v1.3.5

Upgrade for Maven Site Plugin 3.5

README.md

@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
  * returned by this class.
  *
  * @author colezlaw

dependency-check-ant/src/main/resources/task.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0

dependency-check-ant/src/site/site.xml

@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="dependency-check" href="../index.html"/>
         </breadcrumbs>
         <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
             <item name="Configuration" href="configuration.html"/>
         </menu>
         <menu ref="reports" />

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -27,7 +27,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import org.apache.commons.cli.ParseException;
-import org.apache.commons.lang.StringUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -344,7 +344,7 @@ public final class CliParser {
         final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
                 .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .build();
-        
+
         final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
                 .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
                 .desc("The path to bundle-audit for Gem bundle analysis.").build();
@@ -576,7 +576,6 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
     }
 
-
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -454,6 +454,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.0</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
  *
  * <h2>Example:</h2>
  * <pre>
- * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
  * scan.execute();
  * </pre>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
      * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
-     *
-     * @return the file filter used to determine which files are to be analyzed
-     * <p/>
      * <p>
      * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
      * loaded.</p>
+     *
+     * @return the file filter used to determine which files are to be analyzed
      */
     protected abstract FileFilter getFileFilter();
 
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
      * declaration.</p>
-     * <p/>
      * <p>
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -29,7 +29,7 @@ public enum AnalysisPhase {
      */
     INITIAL,
     /**
-     * Pre information collection phase
+     * Pre information collection phase.
      */
     PRE_INFORMATION_COLLECTION,
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -235,16 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                 this.setEnabled(false);
                 throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
             }
+        } catch (AnalysisException e) {
+            throw e;
         } catch (Throwable e) {
-            if (e instanceof AnalysisException) {
-                throw (AnalysisException) e;
-            } else {
-                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                        + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-                LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                this.setEnabled(false);
-                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
-            }
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
+            this.setEnabled(false);
+            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
         }
         builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
  * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
  * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
  */
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
@@ -40,14 +41,13 @@ import java.util.regex.Pattern;
 /**
  * <p>
  * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
- * <p/>
  * <p>
  * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
  * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
  * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -212,8 +212,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                 currentDep.setFilePath(filePath);
 
-                // prevents coalescing into the dependency provided by engine
-                currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                byte[] path;
+                try {
+                    path = filePath.getBytes("UTF-8");
+                } catch (UnsupportedEncodingException ex) {
+                    path = filePath.getBytes();
+                }
+                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                 engine.getDependencies().add(currentDep);
             }
             final String source = currentDep.getDisplayFileName();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
      * process.
      */
     public void open() throws IOException, DatabaseException {
-        cve = new CveDB();
-        cve.open();
-        cpe = CpeMemoryIndex.getInstance();
-        try {
-            LOGGER.info("Creating the CPE Index");
-            final long creationStart = System.currentTimeMillis();
-            cpe.open(cve);
-            LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-        } catch (IndexException ex) {
-            LOGGER.debug("IndexException", ex);
-            throw new DatabaseException(ex);
+        if (!isOpen()) {
+            cve = new CveDB();
+            cve.open();
+            cpe = CpeMemoryIndex.getInstance();
+            try {
+                LOGGER.info("Creating the CPE Index");
+                final long creationStart = System.currentTimeMillis();
+                cpe.open(cve);
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+            } catch (IndexException ex) {
+                LOGGER.debug("IndexException", ex);
+                throw new DatabaseException(ex);
+            }
         }
     }
 
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
             }
             return ret;
         } catch (ParseException ex) {
-            LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
             LOGGER.info("Unable to parse: {}", searchString, ex);
         } catch (IOException ex) {
-            LOGGER.warn("An error occured reading CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
             LOGGER.info("IO Error with search string: {}", searchString, ex);
         }
         return null;
@@ -479,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -44,27 +44,27 @@ import java.security.MessageDigest;
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
 
     /**
-     * The analyzer name
+     * The analyzer name.
      */
     private static final String ANALYZER_NAME = "Composer.lock analyzer";
 
     /**
-     * composer.json
+     * composer.json.
      */
     private static final String COMPOSER_LOCK = "composer.lock";
 
     /**
-     * The FileFilter
+     * The FileFilter.
      */
     private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
 
     /**
-     * Returns the FileFilter
+     * Returns the FileFilter.
      *
      * @return the FileFilter
      */
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Initializes the analyzer
+     * Initializes the analyzer.
      *
-     * @throws Exception
+     * @throws Exception thrown if an exception occurs getting an instance of SHA1
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws Exception {
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * The MessageDigest for calculating a new digest for the new dependencies added
+     * The MessageDigest for calculating a new digest for the new dependencies added.
      */
     private MessageDigest sha1 = null;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -320,7 +321,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     foundSomething |= setPomEvidence(dependency, pom, classes);
                 }
             } catch (AnalysisException ex) {
-                LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
+                LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                 LOGGER.trace("", ex);
             }
         }
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
             final Manifest manifest = jar.getManifest();
-
             if (manifest == null) {
                 //don't log this for javadoc or sources jar files
                 if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 }
                 return false;
             }
-            final Attributes atts = manifest.getMainAttributes();
-
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
 
-            final String source = "Manifest";
-
+            String source = "Manifest";
             String specificationVersion = null;
             boolean hasImplementationVersion = false;
 
+            Attributes atts = manifest.getMainAttributes();
             for (Entry<Object, Object> entry : atts.entrySet()) {
                 String key = entry.getKey().toString();
                 String value = atts.getValue(key);
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 //                    addMatchingValues(classInformation, value, productEvidence);
                 } else {
                     key = key.toLowerCase();
-
                     if (!IGNORE_KEYS.contains(key)
                             && !key.endsWith("jdk")
                             && !key.contains("lastmodified")
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                         foundSomething = true;
                         if (key.contains("version")) {
                             if (!key.contains("specification")) {
-                                //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
-                                //} else {
                                 versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                             }
                         } else if ("build-id".equals(key)) {
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     }
                 }
             }
+
+            final Map<String, Attributes> entries = manifest.getEntries();
+            for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
+                final String name = it.next();
+                source = "manifest: " + name;
+                atts = entries.get(name);
+                for (Entry<Object, Object> entry : atts.entrySet()) {
+                    final String key = entry.getKey().toString();
+                    final String value = atts.getValue(key);
+                    if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+                        foundSomething = true;
+                        versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
+                        foundSomething = true;
+                        vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, vendorEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    }
+                }
+            }
             if (specificationVersion != null && !hasImplementationVersion) {
                 foundSomething = true;
-                versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+                versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
             }
         } finally {
             if (jar != null) {
@@ -835,10 +856,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
 
             if (pos > 0) {
-                final StringBuilder sb = new StringBuilder(pos + 3);
-                sb.append(desc.substring(0, pos));
-                sb.append("...");
-                desc = sb.toString();
+                desc = desc.substring(0, pos) + "...";
             }
             dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
             dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
@@ -1014,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final String text = value.toLowerCase();
         for (ClassNameInformation cni : classes) {
             for (String key : cni.getPackageStructure()) {
-                if (text.contains(key)) { //note, package structure elements are already lowercase.
+                final Pattern p = Pattern.compile("\b" + key + "\b");
+                if (p.matcher(text).find()) {
+                    //if (text.contains(key)) { //note, package structure elements are already lowercase.
                     evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -43,7 +43,7 @@ import javax.json.JsonValue;
  * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
  * associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze OpenSSL source code present in the file system.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
  * to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -35,7 +35,7 @@ import java.util.*;
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
 
