8000), cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
 	cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
 	cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
 CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
 	CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
 CREATE TABLE cpeEntry (id SERIAL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
 CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
 CREATE INDEX idxVulnerability ON vulnerability(cve);
 CREATE INDEX idxReference ON reference(cveid);
 CREATE INDEX idxCpe ON cpeEntry(cpe);
 CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
 CREATE INDEX idxSoftwareCve ON software(cveid);
 CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
 INSERT INTO properties(id,value) VALUES ('version','2.9');
 GRANT SELECT, INSERT, DELETE, UPDATE ON ALL TABLES IN SCHEMA public TO dcuser;
 GRANT USAGE, SELECT ON ALL SEQUENCES IN SCHEMA public to dcuser;
 DROP FUNCTION IF EXISTS save_property(varchar(50),varchar(500));
 CREATE FUNCTION save_property (IN prop varchar(50), IN val varchar(500))
 RETURNS void
 AS
 $$
 UPDATE properties SET "value"=val WHERE id=prop;
 INSERT INTO properties (id, value)
 	SELECT prop, val
 	WHERE NOT EXISTS (SELECT 1 FROM properties WHERE id=prop);
 $$ LANGUAGE sql;
 GRANT EXECUTE ON FUNCTION public.save_property(varchar(50),varchar(500)) TO dcuser;
 UPDATE Properties SET value='3.0' WHERE ID='version';
--- a/dependency-check-core/src/main/resources/data/upgrade_2.9.sql
+++ b/dependency-check-core/src/main/resources/data/upgrade_2.9.sql
@@ -1,7 +1 @@
-
+UPDATE Properties SET value='3.0' WHERE ID='version';
 --the following is not currently used.
 --ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
 --ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
 --UPDATE cpeEntry SET dictionaryEntry=false;
 --UPDATE Properties SET value='3.0' WHERE ID='version';
--- a/dependency-check-core/src/main/resources/data/upgrade_3.0.sql
+++ b/dependency-check-core/src/main/resources/data/upgrade_3.0.sql
@@ -0,0 +1,7 @@
 --the following is not currently used.
 --ALTER TABLE cpeEntry ADD COLUMN IF NOT EXISTS dictionaryEntry BOOLEAN;
 --ALTER TABLE cpeEntry ALTER COLUMN dictionaryEntry  SET DEFAULT FALSE;
 --UPDATE cpeEntry SET dictionaryEntry=false;
 --UPDATE Properties SET value='3.1' WHERE ID='version';
--- a/dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql
+++ b/dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql
@@ -0,0 +1,15 @@
 DROP PROCEDURE IF EXISTS save_property;
 DELIMITER //
 CREATE PROCEDURE save_property
 (IN prop varchar(50), IN val varchar(500))
 BEGIN
 INSERT INTO properties (`id`, `value`) VALUES (prop, val)
 	ON DUPLICATE KEY UPDATE `value`=val;
 END //
 DELIMITER ;
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 UPDATE properties SET value='3.0' WHERE ID='version';
--- a/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
+++ b/dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml
@@ -161,4 +161,78 @@
        <gav regex="true">.*\bhk2\b.*</gav>
        <cpe>cpe:/a:oracle:glassfish</cpe>
    </suppress>
-</suppressions>
+    <suppress base="true">
        <notes><![CDATA[
        file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
        ]]></notes>
        <gav regex="true">org.ow2.petals:petals-se-camel:.*</gav>
        <cpe>cpe:/a:apache:camel</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Mina gets flagged as apache-ssl
        ]]></notes>
        <gav regex="true">org.apache.mina:mina.*</gav>
        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        Woden gets flagged as apache-ssl
        ]]></notes>
        <gav regex="true">org.apache.woden:woden.*</gav>
        <cpe>cpe:/a:apache-ssl:apache-ssl</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        spec gets flagged as the implementation.
        ]]></notes>
        <gav regex="true">org.apache.geronimo.specs:.*</gav>
        <cpe>cpe:/a:apache:geronimo</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on tomcat-embed-el.
        ]]></notes>
        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
        <cpe>cpe:/a:apache:tomcat</cpe>
        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on tomcat-jdbc.
        ]]></notes>
        <gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
        <cpe>cpe:/a:apache:tomcat</cpe>
        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        This suppresses false positives identified on tomcat-juli.
