version 1.3.6

Dependency Updates

README.md

@@ -108,7 +108,7 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2015 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
@@ -118,4 +118,4 @@ Dependency-Check makes use of several other open source libraries. Please see th
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
   [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
   [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

dependency-check-ant/README.md

@@ -1,134 +1,25 @@
-Dependency-Check-Gradle
+Dependency-Check Ant Task
 =========
 
-**Working in progress**
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-This is a DependencyCheck gradle plugin designed for project which use Gradle as build script.
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
 
-Dependency-Check is a utility that attempts to detect publicly disclosed vulnerabilities contained within project dependencies. It does this by determining if there is a Common Platform Enumeration (CPE) identifier for a given dependency. If found, it will generate a report linking to the associated CVE entries.
+Mailing List
+------------
 
-=========
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
 
-## What's New
-Current latest version is `0.0.8`
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
 
-## Usage
+Copyright & License
+-------------------
 
-### Step 1, Apply dependency check gradle plugin
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
 
-Install from Maven central repo
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
-```groovy
-buildscript {
-    repositories {
-        mavenCentral()
-    }
-    dependencies {
-        classpath 'org.owasp:dependency-check-gradle:1.3.2'
-    }
-}
-
-apply plugin: 'dependency-check-gradle'
-```
-
-### Step 2, Run gradle task
-
-Once gradle plugin applied, run following gradle task to check dependencies:
-
-```
-gradle dependencyCheck --info
-```
-
-The reports will be generated automatically under `./reports` folder.
-
-If your project includes multiple sub-projects, the report will be generated for each sub-project in different sub-directory.
-
-## FAQ
-
-> **Questions List:**
-> - What if I'm behind a proxy?
-> - What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-> - How to customize the report directory?
-
-### What if I'm behind a proxy?
-
-Maybe you have to use proxy to access internet, in this case, you could configure proxy settings for this plugin:
-
-```groovy
-dependencyCheck {
-    proxy {
-        server = "127.0.0.1"      // required, the server name or IP address of the proxy
-        port = 3128               // required, the port number of the proxy
-
-        // optional, the proxy server might require username
-        // username = "username"
-
-        // optional, the proxy server might require password
-        // password = "password"
-    }
-}
-```
-
-In addition, if the proxy only allow HTTP `GET` or `POST` methods, you will find that the update process will always fail,
- the root cause is that every time you run `dependencyCheck` task, it will try to query the latest timestamp to determine whether need to perform an update action,
- and for performance reason the HTTP method it uses by default is `HEAD`, which probably is disabled or not supported by the proxy. To avoid this problem, you can simply change the HTTP method by below configuration:
-
-```groovy
-dependencyCheck {
-    quickQueryTimestamp = false    // when set to false, it means use HTTP GET method to query timestamp. (default value is true)
-}
-```
-
-### What if my project includes multiple sub-project? How can I use this plugin for each of them including the root project?
-
-Try put 'apply plugin: "dependency-check"' inside the 'allprojects' or 'subprojects' if you'd like to check all sub-projects only, see below:
-
-(1) For all projects including root project:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-allprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-(2) For all sub-projects:
-
-```groovy
-buildscript {
-  repositories {
-    mavenCentral()
-  }
-  dependencies {
-    classpath "gradle.plugin.com.tools.security:dependency-check:0.0.8"
-  }
-}
-
-subprojects {
-    apply plugin: "dependency-check"
-}
-```
-
-In this way, the dependency check will be executed for all projects (including root project) or just sub projects.
-
-### How to customize the report directory?
-
-By default, all reports will be placed under `./reports` folder, to change the default directory, just modify it in the configuration section like this:
-
-```groovy
-subprojects {
-    apply plugin: "dependency-check"
-
-    dependencyCheck {
-        outputDirectory = "./customized-path/security-report"
-    }
-}
-```
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.

dependency-check-ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -256,6 +256,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>

dependency-check-ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,7 +23,7 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using information
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
  * returned by this class.
  *
  * @author colezlaw

dependency-check-ant/src/site/site.xml

@@ -27,7 +27,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
             <item name="dependency-check" href="../index.html"/>
         </breadcrumbs>
         <menu name="Getting Started">
-            <item name="Installation" href="installation.html"/>
+            <item name="Installation" href="index.html"/>
             <item name="Configuration" href="configuration.html"/>
         </menu>
         <menu ref="reports" />

dependency-check-cli/README.md

@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
 
 Mailing List
 ------------

dependency-check-cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -110,6 +110,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>cpe</name>

dependency-check-core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -178,6 +178,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
@@ -454,6 +455,13 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>xalan</groupId>
+            <artifactId>xalan</artifactId>
+            <version>2.7.0</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
     </dependencies>
     <profiles>
         <profile>

