version 1.3.4

Upgrades

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/resources/task.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -27,7 +27,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import org.apache.commons.cli.ParseException;
-import org.apache.commons.lang.StringUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -344,7 +344,7 @@ public final class CliParser {
         final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
                 .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .build();
-        
+
         final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
                 .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
                 .desc("The path to bundle-audit for Gem bundle analysis.").build();
@@ -576,7 +576,6 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
     }
 
-
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -29,7 +29,7 @@ public enum AnalysisPhase {
      */
     INITIAL,
     /**
-     * Pre information collection phase
+     * Pre information collection phase.
      */
     PRE_INFORMATION_COLLECTION,
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -235,16 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                 this.setEnabled(false);
                 throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
             }
+        } catch (AnalysisException e) {
+            throw e;
         } catch (Throwable e) {
-            if (e instanceof AnalysisException) {
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                throw (AnalysisException) e;
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-            } else {
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+            this.setEnabled(false);
-                        + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
+            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
-                LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                this.setEnabled(false);
-                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
-            }
         }
         builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -32,8 +32,10 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
@@ -212,8 +214,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                 currentDep.setFilePath(filePath);
 
-                // prevents coalescing into the dependency provided by engine
+                byte[] path;
-                currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                try {
+                    path = filePath.getBytes("UTF-8");
+                } catch (UnsupportedEncodingException ex) {
+                    path = filePath.getBytes();
+                }
+                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                 engine.getDependencies().add(currentDep);
             }
             final String source = currentDep.getDisplayFileName();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
      * process.
      */
     public void open() throws IOException, DatabaseException {
-        cve = new CveDB();
+        if (!isOpen()) {
-        cve.open();
+            cve = new CveDB();
-        cpe = CpeMemoryIndex.getInstance();
+            cve.open();
-        try {
+            cpe = CpeMemoryIndex.getInstance();
-            LOGGER.info("Creating the CPE Index");
+            try {
-            final long creationStart = System.currentTimeMillis();
+                LOGGER.info("Creating the CPE Index");
-            cpe.open(cve);
+                final long creationStart = System.currentTimeMillis();
-            LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+                cpe.open(cve);
-        } catch (IndexException ex) {
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            LOGGER.debug("IndexException", ex);
+            } catch (IndexException ex) {
-            throw new DatabaseException(ex);
+                LOGGER.debug("IndexException", ex);
+                throw new DatabaseException(ex);
+            }
         }
     }
 
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
             }
             return ret;
         } catch (ParseException ex) {
-            LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
             LOGGER.info("Unable to parse: {}", searchString, ex);
         } catch (IOException ex) {
-            LOGGER.warn("An error occured reading CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
             LOGGER.info("IO Error with search string: {}", searchString, ex);
         }
         return null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -320,7 +320,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     foundSomething |= setPomEvidence(dependency, pom, classes);
                 }
             } catch (AnalysisException ex) {
-                LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
+                LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                 LOGGER.trace("", ex);
             }
         }
@@ -835,10 +835,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
 
             if (pos > 0) {
-                final StringBuilder sb = new StringBuilder(pos + 3);
+                desc = desc.substring(0, pos) + "...";
-                sb.append(desc.substring(0, pos));
-                sb.append("...");
-                desc = sb.toString();
             }
             dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
             dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -51,8 +51,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
 
-    private static final FileFilter FILTER =
+    private static final FileFilter FILTER
-            FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+            = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
     public static final String NAME = "Name: ";
     public static final String VERSION = "Version: ";
     public static final String ADVISORY = "Advisory: ";
@@ -113,7 +113,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                     throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
                 } else {
                     final String line = reader.readLine();
-                    if (!line.contains("Errno::ENOENT")) {
+                    if (line == null || !line.contains("Errno::ENOENT")) {
                         LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                         setEnabled(false);
                         throw new AnalysisException("Unexpected bundle-audit output.");
@@ -126,8 +126,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
             }
         }
         if (isEnabled()) {
-            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
+            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
-                    "occasionally to keep its database up to date.");
+                    + "occasionally to keep its database up to date.");
         }
     }
 