        ]]></notes>
        <gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
        <cpe>cpe:/a:apache:tomcat</cpe>
        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        suppress false positive per issue #433
        ]]></notes>
        <gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
        <cpe>cpe:/a:google:google_apps:-</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        suppress false positives per issue #437
        ]]></notes>
        <gav regex="true">.*mongodb.*:.*:.*</gav>
        <cpe>cpe:/a:mongodb:mongodb</cpe>
    </suppress>
    <suppress base="true">
        <notes><![CDATA[
        suppress false positives per issue #438
            Note, there will be more false positives for Netty. Trying to figure out a better suppression.
        ]]></notes>
        <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
        <cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
    </suppress>
 </suppressions>
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -18,7 +18,12 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
-data.version=2.9
+
 ### if you increment the DB version then you must increment the database file path
 ### in the mojo.properties, task.properties (maven and ant respectively), and
 ### the gradle PurgeDataExtension.
 data.version=3.0
 data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
@@ -41,13 +46,15 @@ data.driver_path=
 # to update the other files if we are within this timespan. Per NIST this file
 # holds 8 days of updates, we are using 7 just to be safe.
 cve.url.modified.validfordays=7
-
+# the number of hours to wait before checking if updates are available from the NVD.
 cve.check.validforhours=4
 #first year to pull data from the URLs below
 cve.startyear=2002
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
 #cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2002
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
@@ -79,3 +86,22 @@ archive.scan.depth=3
 # use HEAD (default) or GET as HTTP request method for query timestamp
 downloader.quick.query.timestamp=true
 analyzer.jar.enabled=true
 analyzer.archive.enabled=true
 analyzer.node.package.enabled=true
 analyzer.composer.lock.enabled=true
 analyzer.python.distribution.enabled=true
 analyzer.python.package.enabled=true
 analyzer.ruby.gemspec.enabled=true
 analyzer.autoconf.enabled=true
 analyzer.cmake.enabled=true
 analyzer.assembly.enabled=true
 analyzer.nuspec.enabled=true
 analyzer.openssl.enabled=true
 analyzer.central.enabled=true
 analyzer.nexus.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
--- a/dependency-check-core/src/main/resources/schema/suppression.xsd
+++ b/dependency-check-core/src/main/resources/schema/suppression.xsd
@@ -21,7 +21,7 @@
    </xs:simpleType>
    <xs:simpleType name="cveType">
        <xs:restriction base="xs:string">
-            <xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
        </xs:restriction>
    </xs:simpleType>
    <xs:simpleType name="sha1Type">
--- a/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
+++ b/dependency-check-core/src/main/resources/templates/HtmlReport.vsl
@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
    <body>
        <div id="modal-background"></div>
        <div id="modal-content">
-            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
+            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                <textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
                <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
        </div>
@@ -578,6 +578,7 @@ arising out of or in connection with the use of this tool, the analysis performe
                        <td data-sort-value="$sortValue">
                        #set($sortValue="")
                        #foreach($id in $dependency.getIdentifiers())
                            #set($cpeSort=0)
                            #if ($id.type=="maven")
                                #if ($mavenlink=="" || !$mavenlink.url)
                                    #set($mavenlink=$id)
@@ -591,7 +592,6 @@ arising out of or in connection with the use of this tool, the analysis performe
                                #else
                                    $enc.html($id.value)
                                #end
                                #set($cpeSort=0)
                                #if ($cpeIdConf == "")
                                    #set($cpeIdConf=$id.confidence)
                                    #set($cpeSort=$id.confidence.ordinal())
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/BaseDBTestCase.java
@@ -15,7 +15,7 @@
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
-package org.owasp.dependencycheck.data.nvdcve;
+package org.owasp.dependencycheck;
 import java.io.BufferedInputStream;
 import java.io.BufferedOutputStream;
@@ -31,6 +31,8 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 /**
 * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the data
 * contained within.