dependency-check-core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -41,7 +41,7 @@ import org.slf4j.LoggerFactory;
  *
  * <h2>Example:</h2>
  * <pre>
- * List<Dependency> dependencies = new ArrayList<Dependency>();
+ * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
  * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
  * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
@@ -55,7 +55,7 @@ import org.slf4j.LoggerFactory;
  * scan.execute();
  * </pre>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 @SuppressWarnings("unused")
 public class DependencyCheckScanAgent {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -104,12 +104,11 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Returns the {@link java.io.FileFilter} used to determine which files are to be analyzed. An example would be an analyzer
      * that inspected Java jar files. Implementors may use {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
-     *
-     * @return the file filter used to determine which files are to be analyzed
-     * <p/>
      * <p>
      * If the analyzer returns null it will not cause additional files to be analyzed, but will be executed against every file
      * loaded.</p>
+     *
+     * @return the file filter used to determine which files are to be analyzed
      */
     protected abstract FileFilter getFileFilter();
 
@@ -205,7 +204,6 @@ public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implemen
      * <p>
      * Utility method to help in the creation of the extensions set. This constructs a new Set that can be used in a final static
      * declaration.</p>
-     * <p/>
      * <p>
      * This implementation was copied from
      * http://stackoverflow.com/questions/2041778/initialize-java-hashset-values-by-construction</p>

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -39,7 +39,7 @@ import java.util.regex.Pattern;
  * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
  * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
  */
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -35,21 +35,19 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
-import java.util.logging.Level;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
  * <p>
  * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
- * <p/>
  * <p>
  * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
  * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
  * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -481,7 +481,7 @@ public class CPEAnalyzer implements Analyzer {
      * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
      */
     @Override
-    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -44,27 +44,27 @@ import java.security.MessageDigest;
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
-     * The logger
+     * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ComposerLockAnalyzer.class);
 
     /**
-     * The analyzer name
+     * The analyzer name.
      */
     private static final String ANALYZER_NAME = "Composer.lock analyzer";
 
     /**
-     * composer.json
+     * composer.json.
      */
     private static final String COMPOSER_LOCK = "composer.lock";
 
     /**
-     * The FileFilter
+     * The FileFilter.
      */
     private static final FileFilter FILE_FILTER = FileFilterBuilder.newInstance().addFilenames(COMPOSER_LOCK).build();
 
     /**
-     * Returns the FileFilter
+     * Returns the FileFilter.
      *
      * @return the FileFilter
      */
@@ -74,9 +74,9 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Initializes the analyzer
+     * Initializes the analyzer.
      *
-     * @throws Exception
+     * @throws Exception thrown if an exception occurs getting an instance of SHA1
      */
     @Override
     protected void initializeFileTypeAnalyzer() throws Exception {
@@ -84,7 +84,7 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * The MessageDigest for calculating a new digest for the new dependencies added
+     * The MessageDigest for calculating a new digest for the new dependencies added.
      */
     private MessageDigest sha1 = null;
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/FileNameAnalyzer.java

@@ -18,7 +18,9 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.File;
+
 import org.apache.commons.io.FilenameUtils;
+import org.apache.commons.io.filefilter.NameFileFilter;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
@@ -65,6 +67,13 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
     }
     //</editor-fold>
 
+    // Python init files
+    private static final NameFileFilter IGNORED_FILES = new NameFileFilter(new String[] {
+        "__init__.py",
+        "__init__.pyc",
+        "__init__.pyo"
+    });
+
     /**
      * Collects information about the file name.
      *
@@ -102,7 +111,7 @@ public class FileNameAnalyzer extends AbstractAnalyzer implements Analyzer {
                     fileName, Confidence.HIGHEST);
             dependency.getVendorEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGHEST);
-        } else {
+        } else if (!IGNORED_FILES.accept(f)) {
             dependency.getProductEvidence().addEvidence("file", "name",
                     fileName, Confidence.HIGH);
             dependency.getVendorEvidence().addEvidence("file", "name",

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/JarAnalyzer.java

@@ -29,6 +29,7 @@ import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
+import java.util.Iterator;
 import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
@@ -627,9 +628,7 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         JarFile jar = null;
         try {
             jar = new JarFile(dependency.getActualFilePath());
-
             final Manifest manifest = jar.getManifest();
-
             if (manifest == null) {
                 //don't log this for javadoc or sources jar files
                 if (!dependency.getFileName().toLowerCase().endsWith("-sources.jar")
@@ -641,17 +640,15 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                 }
                 return false;
             }
-            final Attributes atts = manifest.getMainAttributes();
-
             final EvidenceCollection vendorEvidence = dependency.getVendorEvidence();
             final EvidenceCollection productEvidence = dependency.getProductEvidence();
             final EvidenceCollection versionEvidence = dependency.getVersionEvidence();
 