@@ -162,8 +162,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
-     * be necessary to disable {@link RubyGemspecAnalyzer}.
+     * to disable {@link RubyGemspecAnalyzer}.
      */
     private boolean needToDisableGemspecAnalyzer = true;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -345,8 +345,8 @@ public final class ConnectionFactory {
                 final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
                 if (current.compareTo(db) > 0) {
-                    LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
+                    LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
-                    LOGGER.debug("DB Schema: " + rs.getString(1));
+                    LOGGER.debug("DB Schema: {}", rs.getString(1));
                     updateSchema(conn, rs.getString(1));
                     if (++callDepth < 10) {
                         ensureSchemaVersion(conn);

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -70,11 +70,11 @@ public class DatabaseProperties {
     /**
      * A collection of properties about the data.
      */
-    private Properties properties;
+    private final Properties properties;
     /**
      * A reference to the database.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
 
     /**
      * Constructs a new data properties object.
@@ -83,13 +83,6 @@ public class DatabaseProperties {
      */
     DatabaseProperties(CveDB cveDB) {
         this.cveDB = cveDB;
-        loadProperties();
-    }
-
-    /**
-     * Loads the properties from the database.
-     */
-    private void loadProperties() {
         this.properties = cveDB.getProperties();
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+
         try {
-            openDatabase();
+            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
-            LOGGER.debug("Begin Engine Version Check");
+                openDatabase();
-            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+                LOGGER.debug("Begin Engine Version Check");
-            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+                final DatabaseProperties properties = cveDB.getDatabaseProperties();
-            final long now = System.currentTimeMillis();
+                final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
-            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+                final long now = System.currentTimeMillis();
-            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+                updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
-            LOGGER.debug("Last checked: {}", lastChecked);
+                final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
-            LOGGER.debug("Now: {}", now);
+                LOGGER.debug("Last checked: {}", lastChecked);
-            LOGGER.debug("Current version: {}", currentVersion);
+                LOGGER.debug("Now: {}", now);
-            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+                LOGGER.debug("Current version: {}", currentVersion);
-            if (updateNeeded) {
+                final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
-                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                if (updateNeeded) {
-                        updateToVersion);
+                    LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                            updateToVersion);
+                }
             }
         } catch (DatabaseException ex) {
             LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
             throw new UpdateException("Error occured updating database properties.");
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
         } finally {
             closeDatabase();
+
         }
     }
 
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
     protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
             String currentVersion) throws UpdateException {
         //check every 30 days if we know there is an update, otherwise check every 7 days
-        int checkRange = 30;
+        final int checkRange = 30;
-        if (updateToVersion.isEmpty()) {
-            checkRange = 7;
-        }
         if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
             LOGGER.debug("Checking web for new version.");
             final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
                     updateToVersion = v.toString();
                     if (!currentRelease.equals(updateToVersion)) {
                         properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
-                    } else {
-                        properties.save(CURRENT_ENGINE_RELEASE, "");
                     }
                     properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
                 }
             }
             LOGGER.debug("Current Release: {}", updateToVersion);
         }
+        if (updateToVersion == null) {
+            LOGGER.debug("Unable to obtain current release");
+            return false;
+        }
         final DependencyVersion running = new DependencyVersion(currentVersion);
         final DependencyVersion released = new DependencyVersion(updateToVersion);
         if (running.compareTo(released) < 0) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -33,6 +35,7 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
+import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -101,7 +104,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         boolean proceed = true;
         // If the valid setting has not been specified, then we proceed to check...
         final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
-        if (0 < validForHours) {
+        if (dataExists() && 0 < validForHours) {
             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
             final long msValid = validForHours * 60L * 60L * 1000L;
             final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
@@ -118,6 +121,24 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         return proceed;
     }
 
+    /**
+     * Checks the CPE Index to ensure documents exists.
+     */
+    private boolean dataExists() {
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            return cve.dataExists();
+        } catch (DatabaseException ex) {
+            return false;
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * A reference to the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * The logger.
      */
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * The list of CPE values.
      */
-    private List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<Cpe>();
 
