v1.3.5

Upgrade for Maven Site Plugin 3.5

README.md

@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
  * returned by this class.
  *
  * @author colezlaw

dependency-check-ant/src/site/site.xml

@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="dependency-check" href="../index.html"/>
         </breadcrumbs>
         <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
             <item name="Configuration" href="configuration.html"/>
         </menu>
         <menu ref="reports" />

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -454,6 +454,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.0</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
  *
  * <h2>Example:</h2>
  * <pre>
- * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
  * scan.execute();
  * </pre>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
      * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
-     *
-     * @return the file filter used to determine which files are to be analyzed
-     * <p/>
      * <p>
      * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
      * loaded.</p>
+     *
+     * @return the file filter used to determine which files are to be analyzed
      */
     protected abstract FileFilter getFileFilter();
 
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
      * declaration.</p>
-     * <p/>
      * <p>
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
  * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
  * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
  */
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -35,21 +35,19 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
  * <p>
  * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
- * <p/>
  * <p>
  * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
  * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
  * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -481,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -44,27 +44,27 @@ import java.security.MessageDigest;
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
 
     /**
-     * The analyzer name
+     * The analyzer name.
      */
     private static final String ANALYZER_NAME = "Composer.lock analyzer";
 
     /**
-     * composer.json
+     * composer.json.
      */
     private static final String COMPOSER_LOCK = "composer.lock";
 
     /**
-     * The FileFilter
+     * The FileFilter.
      */
     private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
 
     /**
-     * Returns the FileFilter
+     * Returns the FileFilter.
      *
      * @return the FileFilter
      */
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Initializes the analyzer
+     * Initializes the analyzer.
      *
-     * @throws Exception
+     * @throws Exception thrown if an exception occurs getting an instance of SHA1
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws Exception {
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * The MessageDigest for calculating a new digest for the new dependencies added
+     * The MessageDigest for calculating a new digest for the new dependencies added.
      */
     private MessageDigest sha1 = null;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
             final Manifest manifest = jar.getManifest();
-
             if (manifest == null) {
                 //don't log this for javadoc or sources jar files
                 if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 }
                 return false;
             }
-            final Attributes atts = manifest.getMainAttributes();
-
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
 
-            final String source = "Manifest";
+            String source = "Manifest";
-
             String specificationVersion = null;
             boolean hasImplementationVersion = false;
 
+            Attributes atts = manifest.getMainAttributes();
             for (Entry<Object, Object> entry : atts.entrySet()) {
                 String key = entry.getKey().toString();
                 String value = atts.getValue(key);
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 //                    addMatchingValues(classInformation, value, productEvidence);
                 } else {
                     key = key.toLowerCase();
-
                     if (!IGNORE_KEYS.contains(key)
                             && !key.endsWith("jdk")
                             && !key.contains("lastmodified")
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                         foundSomething = true;
                         if (key.contains("version")) {
                             if (!key.contains("specification")) {
-                                //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
-                                //} else {
                                 versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                             }
                         } else if ("build-id".equals(key)) {
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     }
                 }
             }
+
+            final Map<String, Attributes> entries = manifest.getEntries();
+            for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
+                final String name = it.next();
+                source = "manifest: " + name;
+                atts = entries.get(name);
+                for (Entry<Object, Object> entry : atts.entrySet()) {
+                    final String key = entry.getKey().toString();
+                    final String value = atts.getValue(key);
+                    if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+                        foundSomething = true;
+                        versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
+                        foundSomething = true;
+                        vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, vendorEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    }
+                }
+            }
             if (specificationVersion != null && !hasImplementationVersion) {
                 foundSomething = true;
-                versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+                versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
             }
         } finally {
             if (jar != null) {
@@ -1011,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final String text = value.toLowerCase();
         for (ClassNameInformation cni : classes) {
             for (String key : cni.getPackageStructure()) {
-                if (text.contains(key)) { //note, package structure elements are already lowercase.
+                final Pattern p = Pattern.compile("\b" + key + "\b");
+                if (p.matcher(text).find()) {
+                    //if (text.contains(key)) { //note, package structure elements are already lowercase.
                     evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -43,7 +43,7 @@ import javax.json.JsonValue;
  * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
  * associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze OpenSSL source code present in the file system.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
  * to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -35,7 +35,7 @@ import java.util.*;
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
+ * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
- * Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
+ * expressions are used to parse the well-defined Ruby syntax that forms the specification.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     private static final String GEMSPEC = "gemspec";
 
-    private static final FileFilter FILTER =
+    private static final FileFilter FILTER
-            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+            = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
 