-    private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+    private static final FileFilter FILTER
+            = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
     public static final String NAME = "Name: ";
     public static final String VERSION = "Version: ";
     public static final String ADVISORY = "Advisory: ";
@@ -113,7 +113,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                     throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
                 } else {
                     final String line = reader.readLine();
-                    if (!line.contains("Errno::ENOENT")) {
+                    if (line == null || !line.contains("Errno::ENOENT")) {
                         LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                         setEnabled(false);
                         throw new AnalysisException("Unexpected bundle-audit output.");
@@ -126,8 +126,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
             }
         }
         if (isEnabled()) {
-            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
-                    "occasionally to keep its database up to date.");
+            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
+                    + "occasionally to keep its database up to date.");
         }
     }
 
@@ -162,8 +162,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
-     * be necessary to disable {@link RubyGemspecAnalyzer}.
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
+     * to disable {@link RubyGemspecAnalyzer}.
      */
     private boolean needToDisableGemspecAnalyzer = true;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
- * Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
+ * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
+ * expressions are used to parse the well-defined Ruby syntax that forms the specification.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     private static final String GEMSPEC = "gemspec";
 
-    private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+    private static final FileFilter FILTER
+            = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
 
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The capture group #1 is the block variable.
      */
-    private static final Pattern GEMSPEC_BLOCK_INIT =
-            Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+    private static final Pattern GEMSPEC_BLOCK_INIT
+            = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private void addListEvidence(EvidenceCollection evidences, String contents,
-                                 String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
         if (matcher.find()) {
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private String addStringEvidence(EvidenceCollection evidences, String contents,
-                                     String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
         String value = "";

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes related to searching Maven Central.<br/><br/>
+ * Contains classes related to searching Maven Central.<br><br>
  *
  * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
      *
-     * @return a HashMap of CWE entries <String, String>
+     * @return a HashMap of CWE entries &lt;String, String&gt;
      */
     public HashMap<String, String> getCwe() {
         return cwe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p>
  * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
  * <p>
- * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
+ * <b>Example:</b> "Spring Framework Core" -&gt; "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
  * <p>
  * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
  * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -&gt; "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long
  */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
+
     /**
      * Constructs a new VersionTokenizingFilter.
      *
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * concatenating tokens with the previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
+     * tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to searching a Nexus repository.<br/><br/>
+ * Contains classes related to searching a Nexus repository.<br><br>
  *
  * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to parsing Nuget related files<br/><br/>
+ * Contains classes related to parsing Nuget related files<br><br>
  * These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
  */
 package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -276,10 +276,13 @@ public final class ConnectionFactory {
      * execute it against the database. The upgrade script must update the 'version' in the properties table.
      *
      * @param conn the database connection object
-     * @param schema the current schema version that is being upgraded
+     * @param appExpectedVersion the schema version that the application expects
+     * @param currentDbVersion the current schema version of the database
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
-    private static void updateSchema(Connection conn, String schema) throws DatabaseException {
+    private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
+            throws DatabaseException {
+
         final String databaseProductName;
         try {
             databaseProductName = conn.getMetaData().getDatabaseProductName();
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
             InputStream is = null;
             String updateFile = null;
             try {
-                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
                 is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
                 if (is == null) {
                     throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
                     statement = conn.createStatement();
                     final boolean success = statement.execute(dbStructureUpdate);
                     if (!success && statement.getUpdateCount() <= 0) {
-                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
+                                currentDbVersion.toString()));
                     }
                 } catch (SQLException ex) {
                     LOGGER.debug("", ex);
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
                 IOUtils.closeQuietly(is);
             }
         } else {
-            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
-            throw new DatabaseException("Database schema is out of date");
+            final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
+            final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
+            final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
+            final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+            if (e0 == c0 && e1 < c1) {
+                LOGGER.warn("A new version of dependency-check is available; consider upgrading");
+                Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            } else if (e0 == c0 && e1 == c1) {
+                //do nothing - not sure how we got here, but just incase...
+            } else {
+                LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
+                        UPGRADE_HELP_URL);
+                throw new DatabaseException("Database schema is out of date");
+            }
         }
     }
 
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                if (current.compareTo(db) > 0) {
-                    LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
-                    LOGGER.debug("DB Schema: " + rs.getString(1));
-                    updateSchema(conn, rs.getString(1));
+                if (appDbVersion.compareTo(db) > 0) {
+                    LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
+                    LOGGER.debug("DB Schema: {}", rs.getString(1));
+                    updateSchema(conn, appDbVersion, db);
                     if (++callDepth < 10) {
                         ensureSchemaVersion(conn);
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -70,11 +70,11 @@ public class DatabaseProperties {
     /**
      * A collection of properties about the data.
      */
-    private Properties properties;
+    private final Properties properties;
     /**
      * A reference to the database.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
 
     /**
      * Constructs a new data properties object.
@@ -83,13 +83,6 @@ public class DatabaseProperties {
      */
     DatabaseProperties(CveDB cveDB) {
         this.cveDB = cveDB;
-        loadProperties();
-    }
-
-    /**
-     * Loads the properties from the database.
-     */
-    private void loadProperties() {
         this.properties = cveDB.getProperties();
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+
         try {
-            openDatabase();
-            LOGGER.debug("Begin Engine Version Check");
-            final DatabaseProperties properties = cveDB.getDatabaseProperties();
-            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
-            final long now = System.currentTimeMillis();
-            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
-            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
-            LOGGER.debug("Last checked: {}", lastChecked);
-            LOGGER.debug("Now: {}", now);
-            LOGGER.debug("Current version: {}", currentVersion);
-            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
-            if (updateNeeded) {
-                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
-                        updateToVersion);
+            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
+                openDatabase();
+                LOGGER.debug("Begin Engine Version Check");
+                final DatabaseProperties properties = cveDB.getDatabaseProperties();
+                final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+                final long now = System.currentTimeMillis();
+                updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+                final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+                LOGGER.debug("Last checked: {}", lastChecked);
+                LOGGER.debug("Now: {}", now);
+                LOGGER.debug("Current version: {}", currentVersion);
+                final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+                if (updateNeeded) {
+                    LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                            updateToVersion);
+                }
             }
         } catch (DatabaseException ex) {
             LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
             throw new UpdateException("Error occured updating database properties.");
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
         } finally {
             closeDatabase();
+
         }
     }
 