     /**
      * Returns the list of CPE values.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -80,11 +80,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * The CVE DB to use when processing the files.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
     /**
      * The processor service to pass the results of the download to.
      */
-    private ExecutorService processorService;
+    private final ExecutorService processorService;
     /**
      * The NVD CVE Meta Data.
      */
@@ -92,7 +92,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -155,28 +155,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setSecond(File second) {
         this.second = second;
     }
-    /**
-     * A placeholder for an exception.
-     */
-    private Exception exception = null;
-
-    /**
-     * Get the value of exception.
-     *
-     * @return the value of exception
-     */
-    public Exception getException() {
-        return exception;
-    }
-
-    /**
-     * returns whether or not an exception occurred during download.
-     *
-     * @return whether or not an exception occurred during download
-     */
-    public boolean hasException() {
-        return exception != null;
-    }
 
     @Override
     public Future<ProcessTask> call() throws Exception {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
                 software = null;
             }
         } else if (!skip && current.isProdNode()) {
-
             vendor = attributes.getValue("vendor");
             product = attributes.getValue("name");
         } else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
                 /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
                  purposes this is good enough as we won't use this if we don't find a corresponding "a"
                  in the nvd cve 2.0. */
-                String cpe = "cpe:/a:" + vendor + ":" + product;
+                final int cpeLen = 8 + vendor.length() + product.length()
+                    + (null != num ? (1 + num.length()) : 0)
+                    + (null != edition ? (1 + edition.length()) : 0);
+                final StringBuilder cpe = new StringBuilder(cpeLen);
+                cpe.append("cpe:/a:").append(vendor).append(':').append(product);
                 if (num != null) {
-                    cpe += ':' + num;
+                    cpe.append(':').append(num);
                 }
                 if (edition != null) {
-                    cpe += ':' + edition;
+                    cpe.append(':').append(edition);
                 }
                 final VulnerableSoftware vs = new VulnerableSoftware();
-                vs.setCpe(cpe);
+                vs.setCpe(cpe.toString());
                 vs.setPreviousVersion(prev);
                 software.add(vs);
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Constructs a new ProcessTask used to process an NVD CVE update.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java

@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
  *
  * @author Jeremy Long
  */
-public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
+public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
 
     /**
      * A collection of sources of data.
      */
-    private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
      * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java

@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
 
     /**
      * Get the value of suppressionRules.

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.suppression;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -268,8 +267,8 @@ public class SuppressionRule {
     }
 
     /**
-     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
-     * resulting report in the "suppressed" section.
+     * report in the "suppressed" section.
      */
     private boolean base;
 
@@ -292,8 +291,8 @@ public class SuppressionRule {
     }
 
     /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
-     * should be, they are removed from the dependency.
+     * are removed from the dependency.
      *
      * @param dependency a project dependency to analyze
      */
@@ -382,7 +381,24 @@ public class SuppressionRule {
      * @return true if the property type does not specify a version; otherwise false
      */
     boolean cpeHasNoVersion(PropertyType c) {
-        return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
+        return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
+    }
+
+    /**
+     * Counts the number of occurrences of the character found within the string.
+     *
+     * @param str the string to check
+     * @param c the character to count
+     * @return the number of times the character is found in the string
+     */
+    int countCharacter(String str, char c) {
+        int count = 0;
+        int pos = str.indexOf(c) + 1;
+        while (pos > 0) {
+            count += 1;
+            pos = str.indexOf(c, pos) + 1;
+        }
+        return count;
     }
 
     /**
@@ -417,7 +433,7 @@ public class SuppressionRule {
      */
     @Override
     public String toString() {
-        final StringBuilder sb = new StringBuilder();
+        final StringBuilder sb = new StringBuilder(64);
         sb.append("SuppressionRule{");
         if (filePath != null) {
             sb.append("filePath=").append(filePath).append(',');