 *
 * @author Jeremy Long
 */
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/EngineIntegrationTest.java
@@ -34,7 +34,7 @@ public class EngineIntegrationTest extends BaseTest {
    @Before
    public void setUp() throws Exception {
-        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
+        org.owasp.dependencycheck.BaseDBTestCase.ensureDBExists();
    }
    @After
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzerTest.java
@@ -34,7 +34,7 @@ public class AbstractFileTypeAnalyzerTest extends BaseTest {
     */
    @Test
    public void testNewHashSet() {
-        Set result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
+        Set<String> result = AbstractFileTypeAnalyzer.newHashSet("one", "two");
        assertEquals(2, result.size());
        assertTrue(result.contains("one"));
        assertTrue(result.contains("two"));
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
@@ -24,7 +24,7 @@ import static org.junit.Assert.*;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long
 */
-public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class ArchiveAnalyzerIntegrationTest extends BaseDBTestCase {
    /**
     * Test of getSupportedExtensions method, of class ArchiveAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerTest.java
@@ -0,0 +1,80 @@
 /*
 * Copyright 2015 OWASP.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.FileFilter;
 import java.lang.reflect.InvocationTargetException;
 import java.lang.reflect.Method;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import static org.junit.Assert.*;
 import static org.junit.Assume.assumeFalse;
 import static org.junit.Assume.assumeNotNull;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 *
 * @author jeremy
 */
 public class ArchiveAnalyzerTest extends BaseTest {
    @Before
    public void setUp() {
        Settings.setString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, "z2, z3");
    }
    /**
     * Test of analyzeFileType method, of class ArchiveAnalyzer.
     */
    @Test
    public void testZippableExtensions() throws Exception {
        assumeFalse(isPreviouslyLoaded("org.owasp.dependencycheck.analyzer.ArchiveAnalyzer"));
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
        assertTrue(instance.getFileFilter().accept(new File("c:/test.zip")));
        assertTrue(instance.getFileFilter().accept(new File("c:/test.z2")));
        assertTrue(instance.getFileFilter().accept(new File("c:/test.z3")));
        assertFalse(instance.getFileFilter().accept(new File("c:/test.z4")));
    }
    private boolean isPreviouslyLoaded(String className) {
        try {
            Method m = ClassLoader.class.getDeclaredMethod("findLoadedClass", new Class[]{String.class});
            m.setAccessible(true);
            Object t = m.invoke(Thread.currentThread().getContextClassLoader(), className);
            return t != null;
        } catch (NoSuchMethodException ex) {
            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
        } catch (SecurityException ex) {
            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
        } catch (IllegalAccessException ex) {
            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
        } catch (IllegalArgumentException ex) {
            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
        } catch (InvocationTargetException ex) {
            Logger.getLogger(ArchiveAnalyzerTest.class.getName()).log(Level.SEVERE, null, ex);
        }
        return false;
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java
@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
            aanalyzer.initialize();
            fail("Expected an AnalysisException");
        } catch (AnalysisException ae) {
-            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
+            assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
        } finally {
            System.setProperty(LOG_KEY, oldProp);
            // Recover the logger
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java
@@ -33,7 +33,7 @@ import java.util.regex.Pattern;
 import static org.hamcrest.CoreMatchers.equalTo;
 import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.*;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 /**
 * Unit tests for CmakeAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CPEAnalyzerIntegrationTest.java
@@ -19,7 +19,7 @@ package org.owasp.dependencycheck.analyzer;
 import java.io.File;
 import java.io.IOException;
-import java.util.HashSet;
+import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import org.apache.lucene.index.CorruptIndexException;
@@ -28,7 +28,7 @@ import org.junit.Assert;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.dependency.Identifier;
 *
 * @author Jeremy Long
 */
-public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class CPEAnalyzerIntegrationTest extends BaseDBTestCase {
    /**
     * Tests of buildSearch of class CPEAnalyzer.
@@ -49,11 +49,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
     */
    @Test
    public void testBuildSearch() throws IOException, CorruptIndexException, ParseException {
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
        productWeightings.add("struts2");
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
        vendorWeightings.add("apache");
        String vendor = "apache software foundation";
        String product = "struts 2 core";
@@ -238,11 +236,9 @@ public class CPEAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
        CPEAnalyzer instance = new CPEAnalyzer();
        instance.open();
-        Set<String> productWeightings = new HashSet<String>(1);
+        Set<String> productWeightings = Collections.singleton("struts2");
        productWeightings.add("struts2");
-        Set<String> vendorWeightings = new HashSet<String>(1);
+        Set<String> vendorWeightings = Collections.singleton("apache");
        vendorWeightings.add("apache");
        List<IndexEntry> result = instance.searchCPE(vendor, product, productWeightings, vendorWeightings);
        instance.close();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java
@@ -34,13 +34,14 @@ import static org.hamcrest.CoreMatchers.is;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertThat;
 import static org.junit.Assert.assertTrue;
 import org.owasp.dependencycheck.BaseDBTestCase;
 /**
 * Unit tests for NodePackageAnalyzer.