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
     protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
             String currentVersion) throws UpdateException {
         //check every 30 days if we know there is an update, otherwise check every 7 days
-        int checkRange = 30;
-        if (updateToVersion.isEmpty()) {
-            checkRange = 7;
-        }
+        final int checkRange = 30;
         if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
             LOGGER.debug("Checking web for new version.");
             final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
                     updateToVersion = v.toString();
                     if (!currentRelease.equals(updateToVersion)) {
                         properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
-                    } else {
-                        properties.save(CURRENT_ENGINE_RELEASE, "");
                     }
                     properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
                 }
             }
             LOGGER.debug("Current Release: {}", updateToVersion);
         }
+        if (updateToVersion == null) {
+            LOGGER.debug("Unable to obtain current release");
+            return false;
+        }
         final DependencyVersion running = new DependencyVersion(currentVersion);
         final DependencyVersion released = new DependencyVersion(updateToVersion);
         if (running.compareTo(released) < 0) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -66,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            if (checkUpdate()) {
+            boolean autoUpdate = true;
+            try {
+                autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+            } catch (InvalidSettingException ex) {
+                LOGGER.debug("Invalid setting for auto-update; using true.");
+            }
+            if (autoUpdate && checkUpdate()) {
                 final UpdateableNvdCve updateable = getUpdatesNeeded();
                 if (updateable.isUpdateNeeded()) {
                     performUpdate(updateable);
@@ -101,7 +109,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         boolean proceed = true;
         // If the valid setting has not been specified, then we proceed to check...
         final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
-        if (0 < validForHours) {
+        if (dataExists() && 0 < validForHours) {
             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
             final long msValid = validForHours * 60L * 60L * 1000L;
             final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
@@ -118,6 +126,26 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         return proceed;
     }
 
+    /**
+     * Checks the CVE Index to ensure data exists and analysis can continue.
+     *
+     * @return true if the database contains data
+     */
+    private boolean dataExists() {
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            return cve.dataExists();
+        } catch (DatabaseException ex) {
+            return false;
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * A reference to the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * The logger.
      */
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * The list of CPE values.
      */
-    private List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<Cpe>();
 
     /**
      * Returns the list of CPE values.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes used to parse the CPE XML file from NIST.<br/><br/>
+ * Contains classes used to parse the CPE XML file from NIST.<br><br>
  *
  * These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
  * we may consider pulling the more descriptive data from the CPE data in the future.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
@@ -80,11 +81,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * The CVE DB to use when processing the files.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
     /**
      * The processor service to pass the results of the download to.
      */
-    private ExecutorService processorService;
+    private final ExecutorService processorService;
     /**
      * The NVD CVE Meta Data.
      */
@@ -92,7 +93,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -155,28 +156,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setSecond(File second) {
         this.second = second;
     }
-    /**
-     * A placeholder for an exception.
-     */
-    private Exception exception = null;
-
-    /**
-     * Get the value of exception.
-     *
-     * @return the value of exception
-     */
-    public Exception getException() {
-        return exception;
-    }
-
-    /**
-     * returns whether or not an exception occurred during download.
-     *
-     * @return whether or not an exception occurred during download
-     */
-    public boolean hasException() {
-        return exception != null;
-    }
 
     @Override
     public Future<ProcessTask> call() throws Exception {
@@ -198,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                 LOGGER.debug("", ex);
                 return null;
             }
-            if (url1.toExternalForm().endsWith(".xml.gz")) {
+            if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
                 extractGzip(first);
             }
-            if (url2.toExternalForm().endsWith(".xml.gz")) {
+            if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
                 extractGzip(second);
             }
 
             LOGGER.info("Download Complete for NVD CVE - {}  ({} ms)", nvdCveInfo.getId(),
-                System.currentTimeMillis() - startDownload);
+                    System.currentTimeMillis() - startDownload);
             if (this.processorService == null) {
                 return null;
             }
@@ -248,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         }
     }
 
+    /**
+     * Checks the file header to see if it is an XML file.
+     *
+     * @param file the file to check
+     * @return true if the file is XML
+     */
+    public static boolean isXml(File file) {
+        if (file == null || !file.isFile()) {
+            return false;
+        }
+        InputStream is = null;
+        try {
+            is = new FileInputStream(file);
+
+            final byte[] buf = new byte[5];
+            int read = 0;
+            try {
+                read = is.read(buf);
+            } catch (IOException ex) {
+                return false;
+            }
+            return read == 5
+                    && buf[0] == '<'
+                    && (buf[1] == '?')
+                    && (buf[2] == 'x' || buf[2] == 'X')
+                    && (buf[3] == 'm' || buf[3] == 'M')
+                    && (buf[4] == 'l' || buf[4] == 'L');
+        } catch (FileNotFoundException ex) {
+            return false;
+        } finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {
+                }
+            }
+        }
+    }
+
     /**
      * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
                 software = null;
             }
         } else if (!skip && current.isProdNode()) {
-
             vendor = attributes.getValue("vendor");
             product = attributes.getValue("name");
         } else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
                 /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
                  purposes this is good enough as we won't use this if we don't find a corresponding "a"
                  in the nvd cve 2.0. */
-                String cpe = "cpe:/a:" + vendor + ":" + product;
+                final int cpeLen = 8 + vendor.length() + product.length()
+                    + (null != num ? (1 + num.length()) : 0)
+                    + (null != edition ? (1 + edition.length()) : 0);
+                final StringBuilder cpe = new StringBuilder(cpeLen);
+                cpe.append("cpe:/a:").append(vendor).append(':').append(product);
                 if (num != null) {
-                    cpe += ':' + num;
+                    cpe.append(':').append(num);
                 }
                 if (edition != null) {
-                    cpe += ':' + edition;
+                    cpe.append(':').append(edition);
                 }
                 final VulnerableSoftware vs = new VulnerableSoftware();
-                vs.setCpe(cpe);
+                vs.setCpe(cpe.toString());
                 vs.setPreviousVersion(prev);
                 software.add(vs);
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Constructs a new ProcessTask used to process an NVD CVE update.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java

@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
  *
  * @author Jeremy Long
  */
-public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
+public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
 
     /**
      * A collection of sources of data.
      */
-    private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
      * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java

@@ -1,4 +1,4 @@
 /**
- * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
+ * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
  */
 package org.owasp.dependencycheck.data.update.nvd;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes used to update the data stores.<br/><br/>
+ * Contains classes used to update the data stores.<br><br>
  *
  * The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
  * must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     }
 
     /**
-     * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
+     * Implementation of the Comparable&lt;Dependency&gt; interface. The comparison is solely based on the file path.
      *
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
         final Dependency other = (Dependency) obj;
         return new EqualsBuilder()
-            .appendSuper(super.equals(obj))
-            .append(this.actualFilePath, other.actualFilePath)
-            .append(this.filePath, other.filePath)
-            .append(this.fileName, other.fileName)
-            .append(this.md5sum, other.md5sum)
-            .append(this.sha1sum, other.sha1sum)
-            .append(this.identifiers, other.identifiers)
-            .append(this.vendorEvidence, other.vendorEvidence)
-            .append(this.productEvidence, other.productEvidence)
-            .append(this.versionEvidence, other.versionEvidence)
-            .append(this.description, other.description)
-            .append(this.license, other.license)
-            .append(this.vulnerabilities, other.vulnerabilities)
-            //.append(this.relatedDependencies, other.relatedDependencies)
-            .append(this.projectReferences, other.projectReferences)
-            .append(this.availableVersions, other.availableVersions)
-            .isEquals();
+                .appendSuper(super.equals(obj))
+                .append(this.actualFilePath, other.actualFilePath)
+                .append(this.filePath, other.filePath)
+                .append(this.fileName, other.fileName)
+                .append(this.md5sum, other.md5sum)
+                .append(this.sha1sum, other.sha1sum)
+                .append(this.identifiers, other.identifiers)
+                .append(this.vendorEvidence, other.vendorEvidence)
+                .append(this.productEvidence, other.productEvidence)
+                .append(this.versionEvidence, other.versionEvidence)
+                .append(this.description, other.description)
+                .append(this.license, other.license)
+                .append(this.vulnerabilities, other.vulnerabilities)
+                //.append(this.relatedDependencies, other.relatedDependencies)
+                .append(this.projectReferences, other.projectReferences)
+                .append(this.availableVersions, other.availableVersions)
+                .isEquals();
     }
 