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -50,7 +50,7 @@ public abstract class Filter<T> {
             if (next == null) {
                 throw new NoSuchElementException();
             }
-            T returnValue = next;
+            final T returnValue = next;
             toNext();
             return returnValue;
         }
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
         private void toNext() {
             next = null;
             while (iterator.hasNext()) {
-                T item = iterator.next();
+                final T item = iterator.next();
                 if (item != null && passes(item)) {
                     next = item;
                     break;

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java

@@ -241,7 +241,7 @@ public class Model {
     /**
      * The list of licenses.
      */
-    private List<License> licenses = new ArrayList<License>();
+    private final List<License> licenses = new ArrayList<License>();
 
     /**
      * Returns the list of licenses.

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java

@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
     /**
      * The pom model.
      */
-    private Model model = new Model();
+    private final Model model = new Model();
 
     /**
      * Returns the model obtained from the pom.xml.

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -12,4 +12,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -189,4 +189,50 @@
         <gav regex="true">org.apache.geronimo.specs:.*</gav>
         <cpe>cpe:/a:apache:geronimo</cpe>
     </suppress>
-</suppressions>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-embed-el.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-jdbc.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-juli.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positive per issue #433
+        ]]></notes>
+        <gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
+        <cpe>cpe:/a:google:google_apps:-</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #437
+        ]]></notes>
+        <gav regex="true">.*mongodb.*:.*:.*</gav>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #438
+            Note, there will be more false positives for Netty. Trying to figure out a better suppression.
+        ]]></notes>
+        <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
+        <cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
+    </suppress>
+</suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,8 +18,13 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
+
+### if you increment the DB version then you must increment the database file path
+### in the mojo.properties, task.properties (maven and ant respectively), and
+### the gradle PurgeDataExtension.
 data.version=3.0
-data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
+
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
 # user name and password for the database connection. The inherent case is to use H2.

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <body>
         <div id="modal-background"></div>
         <div id="modal-content">
-            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
+            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                 <textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
                 <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
         </div>

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java

@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
             aanalyzer.initialize();
             fail("Expected an AnalysisException");
         } catch (AnalysisException ae) {
-            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
+            assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
         } finally {
             System.setProperty(LOG_KEY, oldProp);
             // Recover the logger

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java

@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
         updateToVersion = "";
         currentVersion = "1.2.5";
         lastChecked = df.parse("2014-12-01").getTime();
-        now = df.parse("2014-12-08").getTime();
+        now = df.parse("2015-12-08").getTime();
         expResult = true;
         instance.setUpdateToVersion(updateToVersion);
         result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

dependency-check-maven/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>
@@ -204,6 +204,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <groupId>org.apache.maven.reporting</groupId>
             <artifactId>maven-reporting-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.sonatype.plexus</groupId>
+            <artifactId>plexus-sec-dispatcher</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
         name = "aggregate",
         defaultPhase = LifecyclePhase.VERIFY,
         /*aggregator = true,*/
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )
@@ -107,7 +107,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                         getLog().debug(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
                     }
                 } catch (AnalysisException ex) {
-                    getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
+                    getLog().warn("An error occurred grouping the dependencies; duplicate entries may exist in the report", ex);
                     getLog().debug("Bundling Exception", ex);
                 }
 

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -33,11 +33,13 @@ import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.apache.maven.settings.Proxy;
+import org.apache.maven.settings.Server;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -48,6 +50,9 @@ import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
+import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
 
