version 1.3.6

Dependency Updates

README.md

@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
@@ -118,4 +118,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
   [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
   [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

dependency-check-ant/README.md

@@ -1,134 +1,25 @@
-Dependency-Check-Gradle
+Dependency-Check Ant Task
 =========
 
-**Working in progress**
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
 
-Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+Mailing List
+------------
 
-=========
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
 
-## What's New
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
-Current latest version is `0.0.8`
 
-## Usage
+Copyright & License
+-------------------
 
-### Step 1, Apply dependency check gradle plugin
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Install from Maven central repo
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
-```groovy
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.
-buildscript {
-    repositories {
-        mavenCentral()
-    }
-    dependencies {
-        classpath 'org.owasp:dependency-check-gradle:1.3.2'
-    }
-}
-
-apply plugin: 'dependency-check-gradle'
-```
-
-### Step 2, Run gradle task
-
-Once gradle plugin applied, run following gradle task to check dependencies:
-
-```
-gradle dependencyCheck --info
-```
-
-The reports will be generated automatically under `./reports` folder.
-
-If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
-
-## FAQ
-
-> **Questions List:**
-> - What if I'm behind a proxy?
-> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-> - How to customize the report directory?
-
-### What if I'm behind a proxy?
-
-Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
-
-```groovy
-dependencyCheck {
-    proxy {
-        server = "127.0.0.1"      // required, the server name or IP address of the proxy
-        port = 3128               // required, the port number of the proxy
-
-        // optional, the proxy server might require username
-        // username = "username"
-
-        // optional, the proxy server might require password
-        // password = "password"
-    }
-}
-```
-
-In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
- the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
- and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
-
-```groovy
-dependencyCheck {
-    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
-}
-```
-
-### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-
-Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
-
-(1) For all projects including root project:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-allprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-(2) For all sub-projects:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-subprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
-
-### How to customize the report directory?
-
-By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
-
-```groovy
-subprojects {
-    apply plugin: "dependency-check"
-
-    dependencyCheck {
-        outputDirectory = "./customized-path/security-report"
-    }
-}
-```

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -256,6 +256,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
  * returned by this class.
  *
  * @author colezlaw

dependency-check-ant/src/main/resources/task.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=data
+data.directory=data/3.0

dependency-check-ant/src/site/site.xml

@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="dependency-check" href="../index.html"/>
         </breadcrumbs>
         <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
             <item name="Configuration" href="configuration.html"/>
         </menu>
         <menu ref="reports" />

dependency-check-cli/README.md

@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
 
 Mailing List
 ------------

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -110,6 +110,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>cpe</name>

dependency-check-cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -27,7 +27,6 @@ import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
 import org.apache.commons.cli.ParseException;
-import org.apache.commons.lang.StringUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;

dependency-check-cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -344,7 +344,7 @@ public final class CliParser {
         final Option pathToMono = Option.builder().argName("path").hasArg().longOpt(ARGUMENT.PATH_TO_MONO)
                 .desc("The path to Mono for .NET Assembly analysis on non-windows systems.")
                 .build();
-        
+
         final Option pathToBundleAudit = Option.builder().argName("path").hasArg()
                 .longOpt(ARGUMENT.PATH_TO_BUNDLE_AUDIT)
                 .desc("The path to bundle-audit for Gem bundle analysis.").build();
@@ -576,7 +576,6 @@ public final class CliParser {
         return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
     }
 
-
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -178,6 +178,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
@@ -454,6 +455,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.0</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
  *
  * <h2>Example:</h2>
  * <pre>
- * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
  * scan.execute();
  * </pre>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
      * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
-     *
-     * @return the file filter used to determine which files are to be analyzed
-     * <p/>
      * <p>
      * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
      * loaded.</p>
+     *
+     * @return the file filter used to determine which files are to be analyzed
      */
     protected abstract FileFilter getFileFilter();
 
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
      * declaration.</p>
-     * <p/>
      * <p>
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -29,7 +29,7 @@ public enum AnalysisPhase {
      */
     INITIAL,
     /**
-     * Pre information collection phase
+     * Pre information collection phase.
      */
     PRE_INFORMATION_COLLECTION,
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -235,16 +235,14 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                 this.setEnabled(false);
                 throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
             }
+        } catch (AnalysisException e) {
+            throw e;
         } catch (Throwable e) {
-            if (e instanceof AnalysisException) {
+            LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
-                throw (AnalysisException) e;
+                    + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
-            } else {
+            LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
+            this.setEnabled(false);
-                        + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
+            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
-                LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-                this.setEnabled(false);
-                throw new AnalysisException("An error occured with the .NET AssemblyAnalyzer", e);
-            }
         }
         builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
  * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
  * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
  */
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -32,6 +32,7 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
+import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
 import java.util.regex.Matcher;
@@ -40,14 +41,13 @@ import java.util.regex.Pattern;
 /**
  * <p>
  * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
- * <p/>
  * <p>
  * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
  * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
  * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -212,8 +212,13 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                 currentDep.setFilePath(filePath);
 
-                // prevents coalescing into the dependency provided by engine
+                byte[] path;
-                currentDep.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes())));
+                try {
+                    path = filePath.getBytes("UTF-8");
+                } catch (UnsupportedEncodingException ex) {
+                    path = filePath.getBytes();
+                }
+                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
                 engine.getDependencies().add(currentDep);
             }
             final String source = currentDep.getDisplayFileName();

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -134,17 +134,19 @@ public class CPEAnalyzer implements Analyzer {
      * process.
      */
     public void open() throws IOException, DatabaseException {
-        cve = new CveDB();
+        if (!isOpen()) {
-        cve.open();
+            cve = new CveDB();
-        cpe = CpeMemoryIndex.getInstance();
+            cve.open();
-        try {
+            cpe = CpeMemoryIndex.getInstance();
-            LOGGER.info("Creating the CPE Index");
+            try {
-            final long creationStart = System.currentTimeMillis();
+                LOGGER.info("Creating the CPE Index");
-            cpe.open(cve);
+                final long creationStart = System.currentTimeMillis();
-            LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
+                cpe.open(cve);
-        } catch (IndexException ex) {
+                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            LOGGER.debug("IndexException", ex);
+            } catch (IndexException ex) {
-            throw new DatabaseException(ex);
+                LOGGER.debug("IndexException", ex);
+                throw new DatabaseException(ex);
+            }
         }
     }
 
@@ -284,10 +286,10 @@ public class CPEAnalyzer implements Analyzer {
             }
             return ret;
         } catch (ParseException ex) {
-            LOGGER.warn("An error occured querying the CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred querying the CPE data. See the log for more details.");
             LOGGER.info("Unable to parse: {}", searchString, ex);
         } catch (IOException ex) {
-            LOGGER.warn("An error occured reading CPE data. See the log for more details.");
+            LOGGER.warn("An error occurred reading CPE data. See the log for more details.");
             LOGGER.info("IO Error with search string: {}", searchString, ex);
         }
         return null;
@@ -479,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -44,27 +44,27 @@ import java.security.MessageDigest;
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
 
     /**
-     * The analyzer name
+     * The analyzer name.
      */
     private static final String ANALYZER_NAME = "Composer.lock analyzer";
 
     /**
-     * composer.json
+     * composer.json.
      */
     private static final String COMPOSER_LOCK = "composer.lock";
 
     /**
-     * The FileFilter
+     * The FileFilter.
      */
     private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
 
     /**
-     * Returns the FileFilter
+     * Returns the FileFilter.
      *
      * @return the FileFilter
      */
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Initializes the analyzer
+     * Initializes the analyzer.
      *
-     * @throws Exception
+     * @throws Exception thrown if an exception occurs getting an instance of SHA1
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws Exception {
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * The MessageDigest for calculating a new digest for the new dependencies added
+     * The MessageDigest for calculating a new digest for the new dependencies added.
      */
     private MessageDigest sha1 = null;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,7 +18,9 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
     //</editor-fold>
 
+    // Python init files
+    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
+        "__init__.py",
+        "__init__.pyc",
+        "__init__.pyo"
+    });
+
     /**
      * Collects information about the file name.
      *
@@ -102,7 +111,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
                     fileName, Confidence.HIGHEST);
             dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGHEST);
-        } else {
+        } else if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -320,7 +321,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     foundSomething |= setPomEvidence(dependency, pom, classes);
                 }
             } catch (AnalysisException ex) {
-                LOGGER.warn("An error occured while analyzing '{}'.", dependency.getActualFilePath());
+                LOGGER.warn("An error occurred while analyzing '{}'.", dependency.getActualFilePath());
                 LOGGER.trace("", ex);
             }
         }
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
             final Manifest manifest = jar.getManifest();
-
             if (manifest == null) {
                 //don't log this for javadoc or sources jar files
                 if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 }
                 return false;
             }
-            final Attributes atts = manifest.getMainAttributes();
-
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
 
-            final String source = "Manifest";
+            String source = "Manifest";
-
             String specificationVersion = null;
             boolean hasImplementationVersion = false;
 