 *
 * @author Dale Visser <dvisser@ida.org>
 */
-public class ComposerLockAnalyzerTest extends BaseTest {
+public class ComposerLockAnalyzerTest extends BaseDBTestCase {
    /**
     * The analyzer to test.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/DependencyBundlingAnalyzerIntegrationTest.java
@@ -18,13 +18,13 @@
 package org.owasp.dependencycheck.analyzer;
 import org.junit.Test;
-import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 /**
 *
 * @author Jeremy Long
 */
-public class DependencyBundlingAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class DependencyBundlingAnalyzerIntegrationTest extends BaseDBTestCase {
    /**
     * Test of analyze method, of class DependencyBundlingAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/HintAnalyzerTest.java
@@ -24,6 +24,7 @@ import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
@@ -33,12 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long
 */
-public class HintAnalyzerTest extends BaseTest {
+public class HintAnalyzerTest extends BaseDBTestCase {
    @Before
    public void setUp() throws Exception {
        org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase.ensureDBExists();
    }
    /**
     * Test of getName method, of class HintAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java
@@ -0,0 +1,109 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2015 Institute for Defense Analyses. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 import java.io.File;
 import static org.hamcrest.CoreMatchers.is;
 import static org.hamcrest.CoreMatchers.not;
 import static org.junit.Assert.assertThat;
 /**
 * Unit tests for {@link RubyBundleAuditAnalyzer}.
 *
 * @author Dale Visser <dvisser@ida.org>
 */
 public class RubyBundleAuditAnalyzerTest extends BaseTest {
    private static final Logger LOGGER = LoggerFactory.getLogger(RubyBundleAuditAnalyzerTest.class);
    /**
     * The analyzer to test.
     */
    RubyBundleAuditAnalyzer analyzer;
    /**
     * Correctly setup the analyzer for testing.
     *
     * @throws Exception thrown if there is a problem
     */
    @Before
    public void setUp() throws Exception {
        try {
            analyzer = new RubyBundleAuditAnalyzer();
            analyzer.setFilesMatched(true);
            analyzer.initialize();
        } catch (Exception e) {
            //LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
        }
    }
    /**
     * Cleanup the analyzer's temp files, etc.
     *
     * @throws Exception thrown if there is a problem
     */
    @After
    public void tearDown() throws Exception {
        analyzer.close();
        analyzer = null;
    }
    /**
     * Test Ruby Gemspec name.
     */
    @Test
    public void testGetName() {
        assertThat(analyzer.getName(), is("Ruby Bundle Audit Analyzer"));
    }
    /**
     * Test Ruby Bundler Audit file support.
     */
    @Test
    public void testSupportsFiles() {
        assertThat(analyzer.accept(new File("Gemfile.lock")), is(true));
    }
    /**
     * Test Ruby BundlerAudit analysis.
     *
     * @throws AnalysisException is thrown when an exception occurs.
     */
    @Test
    public void testAnalysis() throws AnalysisException, DatabaseException {
        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
                "ruby/vulnerable/Gemfile.lock"));
        final Engine engine = new Engine();
        analyzer.analyze(result, engine);
        assertThat(engine.getDependencies().size(), is(not(0)));
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java
@@ -66,7 +66,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
    }
    /**
-     * Test of getName method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec name.
     */
    @Test
    public void testGetName() {
@@ -74,7 +74,7 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
    }
    /**
-     * Test of supportsExtension method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec file support.
     */
    @Test
    public void testSupportsFiles() {
@@ -83,14 +83,14 @@ public class RubyGemspecAnalyzerTest extends BaseTest {
    }
    /**
-     * Test of inspect method, of class PythonDistributionAnalyzer.
+     * Test Ruby Gemspec analysis.
     *
     * @throws AnalysisException is thrown when an exception occurs.