 /**
  *
@@ -105,7 +110,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * is true.
      */
     @SuppressWarnings("CanBeFinal")
-    @Parameter(property = "autoupdate")
+    @Parameter(property = "autoUpdate")
     private Boolean autoUpdate;
     /**
      * Generate aggregate reports in multi-module projects.
@@ -262,6 +267,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
     private String databaseDriverPath;
+    /**
+     * The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
+     */
+    @Parameter(property = "serverId", defaultValue = "", required = false)
+    private String serverId;
+    /**
+     * A reference to the settings.xml settings.
+     */
+    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
+    private org.apache.maven.settings.Settings settingsXml;
+    /**
+     * The security dispatcher that can decrypt passwords in the settings.xml.
+     */
+    @Component(role = SecDispatcher.class, hint = "default")
+    private SecDispatcher securityDispatcher;
     /**
      * The database user name.
      */
@@ -677,9 +697,49 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+
+        if (databaseUser == null && databasePassword == null && serverId != null) {
+            final Server server = settingsXml.getServer(serverId);
+            if (server != null) {
+                databaseUser = server.getUsername();
+                try {
+                    //The following fix was copied from:
+                    //   https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
+                    //
+                    // FIX to resolve
+                    // org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
+                    // java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
+                    //
+                    if (securityDispatcher instanceof DefaultSecDispatcher) {
+                        ((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
+                    }
+
+                    databasePassword = securityDispatcher.decrypt(server.getPassword());
+                } catch (SecDispatcherException ex) {
+                    if (ex.getCause() instanceof FileNotFoundException
+                            || (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
+                        //maybe its not encrypted?
+                        final String tmp = server.getPassword();
+                        if (tmp.startsWith("{") && tmp.endsWith("}")) {
+                            getLog().error(String.format(
+                                    "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                    serverId, ex.getMessage()));
+                        } else {
+                            databasePassword = tmp;
+                        }
+                    } else {
+                        getLog().error(String.format(
+                                "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                serverId, ex.getMessage()));
+                    }
+                }
+            } else {
+                getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
+            }
+        }
+
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-
         Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "check",
         defaultPhase = LifecyclePhase.VERIFY,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java

@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "purge",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "update-only",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/resources/mojo.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=[JAR]/../../dependency-check-data
+data.directory=[JAR]/../../dependency-check-data/3.0

dependency-check-maven/src/site/markdown/configuration.md

@@ -71,6 +71,7 @@ dataDirectory        | Sets the data directory to hold SQL CVEs contents. This s
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  
 connectionString     | The connection string used to connect to the database.                                      |  
+serverId             | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. |  
 databaseUser         | The username used when connecting to the database.                                          |  
 databasePassword     | The password used when connecting to the database.                                          |  
 metaFileName         | Sets the name of the file to use for storing the metadata about the project.                | dependency-check.ser

dependency-check-utils/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.4</version>
     </parent>
 
     <artifactId>dependency-check-utils</artifactId>

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.3.2</version>
+    <version>1.3.4</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -129,7 +129,7 @@ Copyright (c) 2012 - Jeremy Long
         <logback.version>1.1.3</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
-        <reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
+        <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
     </properties>
     <distributionManagement>
         <snapshotRepository>
@@ -170,7 +170,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>2.6.1</version>
+                    <version>3.0.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-failsafe-plugin</artifactId>
-                    <version>2.19</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -230,7 +230,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.18.1</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -240,12 +240,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-source-plugin</artifactId>
-                    <version>2.2.1</version>
+                    <version>2.4</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-javadoc-plugin</artifactId>
-                    <version>2.9.1</version>
+                    <version>2.10.3</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -472,7 +472,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-report-plugin</artifactId>
-                <version>2.19</version>
+                <version>2.19.1</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -496,7 +496,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>findbugs-maven-plugin</artifactId>
-                <version>3.0.2</version>
+                <version>3.0.3</version>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -562,12 +562,13 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.4</version>
+                <!--upgrading beyond this may cause issues with the Jenkins plugin-->
+                <version>3.3.2</version>
             </dependency>
             <dependency>
                 <groupId>com.sun.mail</groupId>
                 <artifactId>mailapi</artifactId>
-                <version>1.5.4</version>
+                <version>1.5.5</version>
             </dependency>
             <dependency>
                 <groupId>ch.qos.logback</groupId>
@@ -660,6 +661,11 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>velocity</artifactId>
                 <version>1.7</version>
             </dependency>
+            <dependency>
+                <groupId>org.sonatype.plexus</groupId>
+                <artifactId>plexus-sec-dispatcher</artifactId>
+                <version>1.4</version>
+            </dependency>
             <dependency>
                 <groupId>org.glassfish</groupId>
                 <artifactId>javax.json</artifactId>
@@ -674,7 +680,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.jmockit</groupId>
                 <artifactId>jmockit</artifactId>
-                <version>1.20</version>
+                <version>1.21</version>
                 <scope>test</scope>
             </dependency>
             <dependency>