+            Attributes atts = manifest.getMainAttributes();
             for (Entry<Object, Object> entry : atts.entrySet()) {
                 String key = entry.getKey().toString();
                 String value = atts.getValue(key);
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 //                    addMatchingValues(classInformation, value, productEvidence);
                 } else {
                     key = key.toLowerCase();
-
                     if (!IGNORE_KEYS.contains(key)
                             && !key.endsWith("jdk")
                             && !key.contains("lastmodified")
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                         foundSomething = true;
                         if (key.contains("version")) {
                             if (!key.contains("specification")) {
-                                //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
-                                //} else {
                                 versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                             }
                         } else if ("build-id".equals(key)) {
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     }
                 }
             }
+
+            final Map<String, Attributes> entries = manifest.getEntries();
+            for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
+                final String name = it.next();
+                source = "manifest: " + name;
+                atts = entries.get(name);
+                for (Entry<Object, Object> entry : atts.entrySet()) {
+                    final String key = entry.getKey().toString();
+                    final String value = atts.getValue(key);
+                    if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+                        foundSomething = true;
+                        versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
+                        foundSomething = true;
+                        vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, vendorEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    }
+                }
+            }
             if (specificationVersion != null && !hasImplementationVersion) {
                 foundSomething = true;
-                versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+                versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
             }
         } finally {
             if (jar != null) {
@@ -835,10 +856,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
             }
 
             if (pos > 0) {
-                final StringBuilder sb = new StringBuilder(pos + 3);
+                desc = desc.substring(0, pos) + "...";
-                sb.append(desc.substring(0, pos));
-                sb.append("...");
-                desc = sb.toString();
             }
             dependency.getProductEvidence().addEvidence(source, key, desc, Confidence.LOW);
             dependency.getVendorEvidence().addEvidence(source, key, desc, Confidence.LOW);
@@ -1014,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final String text = value.toLowerCase();
         for (ClassNameInformation cni : classes) {
             for (String key : cni.getPackageStructure()) {
-                if (text.contains(key)) { //note, package structure elements are already lowercase.
+                final Pattern p = Pattern.compile("\b" + key + "\b");
+                if (p.matcher(text).find()) {
+                    //if (text.contains(key)) { //note, package structure elements are already lowercase.
                     evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -43,7 +43,7 @@ import javax.json.JsonValue;
  * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
  * associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze OpenSSL source code present in the file system.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
  * to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         if (found) {
             dependency.setDisplayFileName(parentName + "/__init__.py");
             dependency.getProductEvidence().addEvidence(file.getName(),
-                    "PackageName", parentName, Confidence.MEDIUM);
+                    "PackageName", parentName, Confidence.HIGH);
         } else {
             // copy, alter and set in case some other thread is iterating over
             final List<Dependency> dependencies = new ArrayList<Dependency>(

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -35,7 +35,7 @@ import java.util.*;
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.PRE_INFORMATION_COLLECTION;
 
-    private static final FileFilter FILTER =
+    private static final FileFilter FILTER
-            FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
+            = FileFilterBuilder.newInstance().addFilenames("Gemfile.lock").build();
     public static final String NAME = "Name: ";
     public static final String VERSION = "Version: ";
     public static final String ADVISORY = "Advisory: ";
@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         final ProcessBuilder builder = new ProcessBuilder(args);
         builder.directory(folder);
         try {
+        	LOGGER.info("Launching: " + args + " from " + folder);
             return builder.start();
         } catch (IOException ioe) {
             throw new AnalysisException("bundle-audit failure", ioe);
@@ -97,7 +98,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         // Now, need to see if bundle-audit actually runs from this location.
-        Process process = launchBundleAudit(Settings.getTempDirectory());
+    	Process process = null;
+    	try {
+	        process = launchBundleAudit(Settings.getTempDirectory());
+    	}
+    	catch(AnalysisException ae) {
+    		LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
+            setEnabled(false);
+            throw ae;
+    	}
+    	
         int exitValue = process.waitFor();
         if (0 == exitValue) {
             LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
@@ -113,7 +123,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                     throw new AnalysisException("Bundle-audit error stream unexpectedly not ready.");
                 } else {
                     final String line = reader.readLine();
-                    if (!line.contains("Errno::ENOENT")) {
+                    if (line == null || !line.contains("Errno::ENOENT")) {
                         LOGGER.warn("Unexpected bundle-audit output. Disabling {}: {}", ANALYZER_NAME, line);
                         setEnabled(false);
                         throw new AnalysisException("Unexpected bundle-audit output.");
@@ -125,9 +135,10 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         }
+    	
         if (isEnabled()) {
-            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" " +
+            LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
-                    "occasionally to keep its database up to date.");
+                    + "occasionally to keep its database up to date.");
         }
     }
 
@@ -162,8 +173,8 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will
+     * If {@link #analyzeFileType(Dependency, Engine)} is called, then we have successfully initialized, and it will be necessary
-     * be necessary to disable {@link RubyGemspecAnalyzer}.
+     * to disable {@link RubyGemspecAnalyzer}.
      */
     private boolean needToDisableGemspecAnalyzer = true;
 
@@ -194,6 +205,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         }
         BufferedReader rdr = null;
         try {
+        	BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+        	while(errReader.ready()) {
+        		String error = errReader.readLine();
+        		LOGGER.warn(error);
+        	}
             rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
             processBundlerAuditOutput(dependency, engine, rdr);
         } catch (IOException ioe) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
+ * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
- * Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
+ * expressions are used to parse the well-defined Ruby syntax that forms the specification.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     private static final String GEMSPEC = "gemspec";
 
-    private static final FileFilter FILTER =
+    private static final FileFilter FILTER
-            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+            = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
 
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The capture group #1 is the block variable.
      */
-    private static final Pattern GEMSPEC_BLOCK_INIT =
+    private static final Pattern GEMSPEC_BLOCK_INIT
-            Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+            = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private void addListEvidence(EvidenceCollection evidences, String contents,
-                                 String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
         if (matcher.find()) {
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private String addStringEvidence(EvidenceCollection evidences, String contents,
-                                     String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
         String value = "";

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes related to searching Maven Central.<br/><br/>
+ * Contains classes related to searching Maven Central.<br><br>
  *
  * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
      *
-     * @return a HashMap of CWE entries <String, String>
+     * @return a HashMap of CWE entries &lt;String, String&gt;
      */
     public HashMap<String, String> getCwe() {
         return cwe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p>
  * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
  * <p>
- * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
+ * <b>Example:</b> "Spring Framework Core" -&gt; "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
  * <p>
  * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
  * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -&gt; "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long
  */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
+
     /**
      * Constructs a new VersionTokenizingFilter.
      *
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
-     * concatenating tokens with the previous token.
+     * tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to searching a Nexus repository.<br/><br/>
+ * Contains classes related to searching a Nexus repository.<br><br>
  *
  * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to parsing Nuget related files<br/><br/>
+ * Contains classes related to parsing Nuget related files<br><br>
  * These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
  */
 package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -276,10 +276,13 @@ public final class ConnectionFactory {
      * execute it against the database. The upgrade script must update the 'version' in the properties table.
      *
      * @param conn the database connection object
-     * @param schema the current schema version that is being upgraded
+     * @param appExpectedVersion the schema version that the application expects
+     * @param currentDbVersion the current schema version of the database
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
-    private static void updateSchema(Connection conn, String schema) throws DatabaseException {
+    private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
+            throws DatabaseException {
+
         final String databaseProductName;
         try {
             databaseProductName = conn.getMetaData().getDatabaseProductName();
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
             InputStream is = null;
             String updateFile = null;
             try {
-                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
                 is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
                 if (is == null) {
                     throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
                     statement = conn.createStatement();
                     final boolean success = statement.execute(dbStructureUpdate);
                     if (!success && statement.getUpdateCount() <= 0) {
-                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
+                                currentDbVersion.toString()));
                     }
                 } catch (SQLException ex) {
                     LOGGER.debug("", ex);
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
                 IOUtils.closeQuietly(is);
             }
         } else {
-            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
+            final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
-            throw new DatabaseException("Database schema is out of date");
+            final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
+            final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
+            final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+            if (e0 == c0 && e1 < c1) {
+                LOGGER.warn("A new version of dependency-check is available; consider upgrading");
+                Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            } else if (e0 == c0 && e1 == c1) {
+                //do nothing - not sure how we got here, but just incase...
+            } else {
+                LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
+                        UPGRADE_HELP_URL);
+                throw new DatabaseException("Database schema is out of date");
+            }
         }
     }
 
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                if (current.compareTo(db) > 0) {
+                if (appDbVersion.compareTo(db) > 0) {
-                    LOGGER.debug("Current Schema: " + DB_SCHEMA_VERSION);
+                    LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
-                    LOGGER.debug("DB Schema: " + rs.getString(1));
+                    LOGGER.debug("DB Schema: {}", rs.getString(1));
-                    updateSchema(conn, rs.getString(1));
+                    updateSchema(conn, appDbVersion, db);
                     if (++callDepth < 10) {
                         ensureSchemaVersion(conn);
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java

@@ -70,11 +70,11 @@ public class DatabaseProperties {
     /**
      * A collection of properties about the data.
      */
-    private Properties properties;
+    private final Properties properties;
     /**
      * A reference to the database.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
 
     /**
      * Constructs a new data properties object.
@@ -83,13 +83,6 @@ public class DatabaseProperties {
      */
     DatabaseProperties(CveDB cveDB) {
         this.cveDB = cveDB;
-        loadProperties();
-    }
-
-    /**
-     * Loads the properties from the database.
-     */
-    private void loadProperties() {
         this.properties = cveDB.getProperties();
     }
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/EngineVersionCheck.java

@@ -28,6 +28,7 @@ import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DependencyVersion;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.owasp.dependencycheck.utils.URLConnectionFailureException;
@@ -82,27 +83,33 @@ public class EngineVersionCheck implements CachedWebDataSource {
 
     @Override
     public void update() throws UpdateException {
+
         try {
-            openDatabase();
+            if (Settings.getBoolean(Settings.KEYS.AUTO_UPDATE)) {
-            LOGGER.debug("Begin Engine Version Check");
+                openDatabase();
-            final DatabaseProperties properties = cveDB.getDatabaseProperties();
+                LOGGER.debug("Begin Engine Version Check");
-            final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
+                final DatabaseProperties properties = cveDB.getDatabaseProperties();
-            final long now = System.currentTimeMillis();
+                final long lastChecked = Long.parseLong(properties.getProperty(ENGINE_VERSION_CHECKED_ON, "0"));
-            updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
+                final long now = System.currentTimeMillis();
-            final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
+                updateToVersion = properties.getProperty(CURRENT_ENGINE_RELEASE, "");
-            LOGGER.debug("Last checked: {}", lastChecked);
+                final String currentVersion = Settings.getString(Settings.KEYS.APPLICATION_VERSION, "0.0.0");
-            LOGGER.debug("Now: {}", now);
+                LOGGER.debug("Last checked: {}", lastChecked);
-            LOGGER.debug("Current version: {}", currentVersion);
+                LOGGER.debug("Now: {}", now);
-            final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
+                LOGGER.debug("Current version: {}", currentVersion);
-            if (updateNeeded) {
+                final boolean updateNeeded = shouldUpdate(lastChecked, now, properties, currentVersion);
-                LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                if (updateNeeded) {
-                        updateToVersion);
+                    LOGGER.warn("A new version of dependency-check is available. Consider updating to version {}.",
+                            updateToVersion);
+                }
             }
         } catch (DatabaseException ex) {
             LOGGER.debug("Database Exception opening databases to retrieve properties", ex);
             throw new UpdateException("Error occured updating database properties.");
+        } catch (InvalidSettingException ex) {
+            LOGGER.debug("Unable to determine if autoupdate is enabled", ex);
         } finally {
             closeDatabase();
+
         }
     }
 