     /**
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     @Override
     public int hashCode() {
         return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
-            .append(actualFilePath)
-            .append(filePath)
-            .append(fileName)
-            .append(md5sum)
-            .append(sha1sum)
-            .append(identifiers)
-            .append(vendorEvidence)
-            .append(productEvidence)
-            .append(versionEvidence)
-            .append(description)
-            .append(license)
-            .append(vulnerabilities)
-            //.append(relatedDependencies)
-            .append(projectReferences)
-            .append(availableVersions)
-            .toHashCode();
+                .append(actualFilePath)
+                .append(filePath)
+                .append(fileName)
+                .append(md5sum)
+                .append(sha1sum)
+                .append(identifiers)
+                .append(vendorEvidence)
+                .append(productEvidence)
+                .append(versionEvidence)
+                .append(description)
+                .append(license)
+                .append(vulnerabilities)
+                //.append(relatedDependencies)
+                .append(projectReferences)
+                .append(availableVersions)
+                .toHashCode();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Used to iterate over evidence of the specified confidence.
      *
      * @param confidence the confidence level for the evidence to be iterated over.
-     * @return Iterable<Evidence> an iterable collection of evidence
+     * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
         if (confidence == Confidence.HIGHEST) {
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
      * location.
      *
-     * @return Set<String>
+     * @return Set&lt;String&gt;
      */
     public Set<String> getWeighting() {
         return weightedStrings;
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Implements the iterator interface for the Evidence Collection.
      *
-     * @return an Iterator<Evidence>.
+     * @return an Iterator&lt;Evidence&gt;
      */
     @Override
     public Iterator<Evidence> iterator() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java

@@ -22,7 +22,7 @@ import java.io.IOException;
 /**
  * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class ScanAgentException extends IOException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
- * logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
- * custom Velocity logger that redirects all velocity logging to the Java Logger class.
+ * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
+ * that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
+ * redirects all velocity logging to the Java Logger class.
  * </p><p>
- * This class was written to address permission issues when using Dependency-Check in a server environment (such as the
- * Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
- * directory.</p>
+ * This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
+ * plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class VelocityLoggerRedirect implements LogChute {
 
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
-     * values.
+     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
      *
      * @param level the logging level
      * @param message the message to be logged
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
-     * specified values.
+     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
+     * values.
      *
      * @param level the logging level
      * @param message the message to be logged

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java

@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
 
     /**
      * Get the value of suppressionRules.

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.suppression;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -268,8 +267,8 @@ public class SuppressionRule {
     }
 
     /**
-     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
-     * resulting report in the "suppressed" section.
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
+     * report in the "suppressed" section.
      */
     private boolean base;
 
@@ -292,8 +291,8 @@ public class SuppressionRule {
     }
 
     /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
-     * should be, they are removed from the dependency.
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
+     * are removed from the dependency.
      *
      * @param dependency a project dependency to analyze
      */
@@ -382,7 +381,24 @@ public class SuppressionRule {
      * @return true if the property type does not specify a version; otherwise false
      */
     boolean cpeHasNoVersion(PropertyType c) {
-        return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
+        return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
+    }
+
+    /**
+     * Counts the number of occurrences of the character found within the string.
+     *
+     * @param str the string to check
+     * @param c the character to count
+     * @return the number of times the character is found in the string
+     */
+    int countCharacter(String str, char c) {
+        int count = 0;
+        int pos = str.indexOf(c) + 1;
+        while (pos > 0) {
+            count += 1;
+            pos = str.indexOf(c, pos) + 1;
+        }
+        return count;
     }
 
     /**
@@ -417,7 +433,7 @@ public class SuppressionRule {
      */
     @Override
     public String toString() {
-        final StringBuilder sb = new StringBuilder();
+        final StringBuilder sb = new StringBuilder(64);
         sb.append("SuppressionRule{");
         if (filePath != null) {
             sb.append("filePath=").append(filePath).append(',');

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
 
     /**
      * <p>
-     * A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
-     * Example:<br/>
-     * Give the file name: library-name-1.4.1r2-release.jar<br/>
-     * This function would return: 1.4.1.r2</p>
+     * A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
+     * <pre>
+     * Example:
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
      *
      * @param text the text being analyzed
      * @return a DependencyVersion containing the version

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java

@@ -40,7 +40,7 @@ import java.util.Set;
  *     FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
  * </pre>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
  */
 public class FileFilterBuilder {

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -50,7 +50,7 @@ public abstract class Filter<T> {
             if (next == null) {
                 throw new NoSuchElementException();
             }
-            T returnValue = next;
+            final T returnValue = next;
             toNext();
             return returnValue;
         }
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
         private void toNext() {
             next = null;
             while (iterator.hasNext()) {
-                T item = iterator.next();
+                final T item = iterator.next();
                 if (item != null && passes(item)) {
                     next = item;
                     break;

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java

@@ -241,7 +241,7 @@ public class Model {
     /**
      * The list of licenses.
      */
-    private List<License> licenses = new ArrayList<License>();
+    private final List<License> licenses = new ArrayList<License>();
 
     /**
      * Returns the list of licenses.

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java

@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
     /**
      * The pom model.
      */
-    private Model model = new Model();
+    private final Model model = new Model();
 
     /**
      * Returns the model obtained from the pom.xml.

dependency-check-core/src/main/resources/data/dbStatements_oracle.properties

@@ -0,0 +1 @@
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)

dependency-check-core/src/main/resources/data/initialize_oracle.sql

@@ -0,0 +1,109 @@
+-- Drop
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+
+CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+    description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+    cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+    cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+    CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE SEQUENCE cpeEntry_seq;
+CREATE SEQUENCE vulnerability_seq;
+
+CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
+BEFORE INSERT
+ON VULNERABILITY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := VULNERABILITY_SEQ.nextval;
+END VULNERABILITY_TRG;
+
+CREATE OR REPLACE TRIGGER CPEENTRY_TRG
+BEFORE INSERT
+ON CPEENTRY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := CPEENTRY_SEQ.nextval;
+END CPEENTRY_TRG;
+

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -12,4 +12,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,6 +161,13 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        HK2-utils is flagged as glassfish.
+        ]]></notes>
+        <filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
@@ -189,4 +196,120 @@
         <gav regex="true">org.apache.geronimo.specs:.*</gav>
         <cpe>cpe:/a:apache:geronimo</cpe>
     </suppress>
-</suppressions>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-embed-el.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-jdbc.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-juli.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positive per issue #433
+        ]]></notes>
+        <gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
+        <cpe>cpe:/a:google:google_apps:-</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #437
+        ]]></notes>
+        <gav regex="true">.*mongodb.*:.*:.*</gav>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #438
+            Note, there will be more false positives for Netty. Trying to figure out a better suppression.
+        ]]></notes>
+        <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
+        <cpe>cpe:/a:netty_project:netty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        JVM instrumentation to Ganglia
+        ]]></notes>
+        <gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        A reporter for Metrics which announces measurements to a Ganglia cluster
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
+        <cpe>cpe:/a:apache:httpclient</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        false positive in drop wizard
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:tiger:tiger</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        php cpe
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
+        <cpe>cpe:/a:class:class</cpe>
+    </suppress>
+</suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,8 +18,13 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
+
+### if you increment the DB version then you must increment the database file path
+### in the mojo.properties, task.properties (maven and ant respectively), and
+### the gradle PurgeDataExtension.
 data.version=3.0
-data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
+
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
 # user name and password for the database connection. The inherent case is to use H2.