-            final String source = "Manifest";
-
+            String source = "Manifest";
             String specificationVersion = null;
             boolean hasImplementationVersion = false;
 
+            Attributes atts = manifest.getMainAttributes();
             for (Entry<Object, Object> entry : atts.entrySet()) {
                 String key = entry.getKey().toString();
                 String value = atts.getValue(key);
@@ -707,7 +704,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
 //                    addMatchingValues(classInformation, value, productEvidence);
                 } else {
                     key = key.toLowerCase();
-
                     if (!IGNORE_KEYS.contains(key)
                             && !key.endsWith("jdk")
                             && !key.contains("lastmodified")
@@ -723,8 +719,6 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                         foundSomething = true;
                         if (key.contains("version")) {
                             if (!key.contains("specification")) {
-                                //versionEvidence.addEvidence(source, key, value, Confidence.LOW);
-                                //} else {
                                 versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
                             }
                         } else if ("build-id".equals(key)) {
@@ -776,9 +770,36 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
                     }
                 }
             }
+
+            final Map<String, Attributes> entries = manifest.getEntries();
+            for (Iterator<String> it = entries.keySet().iterator(); it.hasNext();) {
+                final String name = it.next();
+                source = "manifest: " + name;
+                atts = entries.get(name);
+                for (Entry<Object, Object> entry : atts.entrySet()) {
+                    final String key = entry.getKey().toString();
+                    final String value = atts.getValue(key);
+                    if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VERSION.toString())) {
+                        foundSomething = true;
+                        versionEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.IMPLEMENTATION_VENDOR.toString())) {
+                        foundSomething = true;
+                        vendorEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, vendorEvidence);
+                    } else if (key.equalsIgnoreCase(Attributes.Name.SPECIFICATION_TITLE.toString())) {
+                        foundSomething = true;
+                        productEvidence.addEvidence(source, key, value, Confidence.MEDIUM);
+                        addMatchingValues(classInformation, value, productEvidence);
+                    }
+                }
+            }
             if (specificationVersion != null && !hasImplementationVersion) {
                 foundSomething = true;
-                versionEvidence.addEvidence(source, "specificationn-version", specificationVersion, Confidence.HIGH);
+                versionEvidence.addEvidence(source, "specification-version", specificationVersion, Confidence.HIGH);
             }
         } finally {
             if (jar != null) {
@@ -1011,7 +1032,9 @@ public class JarAnalyzer extends AbstractFileTypeAnalyzer {
         final String text = value.toLowerCase();
         for (ClassNameInformation cni : classes) {
             for (String key : cni.getPackageStructure()) {
-                if (text.contains(key)) { //note, package structure elements are already lowercase.
+                final Pattern p = Pattern.compile("\b" + key + "\b");
+                if (p.matcher(text).find()) {
+                    //if (text.contains(key)) { //note, package structure elements are already lowercase.
                     evidence.addEvidence("jar", "package name", key, Confidence.HIGHEST);
                 }
             }

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzer.java

@@ -43,7 +43,7 @@ import javax.json.JsonValue;
  * Used to analyze Node Package Manager (npm) package.json files, and collect information that can be used to determine the
  * associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzer.java

@@ -34,7 +34,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze OpenSSL source code present in the file system.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzer.java

@@ -48,7 +48,7 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
  * Used to analyze a Wheel or egg distribution files, or their contents in unzipped form, and collect information that can be used
  * to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzer extends AbstractFileTypeAnalyzer {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzer.java

@@ -40,7 +40,7 @@ import java.util.regex.Pattern;
 /**
  * Used to analyze a Python package, and collect information that can be used to determine the associated CPE.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -185,7 +185,7 @@ public class PythonPackageAnalyzer extends AbstractFileTypeAnalyzer {
         if (found) {
             dependency.setDisplayFileName(parentName + "/__init__.py");
             dependency.getProductEvidence().addEvidence(file.getName(),
-                    "PackageName", parentName, Confidence.MEDIUM);
+                    "PackageName", parentName, Confidence.HIGH);
         } else {
             // copy, alter and set in case some other thread is iterating over
             final List<Dependency> dependencies = new ArrayList<Dependency>(