@@ -120,10 +127,7 @@ public class EngineVersionCheck implements CachedWebDataSource {
     protected boolean shouldUpdate(final long lastChecked, final long now, final DatabaseProperties properties,
             String currentVersion) throws UpdateException {
         //check every 30 days if we know there is an update, otherwise check every 7 days
-        int checkRange = 30;
+        final int checkRange = 30;
-        if (updateToVersion.isEmpty()) {
-            checkRange = 7;
-        }
         if (!DateUtil.withinDateRange(lastChecked, now, checkRange)) {
             LOGGER.debug("Checking web for new version.");
             final String currentRelease = getCurrentReleaseVersion();
@@ -133,14 +137,16 @@ public class EngineVersionCheck implements CachedWebDataSource {
                     updateToVersion = v.toString();
                     if (!currentRelease.equals(updateToVersion)) {
                         properties.save(CURRENT_ENGINE_RELEASE, updateToVersion);
-                    } else {
-                        properties.save(CURRENT_ENGINE_RELEASE, "");
                     }
                     properties.save(ENGINE_VERSION_CHECKED_ON, Long.toString(now));
                 }
             }
             LOGGER.debug("Current Release: {}", updateToVersion);
         }
+        if (updateToVersion == null) {
+            LOGGER.debug("Unable to obtain current release");
+            return false;
+        }
         final DependencyVersion running = new DependencyVersion(currentVersion);
         final DependencyVersion released = new DependencyVersion(updateToVersion);
         if (running.compareTo(released) < 0) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -25,6 +25,8 @@ import java.util.concurrent.ExecutionException;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Executors;
 import java.util.concurrent.Future;
+import org.owasp.dependencycheck.data.nvdcve.CveDB;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
 import static org.owasp.dependencycheck.data.nvdcve.DatabaseProperties.MODIFIED;
 import org.owasp.dependencycheck.data.update.exception.InvalidDataException;
@@ -66,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            if (checkUpdate()) {
+            boolean autoUpdate = true;
+            try {
+                autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+            } catch (InvalidSettingException ex) {
+                LOGGER.debug("Invalid setting for auto-update; using true.");
+            }
+            if (autoUpdate && checkUpdate()) {
                 final UpdateableNvdCve updateable = getUpdatesNeeded();
                 if (updateable.isUpdateNeeded()) {
                     performUpdate(updateable);
@@ -101,7 +109,7 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         boolean proceed = true;
         // If the valid setting has not been specified, then we proceed to check...
         final int validForHours = Settings.getInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, 0);
-        if (0 < validForHours) {
+        if (dataExists() && 0 < validForHours) {
             // ms Valid = valid (hours) x 60 min/hour x 60 sec/min x 1000 ms/sec
             final long msValid = validForHours * 60L * 60L * 1000L;
             final long lastChecked = Long.parseLong(getProperties().getProperty(DatabaseProperties.LAST_CHECKED, "0"));
@@ -118,6 +126,26 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
         return proceed;
     }
 
+    /**
+     * Checks the CVE Index to ensure data exists and analysis can continue.
+     *
+     * @return true if the database contains data
+     */
+    private boolean dataExists() {
+        CveDB cve = null;
+        try {
+            cve = new CveDB();
+            cve.open();
+            return cve.dataExists();
+        } catch (DatabaseException ex) {
+            return false;
+        } finally {
+            if (cve != null) {
+                cve.close();
+            }
+        }
+    }
+
     /**
      * Downloads the latest NVD CVE XML file from the web and imports it into the current CVE Database.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/CPEHandler.java

@@ -46,7 +46,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * A reference to the current element.
      */
-    private Element current = new Element();
+    private final Element current = new Element();
     /**
      * The logger.
      */
@@ -54,7 +54,7 @@ public class CPEHandler extends DefaultHandler {
     /**
      * The list of CPE values.
      */
-    private List<Cpe> data = new ArrayList<Cpe>();
+    private final List<Cpe> data = new ArrayList<Cpe>();
 
     /**
      * Returns the list of CPE values.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes used to parse the CPE XML file from NIST.<br/><br/>
+ * Contains classes used to parse the CPE XML file from NIST.<br><br>
  *
  * These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
  * we may consider pulling the more descriptive data from the CPE data in the future.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
@@ -80,11 +81,11 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * The CVE DB to use when processing the files.
      */
-    private CveDB cveDB;
+    private final CveDB cveDB;
     /**
      * The processor service to pass the results of the download to.
      */
-    private ExecutorService processorService;
+    private final ExecutorService processorService;
     /**
      * The NVD CVE Meta Data.
      */
@@ -92,7 +93,7 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Get the value of nvdCveInfo.
@@ -155,28 +156,6 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
     public void setSecond(File second) {
         this.second = second;
     }
-    /**
-     * A placeholder for an exception.
-     */
-    private Exception exception = null;
-
-    /**
-     * Get the value of exception.
-     *
-     * @return the value of exception
-     */
-    public Exception getException() {
-        return exception;
-    }
-
-    /**
-     * returns whether or not an exception occurred during download.
-     *
-     * @return whether or not an exception occurred during download
-     */
-    public boolean hasException() {
-        return exception != null;
-    }
 
     @Override
     public Future<ProcessTask> call() throws Exception {
@@ -198,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                 LOGGER.debug("", ex);
                 return null;
             }
-            if (url1.toExternalForm().endsWith(".xml.gz")) {
+            if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
                 extractGzip(first);
             }
-            if (url2.toExternalForm().endsWith(".xml.gz")) {
+            if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
                 extractGzip(second);
             }
 
             LOGGER.info("Download Complete for NVD CVE - {}  ({} ms)", nvdCveInfo.getId(),
-                System.currentTimeMillis() - startDownload);
+                    System.currentTimeMillis() - startDownload);
             if (this.processorService == null) {
                 return null;
             }
@@ -248,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         }
     }
 
+    /**
+     * Checks the file header to see if it is an XML file.
+     *
+     * @param file the file to check
+     * @return true if the file is XML
+     */
+    public static boolean isXml(File file) {
+        if (file == null || !file.isFile()) {
+            return false;
+        }
+        InputStream is = null;
+        try {
+            is = new FileInputStream(file);
+
+            final byte[] buf = new byte[5];
+            int read = 0;
+            try {
+                read = is.read(buf);
+            } catch (IOException ex) {
+                return false;
+            }
+            return read == 5
+                    && buf[0] == '<'
+                    && (buf[1] == '?')
+                    && (buf[2] == 'x' || buf[2] == 'X')
+                    && (buf[3] == 'm' || buf[3] == 'M')
+                    && (buf[4] == 'l' || buf[4] == 'L');
+        } catch (FileNotFoundException ex) {
+            return false;
+        } finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {
+                }
+            }
+        }
+    }
+
     /**
      * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/NvdCve12Handler.java

@@ -99,7 +99,6 @@ public class NvdCve12Handler extends DefaultHandler {
                 software = null;
             }
         } else if (!skip && current.isProdNode()) {
-
             vendor = attributes.getValue("vendor");
             product = attributes.getValue("name");
         } else if (!skip && current.isVersNode()) {
@@ -112,15 +111,19 @@ public class NvdCve12Handler extends DefaultHandler {
                 /*yes yes, this may not actually be an "a" - it could be an OS, etc. but for our
                  purposes this is good enough as we won't use this if we don't find a corresponding "a"
                  in the nvd cve 2.0. */
-                String cpe = "cpe:/a:" + vendor + ":" + product;
+                final int cpeLen = 8 + vendor.length() + product.length()
+                    + (null != num ? (1 + num.length()) : 0)
+                    + (null != edition ? (1 + edition.length()) : 0);
+                final StringBuilder cpe = new StringBuilder(cpeLen);
+                cpe.append("cpe:/a:").append(vendor).append(':').append(product);
                 if (num != null) {
-                    cpe += ':' + num;
+                    cpe.append(':').append(num);
                 }
                 if (edition != null) {
-                    cpe += ':' + edition;
+                    cpe.append(':').append(edition);
                 }
                 final VulnerableSoftware vs = new VulnerableSoftware();
-                vs.setCpe(cpe);
+                vs.setCpe(cpe.toString());
                 vs.setPreviousVersion(prev);
                 software.add(vs);
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/ProcessTask.java

@@ -85,7 +85,7 @@ public class ProcessTask implements Callable<ProcessTask> {
     /**
      * A reference to the global settings object.
      */
-    private Settings settings;
+    private final Settings settings;
 
     /**
      * Constructs a new ProcessTask used to process an NVD CVE update.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/UpdateableNvdCve.java

@@ -32,12 +32,12 @@ import org.owasp.dependencycheck.utils.Downloader;
  *
  * @author Jeremy Long
  */
-public class UpdateableNvdCve implements java.lang.Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
+public class UpdateableNvdCve implements Iterable<NvdCveInfo>, Iterator<NvdCveInfo> {
 
     /**
      * A collection of sources of data.
      */
-    private Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
+    private final Map<String, NvdCveInfo> collection = new TreeMap<String, NvdCveInfo>();
 
     /**
      * Returns the collection of NvdCveInfo objects. This method is mainly used for testing.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java

@@ -1,4 +1,4 @@
 /**
- * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
+ * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
  */
 package org.owasp.dependencycheck.data.update.nvd;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes used to update the data stores.<br/><br/>
+ * Contains classes used to update the data stores.<br><br>
  *
  * The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
  * must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     }
 