     */
    @Test
    public void testAnalyzePackageJson() throws AnalysisException {
        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/gems/specifications/rest-client-1.7.2.gemspec"));
+                "ruby/vulnerable/gems/specifications/rest-client-1.7.2.gemspec"));
        analyzer.analyze(result, null);
        final String vendorString = result.getVendorEvidence().toString();
        assertThat(vendorString, containsString("REST Client Team"));
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/VulnerabilitySuppressionAnalyzerIntegrationTest.java
@@ -21,9 +21,9 @@ import java.io.File;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.cpe.AbstractDatabaseTestCase;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.Settings;
@@ -32,7 +32,7 @@ import org.owasp.dependencycheck.utils.Settings;
 *
 * @author Jeremy Long
 */
-public class VulnerabilitySuppressionAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
+public class VulnerabilitySuppressionAnalyzerIntegrationTest extends BaseDBTestCase {
    /**
     * Test of getName method, of class VulnerabilitySuppressionAnalyzer.
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/cpe/AbstractDatabaseTestCase.java
@@ -1,37 +0,0 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.data.cpe;
 import org.junit.Before;
 import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
 /**
 * An abstract database test case that is used to ensure the H2 DB exists prior to performing tests that utilize the
 * data contained within.
 *
 * @author Jeremy Long
 */
 public abstract class AbstractDatabaseTestCase extends BaseTest {
    @Before
    public void setUp() throws Exception {
        BaseDBTestCase.ensureDBExists();
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactoryTest.java
@@ -0,0 +1,47 @@
 /*
 * Copyright 2015 OWASP.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *      http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
 package org.owasp.dependencycheck.data.nvdcve;
 import java.sql.Connection;
 import java.sql.SQLException;
 import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import static org.junit.Assert.*;
 import org.owasp.dependencycheck.BaseDBTestCase;
 /**
 *
 * @author jeremy
 */
 public class ConnectionFactoryTest extends BaseDBTestCase {
    /**
     * Test of initialize method, of class ConnectionFactory.
     *
     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException
     */
    @Test
    public void testInitialize() throws DatabaseException, SQLException {
        ConnectionFactory.initialize();
        Connection result = ConnectionFactory.getConnection();
        assertNotNull(result);
        result.close();
        ConnectionFactory.cleanup();
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.HashMap;
 import java.util.List;
 import java.util.Map;
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBMySQLTest.java
@@ -25,7 +25,9 @@ import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 *
@@ -35,10 +37,12 @@ public class CveDBMySQLTest {
    @BeforeClass
    public static void setUpClass() {
        Settings.initialize();
    }
    @AfterClass
    public static void tearDownClass() {
        Settings.cleanup();
    }
    @Before
@@ -93,7 +97,7 @@ public class CveDBMySQLTest {
        CveDB instance = new CveDB();
        try {
            instance.open();
-            List result = instance.getVulnerabilities(cpeStr);
+            List<Vulnerability> result = instance.getVulnerabilities(cpeStr);
            assertTrue(result.size() > 5);
        } catch (Exception ex) {
            System.out.println("Unable to access the My SQL database; verify that the db server is running and that the schema has been generated");
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/DatabasePropertiesIntegrationTest.java
@@ -17,6 +17,7 @@
 */
 package org.owasp.dependencycheck.data.nvdcve;
 import org.owasp.dependencycheck.BaseDBTestCase;
 import java.util.Properties;
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/BaseUpdaterTest.java
@@ -18,7 +18,7 @@
 package org.owasp.dependencycheck.data.update;
 import org.junit.Test;
-import org.owasp.dependencycheck.data.nvdcve.BaseDBTestCase;
+import org.owasp.dependencycheck.BaseDBTestCase;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java
@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
        updateToVersion = "";
        currentVersion = "1.2.5";
        lastChecked = df.parse("2014-12-01").getTime();
-        now = df.parse("2014-12-08").getTime();
+        now = df.parse("2015-12-08").getTime();
        expResult = true;
        instance.setUpdateToVersion(updateToVersion);
        result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/dependency/DependencyTest.java
@@ -185,7 +185,6 @@ public class DependencyTest {
    @Test
    public void testGetIdentifiers() {
        Dependency instance = new Dependency();
        List expResult = null;
        Set<Identifier> result = instance.getIdentifiers();
        assertTrue(true); //this is just a getter setter pair.
--- a/Show More
+++ b/Show More
`@@ -1,2 +1,2 @@`
	`# the path to the data directory`	`# the path to the data directory`
	`data.directory=data`	`data.directory=data/3.0`