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzer.java

@@ -35,7 +35,7 @@ import java.util.*;
 /**
  * Used to analyze Ruby Bundler Gemspec.lock files utilizing the 3rd party bundle-audit tool.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -83,6 +83,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         final ProcessBuilder builder = new ProcessBuilder(args);
         builder.directory(folder);
         try {
+        	LOGGER.info("Launching: " + args + " from " + folder);
             return builder.start();
         } catch (IOException ioe) {
             throw new AnalysisException("bundle-audit failure", ioe);
@@ -97,7 +98,16 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
     @Override
     public void initializeFileTypeAnalyzer() throws Exception {
         // Now, need to see if bundle-audit actually runs from this location.
-        Process process = launchBundleAudit(Settings.getTempDirectory());
+    	Process process = null;
+    	try {
+	        process = launchBundleAudit(Settings.getTempDirectory());
+    	}
+    	catch(AnalysisException ae) {
+    		LOGGER.warn("Exception from bundle-audit process: {}. Disabling {}", ae.getCause(), ANALYZER_NAME);
+            setEnabled(false);
+            throw ae;
+    	}
+    	
         int exitValue = process.waitFor();
         if (0 == exitValue) {
             LOGGER.warn("Unexpected exit code from bundle-audit process. Disabling {}: {}", ANALYZER_NAME, exitValue);
@@ -125,6 +135,7 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
                 }
             }
         }
+    	
         if (isEnabled()) {
             LOGGER.info(ANALYZER_NAME + " is enabled. It is necessary to manually run \"bundle-audit update\" "
                     + "occasionally to keep its database up to date.");
@@ -194,6 +205,11 @@ public class RubyBundleAuditAnalyzer extends AbstractFileTypeAnalyzer {
         }
         BufferedReader rdr = null;
         try {
+        	BufferedReader errReader = new BufferedReader(new InputStreamReader(process.getErrorStream(), "UTF-8"));
+        	while(errReader.ready()) {
+        		String error = errReader.readLine();
+        		LOGGER.warn(error);
+        	}
             rdr = new BufferedReader(new InputStreamReader(process.getInputStream(), "UTF-8"));
             processBundlerAuditOutput(dependency, engine, rdr);
         } catch (IOException ioe) {

dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzer.java

@@ -32,10 +32,10 @@ import java.util.regex.Matcher;
 import java.util.regex.Pattern;
 
 /**
- * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE.
- * Regular expressions are used to parse the well-defined Ruby syntax that forms the specification.
+ * Used to analyze Ruby Gem specifications and collect information that can be used to determine the associated CPE. Regular
+ * expressions are used to parse the well-defined Ruby syntax that forms the specification.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
@@ -51,8 +51,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
 
     private static final String GEMSPEC = "gemspec";
 
-    private static final FileFilter FILTER =
-            FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
+    private static final FileFilter FILTER
+            = FileFilterBuilder.newInstance().addExtensions(GEMSPEC).addFilenames("Rakefile").build();
 
     private static final String EMAIL = "email";
 
@@ -102,8 +102,8 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * The capture group #1 is the block variable.
      */
-    private static final Pattern GEMSPEC_BLOCK_INIT =
-            Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
+    private static final Pattern GEMSPEC_BLOCK_INIT
+            = Pattern.compile("Gem::Specification\\.new\\s+?do\\s+?\\|(.+?)\\|");
 
     @Override
     protected void analyzeFileType(Dependency dependency, Engine engine)
@@ -138,7 +138,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private void addListEvidence(EvidenceCollection evidences, String contents,
-                                 String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?\\[(.*?)\\]", blockVariable, field)).matcher(contents);
         if (matcher.find()) {
@@ -148,7 +148,7 @@ public class RubyGemspecAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     private String addStringEvidence(EvidenceCollection evidences, String contents,
-                                     String blockVariable, String field, Confidence confidence) {
+            String blockVariable, String field, Confidence confidence) {
         final Matcher matcher = Pattern.compile(
                 String.format("\\s+?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, field)).matcher(contents);
         String value = "";

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes related to searching Maven Central.<br/><br/>
+ * Contains classes related to searching Maven Central.<br><br>
  *
  * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cwe/CweHandler.java

@@ -37,7 +37,7 @@ public class CweHandler extends DefaultHandler {
     /**
      * Returns the HashMap of CWE entries (CWE-ID, Full CWE Name).
      *
-     * @return a HashMap of CWE entries <String, String>
+     * @return a HashMap of CWE entries &lt;String, String&gt;
      */
     public HashMap<String, String> getCwe() {
         return cwe;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/TokenPairConcatenatingFilter.java

@@ -27,7 +27,7 @@ import org.apache.lucene.analysis.tokenattributes.CharTermAttribute;
  * <p>
  * Takes a TokenStream and adds additional tokens by concatenating pairs of words.</p>
  * <p>
- * <b>Example:</b> "Spring Framework Core" -> "Spring SpringFramework Framework FrameworkCore Core".</p>
+ * <b>Example:</b> "Spring Framework Core" -&gt; "Spring SpringFramework Framework FrameworkCore Core".</p>
  *
  * @author Jeremy Long
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/lucene/UrlTokenizingFilter.java