     /**
-     * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
+     * Implementation of the Comparable&lt;Dependency&gt; interface. The comparison is solely based on the file path.
      *
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
         final Dependency other = (Dependency) obj;
         return new EqualsBuilder()
-            .appendSuper(super.equals(obj))
+                .appendSuper(super.equals(obj))
-            .append(this.actualFilePath, other.actualFilePath)
+                .append(this.actualFilePath, other.actualFilePath)
-            .append(this.filePath, other.filePath)
+                .append(this.filePath, other.filePath)
-            .append(this.fileName, other.fileName)
+                .append(this.fileName, other.fileName)
-            .append(this.md5sum, other.md5sum)
+                .append(this.md5sum, other.md5sum)
-            .append(this.sha1sum, other.sha1sum)
+                .append(this.sha1sum, other.sha1sum)
-            .append(this.identifiers, other.identifiers)
+                .append(this.identifiers, other.identifiers)
-            .append(this.vendorEvidence, other.vendorEvidence)
+                .append(this.vendorEvidence, other.vendorEvidence)
-            .append(this.productEvidence, other.productEvidence)
+                .append(this.productEvidence, other.productEvidence)
-            .append(this.versionEvidence, other.versionEvidence)
+                .append(this.versionEvidence, other.versionEvidence)
-            .append(this.description, other.description)
+                .append(this.description, other.description)
-            .append(this.license, other.license)
+                .append(this.license, other.license)
-            .append(this.vulnerabilities, other.vulnerabilities)
+                .append(this.vulnerabilities, other.vulnerabilities)
-            //.append(this.relatedDependencies, other.relatedDependencies)
+                //.append(this.relatedDependencies, other.relatedDependencies)
-            .append(this.projectReferences, other.projectReferences)
+                .append(this.projectReferences, other.projectReferences)
-            .append(this.availableVersions, other.availableVersions)
+                .append(this.availableVersions, other.availableVersions)
-            .isEquals();
+                .isEquals();
     }
 
     /**
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     @Override
     public int hashCode() {
         return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
-            .append(actualFilePath)
+                .append(actualFilePath)
-            .append(filePath)
+                .append(filePath)
-            .append(fileName)
+                .append(fileName)
-            .append(md5sum)
+                .append(md5sum)
-            .append(sha1sum)
+                .append(sha1sum)
-            .append(identifiers)
+                .append(identifiers)
-            .append(vendorEvidence)
+                .append(vendorEvidence)
-            .append(productEvidence)
+                .append(productEvidence)
-            .append(versionEvidence)
+                .append(versionEvidence)
-            .append(description)
+                .append(description)
-            .append(license)
+                .append(license)
-            .append(vulnerabilities)
+                .append(vulnerabilities)
-            //.append(relatedDependencies)
+                //.append(relatedDependencies)
-            .append(projectReferences)
+                .append(projectReferences)
-            .append(availableVersions)
+                .append(availableVersions)
-            .toHashCode();
+                .toHashCode();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Used to iterate over evidence of the specified confidence.
      *
      * @param confidence the confidence level for the evidence to be iterated over.
-     * @return Iterable<Evidence> an iterable collection of evidence
+     * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
         if (confidence == Confidence.HIGHEST) {
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
      * location.
      *
-     * @return Set<String>
+     * @return Set&lt;String&gt;
      */
     public Set<String> getWeighting() {
         return weightedStrings;
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Implements the iterator interface for the Evidence Collection.
      *
-     * @return an Iterator<Evidence>.
+     * @return an Iterator&lt;Evidence&gt;
      */
     @Override
     public Iterator<Evidence> iterator() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java

@@ -22,7 +22,7 @@ import java.io.IOException;
 /**
  * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class ScanAgentException extends IOException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
+ * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
- * logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
+ * that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
- * custom Velocity logger that redirects all velocity logging to the Java Logger class.
+ * redirects all velocity logging to the Java Logger class.
  * </p><p>
- * This class was written to address permission issues when using Dependency-Check in a server environment (such as the
+ * This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
- * Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
+ * plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
- * directory.</p>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class VelocityLoggerRedirect implements LogChute {
 
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
+     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
-     * values.
      *
      * @param level the logging level
      * @param message the message to be logged
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
+     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
-     * specified values.
+     * values.
      *
      * @param level the logging level
      * @param message the message to be logged

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionHandler.java

@@ -65,7 +65,7 @@ public class SuppressionHandler extends DefaultHandler {
     /**
      * A list of suppression rules.
      */
-    private List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
+    private final List<SuppressionRule> suppressionRules = new ArrayList<SuppressionRule>();
 
     /**
      * Get the value of suppressionRules.

dependency-check-core/src/main/java/org/owasp/dependencycheck/suppression/SuppressionRule.java

@@ -20,7 +20,6 @@ package org.owasp.dependencycheck.suppression;
 import java.util.ArrayList;
 import java.util.Iterator;
 import java.util.List;
-import org.apache.commons.lang3.StringUtils;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
@@ -268,8 +267,8 @@ public class SuppressionRule {
     }
 
     /**
-     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the
+     * A flag indicating whether or not the suppression rule is a core/base rule that should not be included in the resulting
-     * resulting report in the "suppressed" section.
+     * report in the "suppressed" section.
      */
     private boolean base;
 
@@ -292,8 +291,8 @@ public class SuppressionRule {
     }
 
     /**
-     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any
+     * Processes a given dependency to determine if any CPE, CVE, CWE, or CVSS scores should be suppressed. If any should be, they
-     * should be, they are removed from the dependency.
+     * are removed from the dependency.
      *
      * @param dependency a project dependency to analyze
      */
@@ -382,7 +381,24 @@ public class SuppressionRule {
      * @return true if the property type does not specify a version; otherwise false
      */
     boolean cpeHasNoVersion(PropertyType c) {
-        return !c.isRegex() && StringUtils.countMatches(c.getValue(), ':') == 3;
+        return !c.isRegex() && countCharacter(c.getValue(), ':') <= 3;
+    }
+
+    /**
+     * Counts the number of occurrences of the character found within the string.
+     *
+     * @param str the string to check
+     * @param c the character to count
+     * @return the number of times the character is found in the string
+     */
+    int countCharacter(String str, char c) {
+        int count = 0;
+        int pos = str.indexOf(c) + 1;
+        while (pos > 0) {
+            count += 1;
+            pos = str.indexOf(c, pos) + 1;
+        }
+        return count;
     }
 
     /**
@@ -417,7 +433,7 @@ public class SuppressionRule {
      */
     @Override
     public String toString() {
-        final StringBuilder sb = new StringBuilder();
+        final StringBuilder sb = new StringBuilder(64);
         sb.append("SuppressionRule{");
         if (filePath != null) {
             sb.append("filePath=").append(filePath).append(',');

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
 
     /**
      * <p>
-     * A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
+     * A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
-     * Example:<br/>
+     * <pre>
-     * Give the file name: library-name-1.4.1r2-release.jar<br/>
+     * Example:
-     * This function would return: 1.4.1.r2</p>
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
      *
      * @param text the text being analyzed
      * @return a DependencyVersion containing the version

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java

@@ -40,7 +40,7 @@ import java.util.Set;
  *     FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
  * </pre>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
  */
 public class FileFilterBuilder {

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/Filter.java

@@ -50,7 +50,7 @@ public abstract class Filter<T> {
             if (next == null) {
                 throw new NoSuchElementException();
             }
-            T returnValue = next;
+            final T returnValue = next;
             toNext();
             return returnValue;
         }
@@ -63,7 +63,7 @@ public abstract class Filter<T> {
         private void toNext() {
             next = null;
             while (iterator.hasNext()) {
-                T item = iterator.next();
+                final T item = iterator.next();
                 if (item != null && passes(item)) {
                     next = item;
                     break;

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/Model.java

@@ -241,7 +241,7 @@ public class Model {
     /**
      * The list of licenses.
      */
-    private List<License> licenses = new ArrayList<License>();
+    private final List<License> licenses = new ArrayList<License>();
 
     /**
      * Returns the list of licenses.

dependency-check-core/src/main/java/org/owasp/dependencycheck/xml/pom/PomHandler.java

@@ -78,7 +78,7 @@ public class PomHandler extends DefaultHandler {
     /**
      * The pom model.
      */
-    private Model model = new Model();
+    private final Model model = new Model();
 
     /**
      * Returns the model obtained from the pom.xml.

dependency-check-core/src/main/resources/data/dbStatements_oracle.properties

@@ -0,0 +1 @@
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend
 
 CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
     , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
-    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)
+    , PRIMARY KEY (cveid, cpeEntryId));
 
 CREATE INDEX idxVulnerability ON vulnerability(cve);
 CREATE INDEX idxReference ON reference(cveid);
@@ -53,4 +54,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/initialize_oracle.sql

@@ -0,0 +1,112 @@
+-- Drop
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+
+CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+    description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+    cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+    cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+    CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE SEQUENCE cpeEntry_seq;
+CREATE SEQUENCE vulnerability_seq;
+
+CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
+BEFORE INSERT
+ON VULNERABILITY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := VULNERABILITY_SEQ.nextval;
+END VULNERABILITY_TRG;
+/
+
+CREATE OR REPLACE TRIGGER CPEENTRY_TRG
+BEFORE INSERT
+ON CPEENTRY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := CPEENTRY_SEQ.nextval;
+END CPEENTRY_TRG;
+/
+
+INSERT INTO properties(id,value) VALUES ('version','3.0');

dependency-check-core/src/main/resources/data/upgrade_mysql_2.9.sql

@@ -12,4 +12,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,6 +161,13 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        HK2-utils is flagged as glassfish.
+        ]]></notes>
+        <filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
@@ -189,4 +196,127 @@
         <gav regex="true">org.apache.geronimo.specs:.*</gav>
         <cpe>cpe:/a:apache:geronimo</cpe>
     </suppress>
-</suppressions>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-embed-el.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat\.embed:tomcat-embed-el:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-jdbc.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-jdbc:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        This suppresses false positives identified on tomcat-juli.
+        ]]></notes>
+        <gav regex="true">org\.apache\.tomcat:tomcat-juli:.*</gav>
+        <cpe>cpe:/a:apache:tomcat</cpe>
+        <cpe>cpe:/a:apache_tomcat:apache_tomcat</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positive per issue #433
+        ]]></notes>
+        <gav regex="true">com\.google\.javascript:closure-compiler:.*</gav>
+        <cpe>cpe:/a:google:google_apps:-</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #437
+        ]]></notes>
+        <gav regex="true">.*mongodb.*:.*:.*</gav>
+        <cpe>cpe:/a:mongodb:mongodb</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        suppress false positives per issue #438
+            Note, there will be more false positives for Netty. Trying to figure out a better suppression.
+        ]]></notes>
+        <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
+        <cpe>cpe:/a:netty_project:netty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        JVM instrumentation to Ganglia
+        ]]></notes>
+        <gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        A reporter for Metrics which announces measurements to a Ganglia cluster
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
+        <cpe>cpe:/a:apache:httpclient</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        javax.transaction false positives
+        ]]></notes>
+        <gav regex="true">javax\.transaction:javax\.transaction-api:.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        false positive in drop wizard
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:tiger:tiger</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        php cpe
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
+        <cpe>cpe:/a:class:class</cpe>
+    </suppress>
+</suppressions>

dependency-check-core/src/main/resources/dependencycheck.properties

@@ -18,8 +18,13 @@ engine.version.url=http://jeremylong.github.io/DependencyCheck/current.txt
 data.directory=[JAR]/data
 #if the filename has a %s it will be replaced with the current expected version
 data.file_name=dc.h2.db
+
+### if you increment the DB version then you must increment the database file path
+### in the mojo.properties, task.properties (maven and ant respectively), and
+### the gradle PurgeDataExtension.
 data.version=3.0
-data.connection_string=jdbc:h2:file:%s;FILE_LOCK=FS;AUTOCOMMIT=ON;
+
+data.connection_string=jdbc:h2:file:%s;FILE_LOCK=SERIALIZED;AUTOCOMMIT=ON;
 #data.connection_string=jdbc:mysql://localhost:3306/dependencycheck
 