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The capture group #1 is the block variable.
      */
-    private static final Pattern GEMSPEC_BLOCK_INIT =
+    private static final Pattern GEMSPEC_BLOCK_INIT
-            Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+            = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private void addListEvidence(EvidenceCollection evidences, String contents,
-                                 String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
         if (matcher.find()) {
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private String addStringEvidence(EvidenceCollection evidences, String contents,
-                                     String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
         String value = "";

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes related to searching Maven Central.<br/><br/>
+ * Contains classes related to searching Maven Central.<br><br>
  *
  * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
      *
-     * @return a HashMap of CWE entries <String, String>
+     * @return a HashMap of CWE entries &lt;String, String&gt;
      */
     public HashMap<String, String> getCwe() {
         return cwe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p>
  * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
  * <p>
- * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
+ * <b>Example:</b> "Spring Framework Core" -&gt; "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
  * <p>
  * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
  * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -&gt; "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long
  */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
+
     /**
      * Constructs a new VersionTokenizingFilter.
      *
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
-     * concatenating tokens with the previous token.
+     * tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to searching a Nexus repository.<br/><br/>
+ * Contains classes related to searching a Nexus repository.<br><br>
  *
  * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to parsing Nuget related files<br/><br/>
+ * Contains classes related to parsing Nuget related files<br><br>
  * These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
  */
 package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -276,10 +276,13 @@ public final class ConnectionFactory {
      * execute it against the database. The upgrade script must update the 'version' in the properties table.
      *
      * @param conn the database connection object
-     * @param schema the current schema version that is being upgraded
+     * @param appExpectedVersion the schema version that the application expects
+     * @param currentDbVersion the current schema version of the database
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
-    private static void updateSchema(Connection conn, String schema) throws DatabaseException {
+    private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
+            throws DatabaseException {
+
         final String databaseProductName;
         try {
             databaseProductName = conn.getMetaData().getDatabaseProductName();
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
             InputStream is = null;
             String updateFile = null;
             try {
-                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
                 is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
                 if (is == null) {
                     throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
                     statement = conn.createStatement();
                     final boolean success = statement.execute(dbStructureUpdate);
                     if (!success && statement.getUpdateCount() <= 0) {
-                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
+                                currentDbVersion.toString()));
                     }
                 } catch (SQLException ex) {
                     LOGGER.debug("", ex);
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
                 IOUtils.closeQuietly(is);
             }
         } else {
-            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
+            final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
-            throw new DatabaseException("Database schema is out of date");
+            final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
+            final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
+            final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+            if (e0 == c0 && e1 < c1) {
+                LOGGER.warn("A new version of dependency-check is available; consider upgrading");
+                Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            } else if (e0 == c0 && e1 == c1) {
+                //do nothing - not sure how we got here, but just incase...
+            } else {
+                LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
+                        UPGRADE_HELP_URL);
+                throw new DatabaseException("Database schema is out of date");
+            }
         }
     }
 
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                if (current.compareTo(db) > 0) {
+                if (appDbVersion.compareTo(db) > 0) {
                     LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
                     LOGGER.debug("DB Schema: {}", rs.getString(1));
-                    updateSchema(conn, rs.getString(1));
+                    updateSchema(conn, appDbVersion, db);
                     if (++callDepth < 10) {
                         ensureSchemaVersion(conn);
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -35,7 +35,6 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
-import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -69,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            if (checkUpdate()) {
+            boolean autoUpdate = true;
+            try {
+                autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+            } catch (InvalidSettingException ex) {
+                LOGGER.debug("Invalid setting for auto-update; using true.");
+            }
+            if (autoUpdate && checkUpdate()) {
                 final UpdateableNvdCve updateable = getUpdatesNeeded();
                 if (updateable.isUpdateNeeded()) {
                     performUpdate(updateable);
@@ -122,7 +127,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     }
 
     /**
-     * Checks the CPE Index to ensure documents exists.
+     * Checks the CVE Index to ensure data exists and analysis can continue.
+     *
+     * @return true if the database contains data
      */
     private boolean dataExists() {
         CveDB cve = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes used to parse the CPE XML file from NIST.<br/><br/>
+ * Contains classes used to parse the CPE XML file from NIST.<br><br>
  *
  * These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
  * we may consider pulling the more descriptive data from the CPE data in the future.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
@@ -176,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                 LOGGER.debug("", ex);
                 return null;
             }
-            if (url1.toExternalForm().endsWith(".xml.gz")) {
+            if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
                 extractGzip(first);
             }
-            if (url2.toExternalForm().endsWith(".xml.gz")) {
+            if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
                 extractGzip(second);
             }
 
             LOGGER.info("Download Complete for NVD CVE - {}  ({} ms)", nvdCveInfo.getId(),
-                System.currentTimeMillis() - startDownload);
+                    System.currentTimeMillis() - startDownload);
             if (this.processorService == null) {
                 return null;
             }
@@ -226,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         }
     }
 