@@ -31,15 +31,17 @@ import org.slf4j.LoggerFactory;
  * <p>
  * Takes a TokenStream and splits or adds tokens to correctly index version numbers.</p>
  * <p>
- * <b>Example:</b> "3.0.0.RELEASE" -> "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
+ * <b>Example:</b> "3.0.0.RELEASE" -&gt; "3 3.0 3.0.0 RELEASE 3.0.0.RELEASE".</p>
  *
  * @author Jeremy Long
  */
 public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
+
     /**
      * The logger.
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(UrlTokenizingFilter.class);
+
     /**
      * Constructs a new VersionTokenizingFilter.
      *
@@ -50,8 +52,8 @@ public final class UrlTokenizingFilter extends AbstractTokenizingFilter {
     }
 
     /**
-     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by
-     * concatenating tokens with the previous token.
+     * Increments the underlying TokenStream and sets CharTermAttributes to construct an expanded set of tokens by concatenating
+     * tokens with the previous token.
      *
      * @return whether or not we have hit the end of the TokenStream
      * @throws IOException is thrown when an IOException occurs

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nexus/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to searching a Nexus repository.<br/><br/>
+ * Contains classes related to searching a Nexus repository.<br><br>
  *
  * These are used to abstract Nexus searching away from OWASP Dependency Check so they can be reused elsewhere.
  */

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nuget/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes related to parsing Nuget related files<br/><br/>
+ * Contains classes related to parsing Nuget related files<br><br>
  * These are used to abstract away Nuget-related handling from Dependency Check so they can be used elsewhere.
  */
 package org.owasp.dependencycheck.data.nuget;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/ConnectionFactory.java

@@ -276,10 +276,13 @@ public final class ConnectionFactory {
      * execute it against the database. The upgrade script must update the 'version' in the properties table.
      *
      * @param conn the database connection object
-     * @param schema the current schema version that is being upgraded
+     * @param appExpectedVersion the schema version that the application expects
+     * @param currentDbVersion the current schema version of the database
      * @throws DatabaseException thrown if there is an exception upgrading the database schema
      */
-    private static void updateSchema(Connection conn, String schema) throws DatabaseException {
+    private static void updateSchema(Connection conn, DependencyVersion appExpectedVersion, DependencyVersion currentDbVersion)
+            throws DatabaseException {
+
         final String databaseProductName;
         try {
             databaseProductName = conn.getMetaData().getDatabaseProductName();
@@ -291,7 +294,7 @@ public final class ConnectionFactory {
             InputStream is = null;
             String updateFile = null;
             try {
-                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, schema);
+                updateFile = String.format(DB_STRUCTURE_UPDATE_RESOURCE, currentDbVersion.toString());
                 is = ConnectionFactory.class.getClassLoader().getResourceAsStream(updateFile);
                 if (is == null) {
                     throw new DatabaseException(String.format("Unable to load update file '%s'", updateFile));
@@ -303,7 +306,8 @@ public final class ConnectionFactory {
                     statement = conn.createStatement();
                     final boolean success = statement.execute(dbStructureUpdate);
                     if (!success && statement.getUpdateCount() <= 0) {
-                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s", schema));
+                        throw new DatabaseException(String.format("Unable to upgrade the database schema to %s",
+                                currentDbVersion.toString()));
                     }
                 } catch (SQLException ex) {
                     LOGGER.debug("", ex);
@@ -318,8 +322,20 @@ public final class ConnectionFactory {
                 IOUtils.closeQuietly(is);
             }
         } else {
-            LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.", UPGRADE_HELP_URL);
-            throw new DatabaseException("Database schema is out of date");
+            final int e0 = Integer.parseInt(appExpectedVersion.getVersionParts().get(0));
+            final int c0 = Integer.parseInt(currentDbVersion.getVersionParts().get(0));
+            final int e1 = Integer.parseInt(appExpectedVersion.getVersionParts().get(1));
+            final int c1 = Integer.parseInt(currentDbVersion.getVersionParts().get(1));
+            if (e0 == c0 && e1 < c1) {
+                LOGGER.warn("A new version of dependency-check is available; consider upgrading");
+                Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, false);
+            } else if (e0 == c0 && e1 == c1) {
+                //do nothing - not sure how we got here, but just incase...
+            } else {
+                LOGGER.error("The database schema must be upgraded to use this version of dependency-check. Please see {} for more information.",
+                        UPGRADE_HELP_URL);
+                throw new DatabaseException("Database schema is out of date");
+            }
         }
     }
 