 # user name and password for the database connection. The inherent case is to use H2.

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">
@@ -56,4 +56,4 @@
             </xs:sequence>
         </xs:complexType>
     </xs:element>
-</xs:schema>
+</xs:schema>

dependency-check-core/src/main/resources/templates/HtmlReport.vsl

@@ -503,7 +503,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <body>
         <div id="modal-background"></div>
         <div id="modal-content">
-            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
+            <div>Press CTR-C to copy XML&nbsp;<a href="http://jeremylong.github.io/DependencyCheck/general/suppression.html" class="infolink" target="_blank" title="Help with suppressing false positives">[help]</a></div>
                 <textarea id="modal-text" cols="50" rows="10" readonly></textarea><br/>
                 <button id="modal-add-header" title="Add the parent XML nodes to create the complete XML file that can be used to suppress this finding" class="modal-button">Complete XML Doc</button><button id="modal-close" class="modal-button-right">Close</button>
         </div>

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzerTest.java

@@ -159,7 +159,7 @@ public class AssemblyAnalyzerTest extends BaseTest {
             aanalyzer.initialize();
             fail("Expected an AnalysisException");
         } catch (AnalysisException ae) {
-            assertEquals("An error occured with the .NET AssemblyAnalyzer", ae.getMessage());
+            assertEquals("An error occurred with the .NET AssemblyAnalyzer", ae.getMessage());
         } finally {
             System.setProperty(LOG_KEY, oldProp);
             // Recover the logger

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java

@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 /**
- * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
+ * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
- * obtained from outside open source software projects. Links to those projects
+ * Links to those projects are given below.
- * are given below.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
- * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
+ * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
- *      Project</a>
  * @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
  * @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
  */
 public class AutoconfAnalyzerTest extends BaseTest {
 
-	/**
+    /**
-	 * The analyzer to test.
+     * The analyzer to test.
-	 */
+     */
-	AutoconfAnalyzer analyzer;
+    AutoconfAnalyzer analyzer;
 
-	private void assertCommonEvidence(Dependency result, String product,
+    private void assertCommonEvidence(Dependency result, String product,
-			String version, String vendor) {
+            String version, String vendor) {
-		assertProductAndVersion(result, product, version);
+        assertProductAndVersion(result, product, version);
-		assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
+        assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
-				result.getVendorEvidence().toString().contains(vendor));
+                result.getVendorEvidence().toString().contains(vendor));
-	}
+    }
 
-	private void assertProductAndVersion(Dependency result, String product,
+    private void assertProductAndVersion(Dependency result, String product,
-			String version) {
+            String version) {
-		assertTrue("Expected product evidence to contain \"" + product + "\".",
+        assertTrue("Expected product evidence to contain \"" + product + "\".",
-				result.getProductEvidence().toString().contains(product));
+                result.getProductEvidence().toString().contains(product));
-		assertTrue("Expected version evidence to contain \"" + version + "\".",
+        assertTrue("Expected version evidence to contain \"" + version + "\".",
-				result.getVersionEvidence().toString().contains(version));
+                result.getVersionEvidence().toString().contains(version));
-	}
+    }
 
-	/**
+    /**
-	 * Correctly setup the analyzer for testing.
+     * Correctly setup the analyzer for testing.
-	 *
+     *
-	 * @throws Exception
+     * @throws Exception thrown if there is a problem
-	 *             thrown if there is a problem
+     */
-	 */
+    @Before
-	@Before
+    public void setUp() throws Exception {
-	public void setUp() throws Exception {
+        analyzer = new AutoconfAnalyzer();
-		analyzer = new AutoconfAnalyzer();
+        analyzer.setFilesMatched(true);
-		analyzer.setFilesMatched(true);
+        analyzer.initialize();
-		analyzer.initialize();
+    }
-	}
 
-	/**
+    /**
-	 * Cleanup the analyzer's temp files, etc.
+     * Cleanup the analyzer's temp files, etc.
-	 *
+     *
-	 * @throws Exception
+     * @throws Exception thrown if there is a problem
-	 *             thrown if there is a problem
+     */
-	 */
+    @After
-	@After
+    public void tearDown() throws Exception {
-	public void tearDown() throws Exception {
+        analyzer.close();
-		analyzer.close();
+        analyzer = null;
-		analyzer = null;
+    }
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from Ghostscript's
+     * Test whether expected evidence is gathered from Ghostscript's configure.ac.
-	 * configure.ac.
+     *
-	 *
+     * @throws AnalysisException is thrown when an exception occurs.
-	 * @throws AnalysisException
+     */
-	 *             is thrown when an exception occurs.
+    @Test
-	 */
+    public void testAnalyzeConfigureAC1() throws AnalysisException {
-	@Test
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-	public void testAnalyzeConfigureAC1() throws AnalysisException {
+                this, "autoconf/ghostscript/configure.ac"));
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+        analyzer.analyze(result, null);
-				this, "autoconf/ghostscript/configure.ac"));
+        assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-		analyzer.analyze(result, null);
+    }
-		assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from Readable's configure.ac.
+     * Test whether expected evidence is gathered from Readable's configure.ac.
-	 *
+     *
-	 * @throws AnalysisException
+     * @throws AnalysisException is thrown when an exception occurs.
-	 *             is thrown when an exception occurs.
+     */
-	 */
+    @Test
-	@Test
+    public void testAnalyzeConfigureAC2() throws AnalysisException {
-	public void testAnalyzeConfigureAC2() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure.ac"));
-				this, "autoconf/readable-code/configure.ac"));
+        analyzer.analyze(result, null);
-		analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
-		assertReadableCodeEvidence(result);
+    }
-	}
 
-	private void assertReadableCodeEvidence(final Dependency result) {
+    private void assertReadableCodeEvidence(final Dependency result) {
-		assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
+        assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
-		final String url = "http://readable.sourceforge.net/";
+        final String url = "http://readable.sourceforge.net/";
-		assertTrue("Expected product evidence to contain \"" + url + "\".",
+        assertTrue("Expected product evidence to contain \"" + url + "\".",
-				result.getVendorEvidence().toString().contains(url));
+                result.getVendorEvidence().toString().contains(url));
-	}
+    }
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from GNU Binutil's configure.
+     * Test whether expected evidence is gathered from GNU Binutil's configure.
-	 *
+     *
-	 * @throws AnalysisException
+     * @throws AnalysisException is thrown when an exception occurs.
-	 *             is thrown when an exception occurs.
+     */
-	 */
+    @Test
-	@Test
+    public void testAnalyzeConfigureScript() throws AnalysisException {
-	public void testAnalyzeConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/binutils/configure"));
-				this, "autoconf/binutils/configure"));
+        analyzer.analyze(result, null);
-		analyzer.analyze(result, null);
+        assertProductAndVersion(result, "binutils", "2.25.51");
-		assertProductAndVersion(result, "binutils", "2.25.51");
+    }
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from GNU Ghostscript's
+     * Test whether expected evidence is gathered from GNU Ghostscript's configure.
-	 * configure.
+     *
-	 *
+     * @throws AnalysisException is thrown when an exception occurs.
-	 * @throws AnalysisException
+     */
-	 *             is thrown when an exception occurs.
+    @Test
-	 */
+    public void testAnalyzeReadableConfigureScript() throws AnalysisException {
-	@Test
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-	public void testAnalyzeReadableConfigureScript() throws AnalysisException {
+                this, "autoconf/readable-code/configure"));
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+        analyzer.analyze(result, null);
-				this, "autoconf/readable-code/configure"));
+        assertReadableCodeEvidence(result);
-		analyzer.analyze(result, null);
+    }
-		assertReadableCodeEvidence(result);
-	}
 
-	/**
+    /**
-	 * Test of getName method, of {@link AutoconfAnalyzer}.
+     * Test of getName method, of {@link AutoconfAnalyzer}.
-	 */
+     */
-	@Test
+    @Test
-	public void testGetName() {
+    public void testGetName() {
-		assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
+        assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
-				analyzer.getName());
+                analyzer.getName());
-	}
+    }
 
-	/**
+    /**
-	 * Test of {@link AutoconfAnalyzer#accept(File)}.
+     * Test of {@link AutoconfAnalyzer#accept(File)}.
-	 */
+     */
-	@Test
+    @Test
-	public void testSupportsFileExtension() {
+    public void testSupportsFileExtension() {
-		assertTrue("Should support \"ac\" extension.",
+        assertTrue("Should support \"ac\" extension.",
-				analyzer.accept(new File("configure.ac")));
+                analyzer.accept(new File("configure.ac")));
-		assertTrue("Should support \"in\" extension.",
+        assertTrue("Should support \"in\" extension.",
-				analyzer.accept(new File("configure.in")));
+                analyzer.accept(new File("configure.in")));
-		assertTrue("Should support \"configure\" extension.",
+        assertTrue("Should support \"configure\" extension.",
-				analyzer.accept(new File("configure")));
+                analyzer.accept(new File("configure")));
-	}
+    }
-}
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for CmakeAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
         assertEquals(expResult, result);
     }
 