+    /**
+     * Checks the file header to see if it is an XML file.
+     *
+     * @param file the file to check
+     * @return true if the file is XML
+     */
+    public static boolean isXml(File file) {
+        if (file == null || !file.isFile()) {
+            return false;
+        }
+        InputStream is = null;
+        try {
+            is = new FileInputStream(file);
+
+            final byte[] buf = new byte[5];
+            int read = 0;
+            try {
+                read = is.read(buf);
+            } catch (IOException ex) {
+                return false;
+            }
+            return read == 5
+                    && buf[0] == '<'
+                    && (buf[1] == '?')
+                    && (buf[2] == 'x' || buf[2] == 'X')
+                    && (buf[3] == 'm' || buf[3] == 'M')
+                    && (buf[4] == 'l' || buf[4] == 'L');
+        } catch (FileNotFoundException ex) {
+            return false;
+        } finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {
+                }
+            }
+        }
+    }
+
     /**
      * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java

@@ -1,4 +1,4 @@
 /**
- * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
+ * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
  */
 package org.owasp.dependencycheck.data.update.nvd;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes used to update the data stores.<br/><br/>
+ * Contains classes used to update the data stores.<br><br>
  *
  * The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
  * must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     }
 
     /**
-     * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
+     * Implementation of the Comparable&lt;Dependency&gt; interface. The comparison is solely based on the file path.
      *
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
         final Dependency other = (Dependency) obj;
         return new EqualsBuilder()
-            .appendSuper(super.equals(obj))
+                .appendSuper(super.equals(obj))
-            .append(this.actualFilePath, other.actualFilePath)
+                .append(this.actualFilePath, other.actualFilePath)
-            .append(this.filePath, other.filePath)
+                .append(this.filePath, other.filePath)
-            .append(this.fileName, other.fileName)
+                .append(this.fileName, other.fileName)
-            .append(this.md5sum, other.md5sum)
+                .append(this.md5sum, other.md5sum)
-            .append(this.sha1sum, other.sha1sum)
+                .append(this.sha1sum, other.sha1sum)
-            .append(this.identifiers, other.identifiers)
+                .append(this.identifiers, other.identifiers)
-            .append(this.vendorEvidence, other.vendorEvidence)
+                .append(this.vendorEvidence, other.vendorEvidence)
-            .append(this.productEvidence, other.productEvidence)
+                .append(this.productEvidence, other.productEvidence)
-            .append(this.versionEvidence, other.versionEvidence)
+                .append(this.versionEvidence, other.versionEvidence)
-            .append(this.description, other.description)
+                .append(this.description, other.description)
-            .append(this.license, other.license)
+                .append(this.license, other.license)
-            .append(this.vulnerabilities, other.vulnerabilities)
+                .append(this.vulnerabilities, other.vulnerabilities)
-            //.append(this.relatedDependencies, other.relatedDependencies)
+                //.append(this.relatedDependencies, other.relatedDependencies)
-            .append(this.projectReferences, other.projectReferences)
+                .append(this.projectReferences, other.projectReferences)
-            .append(this.availableVersions, other.availableVersions)
+                .append(this.availableVersions, other.availableVersions)
-            .isEquals();
+                .isEquals();
     }
 
     /**
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     @Override
     public int hashCode() {
         return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
-            .append(actualFilePath)
+                .append(actualFilePath)
-            .append(filePath)
+                .append(filePath)
-            .append(fileName)
+                .append(fileName)
-            .append(md5sum)
+                .append(md5sum)
-            .append(sha1sum)
+                .append(sha1sum)
-            .append(identifiers)
+                .append(identifiers)
-            .append(vendorEvidence)
+                .append(vendorEvidence)
-            .append(productEvidence)
+                .append(productEvidence)
-            .append(versionEvidence)
+                .append(versionEvidence)
-            .append(description)
+                .append(description)
-            .append(license)
+                .append(license)
-            .append(vulnerabilities)
+                .append(vulnerabilities)
-            //.append(relatedDependencies)
+                //.append(relatedDependencies)
-            .append(projectReferences)
+                .append(projectReferences)
-            .append(availableVersions)
+                .append(availableVersions)
-            .toHashCode();
+                .toHashCode();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Used to iterate over evidence of the specified confidence.
      *
      * @param confidence the confidence level for the evidence to be iterated over.
-     * @return Iterable<Evidence> an iterable collection of evidence
+     * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
         if (confidence == Confidence.HIGHEST) {
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
      * location.
      *
-     * @return Set<String>
+     * @return Set&lt;String&gt;
      */
     public Set<String> getWeighting() {
         return weightedStrings;
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Implements the iterator interface for the Evidence Collection.
      *
-     * @return an Iterator<Evidence>.
+     * @return an Iterator&lt;Evidence&gt;
      */
     @Override
     public Iterator<Evidence> iterator() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java