@@ -342,12 +358,12 @@ public final class ConnectionFactory {
             cs = conn.prepareCall("SELECT value FROM properties WHERE id = 'version'");
             rs = cs.executeQuery();
             if (rs.next()) {
-                final DependencyVersion current = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
+                final DependencyVersion appDbVersion = DependencyVersionUtil.parseVersion(DB_SCHEMA_VERSION);
                 final DependencyVersion db = DependencyVersionUtil.parseVersion(rs.getString(1));
-                if (current.compareTo(db) > 0) {
+                if (appDbVersion.compareTo(db) > 0) {
                     LOGGER.debug("Current Schema: {}", DB_SCHEMA_VERSION);
                     LOGGER.debug("DB Schema: {}", rs.getString(1));
-                    updateSchema(conn, rs.getString(1));
+                    updateSchema(conn, appDbVersion, db);
                     if (++callDepth < 10) {
                         ensureSchemaVersion(conn);
                     }

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/NvdCveUpdater.java

@@ -35,7 +35,6 @@ import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
 import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
 import org.owasp.dependencycheck.data.update.nvd.UpdateableNvdCve;
-import org.owasp.dependencycheck.exception.NoDataException;
 import org.owasp.dependencycheck.utils.DateUtil;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
@@ -69,7 +68,13 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     public void update() throws UpdateException {
         try {
             openDataStores();
-            if (checkUpdate()) {
+            boolean autoUpdate = true;
+            try {
+                autoUpdate = Settings.getBoolean(Settings.KEYS.AUTO_UPDATE);
+            } catch (InvalidSettingException ex) {
+                LOGGER.debug("Invalid setting for auto-update; using true.");
+            }
+            if (autoUpdate && checkUpdate()) {
                 final UpdateableNvdCve updateable = getUpdatesNeeded();
                 if (updateable.isUpdateNeeded()) {
                     performUpdate(updateable);
@@ -122,7 +127,9 @@ public class NvdCveUpdater extends BaseUpdater implements CachedWebDataSource {
     }
 
     /**
-     * Checks the CPE Index to ensure documents exists.
+     * Checks the CVE Index to ensure data exists and analysis can continue.
+     *
+     * @return true if the database contains data
      */
     private boolean dataExists() {
         CveDB cve = null;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/cpe/package-info.java

@@ -1,5 +1,5 @@
 /**
- * Contains classes used to parse the CPE XML file from NIST.<br/><br/>
+ * Contains classes used to parse the CPE XML file from NIST.<br><br>
  *
  * These classes are not used as they add no value over the existing CPE data contained within the CVE data from the NVD. However,
  * we may consider pulling the more descriptive data from the CPE data in the future.

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/DownloadTask.java

@@ -22,6 +22,7 @@ import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
+import java.io.InputStream;
 import java.net.URL;
 import java.util.concurrent.Callable;
 import java.util.concurrent.ExecutorService;
@@ -176,15 +177,15 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                 LOGGER.debug("", ex);
                 return null;
             }
-            if (url1.toExternalForm().endsWith(".xml.gz")) {
+            if (url1.toExternalForm().endsWith(".xml.gz") && !isXml(first)) {
                 extractGzip(first);
             }
-            if (url2.toExternalForm().endsWith(".xml.gz")) {
+            if (url2.toExternalForm().endsWith(".xml.gz") && !isXml(second)) {
                 extractGzip(second);
             }
 
             LOGGER.info("Download Complete for NVD CVE - {}  ({} ms)", nvdCveInfo.getId(),
-                System.currentTimeMillis() - startDownload);
+                    System.currentTimeMillis() - startDownload);
             if (this.processorService == null) {
                 return null;
             }
@@ -226,6 +227,45 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
         }
     }
 
+    /**
+     * Checks the file header to see if it is an XML file.
+     *
+     * @param file the file to check
+     * @return true if the file is XML
+     */
+    public static boolean isXml(File file) {
+        if (file == null || !file.isFile()) {
+            return false;
+        }
+        InputStream is = null;
+        try {
+            is = new FileInputStream(file);
+
+            final byte[] buf = new byte[5];
+            int read = 0;
+            try {
+                read = is.read(buf);
+            } catch (IOException ex) {
+                return false;
+            }
+            return read == 5
+                    && buf[0] == '<'
+                    && (buf[1] == '?')
+                    && (buf[2] == 'x' || buf[2] == 'X')
+                    && (buf[3] == 'm' || buf[3] == 'M')
+                    && (buf[4] == 'l' || buf[4] == 'L');
+        } catch (FileNotFoundException ex) {
+            return false;
+        } finally {
+            if (is != null) {
+                try {
+                    is.close();
+                } catch (IOException ex) {
+                }
+            }
+        }
+    }
+
     /**
      * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file specified.
      *