+    @Test
+    public void testParseManifest() throws Exception {
+        File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
+        Dependency result = new Dependency(file);
+        JarAnalyzer instance = new JarAnalyzer();
+        List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
+        instance.parseManifest(result, cni);
+
+        assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
+    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java

@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for OpenSSLAnalyzerAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzerTest extends BaseTest {
 
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
 
     @Test
     public void testVersionConstantExamples() {
-        final long[] constants = {0x1000203fL
+        final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
-                , 0x00903000
-                , 0x00903001
-                , 0x00903002l
-                , 0x0090300f
-                , 0x0090301f
-                , 0x0090400f
-                , 0x102031af};
         final String[] versions = {"1.0.2c",
-                "0.9.3-dev",
+            "0.9.3-dev",
-                "0.9.3-beta1",
+            "0.9.3-beta1",
-                "0.9.3-beta2",
+            "0.9.3-beta2",
-                "0.9.3",
+            "0.9.3",
-                "0.9.3a",
+            "0.9.3a",
-                "0.9.4",
+            "0.9.4",
-                "1.2.3z"};
+            "1.2.3z"};
         assertEquals(constants.length, versions.length);
         for (int i = 0; i < constants.length; i++) {
             assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonDistributionAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -17,6 +17,12 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
@@ -26,19 +32,14 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.File;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzerTest extends BaseTest {
 
@@ -56,14 +57,9 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @Before
     public void setUp() throws Exception {
-        try {
+    	Settings.initialize();
-            analyzer = new RubyBundleAuditAnalyzer();
+        analyzer = new RubyBundleAuditAnalyzer();
-            analyzer.setFilesMatched(true);
+        analyzer.setFilesMatched(true);
-            analyzer.initialize();
-        } catch (Exception e) {
-            //LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
-            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
-        }
     }
 
     /**
@@ -73,6 +69,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @After
     public void tearDown() throws Exception {
+    	Settings.cleanup();
         analyzer.close();
         analyzer = null;
     }
@@ -100,10 +97,44 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @Test
     public void testAnalysis() throws AnalysisException, DatabaseException {
-        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+    	try {
-                "ruby/vulnerable/Gemfile.lock"));
+            analyzer.initialize();
-        final Engine engine = new Engine();
+
-        analyzer.analyze(result, engine);
+            final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-        assertThat(engine.getDependencies().size(), is(not(0)));
+                    "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
+            final Engine engine = new Engine();
+            analyzer.analyze(result, engine);
+            int size = engine.getDependencies().size();
+            assertThat(size, is(1));
+            
+            Dependency dependency = engine.getDependencies().get(0);
+            assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
+            assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
+            
+        } catch (Exception e) {
+            LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
+            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
+        }
+    }
+
+    /**
+     * Test when Ruby bundle-audit is not available on the system.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
+    	//set a non-exist bundle-audit
+        Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
+        try {
+            //initialize should fail.
+			analyzer.initialize();
+		} catch (Exception e) {
+			//expected, so ignore.
+		}
+        finally {
+	        assertThat(analyzer.isEnabled(), is(false));
+			LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
+        }
     }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for {@link RubyGemspecAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/EngineVersionCheckTest.java

@@ -124,7 +124,7 @@ public class EngineVersionCheckTest extends BaseTest {
         updateToVersion = "";
         currentVersion = "1.2.5";
         lastChecked = df.parse("2014-12-01").getTime();
-        now = df.parse("2014-12-08").getTime();
+        now = df.parse("2015-12-08").getTime();
         expResult = true;
         instance.setUpdateToVersion(updateToVersion);
         result = instance.shouldUpdate(lastChecked, now, properties, currentVersion);

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java

@@ -17,47 +17,30 @@
  */
 package org.owasp.dependencycheck.data.update.nvd;
 
-import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
+import java.io.File;
-import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import org.junit.After;
 import org.junit.AfterClass;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DownloadTaskTest {
+public class DownloadTaskTest extends BaseTest {
 
     public DownloadTaskTest() {
     }
 
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-        Settings.initialize();
-    }
-
-    @After
-    public void tearDown() {
-        Settings.cleanup();
-    }
-
     /**
      * Test of call method, of class DownloadTask.
      */
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
         Future<ProcessTask> result = instance.call();
         assertNull(result);
     }
+
+    /**
+     * Test of isXml(file).
+     */
+    @Test
+    public void testIsXML() {
+        File f = getResourceAsFile(this, "nvdcve-modified.xml");
+        assertTrue(DownloadTask.isXml(f));
+        f = getResourceAsFile(this, "file.tar.gz");
+        assertFalse(DownloadTask.isXml(f));
+
+    }
 }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
 
+#Use your own bundle-audit install directory.
+#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile

@@ -0,0 +1,102 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# This needs to be with require false as it is
+# loaded after loading the test library to
+# ensure correct loading order
+gem 'mocha', '~> 0.14', require: false
+
+gem 'rack-cache', '~> 1.2'
+gem 'jquery-rails', '~> 3.1.0'
+gem 'turbolinks'
+gem 'coffee-rails', '~> 4.0.0'
+
+gem 'sprockets', '~> 3.0.0.rc.1'
+
+# require: false so bcrypt is loaded only when has_secure_password is used.
+# This is to avoid ActiveModel (and by extension the entire framework)
+# being dependent on a binary library.
+gem 'bcrypt', '~> 3.1.7', require: false
+
+# This needs to be with require false to avoid
+# it being automatically loaded by sprockets
+gem 'uglifier', '>= 1.3.0', require: false
+
+group :doc do
+  gem 'sdoc', '~> 0.4.0'
+  gem 'redcarpet', '~> 2.2.2', platforms: :ruby
+  gem 'w3c_validators'
+  gem 'kindlerb', '0.1.1'
+  gem 'mustache', '~> 0.99.8'
+end
+
+# AS
+gem 'dalli', '>= 2.2.1'
+
+# Add your own local bundler stuff
+local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
+instance_eval File.read local_gemfile if File.exist? local_gemfile
+
+group :test do
+  # FIX: Our test suite isn't ready to run in random order yet
+  gem 'minitest', '< 5.3.4'
+
+  platforms :mri_19 do
+    gem 'ruby-prof', '~> 0.11.2'
+  end
+
+  # platforms :mri_19, :mri_20 do
+  #   gem 'debugger'
+  # end
+
+  platforms :mri do
+    gem 'stackprof'
+  end
+
+  gem 'benchmark-ips'
+end
+
+platforms :ruby do
+  gem 'nokogiri', '>= 1.4.5'
+
+  # Needed for compiling the ActionDispatch::Journey parser
+  gem 'racc', '>=1.4.6', require: false
+
+  # AR
+  gem 'sqlite3', '~> 1.3.6'
+
+  group :db do
+    gem 'pg', '>= 0.11.0'
+    gem 'mysql', '>= 2.9.0'
+    gem 'mysql2', '>= 0.3.13', '< 0.4'
+  end
+end
+
+platforms :jruby do
+  gem 'json'
+  if ENV['AR_JDBC']
+    gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+      gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    end
+  else
+    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
+      gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
+    end
+  end
+end
+
+# gems that are necessary for ActiveRecord tests with Oracle database
+if ENV['ORACLE_ENHANCED']
+  platforms :ruby do
+    gem 'ruby-oci8', '>= 2.0.4'
+  end
+  gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
+end
+
+# A gem necessary for ActiveRecord tests with IBM DB
+gem 'ibm_db' if ENV['IBM_DB']

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock

@@ -0,0 +1,154 @@
+PATH
+  remote: .
+  specs:
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
+      arel (~> 5.0.0)
+    activesupport (4.1.15)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.15)
+      sprockets-rails (~> 2.0)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (5.0.1.20140414130214)
+    bcrypt (3.1.10)
+    benchmark-ips (2.3.0)
+    builder (3.2.2)
+    coffee-rails (4.0.1)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.10.0)
+    dalli (2.7.5)
+    erubis (2.7.0)
+    execjs (2.6.0)
+    i18n (0.7.0)
+    jquery-rails (3.1.4)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.3)
+    kindlerb (0.1.1)
+      mustache
+      nokogiri
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.3.3)
+    mocha (0.14.0)
+      metaclass (~> 0.0.1)
+    mustache (0.99.8)
+    mysql (2.9.1)
+    mysql2 (0.3.20)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    pg (0.18.4)
+    racc (1.4.14)
+    rack (1.5.5)
+    rack-cache (1.5.1)
+      rack (>= 0.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
+    redcarpet (2.2.2)
+    ruby-prof (0.11.3)
+    sdoc (0.4.1)
+      json (~> 1.7, >= 1.7.7)
+      rdoc (~> 4.0)
+    sprockets (3.0.3)
+      rack (~> 1.0)
+    sprockets-rails (2.3.3)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.11)
+    stackprof (0.2.8)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.2)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+    w3c_validators (1.2)
+      json
+      nokogiri
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbcmysql-adapter (>= 1.3.0)
+  activerecord-jdbcpostgresql-adapter (>= 1.3.0)
+  activerecord-jdbcsqlite3-adapter (>= 1.3.0)
+  bcrypt (~> 3.1.7)
+  benchmark-ips
+  coffee-rails (~> 4.0.0)
+  dalli (>= 2.2.1)
+  jquery-rails (~> 3.1.0)
+  json
+  kindlerb (= 0.1.1)
+  minitest (< 5.3.4)
+  mocha (~> 0.14)
+  mustache (~> 0.99.8)
+  mysql (>= 2.9.0)
+  mysql2 (>= 0.3.13, < 0.4)
+  nokogiri (>= 1.4.5)
+  pg (>= 0.11.0)
+  racc (>= 1.4.6)
+  rack-cache (~> 1.2)
+  rails!
+  redcarpet (~> 2.2.2)
+  ruby-prof (~> 0.11.2)
+  sdoc (~> 0.4.0)
+  sprockets (~> 3.0.0.rc.1)
+  sqlite3 (~> 1.3.6)
+  stackprof
+  turbolinks
+  uglifier (>= 1.3.0)
+  w3c_validators
+
+BUNDLED WITH
+   1.11.2

dependency-check-maven/pom.xml

@@ -20,12 +20,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
-
     <name>Dependency-Check Maven Plugin</name>
     <description>dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
     <inceptionYear>2013</inceptionYear>
@@ -88,6 +87,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
@@ -204,6 +204,10 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <groupId>org.apache.maven.reporting</groupId>
             <artifactId>maven-reporting-api</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.sonatype.plexus</groupId>
+            <artifactId>plexus-sec-dispatcher</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.jmockit</groupId>
             <artifactId>jmockit</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.Settings;
         name = "aggregate",
         defaultPhase = LifecyclePhase.VERIFY,
         /*aggregator = true,*/
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )
@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
     public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
 