@@ -22,7 +22,7 @@ import java.io.IOException;
 /**
  * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class ScanAgentException extends IOException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
+ * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
- * logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
+ * that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
- * custom Velocity logger that redirects all velocity logging to the Java Logger class.
+ * redirects all velocity logging to the Java Logger class.
  * </p><p>
- * This class was written to address permission issues when using Dependency-Check in a server environment (such as the
+ * This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
- * Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
+ * plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
- * directory.</p>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class VelocityLoggerRedirect implements LogChute {
 
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
+     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
-     * values.
      *
      * @param level the logging level
      * @param message the message to be logged
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
+     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
-     * specified values.
+     * values.
      *
      * @param level the logging level
      * @param message the message to be logged

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
 
     /**
      * <p>
-     * A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
+     * A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
-     * Example:<br/>
+     * <pre>
-     * Give the file name: library-name-1.4.1r2-release.jar<br/>
+     * Example:
-     * This function would return: 1.4.1.r2</p>
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
      *
      * @param text the text being analyzed
      * @return a DependencyVersion containing the version

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java

@@ -40,7 +40,7 @@ import java.util.Set;
  *     FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
  * </pre>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
  */
 public class FileFilterBuilder {

dependency-check-core/src/main/resources/data/dbStatements_oracle.properties

@@ -0,0 +1 @@
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)

dependency-check-core/src/main/resources/data/initialize_oracle.sql

@@ -0,0 +1,109 @@
+-- Drop
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+
+CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+    description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+    cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+    cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+    CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE SEQUENCE cpeEntry_seq;
+CREATE SEQUENCE vulnerability_seq;
+
+CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
+BEFORE INSERT
+ON VULNERABILITY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := VULNERABILITY_SEQ.nextval;
+END VULNERABILITY_TRG;
+
+CREATE OR REPLACE TRIGGER CPEENTRY_TRG
+BEFORE INSERT
+ON CPEENTRY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := CPEENTRY_SEQ.nextval;
+END CPEENTRY_TRG;
+

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,6 +161,13 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        HK2-utils is flagged as glassfish.
+        ]]></notes>
+        <filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
@@ -233,6 +240,76 @@
             Note, there will be more false positives for Netty. Trying to figure out a better suppression.
         ]]></notes>
         <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
-        <cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
+        <cpe>cpe:/a:netty_project:netty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        JVM instrumentation to Ganglia
+        ]]></notes>
+        <gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        A reporter for Metrics which announces measurements to a Ganglia cluster
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
+        <cpe>cpe:/a:apache:httpclient</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        false positive in drop wizard
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:tiger:tiger</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        php cpe
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
+        <cpe>cpe:/a:class:class</cpe>
     </suppress>
 </suppressions>

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java

@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 /**
- * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
+ * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
- * obtained from outside open source software projects. Links to those projects
+ * Links to those projects are given below.
- * are given below.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
- * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
+ * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
- *      Project</a>
  * @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
  * @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
  */
 public class AutoconfAnalyzerTest extends BaseTest {
 
-	/**
+    /**
-	 * The analyzer to test.
+     * The analyzer to test.
-	 */
+     */
-	AutoconfAnalyzer analyzer;
+    AutoconfAnalyzer analyzer;
 
-	private void assertCommonEvidence(Dependency result, String product,
+    private void assertCommonEvidence(Dependency result, String product,
-			String version, String vendor) {
+            String version, String vendor) {
-		assertProductAndVersion(result, product, version);
+        assertProductAndVersion(result, product, version);
-		assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
+        assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
-				result.getVendorEvidence().toString().contains(vendor));
+                result.getVendorEvidence().toString().contains(vendor));
-	}
+    }
 
-	private void assertProductAndVersion(Dependency result, String product,
+    private void assertProductAndVersion(Dependency result, String product,
-			String version) {
+            String version) {
-		assertTrue("Expected product evidence to contain \"" + product + "\".",
+        assertTrue("Expected product evidence to contain \"" + product + "\".",
-				result.getProductEvidence().toString().contains(product));
+                result.getProductEvidence().toString().contains(product));
-		assertTrue("Expected version evidence to contain \"" + version + "\".",
+        assertTrue("Expected version evidence to contain \"" + version + "\".",
-				result.getVersionEvidence().toString().contains(version));
+                result.getVersionEvidence().toString().contains(version));
-	}
+    }
 