src/site/markdown/dependency-check-gradle/configuration.md

@@ -17,7 +17,7 @@ autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is ena
 cveValidForHours     | Sets the number of hours to wait before checking for new updates from the NVD.                                     | 4
 failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. | 11
 format               | The report format to be generated (HTML, XML, VULN, ALL).                                                          | HTML
-reportsDirName       | The location to write the report(s). This directory will be located in the build directory.                        | reports
+outputDirectory      | The location to write the report(s). This directory will be located in the build directory.                        | build/reports
 skipTestGroups       | When set to true (the default) all dependency groups that being with 'test' will be skipped.                       | true
 suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)       |  
 
@@ -81,7 +81,7 @@ dependencyCheck {
 ### Analyzer Configuration
 
 In addition to the above, the dependencyCheck plugin can be configured to enable or disable specific
-analyzers by configuring the `analyzer` section. Note, specific file type analyzers will automatically
+analyzers by configuring the `analyzers` section. Note, specific file type analyzers will automatically
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
@@ -109,7 +109,7 @@ pathToMono            | The path to Mono for .NET assembly analysis on non-windo
 #### Example
 ```groovy
 dependencyCheck {
-    analyzer {
+    analyzers {
         assemblyEnabled=false
     }
 }

src/site/markdown/dependency-check-gradle/index.md.vm

@@ -12,6 +12,8 @@ seven days the update will only take a few seconds.
 
 #set( $H = '#' )
 
+$H$H Quick Start
+
 $H$H$H Step 1, Apply dependency-check-gradle plugin
 Install from Maven central repo
 
@@ -25,7 +27,7 @@ buildscript {
     }
 }
 
-apply plugin: 'dependencyCheck'
+apply plugin: 'org.owasp.dependencycheck'
 ```
 
 $H$H$H Step 2, Run the dependencyCheck task
@@ -36,9 +38,14 @@ Once gradle plugin applied, run following gradle task to check dependencies:
 gradle dependencyCheck --info
 ```
 
-The reports will be generated automatically under `buildDir/reports` folder.
+The reports will be generated automatically under `build/reports` folder.
 
 
+$H$H Task Configuration
+The OWASP dependency-check-gradle plugin contains three tasks: [dependencyCheck](configuration.html),
+[dependencyCheckUpdate](configuration-update.html), and [dependencyCheckPurge](configuration-purge.html).
+Please see each tasks configuration page for more information.
+
 Mailing List
 ------------
 

src/site/site.xml

@@ -74,7 +74,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
         </breadcrumbs>
 
         <menu name="OWASP dependency-check">
-            <item collapse="false" name="General" href="./index.html">
+            <item collapse="true" name="General" href="./index.html">
                 <item name="How it Works" href="./general/internals.html">
                     <description>How does dependency-check work?</description>
                 </item>
@@ -156,9 +156,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 </item>
                 <item collapse="true" name="Gradle Plugin" href="./dependency-check-gradle/index.html">
                     <description>Gradle plugin for OWASP dependency-check.</description>
-                    <item name="dependencyCheck" href="./dependency-check-gradle/configuration.html" />
+                    <item name="Check Task" href="./dependency-check-gradle/configuration.html" />
-                    <item name="dependencyCheckUpdate" href="./dependency-check-gradle/configuration-update.html" />
+                    <item name="Update Task" href="./dependency-check-gradle/configuration-update.html" />
-                    <item name="dependencyCheckPurge" href="./dependency-check-gradle/configuration-purge.html" />
+                    <item name="Purge Task" href="./dependency-check-gradle/configuration-purge.html" />
                 </item>
                 <item name="Jenkins Plugin" href="./dependency-check-jenkins/index.html">
                     <description>A Jenkins plugin for OWASP dependency-check.</description>