-        if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        //if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        if (getProject() == getLastProject()) {
 
             //ensure that the .ser file was created for each.
             for (MavenProject current : getReactorProjects()) {
                 final File dataFile = getDataFile(current);
-                if (dataFile == null) { //dc was never run on this project. write the ser to the target.
+                if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
                     getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
                             + "the check but dependencies may be missed resulting in false negatives.", current.getName()));
                     generateDataFile(engine, current);
@@ -107,7 +108,7 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
                         getLog().debug(String.format("Dependency count post-bundler: %s", engine.getDependencies().size()));
                     }
                 } catch (AnalysisException ex) {
-                    getLog().warn("An error occured grouping the dependencies; duplicate entries may exist in the report", ex);
+                    getLog().warn("An error occurred grouping the dependencies; duplicate entries may exist in the report", ex);
                     getLog().debug("Bundling Exception", ex);
                 }
 
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         Settings.cleanup();
     }
 
+    /**
+     * Gets the last project in the reactor - taking into account skipped projects.
+     *
+     * @return the last project in the reactor
+     */
+    private MavenProject getLastProject() {
+        for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
+            final MavenProject p = getReactorProjects().get(x);
+            if (!skipProject(p)) {
+                return p;
+            }
+
+        }
+        return null;
+    }
+
+    /**
+     * Tests if the project is being skipped in the Maven site report.
+     *
+     * @param project a project in the reactor
+     * @return true if the project is skipped; otherwise false
+     */
+    private boolean skipProject(MavenProject project) {
+        final String skip = (String) project.getProperties().get("maven.site.skip");
+        return "true".equalsIgnoreCase(skip) && isGeneratingSite();
+    }
+
     /**
      * Returns a set containing all the descendant projects of the given project.
      *

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.util.List;
 import java.util.Locale;
@@ -33,11 +32,13 @@ import org.apache.maven.doxia.sink.Sink;
 import org.apache.maven.plugin.AbstractMojo;
 import org.apache.maven.plugin.MojoExecutionException;
 import org.apache.maven.plugin.MojoFailureException;
+import org.apache.maven.plugins.annotations.Component;
 import org.apache.maven.plugins.annotations.Parameter;
 import org.apache.maven.project.MavenProject;
 import org.apache.maven.reporting.MavenReport;
 import org.apache.maven.reporting.MavenReportException;
 import org.apache.maven.settings.Proxy;
+import org.apache.maven.settings.Server;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
@@ -47,7 +48,11 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
 import org.owasp.dependencycheck.utils.Settings;
+import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
+import org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException;
 
 /**
  *
@@ -105,7 +110,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * is true.
      */
     @SuppressWarnings("CanBeFinal")
-    @Parameter(property = "autoupdate")
+    @Parameter(property = "autoUpdate")
     private Boolean autoUpdate;
     /**
      * Generate aggregate reports in multi-module projects.
@@ -262,6 +267,21 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Parameter(property = "databaseDriverPath", defaultValue = "", required = false)
     private String databaseDriverPath;
+    /**
+     * The server id in the settings.xml; used to retrieve encrypted passwords from the settings.xml.
+     */
+    @Parameter(property = "serverId", defaultValue = "", required = false)
+    private String serverId;
+    /**
+     * A reference to the settings.xml settings.
+     */
+    @Parameter(defaultValue = "${settings}", readonly = true, required = true)
+    private org.apache.maven.settings.Settings settingsXml;
+    /**
+     * The security dispatcher that can decrypt passwords in the settings.xml.
+     */
+    @Component(role = SecDispatcher.class, hint = "default")
+    private SecDispatcher securityDispatcher;
     /**
      * The database user name.
      */
@@ -367,6 +387,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Override
     public void execute() throws MojoExecutionException, MojoFailureException {
+        generatingSite = false;
         if (skip) {
             getLog().info("Skipping " + getName(Locale.US));
         } else {
@@ -404,6 +425,20 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         generate((Sink) sink, locale);
     }
 
+    /**
+     * A flag indicating whether or not the maven site is being generated.
+     */
+    private boolean generatingSite = false;
+
+    /**
+     * Returns true if the Maven site is being generated.
+     *
+     * @return true if the Maven site is being generated
+     */
+    protected boolean isGeneratingSite() {
+        return generatingSite;
+    }
+
     /**
      * Generates the Dependency-Check Site Report.
      *
@@ -412,6 +447,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MavenReportException if a maven report exception occurs
      */
     public void generate(Sink sink, Locale locale) throws MavenReportException {
+        generatingSite = true;
         try {
             validateAggregate();
         } catch (MojoExecutionException ex) {
@@ -647,6 +683,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             final String password = proxy.getPassword();
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
+            Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
         }
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
@@ -677,9 +714,49 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+
+        if (databaseUser == null && databasePassword == null && serverId != null) {
+            final Server server = settingsXml.getServer(serverId);
+            if (server != null) {
+                databaseUser = server.getUsername();
+                try {
+                    //The following fix was copied from:
+                    //   https://github.com/bsorrentino/maven-confluence-plugin/blob/master/maven-confluence-reporting-plugin/src/main/java/org/bsc/maven/confluence/plugin/AbstractBaseConfluenceMojo.java
+                    //
+                    // FIX to resolve
+                    // org.sonatype.plexus.components.sec.dispatcher.SecDispatcherException:
+                    // java.io.FileNotFoundException: ~/.settings-security.xml (No such file or directory)
+                    //
+                    if (securityDispatcher instanceof DefaultSecDispatcher) {
+                        ((DefaultSecDispatcher) securityDispatcher).setConfigurationFile("~/.m2/settings-security.xml");
+                    }
+
+                    databasePassword = securityDispatcher.decrypt(server.getPassword());
+                } catch (SecDispatcherException ex) {
+                    if (ex.getCause() instanceof FileNotFoundException
+                            || (ex.getCause() != null && ex.getCause().getCause() instanceof FileNotFoundException)) {
+                        //maybe its not encrypted?
+                        final String tmp = server.getPassword();
+                        if (tmp.startsWith("{") && tmp.endsWith("}")) {
+                            getLog().error(String.format(
+                                    "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                    serverId, ex.getMessage()));
+                        } else {
+                            databasePassword = tmp;
+                        }
+                    } else {
+                        getLog().error(String.format(
+                                "Unable to decrypt the server password for server id '%s' in settings.xml%n\tCause: %s",
+                                serverId, ex.getMessage()));
+                    }
+                }
+            } else {
+                getLog().error(String.format("Server '%s' not found in the settings.xml file", serverId));
+            }
+        }
+
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
         Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-
         Settings.setStringIfNotEmpty(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
@@ -974,9 +1051,27 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         }
         List<Dependency> ret = null;
         final String path = (String) oPath;
-        ObjectInputStream ois = null;
+        //ObjectInputStream ois = null;
+        ExpectedOjectInputStream ois = null;
         try {
-            ois = new ObjectInputStream(new FileInputStream(path));
+            //ois = new ObjectInputStream(new FileInputStream(path));
+            ois = new ExpectedOjectInputStream(new FileInputStream(path),
+                    "java.util.ArrayList",
+                    "java.util.HashSet",
+                    "java.util.TreeSet",
+                    "java.lang.AbstractSet",
+                    "java.lang.AbstractCollection",
+                    "java.lang.Enum",
+                    "org.owasp.dependencycheck.dependency.Confidence",
+                    "org.owasp.dependencycheck.dependency.Dependency",
+                    "org.owasp.dependencycheck.dependency.Evidence",
+                    "org.owasp.dependencycheck.dependency.EvidenceCollection",
+                    "org.owasp.dependencycheck.dependency.Identifier",
+                    "org.owasp.dependencycheck.dependency.Reference",
+                    "org.owasp.dependencycheck.dependency.Vulnerability",
+                    "org.owasp.dependencycheck.dependency.VulnerabilityComparator",
+                    "org.owasp.dependencycheck.dependency.VulnerableSoftware",
+                    "org.owasp.dependencycheck.data.cpe.IndexEntry");
             ret = (List<Dependency>) ois.readObject();
         } catch (FileNotFoundException ex) {
             //TODO fix logging

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/CheckMojo.java

@@ -36,7 +36,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "check",
         defaultPhase = LifecyclePhase.VERIFY,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.COMPILE_PLUS_RUNTIME,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/PurgeMojo.java

@@ -35,7 +35,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "purge",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/UpdateMojo.java

@@ -34,7 +34,7 @@ import org.owasp.dependencycheck.utils.Settings;
 @Mojo(
         name = "update-only",
         defaultPhase = LifecyclePhase.GENERATE_RESOURCES,
-        threadSafe = true,
+        threadSafe = false,
         requiresDependencyResolution = ResolutionScope.NONE,
         requiresOnline = true
 )

dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
- * information returned by this class.
+ * returned by this class.
  *
  * @author colezlaw
  */

dependency-check-maven/src/main/resources/mojo.properties

@@ -1,2 +1,2 @@
 # the path to the data directory
-data.directory=[JAR]/../../dependency-check-data
+data.directory=[JAR]/../../dependency-check-data/3.0

dependency-check-maven/src/site/markdown/configuration.md

@@ -3,7 +3,7 @@ Goals
 
 Goal        | Description
 ------------|-----------------------
-aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report.
+aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
 check       | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
 purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.
@@ -71,6 +71,7 @@ dataDirectory        | Sets the data directory to hold SQL CVEs contents. This s
 databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    |  
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. |  
 connectionString     | The connection string used to connect to the database.                                      |  
+serverId             | The id of a server defined in the settings.xml; this can be used to encrypt the database password. See [password encryption](http://maven.apache.org/guides/mini/guide-encryption.html) for more information. |  
 databaseUser         | The username used when connecting to the database.                                          |  
 databasePassword     | The password used when connecting to the database.                                          |  
 metaFileName         | Sets the name of the file to use for storing the metadata about the project.                | dependency-check.ser

dependency-check-maven/src/site/markdown/index.md.vm

@@ -156,8 +156,8 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${project.version}</version>
                 <configuration>
-                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
+                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-Modified.xml.gz</cveUrl12Modified>
-                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
+                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-Modified.xml.gz</cveUrl20Modified>
                     <cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
                     <cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
                 </configuration>

dependency-check-utils/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.2</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -77,6 +77,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
@@ -139,6 +140,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.InflaterInputStream;
 
 import static java.lang.String.format;
-import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
-import static org.owasp.dependencycheck.utils.Settings.getBoolean;
 