-	/**
+    /**
-	 * Correctly setup the analyzer for testing.
+     * Correctly setup the analyzer for testing.
-	 *
+     *
-	 * @throws Exception
+     * @throws Exception thrown if there is a problem
-	 *             thrown if there is a problem
+     */
-	 */
+    @Before
-	@Before
+    public void setUp() throws Exception {
-	public void setUp() throws Exception {
+        analyzer = new AutoconfAnalyzer();
-		analyzer = new AutoconfAnalyzer();
+        analyzer.setFilesMatched(true);
-		analyzer.setFilesMatched(true);
+        analyzer.initialize();
-		analyzer.initialize();
+    }
-	}
 
-	/**
+    /**
-	 * Cleanup the analyzer's temp files, etc.
+     * Cleanup the analyzer's temp files, etc.
-	 *
+     *
-	 * @throws Exception
+     * @throws Exception thrown if there is a problem
-	 *             thrown if there is a problem
+     */
-	 */
+    @After
-	@After
+    public void tearDown() throws Exception {
-	public void tearDown() throws Exception {
+        analyzer.close();
-		analyzer.close();
+        analyzer = null;
-		analyzer = null;
+    }
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from Ghostscript's
+     * Test whether expected evidence is gathered from Ghostscript's configure.ac.
-	 * configure.ac.
+     *
-	 *
+     * @throws AnalysisException is thrown when an exception occurs.
-	 * @throws AnalysisException
+     */
-	 *             is thrown when an exception occurs.
+    @Test
-	 */
+    public void testAnalyzeConfigureAC1() throws AnalysisException {
-	@Test
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-	public void testAnalyzeConfigureAC1() throws AnalysisException {
+                this, "autoconf/ghostscript/configure.ac"));
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+        analyzer.analyze(result, null);
-				this, "autoconf/ghostscript/configure.ac"));
+        assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-		analyzer.analyze(result, null);
+    }
-		assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from Readable's configure.ac.
+     * Test whether expected evidence is gathered from Readable's configure.ac.
-	 *
+     *
-	 * @throws AnalysisException
+     * @throws AnalysisException is thrown when an exception occurs.
-	 *             is thrown when an exception occurs.
+     */
-	 */
+    @Test
-	@Test
+    public void testAnalyzeConfigureAC2() throws AnalysisException {
-	public void testAnalyzeConfigureAC2() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure.ac"));
-				this, "autoconf/readable-code/configure.ac"));
+        analyzer.analyze(result, null);
-		analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
-		assertReadableCodeEvidence(result);
+    }
-	}
 
-	private void assertReadableCodeEvidence(final Dependency result) {
+    private void assertReadableCodeEvidence(final Dependency result) {
-		assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
+        assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
-		final String url = "http://readable.sourceforge.net/";
+        final String url = "http://readable.sourceforge.net/";
-		assertTrue("Expected product evidence to contain \"" + url + "\".",
+        assertTrue("Expected product evidence to contain \"" + url + "\".",
-				result.getVendorEvidence().toString().contains(url));
+                result.getVendorEvidence().toString().contains(url));
-	}
+    }
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from GNU Binutil's configure.
+     * Test whether expected evidence is gathered from GNU Binutil's configure.
-	 *
+     *
-	 * @throws AnalysisException
+     * @throws AnalysisException is thrown when an exception occurs.
-	 *             is thrown when an exception occurs.
+     */
-	 */
+    @Test
-	@Test
+    public void testAnalyzeConfigureScript() throws AnalysisException {
-	public void testAnalyzeConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/binutils/configure"));
-				this, "autoconf/binutils/configure"));
+        analyzer.analyze(result, null);
-		analyzer.analyze(result, null);
+        assertProductAndVersion(result, "binutils", "2.25.51");
-		assertProductAndVersion(result, "binutils", "2.25.51");
+    }
-	}
 
-	/**
+    /**
-	 * Test whether expected evidence is gathered from GNU Ghostscript's
+     * Test whether expected evidence is gathered from GNU Ghostscript's configure.
-	 * configure.
+     *
-	 *
+     * @throws AnalysisException is thrown when an exception occurs.
-	 * @throws AnalysisException
+     */
-	 *             is thrown when an exception occurs.
+    @Test
-	 */
+    public void testAnalyzeReadableConfigureScript() throws AnalysisException {
-	@Test
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-	public void testAnalyzeReadableConfigureScript() throws AnalysisException {
+                this, "autoconf/readable-code/configure"));
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+        analyzer.analyze(result, null);
-				this, "autoconf/readable-code/configure"));
+        assertReadableCodeEvidence(result);
-		analyzer.analyze(result, null);
+    }
-		assertReadableCodeEvidence(result);
-	}
 