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/nvd/package-info.java

@@ -1,4 +1,4 @@
 /**
- * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br/><br/>
+ * Contains classes used to download, parse, and load the NVD CVE data from NIST into the local database.<br><br>
  */
 package org.owasp.dependencycheck.data.update.nvd;

dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/package-info.java

@@ -1,6 +1,6 @@
 /**
  *
- * Contains classes used to update the data stores.<br/><br/>
+ * Contains classes used to update the data stores.<br><br>
  *
  * The UpdateService will load, any correctly defined CachedWebDataSource(s) and call update() on them. The Cached Data Source
  * must determine if it needs to be updated and if so perform the update. The sub packages contain classes used to perform the

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/Dependency.java

@@ -692,7 +692,7 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     }
 
     /**
-     * Implementation of the Comparable<Dependency> interface. The comparison is solely based on the file path.
+     * Implementation of the Comparable&lt;Dependency&gt; interface. The comparison is solely based on the file path.
      *
      * @param o a dependency to compare
      * @return an integer representing the natural ordering
@@ -715,23 +715,23 @@ public class Dependency implements Serializable, Comparable<Dependency> {
         }
         final Dependency other = (Dependency) obj;
         return new EqualsBuilder()
-            .appendSuper(super.equals(obj))
-            .append(this.actualFilePath, other.actualFilePath)
-            .append(this.filePath, other.filePath)
-            .append(this.fileName, other.fileName)
-            .append(this.md5sum, other.md5sum)
-            .append(this.sha1sum, other.sha1sum)
-            .append(this.identifiers, other.identifiers)
-            .append(this.vendorEvidence, other.vendorEvidence)
-            .append(this.productEvidence, other.productEvidence)
-            .append(this.versionEvidence, other.versionEvidence)
-            .append(this.description, other.description)
-            .append(this.license, other.license)
-            .append(this.vulnerabilities, other.vulnerabilities)
-            //.append(this.relatedDependencies, other.relatedDependencies)
-            .append(this.projectReferences, other.projectReferences)
-            .append(this.availableVersions, other.availableVersions)
-            .isEquals();
+                .appendSuper(super.equals(obj))
+                .append(this.actualFilePath, other.actualFilePath)
+                .append(this.filePath, other.filePath)
+                .append(this.fileName, other.fileName)
+                .append(this.md5sum, other.md5sum)
+                .append(this.sha1sum, other.sha1sum)
+                .append(this.identifiers, other.identifiers)
+                .append(this.vendorEvidence, other.vendorEvidence)
+                .append(this.productEvidence, other.productEvidence)
+                .append(this.versionEvidence, other.versionEvidence)
+                .append(this.description, other.description)
+                .append(this.license, other.license)
+                .append(this.vulnerabilities, other.vulnerabilities)
+                //.append(this.relatedDependencies, other.relatedDependencies)
+                .append(this.projectReferences, other.projectReferences)
+                .append(this.availableVersions, other.availableVersions)
+                .isEquals();
     }
 
     /**
@@ -742,22 +742,22 @@ public class Dependency implements Serializable, Comparable<Dependency> {
     @Override
     public int hashCode() {
         return new HashCodeBuilder(MAGIC_HASH_INIT_VALUE, MAGIC_HASH_MULTIPLIER)
-            .append(actualFilePath)
-            .append(filePath)
-            .append(fileName)
-            .append(md5sum)
-            .append(sha1sum)
-            .append(identifiers)
-            .append(vendorEvidence)
-            .append(productEvidence)
-            .append(versionEvidence)
-            .append(description)
-            .append(license)
-            .append(vulnerabilities)
-            //.append(relatedDependencies)
-            .append(projectReferences)
-            .append(availableVersions)
-            .toHashCode();
+                .append(actualFilePath)
+                .append(filePath)
+                .append(fileName)
+                .append(md5sum)
+                .append(sha1sum)
+                .append(identifiers)
+                .append(vendorEvidence)
+                .append(productEvidence)
+                .append(versionEvidence)
+                .append(description)
+                .append(license)
+                .append(vulnerabilities)
+                //.append(relatedDependencies)
+                .append(projectReferences)
+                .append(availableVersions)
+                .toHashCode();
     }
 
     /**

dependency-check-core/src/main/java/org/owasp/dependencycheck/dependency/EvidenceCollection.java