 /**
  * A utility to download files from the Internet.
@@ -243,6 +241,16 @@ public final class Downloader {
                 throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
             } catch (IOException ex) {
                 analyzeException(ex);
+                try {
+                    //retry
+                    if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
+                        Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+                        return getLastModified(url);
+                    }
+                } catch (InvalidSettingException ex1) {
+                    LOGGER.debug("invalid setting?", ex);
+                }
+
                 throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
             } finally {
                 if (conn != null) {
@@ -300,7 +308,7 @@ public final class Downloader {
         boolean quickQuery;
 
         try {
-            quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+            quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
         } catch (InvalidSettingException e) {
             quickQuery = true;
         }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * An ObjectInputStream that will only deserialize expected classes.
+ *
+ * @author Jeremy Long
+ */
+public class ExpectedOjectInputStream extends ObjectInputStream {
+
+    /**
+     * The list of fully qualified class names that are able to be deserialized.
+     */
+    private List<String> expected = new ArrayList<String>();
+
+    /**
+     * Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
+     * that can deserialized to a known set of expected classes.
+     *
+     * @param inputStream the input stream that contains the object to deserialize
+     * @param expected the fully qualified class names of the classes that can be deserialized
+     * @throws IOException thrown if there is an error reading from the stream
+     */
+    public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
+        super(inputStream);
+        this.expected.addAll(Arrays.asList(expected));
+    }
+
+    /**
+     * Only deserialize instances of expected classes by validating the class name prior to deserialization.
+     *
+     * @param desc the class from the object stream to validate
+     * @return the resolved class
+     * @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
+     * reading from the stream
+     * @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
+     */
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        if (!this.expected.contains(desc.getName())) {
+            throw new InvalidClassException("Unexpected deserialization ", desc.getName());
+        }
+        return super.resolveClass(desc);
+    }
+}

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -165,6 +165,10 @@ public final class Settings {
          * The properties key for the proxy password.
          */
         public static final String PROXY_PASSWORD = "proxy.password";
+        /**
+         * The properties key for the non proxy hosts.
+         */
+        public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
         /**
          * The properties key for the connection timeout.
          */
@@ -523,8 +527,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
      * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
@@ -548,7 +552,7 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
      * Note: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
@@ -573,8 +577,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param stream an Input Stream pointing at a properties file to merge
      * @throws IOException is thrown when there is an exception loading/merging the properties
@@ -739,7 +743,9 @@ public final class Settings {
         try {
             value = Integer.parseInt(Settings.getString(key));
         } catch (NumberFormatException ex) {
-            LOGGER.trace("Could not convert property '{}' to an int.", key, ex);
+            if (!Settings.getString(key, "").isEmpty()) {
+                LOGGER.debug("Could not convert property '{}={}' to an int; using {} instead.", key, Settings.getString(key), defaultValue);
+            }
             value = defaultValue;
         }
         return value;

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java

@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.utils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.lang3.StringUtils;
+
 import java.io.IOException;
 import java.net.Authenticator;
 import java.net.HttpURLConnection;
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
     public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
         HttpURLConnection conn = null;
         final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+
         try {
-            if (proxyUrl != null) {
+            if (proxyUrl != null && !matchNonProxy(url)) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
 
                 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
                 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
+
                 if (username != null && password != null) {
                     final Authenticator auth = new Authenticator() {
                         @Override
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
         return conn;
     }
 
+    /**
+     * Check if hostname matches nonProxy settings
+     *
+     * @param url the url to connect to
+     * @return matching result. true: match nonProxy
+     */
+    private static boolean matchNonProxy(final URL url) {
+        final String host = url.getHost();
+
+        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
+        final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
+        if (null != nonProxyHosts) {
+            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
+            for (final String nonProxyHost : nonProxies) {
+                //if ( StringUtils.contains( nonProxyHost, "*" ) )
+                if (null != nonProxyHost && nonProxyHost.contains("*")) {
+                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
+                    final int pos = nonProxyHost.indexOf('*');
+                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
+                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
+                    // prefix*
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // *suffix
+                    if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // prefix*suffix
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
+                            && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                } else if (host.equals(nonProxyHost)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
      * configured but we don't want to use it (for example, if there's an internal repository configured)

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java

@@ -0,0 +1,96 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ExpectedOjectInputStreamTest {
+
+    public ExpectedOjectInputStreamTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test
+    public void testResolveClass() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
+        instance.readObject();
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test(expected = java.io.InvalidClassException.class)
+    public void testResolveClassException() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
+        instance.readObject();
+    }
+}

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java

@@ -139,6 +139,18 @@ public class SettingsTest extends BaseTest {
         Assert.assertEquals(expResult, result);
     }
 
+    /**
+     * Test of getInt method, of class Settings.
+     */
+    @Test
+    public void testGetIntDefault() throws InvalidSettingException {
+        String key = "SomeKey";
+        int expResult = 85;
+        Settings.setString(key, "blue");
+        int result = Settings.getInt(key, expResult);
+        Assert.assertEquals(expResult, result);
+    }
+
     /**
      * Test of getLong method, of class Settings.
      */

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SimplePojo.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2016 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.Serializable;
+
+/**
+ * Simple pojo used to test the ExpectedObjectInputStream.
+ *
+ * @author jeremy
+ */
+public class SimplePojo implements Serializable {
+
+    public String s = "3";
+    public Integer i = 3;
+}

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.3.2</version>
+    <version>1.3.6</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -125,11 +125,11 @@ Copyright (c) 2012 - Jeremy Long
         <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
         thus, we cannot upgrade beyond 4.7.2 -->
         <apache.lucene.version>4.7.2</apache.lucene.version>
-        <slf4j.version>1.7.13</slf4j.version>
+        <slf4j.version>1.7.21</slf4j.version>
-        <logback.version>1.1.3</logback.version>
+        <logback.version>1.1.7</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
-        <reporting.pmd-plugin.version>3.5</reporting.pmd-plugin.version>
+        <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
     </properties>
     <distributionManagement>
         <snapshotRepository>
@@ -170,12 +170,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-clean-plugin</artifactId>
-                    <version>2.6.1</version>
+                    <version>3.0.0</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.3</version>
+                    <version>3.5.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -195,7 +195,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-failsafe-plugin</artifactId>
-                    <version>2.19</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -225,12 +225,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-site-plugin</artifactId>
-                    <version>3.4</version>
+                    <version>3.5</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-surefire-plugin</artifactId>
-                    <version>2.18.1</version>
+                    <version>2.19.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -240,12 +240,12 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-source-plugin</artifactId>
-                    <version>2.2.1</version>
+                    <version>2.4</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-javadoc-plugin</artifactId>
-                    <version>2.9.1</version>
+                    <version>2.10.3</version>
                 </plugin>
             </plugins>
         </pluginManagement>
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
                     <dependency>
                         <groupId>org.apache.maven.doxia</groupId>
                         <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.6</version>
+                        <version>1.7</version>
                     </dependency>
                 </dependencies>
                 <configuration>
@@ -445,7 +445,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-project-info-reports-plugin</artifactId>
-                <version>2.8.1</version>
+                <version>2.9</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -472,7 +472,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-report-plugin</artifactId>
-                <version>2.19</version>
+                <version>2.19.1</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -496,7 +496,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>findbugs-maven-plugin</artifactId>
-                <version>3.0.2</version>
+                <version>3.0.3</version>
             </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
@@ -562,12 +562,13 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-lang3</artifactId>
-                <version>3.4</version>
+                <!--upgrading beyond this may cause issues with the Jenkins plugin-->
+                <version>3.3.2</version>
             </dependency>
             <dependency>
                 <groupId>com.sun.mail</groupId>
                 <artifactId>mailapi</artifactId>
-                <version>1.5.4</version>
+                <version>1.5.5</version>
             </dependency>
             <dependency>
                 <groupId>ch.qos.logback</groupId>
@@ -588,7 +589,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-compress</artifactId>
-                <version>1.10</version>
+                <version>1.11</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.ant</groupId>
@@ -635,11 +636,6 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-settings</artifactId>
                 <version>3.3.3</version>
             </dependency>
-            <dependency>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.4</version>
-            </dependency>
             <dependency>
                 <groupId>org.apache.maven.plugin-testing</groupId>
                 <artifactId>maven-plugin-testing-harness</artifactId>
@@ -655,11 +651,22 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-reporting-api</artifactId>
                 <version>3.0</version>
             </dependency>
+            <!-- Upgrading transitive commons-collections-3.2.1 from velocity-1.7. -->
+            <dependency>
+                <groupId>commons-collections</groupId>
+                <artifactId>commons-collections</artifactId>
+                <version>3.2.2</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.velocity</groupId>
                 <artifactId>velocity</artifactId>
                 <version>1.7</version>
             </dependency>
+            <dependency>
+                <groupId>org.sonatype.plexus</groupId>
+                <artifactId>plexus-sec-dispatcher</artifactId>
+                <version>1.4</version>
+            </dependency>
             <dependency>
                 <groupId>org.glassfish</groupId>
                 <artifactId>javax.json</artifactId>
@@ -674,7 +681,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.jmockit</groupId>
                 <artifactId>jmockit</artifactId>
-                <version>1.20</version>
+                <version>1.22</version>
                 <scope>test</scope>
             </dependency>
             <dependency>

src/main/config/checkstyle-checks.xml

@@ -28,9 +28,10 @@
         <property name="allowLegacy" value="false"/>
     </module>
 
-    <module name="Translation">
+    <!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
+    <!--module name="Translation">
         <property name="severity" value="warning"/>
-    </module>
+    </module-->
 
     <module name="FileTabCharacter">
         <property name="eachLine" value="false"/>