-	/**
+    /**
-	 * Test of getName method, of {@link AutoconfAnalyzer}.
+     * Test of getName method, of {@link AutoconfAnalyzer}.
-	 */
+     */
-	@Test
+    @Test
-	public void testGetName() {
+    public void testGetName() {
-		assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
+        assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
-				analyzer.getName());
+                analyzer.getName());
-	}
+    }
 
-	/**
+    /**
-	 * Test of {@link AutoconfAnalyzer#accept(File)}.
+     * Test of {@link AutoconfAnalyzer#accept(File)}.
-	 */
+     */
-	@Test
+    @Test
-	public void testSupportsFileExtension() {
+    public void testSupportsFileExtension() {
-		assertTrue("Should support \"ac\" extension.",
+        assertTrue("Should support \"ac\" extension.",
-				analyzer.accept(new File("configure.ac")));
+                analyzer.accept(new File("configure.ac")));
-		assertTrue("Should support \"in\" extension.",
+        assertTrue("Should support \"in\" extension.",
-				analyzer.accept(new File("configure.in")));
+                analyzer.accept(new File("configure.in")));
-		assertTrue("Should support \"configure\" extension.",
+        assertTrue("Should support \"configure\" extension.",
-				analyzer.accept(new File("configure")));
+                analyzer.accept(new File("configure")));
-	}
+    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for CmakeAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
         assertEquals(expResult, result);
     }
 
+    @Test
+    public void testParseManifest() throws Exception {
+        File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
+        Dependency result = new Dependency(file);
+        JarAnalyzer instance = new JarAnalyzer();
+        List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
+        instance.parseManifest(result, cni);
+
+        assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
+    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java

@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for OpenSSLAnalyzerAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzerTest extends BaseTest {
 
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
 
     @Test
     public void testVersionConstantExamples() {
-        final long[] constants = {0x1000203fL
+        final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
-                , 0x00903000
-                , 0x00903001
-                , 0x00903002l
-                , 0x0090300f
-                , 0x0090301f
-                , 0x0090400f
-                , 0x102031af};
         final String[] versions = {"1.0.2c",
-                "0.9.3-dev",
+            "0.9.3-dev",
-                "0.9.3-beta1",
+            "0.9.3-beta1",
-                "0.9.3-beta2",
+            "0.9.3-beta2",
-                "0.9.3",
+            "0.9.3",
-                "0.9.3a",
+            "0.9.3a",
-                "0.9.4",
+            "0.9.4",
-                "1.2.3z"};
+            "1.2.3z"};
         assertEquals(constants.length, versions.length);
         for (int i = 0; i < constants.length; i++) {
             assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonDistributionAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -38,7 +38,7 @@ import static org.junit.Assert.assertThat;
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for {@link RubyGemspecAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java

@@ -17,47 +17,30 @@
  */
 package org.owasp.dependencycheck.data.update.nvd;
 
-import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
+import java.io.File;
-import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import org.junit.After;
 import org.junit.AfterClass;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DownloadTaskTest {
+public class DownloadTaskTest extends BaseTest {
 
     public DownloadTaskTest() {
     }
 
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-        Settings.initialize();
-    }
-
-    @After
-    public void tearDown() {
-        Settings.cleanup();
-    }
-
     /**
      * Test of call method, of class DownloadTask.
      */
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
         Future<ProcessTask> result = instance.call();
         assertNull(result);
     }
+
+    /**
+     * Test of isXml(file).
+     */
+    @Test
+    public void testIsXML() {
+        File f = getResourceAsFile(this, "nvdcve-modified.xml");
+        assertTrue(DownloadTask.isXml(f));
+        f = getResourceAsFile(this, "file.tar.gz");
+        assertFalse(DownloadTask.isXml(f));
+
+    }
 }

dependency-check-maven/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
     public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
 
-        if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        //if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        if (getProject() == getLastProject()) {
 
             //ensure that the .ser file was created for each.
             for (MavenProject current : getReactorProjects()) {
                 final File dataFile = getDataFile(current);
-                if (dataFile == null) { //dc was never run on this project. write the ser to the target.
+                if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
                     getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
                             + "the check but dependencies may be missed resulting in false negatives.", current.getName()));
                     generateDataFile(engine, current);
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         Settings.cleanup();
     }
 
+    /**
+     * Gets the last project in the reactor - taking into account skipped projects.
+     *
+     * @return the last projecct in the reactor
+     */
+    private MavenProject getLastProject() {
+        for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
+            final MavenProject p = getReactorProjects().get(x);
+            if (!skipProject(p)) {
+                return p;
+            }
+
+        }
+        return null;
+    }
+
+    /**
+     * Tests if the project is being skipped in the Maven site report.
+     *
+     * @param project a project in the reactor
+     * @return true if the project is skipped; otherwise false
+     */
+    private boolean skipProject(MavenProject project) {
+        final String skip = (String) project.getProperties().get("maven.site.skip");
+        return "true".equalsIgnoreCase(skip);
+    }
+
     /**
      * Returns a set containing all the descendant projects of the given project.
      *