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <body>
         <div id="modal-background"></div>
         <div id="modal-content">
-            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
+            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                 <textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
                 <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
         </div>

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java

@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
             aanalyzer.initialize();
             fail("Expected an AnalysisException");
         } catch (AnalysisException ae) {
-            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
+            assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
         } finally {
             System.setProperty(LOG_KEY, oldProp);
             // Recover the logger

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java

@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 /**
- * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
- * obtained from outside open source software projects. Links to those projects
- * are given below.
+ * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
+ * Links to those projects are given below.
  *
- * @author Dale Visser <dvisser@ida.org>
- * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
- *      Project</a>
+ * @author Dale Visser
+ * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
  * @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
  * @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
  */
 public class AutoconfAnalyzerTest extends BaseTest {
 
-	/**
-	 * The analyzer to test.
-	 */
-	AutoconfAnalyzer analyzer;
+    /**
+     * The analyzer to test.
+     */
+    AutoconfAnalyzer analyzer;
 
-	private void assertCommonEvidence(Dependency result, String product,
-			String version, String vendor) {
-		assertProductAndVersion(result, product, version);
-		assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
-				result.getVendorEvidence().toString().contains(vendor));
-	}
+    private void assertCommonEvidence(Dependency result, String product,
+            String version, String vendor) {
+        assertProductAndVersion(result, product, version);
+        assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
+                result.getVendorEvidence().toString().contains(vendor));
+    }
 
-	private void assertProductAndVersion(Dependency result, String product,
-			String version) {
-		assertTrue("Expected product evidence to contain \"" + product + "\".",
-				result.getProductEvidence().toString().contains(product));
-		assertTrue("Expected version evidence to contain \"" + version + "\".",
-				result.getVersionEvidence().toString().contains(version));
-	}
+    private void assertProductAndVersion(Dependency result, String product,
+            String version) {
+        assertTrue("Expected product evidence to contain \"" + product + "\".",
+                result.getProductEvidence().toString().contains(product));
+        assertTrue("Expected version evidence to contain \"" + version + "\".",
+                result.getVersionEvidence().toString().contains(version));
+    }
 
-	/**
-	 * Correctly setup the analyzer for testing.
-	 *
-	 * @throws Exception
-	 *             thrown if there is a problem
-	 */
-	@Before
-	public void setUp() throws Exception {
-		analyzer = new AutoconfAnalyzer();
-		analyzer.setFilesMatched(true);
-		analyzer.initialize();
-	}
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        analyzer = new AutoconfAnalyzer();
+        analyzer.setFilesMatched(true);
+        analyzer.initialize();
+    }
 
-	/**
-	 * Cleanup the analyzer's temp files, etc.
-	 *
-	 * @throws Exception
-	 *             thrown if there is a problem
-	 */
-	@After
-	public void tearDown() throws Exception {
-		analyzer.close();
-		analyzer = null;
-	}
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from Ghostscript's
-	 * configure.ac.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureAC1() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/ghostscript/configure.ac"));
-		analyzer.analyze(result, null);
-		assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-	}
+    /**
+     * Test whether expected evidence is gathered from Ghostscript's configure.ac.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureAC1() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/ghostscript/configure.ac"));
+        analyzer.analyze(result, null);
+        assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from Readable's configure.ac.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureAC2() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/readable-code/configure.ac"));
-		analyzer.analyze(result, null);
-		assertReadableCodeEvidence(result);
-	}
+    /**
+     * Test whether expected evidence is gathered from Readable's configure.ac.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureAC2() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure.ac"));
+        analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
+    }
 
-	private void assertReadableCodeEvidence(final Dependency result) {
-		assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
-		final String url = "http://readable.sourceforge.net/";
-		assertTrue("Expected product evidence to contain \"" + url + "\".",
-				result.getVendorEvidence().toString().contains(url));
-	}
+    private void assertReadableCodeEvidence(final Dependency result) {
+        assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
+        final String url = "http://readable.sourceforge.net/";
+        assertTrue("Expected product evidence to contain \"" + url + "\".",
+                result.getVendorEvidence().toString().contains(url));
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from GNU Binutil's configure.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureScript() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/binutils/configure"));
-		analyzer.analyze(result, null);
-		assertProductAndVersion(result, "binutils", "2.25.51");
-	}
+    /**
+     * Test whether expected evidence is gathered from GNU Binutil's configure.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/binutils/configure"));
+        analyzer.analyze(result, null);
+        assertProductAndVersion(result, "binutils", "2.25.51");
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from GNU Ghostscript's
-	 * configure.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeReadableConfigureScript() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/readable-code/configure"));
-		analyzer.analyze(result, null);
-		assertReadableCodeEvidence(result);
-	}
+    /**
+     * Test whether expected evidence is gathered from GNU Ghostscript's configure.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeReadableConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure"));
+        analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
+    }
 
-	/**
-	 * Test of getName method, of {@link AutoconfAnalyzer}.
-	 */
-	@Test
-	public void testGetName() {
-		assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
-				analyzer.getName());
-	}
+    /**
+     * Test of getName method, of {@link AutoconfAnalyzer}.
+     */
+    @Test
+    public void testGetName() {
+        assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
+                analyzer.getName());
+    }
 
-	/**
-	 * Test of {@link AutoconfAnalyzer#accept(File)}.
-	 */
-	@Test
-	public void testSupportsFileExtension() {
-		assertTrue("Should support \"ac\" extension.",
-				analyzer.accept(new File("configure.ac")));
-		assertTrue("Should support \"in\" extension.",
-				analyzer.accept(new File("configure.in")));
-		assertTrue("Should support \"configure\" extension.",
-				analyzer.accept(new File("configure")));
-	}
-}
+    /**
+     * Test of {@link AutoconfAnalyzer#accept(File)}.
+     */
+    @Test
+    public void testSupportsFileExtension() {
+        assertTrue("Should support \"ac\" extension.",
+                analyzer.accept(new File("configure.ac")));
+        assertTrue("Should support \"in\" extension.",
+                analyzer.accept(new File("configure.in")));
+        assertTrue("Should support \"configure\" extension.",
+                analyzer.accept(new File("configure")));
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for CmakeAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
         assertEquals(expResult, result);
     }
 
+    @Test
+    public void testParseManifest() throws Exception {
+        File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
+        Dependency result = new Dependency(file);
+        JarAnalyzer instance = new JarAnalyzer();
+        List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
+        instance.parseManifest(result, cni);
+
+        assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
+    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java

@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for OpenSSLAnalyzerAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzerTest extends BaseTest {
 