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.util.List;
 import java.util.Locale;
@@ -49,6 +48,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
 import org.owasp.dependencycheck.utils.Settings;
 import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
 import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
@@ -667,6 +667,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             final String password = proxy.getPassword();
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
+            Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
         }
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
@@ -1034,9 +1035,26 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         }
         List<Dependency> ret = null;
         final String path = (String) oPath;
-        ObjectInputStream ois = null;
+        //ObjectInputStream ois = null;
+        ExpectedOjectInputStream ois = null;
         try {
-            ois = new ObjectInputStream(new FileInputStream(path));
+            //ois = new ObjectInputStream(new FileInputStream(path));
+            ois = new ExpectedOjectInputStream(new FileInputStream(path),
+                    "java.util.ArrayList",
+                    "java.util.HashSet",
+                    "java.util.TreeSet",
+                    "java.lang.AbstractSet",
+                    "java.lang.AbstractCollection",
+                    "java.lang.Enum",
+                    "org.owasp.dependencycheck.dependency.Confidence",
+                    "org.owasp.dependencycheck.dependency.Dependency",
+                    "org.owasp.dependencycheck.dependency.Evidence",
+                    "org.owasp.dependencycheck.dependency.EvidenceCollection",
+                    "org.owasp.dependencycheck.dependency.Identifier",
+                    "org.owasp.dependencycheck.dependency.Reference",
+                    "org.owasp.dependencycheck.dependency.Vulnerability",
+                    "org.owasp.dependencycheck.dependency.VulnerabilityComparator",
+                    "org.owasp.dependencycheck.dependency.VulnerableSoftware");
             ret = (List<Dependency>) ois.readObject();
         } catch (FileNotFoundException ex) {
             //TODO fix logging

dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
- * information returned by this class.
+ * returned by this class.
  *
  * @author colezlaw
  */

dependency-check-maven/src/site/markdown/configuration.md

@@ -3,7 +3,7 @@ Goals
 
 Goal        | Description
 ------------|-----------------------
-aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report.
+aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
 check       | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
 purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.

dependency-check-utils/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.5</version>
     </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -139,6 +139,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.InflaterInputStream;
 
 import static java.lang.String.format;
-import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
-import static org.owasp.dependencycheck.utils.Settings.getBoolean;
 
 /**
  * A utility to download files from the Internet.
@@ -243,6 +241,16 @@ public final class Downloader {
                 throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
             } catch (IOException ex) {
                 analyzeException(ex);
+                try {
+                    //retry
+                    if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
+                        Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+                        return getLastModified(url);
+                    }
+                } catch (InvalidSettingException ex1) {
+                    LOGGER.debug("invalid setting?", ex);
+                }
+
                 throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
             } finally {
                 if (conn != null) {
@@ -300,7 +308,7 @@ public final class Downloader {
         boolean quickQuery;
 
         try {
-            quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+            quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
         } catch (InvalidSettingException e) {
             quickQuery = true;
         }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * An ObjectInputStream that will only deserialize expected classes.
+ *
+ * @author Jeremy Long
+ */
+public class ExpectedOjectInputStream extends ObjectInputStream {
+
+    /**
+     * The list of fully qualified class names that are able to be deserialized.
+     */
+    private List<String> expected = new ArrayList<String>();
+
+    /**
+     * Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
+     * that can deserialized to a known set of expected classes.
+     *
+     * @param inputStream the input stream that contains the object to deserialize
+     * @param expected the fully qualified class names of the classes that can be deserialized
+     * @throws IOException thrown if there is an error reading from the stream
+     */
+    public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
+        super(inputStream);
+        this.expected.addAll(Arrays.asList(expected));
+    }
+
+    /**
+     * Only deserialize instances of expected classes by validating the class name prior to deserialization.
+     *
+     * @param desc the class from the object stream to validate
+     * @return the resolved class
+     * @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
+     * reading from the stream
+     * @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
+     */
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        if (!this.expected.contains(desc.getName())) {
+            throw new InvalidClassException("Unexpected deserialization", desc.getName());
+        }
+        return super.resolveClass(desc);
+    }
+}

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -165,6 +165,10 @@ public final class Settings {
          * The properties key for the proxy password.
          */
         public static final String PROXY_PASSWORD = "proxy.password";
+        /**
+         * The properties key for the non proxy hosts.
+         */
+        public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
         /**
          * The properties key for the connection timeout.
          */
@@ -523,8 +527,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
      * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
@@ -548,7 +552,7 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
      * Note: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
@@ -573,8 +577,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param stream an Input Stream pointing at a properties file to merge
      * @throws IOException is thrown when there is an exception loading/merging the properties

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java

@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.utils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.lang3.StringUtils;
+
 import java.io.IOException;
 import java.net.Authenticator;
 import java.net.HttpURLConnection;
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
     public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
         HttpURLConnection conn = null;
         final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+
         try {
-            if (proxyUrl != null) {
+            if (proxyUrl != null && !matchNonProxy(url)) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
 
                 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
                 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
+
                 if (username != null && password != null) {
                     final Authenticator auth = new Authenticator() {
                         @Override
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
         return conn;
     }
 
+    /**
+     * Check if hostname matches nonProxy settings
+     *
+     * @param url the url to connect to
+     * @return matching result. true: match nonProxy
+     */
+    private static boolean matchNonProxy(final URL url) {
+        final String host = url.getHost();
+
+        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
+        final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
+        if (null != nonProxyHosts) {
+            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
+            for (final String nonProxyHost : nonProxies) {
+                //if ( StringUtils.contains( nonProxyHost, "*" ) )
+                if (null != nonProxyHost && nonProxyHost.contains("*")) {
+                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
+                    final int pos = nonProxyHost.indexOf('*');
+                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
+                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
+                    // prefix*
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // *suffix
+                    if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // prefix*suffix
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
+                            && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                } else if (host.equals(nonProxyHost)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
      * configured but we don't want to use it (for example, if there's an internal repository configured)

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java

@@ -0,0 +1,96 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ExpectedOjectInputStreamTest {
+
+    public ExpectedOjectInputStreamTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test
+    public void testResolveClass() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
+        instance.readObject();
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test(expected = java.io.InvalidClassException.class)
+    public void testResolveClassException() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
+        instance.readObject();
+    }
+}

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SimplePojo.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2016 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.Serializable;
+
+/**
+ * Simple pojo used to test the ExpectedObjectInputStream.
+ *
+ * @author jeremy
+ */
+public class SimplePojo implements Serializable {
+
+    public String s = "3";
+    public Integer i = 3;
+}

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.3.4</version>
+    <version>1.3.5</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -125,8 +125,8 @@ Copyright (c) 2012 - Jeremy Long
         <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
         thus, we cannot upgrade beyond 4.7.2 -->
         <apache.lucene.version>4.7.2</apache.lucene.version>
-        <slf4j.version>1.7.13</slf4j.version>
+        <slf4j.version>1.7.16</slf4j.version>
-        <logback.version>1.1.3</logback.version>
+        <logback.version>1.1.5</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
         <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
@@ -175,7 +175,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.3</version>
+                    <version>3.5.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -225,7 +225,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-site-plugin</artifactId>
-                    <version>3.4</version>
+                    <version>3.5</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
                     <dependency>
                         <groupId>org.apache.maven.doxia</groupId>
                         <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.6</version>
+                        <version>1.7</version>
                     </dependency>
                 </dependencies>
                 <configuration>

src/main/config/checkstyle-checks.xml

@@ -28,9 +28,10 @@
         <property name="allowLegacy" value="false"/>
     </module>
 
-    <module name="Translation">
+    <!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
+    <!--module name="Translation">
         <property name="severity" value="warning"/>
-    </module>
+    </module-->
 
     <module name="FileTabCharacter">
         <property name="eachLine" value="false"/>

src/site/markdown/general/suppression.md

@@ -80,7 +80,7 @@ The full schema for suppression files can be found here: [suppression.xsd](https
 
 Please see the appropriate configuration option in each interfaces configuration guide:
 
--  [Command Line Tool](dependency-check-cli/arguments.html)
+-  [Command Line Tool](../dependency-check-cli/arguments.html)
--  [Maven Plugin](dependency-check-maven/configuration.html)
+-  [Maven Plugin](../dependency-check-maven/configuration.html)
--  [Ant Task](dependency-check-ant/configuration.html)
+-  [Ant Task](../dependency-check-ant/configuration.html)
--  [Jenkins Plugin](dependency-check-jenkins/index.html)
+-  [Jenkins Plugin](../dependency-check-jenkins/index.html)

src/site/site.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <skin>
         <groupId>org.apache.maven.skins</groupId>
         <artifactId>maven-fluido-skin</artifactId>
-        <version>1.4</version>
+        <version>1.5</version>
     </skin>
     <custom>
         <fluidoSkin>
@@ -65,9 +65,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 
     <body>
         <head>
-            <style type="text/css">
+            <![CDATA[<style type="text/css">
                 #bannerLeft { margin-top:-20px;margin-bottom:5px !important }
-            </style>
+            </style>]]>
         </head>
         <breadcrumbs>
             <item name=" " href="#"/>