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
 
     @Test
     public void testVersionConstantExamples() {
-        final long[] constants = {0x1000203fL
-                , 0x00903000
-                , 0x00903001
-                , 0x00903002l
-                , 0x0090300f
-                , 0x0090301f
-                , 0x0090400f
-                , 0x102031af};
+        final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
         final String[] versions = {"1.0.2c",
-                "0.9.3-dev",
-                "0.9.3-beta1",
-                "0.9.3-beta2",
-                "0.9.3",
-                "0.9.3a",
-                "0.9.4",
-                "1.2.3z"};
+            "0.9.3-dev",
+            "0.9.3-beta1",
+            "0.9.3-beta2",
+            "0.9.3",
+            "0.9.3a",
+            "0.9.4",
+            "1.2.3z"};
         assertEquals(constants.length, versions.length);
         for (int i = 0; i < constants.length; i++) {
             assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonDistributionAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -38,7 +38,7 @@ import static org.junit.Assert.assertThat;
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for {@link RubyGemspecAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java

@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
         updateToVersion = "";
         currentVersion = "1.2.5";
         lastChecked = df.parse("2014-12-01").getTime();
-        now = df.parse("2014-12-08").getTime();
+        now = df.parse("2015-12-08").getTime();
         expResult = true;
         instance.setUpdateToVersion(updateToVersion);
         result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java

@@ -17,47 +17,30 @@
  */
 package org.owasp.dependencycheck.data.update.nvd;
 
-import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
-import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
+import java.io.File;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import org.junit.After;
 import org.junit.AfterClass;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DownloadTaskTest {
+public class DownloadTaskTest extends BaseTest {
 
     public DownloadTaskTest() {
     }
 
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-        Settings.initialize();
-    }
-
-    @After
-    public void tearDown() {
-        Settings.cleanup();
-    }
-
     /**
      * Test of call method, of class DownloadTask.
      */
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
         Future<ProcessTask> result = instance.call();
         assertNull(result);
     }
+
+    /**
+     * Test of isXml(file).
+     */
+    @Test
+    public void testIsXML() {
+        File f = getResourceAsFile(this, "nvdcve-modified.xml");
+        assertTrue(DownloadTask.isXml(f));
+        f = getResourceAsFile(this, "file.tar.gz");
+        assertFalse(DownloadTask.isXml(f));
+
+    }
 }

dependency-check-maven/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>
@@ -204,6 +204,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <groupId>org.apache.maven.reporting</groupId>
             <artifactId>maven-reporting-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.sonatype.plexus</groupId>
+            <artifactId>plexus-sec-dispatcher</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
         name = "aggregate",
         defaultPhase = LifecyclePhase.VERIFY,
         /*aggregator = true,*/
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )
@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
     public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
 
-        if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        //if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        if (getProject() == getLastProject()) {
 
             //ensure that the .ser file was created for each.
             for (MavenProject current : getReactorProjects()) {
                 final File dataFile = getDataFile(current);
-                if (dataFile == null) { //dc was never run on this project. write the ser to the target.
+                if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
                     getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
                             + "the check but dependencies may be missed resulting in false negatives.", current.getName()));
                     generateDataFile(engine, current);
@@ -107,7 +108,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                         getLog().debug(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
                     }
                 } catch (AnalysisException ex) {
-                    getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
+                    getLog().warn("An error occurred grouping the dependencies; duplicate entries may exist in the report", ex);
                     getLog().debug("Bundling Exception", ex);
                 }
 
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         Settings.cleanup();
     }
 
+    /**
+     * Gets the last project in the reactor - taking into account skipped projects.
+     *
+     * @return the last projecct in the reactor
+     */
+    private MavenProject getLastProject() {
+        for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
+            final MavenProject p = getReactorProjects().get(x);
+            if (!skipProject(p)) {
+                return p;
+            }
+
+        }
+        return null;
+    }
+
+    /**
+     * Tests if the project is being skipped in the Maven site report.
+     *
+     * @param project a project in the reactor
+     * @return true if the project is skipped; otherwise false
+     */
+    private boolean skipProject(MavenProject project) {
+        final String skip = (String) project.getProperties().get("maven.site.skip");
+        return "true".equalsIgnoreCase(skip);
+    }
+
     /**
      * Returns a set containing all the descendant projects of the given project.
      *

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.util.List;
 import java.util.Locale;
@@ -33,11 +32,13 @@ import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.apache.maven.settings.Proxy;
+import org.apache.maven.settings.Server;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -47,7 +48,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
 import org.owasp.dependencycheck.utils.Settings;
+import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
 
 /**
  *
@@ -105,7 +110,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * is true.
      */
     @SuppressWarnings("CanBeFinal")
-    @Parameter(property = "autoupdate")
+    @Parameter(property = "autoUpdate")
     private Boolean autoUpdate;
     /**
      * Generate aggregate reports in multi-module projects.
@@ -262,6 +267,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
     private String databaseDriverPath;
+    /**
+     * The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
+     */
+    @Parameter(property = "serverId", defaultValue = "", required = false)
+    private String serverId;
+    /**
+     * A reference to the settings.xml settings.
+     */
+    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
+    private org.apache.maven.settings.Settings settingsXml;
+    /**
+     * The security dispatcher that can decrypt passwords in the settings.xml.
+     */
+    @Component(role = SecDispatcher.class, hint = "default")
+    private SecDispatcher securityDispatcher;
     /**
      * The database user name.
      */
@@ -647,6 +667,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             final String password = proxy.getPassword();
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
+            Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
         }
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
@@ -677,9 +698,49 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+
+        if (databaseUser == null && databasePassword == null && serverId != null) {
+            final Server server = settingsXml.getServer(serverId);
+            if (server != null) {
+                databaseUser = server.getUsername();
+                try {
+                    //The following fix was copied from:
+                    //   https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
+                    //
+                    // FIX to resolve
+                    // org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
+                    // java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
+                    //
+                    if (securityDispatcher instanceof DefaultSecDispatcher) {
+                        ((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
+                    }
+
+                    databasePassword = securityDispatcher.decrypt(server.getPassword());
+                } catch (SecDispatcherException ex) {
+                    if (ex.getCause() instanceof FileNotFoundException
+                            || (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
+                        //maybe its not encrypted?
+                        final String tmp = server.getPassword();
+                        if (tmp.startsWith("{") && tmp.endsWith("}")) {
+                            getLog().error(String.format(
+                                    "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                    serverId, ex.getMessage()));
+                        } else {
+                            databasePassword = tmp;
+                        }
+                    } else {
+                        getLog().error(String.format(
+                                "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                serverId, ex.getMessage()));
+                    }
+                }
+            } else {
+                getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
+            }
+        }
+
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-
         Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
@@ -974,9 +1035,26 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         }
         List<Dependency> ret = null;
         final String path = (String) oPath;
-        ObjectInputStream ois = null;
+        //ObjectInputStream ois = null;
+        ExpectedOjectInputStream ois = null;
         try {
-            ois = new ObjectInputStream(new FileInputStream(path));
+            //ois = new ObjectInputStream(new FileInputStream(path));
+            ois = new ExpectedOjectInputStream(new FileInputStream(path),
+                    "java.util.ArrayList",
+                    "java.util.HashSet",
+                    "java.util.TreeSet",
+                    "java.lang.AbstractSet",
+                    "java.lang.AbstractCollection",
+                    "java.lang.Enum",
+                    "org.owasp.dependencycheck.dependency.Confidence",
+                    "org.owasp.dependencycheck.dependency.Dependency",
+                    "org.owasp.dependencycheck.dependency.Evidence",
+                    "org.owasp.dependencycheck.dependency.EvidenceCollection",
+                    "org.owasp.dependencycheck.dependency.Identifier",
+                    "org.owasp.dependencycheck.dependency.Reference",
+                    "org.owasp.dependencycheck.dependency.Vulnerability",
+                    "org.owasp.dependencycheck.dependency.VulnerabilityComparator",
+                    "org.owasp.dependencycheck.dependency.VulnerableSoftware");
             ret = (List<Dependency>) ois.readObject();
         } catch (FileNotFoundException ex) {
             //TODO fix logging

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "check",
         defaultPhase = LifecyclePhase.VERIFY,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java

@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "purge",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "update-only",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
- * information returned by this class.
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
+ * returned by this class.
  *
  * @author colezlaw
  */

dependency-check-maven/src/main/resources/mojo.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=[JAR]/../../dependency-check-data
+data.directory=[JAR]/../../dependency-check-data/3.0

dependency-check-maven/src/site/markdown/configuration.md

@@ -3,7 +3,7 @@ Goals
 
 Goal        | Description
 ------------|-----------------------
-aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report.
+aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
 check       | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
 purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.
@@ -71,6 +71,7 @@ dataDirectory        | Sets the data directory to hold SQL CVEs contents. This s
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  
 connectionString     | The connection string used to connect to the database.                                      |  
+serverId             | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. |  
 databaseUser         | The username used when connecting to the database.                                          |  
 databasePassword     | The password used when connecting to the database.                                          |  
 metaFileName         | Sets the name of the file to use for storing the metadata about the project.                | dependency-check.ser

dependency-check-utils/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -139,6 +139,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.InflaterInputStream;
 
 import static java.lang.String.format;
-import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
-import static org.owasp.dependencycheck.utils.Settings.getBoolean;
 
 /**
  * A utility to download files from the Internet.
@@ -243,6 +241,16 @@ public final class Downloader {
                 throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
             } catch (IOException ex) {
                 analyzeException(ex);
+                try {
+                    //retry
+                    if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
+                        Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+                        return getLastModified(url);
+                    }
+                } catch (InvalidSettingException ex1) {
+                    LOGGER.debug("invalid setting?", ex);
+                }
+
                 throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
             } finally {
                 if (conn != null) {
@@ -300,7 +308,7 @@ public final class Downloader {
         boolean quickQuery;
 
         try {
-            quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+            quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
         } catch (InvalidSettingException e) {
             quickQuery = true;
         }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * An ObjectInputStream that will only deserialize expected classes.
+ *
+ * @author Jeremy Long
+ */
+public class ExpectedOjectInputStream extends ObjectInputStream {
+
+    /**
+     * The list of fully qualified class names that are able to be deserialized.
+     */
+    private List<String> expected = new ArrayList<String>();
+
+    /**
+     * Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
+     * that can deserialized to a known set of expected classes.
+     *
+     * @param inputStream the input stream that contains the object to deserialize
+     * @param expected the fully qualified class names of the classes that can be deserialized
+     * @throws IOException thrown if there is an error reading from the stream
+     */
+    public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
+        super(inputStream);
+        this.expected.addAll(Arrays.asList(expected));
+    }
+
+    /**
+     * Only deserialize instances of expected classes by validating the class name prior to deserialization.
+     *
+     * @param desc the class from the object stream to validate
+     * @return the resolved class
+     * @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
+     * reading from the stream
+     * @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
+     */
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        if (!this.expected.contains(desc.getName())) {
+            throw new InvalidClassException("Unexpected deserialization", desc.getName());
+        }
+        return super.resolveClass(desc);
+    }
+}

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -165,6 +165,10 @@ public final class Settings {
          * The properties key for the proxy password.
          */
         public static final String PROXY_PASSWORD = "proxy.password";
+        /**
+         * The properties key for the non proxy hosts.
+         */
+        public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
         /**
          * The properties key for the connection timeout.
          */
@@ -523,8 +527,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * file.<br><br>
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
      * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
@@ -548,7 +552,7 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
      * Note: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
@@ -573,8 +577,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * file.<br><br>
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param stream an Input Stream pointing at a properties file to merge
      * @throws IOException is thrown when there is an exception loading/merging the properties

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java

@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.utils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.lang3.StringUtils;
+
 import java.io.IOException;
 import java.net.Authenticator;
 import java.net.HttpURLConnection;
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
     public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
         HttpURLConnection conn = null;
         final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+
         try {
-            if (proxyUrl != null) {
+            if (proxyUrl != null && !matchNonProxy(url)) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
 
                 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
                 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
+
                 if (username != null && password != null) {
                     final Authenticator auth = new Authenticator() {
                         @Override
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
         return conn;
     }
 
+    /**
+     * Check if hostname matches nonProxy settings
+     *
+     * @param url the url to connect to
+     * @return matching result. true: match nonProxy
+     */
+    private static boolean matchNonProxy(final URL url) {
+        final String host = url.getHost();
+
+        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
+        final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
+        if (null != nonProxyHosts) {
+            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
+            for (final String nonProxyHost : nonProxies) {
+                //if ( StringUtils.contains( nonProxyHost, "*" ) )
+                if (null != nonProxyHost && nonProxyHost.contains("*")) {
+                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
+                    final int pos = nonProxyHost.indexOf('*');
+                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
+                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
+                    // prefix*
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // *suffix
+                    if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // prefix*suffix
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
+                            && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                } else if (host.equals(nonProxyHost)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
      * configured but we don't want to use it (for example, if there's an internal repository configured)

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java

@@ -0,0 +1,96 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ExpectedOjectInputStreamTest {
+
+    public ExpectedOjectInputStreamTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test
+    public void testResolveClass() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
+        instance.readObject();
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test(expected = java.io.InvalidClassException.class)
+    public void testResolveClassException() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
+        instance.readObject();
+    }
+}

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SimplePojo.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2016 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.Serializable;
+
+/**
+ * Simple pojo used to test the ExpectedObjectInputStream.
+ *
+ * @author jeremy
+ */
+public class SimplePojo implements Serializable {
+
+    public String s = "3";
+    public Integer i = 3;
+}

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.3.2</version>
+    <version>1.3.5</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -125,11 +125,11 @@ Copyright (c) 2012 - Jeremy Long
         <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
         thus, we cannot upgrade beyond 4.7.2 -->
         <apache.lucene.version>4.7.2</apache.lucene.version>
-        <slf4j.version>1.7.13</slf4j.version>
-        <logback.version>1.1.3</logback.version>
+        <slf4j.version>1.7.16</slf4j.version>
+        <logback.version>1.1.5</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
-        <reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
+        <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
     </properties>
     <distributionManagement>
         <snapshotRepository>
@@ -170,12 +170,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>2.6.1</version>
+                    <version>3.0.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.3</version>
+                    <version>3.5.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-failsafe-plugin</artifactId>
-                    <version>2.19</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -225,12 +225,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-site-plugin</artifactId>
-                    <version>3.4</version>
+                    <version>3.5</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.18.1</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -240,12 +240,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-source-plugin</artifactId>
-                    <version>2.2.1</version>
+                    <version>2.4</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-javadoc-plugin</artifactId>
-                    <version>2.9.1</version>
+                    <version>2.10.3</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
                     <dependency>
                         <groupId>org.apache.maven.doxia</groupId>
                         <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.6</version>
+                        <version>1.7</version>
                     </dependency>
                 </dependencies>
                 <configuration>
@@ -472,7 +472,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-report-plugin</artifactId>
-                <version>2.19</version>
+                <version>2.19.1</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -496,7 +496,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>findbugs-maven-plugin</artifactId>
-                <version>3.0.2</version>
+                <version>3.0.3</version>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -562,12 +562,13 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.4</version>
+                <!--upgrading beyond this may cause issues with the Jenkins plugin-->
+                <version>3.3.2</version>
             </dependency>
             <dependency>
                 <groupId>com.sun.mail</groupId>
                 <artifactId>mailapi</artifactId>
-                <version>1.5.4</version>
+                <version>1.5.5</version>
             </dependency>
             <dependency>
                 <groupId>ch.qos.logback</groupId>
@@ -660,6 +661,11 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>velocity</artifactId>
                 <version>1.7</version>
             </dependency>
+            <dependency>
+                <groupId>org.sonatype.plexus</groupId>
+                <artifactId>plexus-sec-dispatcher</artifactId>
+                <version>1.4</version>
+            </dependency>
             <dependency>
                 <groupId>org.glassfish</groupId>
                 <artifactId>javax.json</artifactId>
@@ -674,7 +680,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.jmockit</groupId>
                 <artifactId>jmockit</artifactId>
-                <version>1.20</version>
+                <version>1.21</version>
                 <scope>test</scope>
             </dependency>
             <dependency>

src/main/config/checkstyle-checks.xml

@@ -28,9 +28,10 @@
         <property name="allowLegacy" value="false"/>
     </module>
 
-    <module name="Translation">
+    <!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
+    <!--module name="Translation">
         <property name="severity" value="warning"/>
-    </module>
+    </module-->
 
     <module name="FileTabCharacter">
         <property name="eachLine" value="false"/>

src/site/markdown/dependency-check-gradle/configuration.md

@@ -17,7 +17,7 @@ autoUpdate           | Sets whether auto-updating of the NVD CVE/CPE data is ena
 cveValidForHours     | Sets the number of hours to wait before checking for new updates from the NVD.                                     | 4
 failBuildOnCVSS      | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11; since the CVSS scores are 0-10, by default the build will never fail. | 11
 format               | The report format to be generated (HTML, XML, VULN, ALL).                                                          | HTML
-reportsDirName       | The location to write the report(s). This directory will be located in the build directory.                        | reports
+outputDirectory      | The location to write the report(s). This directory will be located in the build directory.                        | build/reports
 skipTestGroups       | When set to true (the default) all dependency groups that being with 'test' will be skipped.                       | true
 suppressionFile      | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)       |  
 
@@ -81,7 +81,7 @@ dependencyCheck {
 ### Analyzer Configuration
 
 In addition to the above, the dependencyCheck plugin can be configured to enable or disable specific
-analyzers by configuring the `analyzer` section. Note, specific file type analyzers will automatically
+analyzers by configuring the `analyzers` section. Note, specific file type analyzers will automatically
 disable themselves if no file types that they support are detected - so specifically disabling the
 analyzers is likely not needed.
 
@@ -109,7 +109,7 @@ pathToMono            | The path to Mono for .NET assembly analysis on non-windo
 #### Example
 ```groovy
 dependencyCheck {
-    analyzer {
+    analyzers {
         assemblyEnabled=false
     }
 }

src/site/markdown/dependency-check-gradle/index.md.vm

@@ -12,6 +12,8 @@ seven days the update will only take a few seconds.
 
 #set( $H = '#' )
 
+$H$H Quick Start
+
 $H$H$H Step 1, Apply dependency-check-gradle plugin
 Install from Maven central repo
 
@@ -25,7 +27,7 @@ buildscript {
     }
 }
 
-apply plugin: 'dependencyCheck'
+apply plugin: 'org.owasp.dependencycheck'
 ```
 
 $H$H$H Step 2, Run the dependencyCheck task
@@ -36,9 +38,14 @@ Once gradle plugin applied, run following gradle task to check dependencies:
 gradle dependencyCheck --info
 ```
 
-The reports will be generated automatically under `buildDir/reports` folder.
+The reports will be generated automatically under `build/reports` folder.
 
 
+$H$H Task Configuration
+The OWASP dependency-check-gradle plugin contains three tasks: [dependencyCheck](configuration.html),
+[dependencyCheckUpdate](configuration-update.html), and [dependencyCheckPurge](configuration-purge.html).
+Please see each tasks configuration page for more information.
+
 Mailing List
 ------------
 

src/site/markdown/general/suppression.md

@@ -80,7 +80,7 @@ The full schema for suppression files can be found here: [suppression.xsd](https
 
 Please see the appropriate configuration option in each interfaces configuration guide:
 
--  [Command Line Tool](dependency-check-cli/arguments.html)
--  [Maven Plugin](dependency-check-maven/configuration.html)
--  [Ant Task](dependency-check-ant/configuration.html)
--  [Jenkins Plugin](dependency-check-jenkins/index.html)
+-  [Command Line Tool](../dependency-check-cli/arguments.html)
+-  [Maven Plugin](../dependency-check-maven/configuration.html)
+-  [Ant Task](../dependency-check-ant/configuration.html)
+-  [Jenkins Plugin](../dependency-check-jenkins/index.html)

src/site/site.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <skin>
         <groupId>org.apache.maven.skins</groupId>
         <artifactId>maven-fluido-skin</artifactId>
-        <version>1.4</version>
+        <version>1.5</version>
     </skin>
     <custom>
         <fluidoSkin>
@@ -65,16 +65,16 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 
     <body>
         <head>
-            <style type="text/css">
+            <![CDATA[<style type="text/css">
                 #bannerLeft { margin-top:-20px;margin-bottom:5px !important }
-            </style>
+            </style>]]>
         </head>
         <breadcrumbs>
             <item name=" " href="#"/>
         </breadcrumbs>
 
         <menu name="OWASP dependency-check">
-            <item collapse="false" name="General" href="./index.html">
+            <item collapse="true" name="General" href="./index.html">
                 <item name="How it Works" href="./general/internals.html">
                     <description>How does dependency-check work?</description>
                 </item>
@@ -156,9 +156,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 </item>
                 <item collapse="true" name="Gradle Plugin" href="./dependency-check-gradle/index.html">
                     <description>Gradle plugin for OWASP dependency-check.</description>
-                    <item name="dependencyCheck" href="./dependency-check-gradle/configuration.html" />
-                    <item name="dependencyCheckUpdate" href="./dependency-check-gradle/configuration-update.html" />
-                    <item name="dependencyCheckPurge" href="./dependency-check-gradle/configuration-purge.html" />
+                    <item name="Check Task" href="./dependency-check-gradle/configuration.html" />
+                    <item name="Update Task" href="./dependency-check-gradle/configuration-update.html" />
+                    <item name="Purge Task" href="./dependency-check-gradle/configuration-purge.html" />
                 </item>
                 <item name="Jenkins Plugin" href="./dependency-check-jenkins/index.html">
                     <description>A Jenkins plugin for OWASP dependency-check.</description>