@@ -97,7 +97,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Used to iterate over evidence of the specified confidence.
      *
      * @param confidence the confidence level for the evidence to be iterated over.
-     * @return Iterable<Evidence> an iterable collection of evidence
+     * @return Iterable&lt;Evidence&gt; an iterable collection of evidence
      */
     public final Iterable<Evidence> iterator(Confidence confidence) {
         if (confidence == Confidence.HIGHEST) {
@@ -168,7 +168,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
      * Returns a set of Weightings - a list of terms that are believed to be of higher confidence when also found in another
      * location.
      *
-     * @return Set<String>
+     * @return Set&lt;String&gt;
      */
     public Set<String> getWeighting() {
         return weightedStrings;
@@ -225,7 +225,7 @@ public class EvidenceCollection implements Serializable, Iterable<Evidence> {
     /**
      * Implements the iterator interface for the Evidence Collection.
      *
-     * @return an Iterator<Evidence>.
+     * @return an Iterator&lt;Evidence&gt;
      */
     @Override
     public Iterator<Evidence> iterator() {

dependency-check-core/src/main/java/org/owasp/dependencycheck/exception/ScanAgentException.java

@@ -22,7 +22,7 @@ import java.io.IOException;
 /**
  * An exception used when using @{link DependencyCheckScanAgent} to conduct a scan and the scan fails.
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class ScanAgentException extends IOException {
 

dependency-check-core/src/main/java/org/owasp/dependencycheck/reporting/VelocityLoggerRedirect.java

@@ -24,15 +24,14 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom
- * logging implementation that outputs to a file named velocity.log by default. This class is an implementation of a
- * custom Velocity logger that redirects all velocity logging to the Java Logger class.
+ * DependencyCheck uses {@link org.slf4j.Logger} as a logging framework, and Apache Velocity uses a custom logging implementation
+ * that outputs to a file named velocity.log by default. This class is an implementation of a custom Velocity logger that
+ * redirects all velocity logging to the Java Logger class.
  * </p><p>
- * This class was written to address permission issues when using Dependency-Check in a server environment (such as the
- * Jenkins plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable
- * directory.</p>
+ * This class was written to address permission issues when using Dependency-Check in a server environment (such as the Jenkins
+ * plugin). In some circumstances, Velocity would attempt to create velocity.log in an un-writable directory.</p>
  *
- * @author Steve Springett <steve.springett@owasp.org>
+ * @author Steve Springett
  */
 public class VelocityLoggerRedirect implements LogChute {
 
@@ -52,8 +51,7 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified
-     * values.
+     * Given a Velocity log level and message, this method will call the appropriate Logger level and log the specified values.
      *
      * @param level the logging level
      * @param message the message to be logged
@@ -82,8 +80,8 @@ public class VelocityLoggerRedirect implements LogChute {
     }
 
     /**
-     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the
-     * specified values.
+     * Given a Velocity log level, message and Throwable, this method will call the appropriate Logger level and log the specified
+     * values.
      *
      * @param level the logging level
      * @param message the message to be logged

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/DependencyVersionUtil.java

@@ -48,10 +48,11 @@ public final class DependencyVersionUtil {
 
     /**
      * <p>
-     * A utility class to extract version numbers from file names (or other strings containing version numbers.<br/>
-     * Example:<br/>
-     * Give the file name: library-name-1.4.1r2-release.jar<br/>
-     * This function would return: 1.4.1.r2</p>
+     * A utility class to extract version numbers from file names (or other strings containing version numbers.</p>
+     * <pre>
+     * Example:
+     * Give the file name: library-name-1.4.1r2-release.jar
+     * This function would return: 1.4.1.r2</pre>
      *
      * @param text the text being analyzed
      * @return a DependencyVersion containing the version

dependency-check-core/src/main/java/org/owasp/dependencycheck/utils/FileFilterBuilder.java

@@ -40,7 +40,7 @@ import java.util.Set;
  *     FileFilter filter = FileFilterBuilder.newInstance().addExtensions("jar", "war").build();
  * </pre>
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  * @see <a href="https://en.wikipedia.org/wiki/Builder_pattern">Builder pattern</a>
  */
 public class FileFilterBuilder {

dependency-check-core/src/main/resources/data/dbStatements_oracle.properties

@@ -0,0 +1 @@
+CLEANUP_ORPHANS=DELETE FROM cpeEntry WHERE id not in (SELECT CPEEntryId FROM software)

dependency-check-core/src/main/resources/data/initialize_mysql.sql

@@ -25,7 +25,8 @@ CREATE TABLE cpeEntry (id INT auto_increment PRIMARY KEY, cpe VARCHAR(250), vend
 
 CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
     , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
-    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id)
+    , PRIMARY KEY (cveid, cpeEntryId));
 
 CREATE INDEX idxVulnerability ON vulnerability(cve);
 CREATE INDEX idxReference ON reference(cveid);
@@ -53,4 +54,4 @@ DELIMITER ;
 
 GRANT EXECUTE ON PROCEDURE dependencycheck.save_property TO 'dcuser';
 
-UPDATE Properties SET value='3.0' WHERE ID='version';
+UPDATE Properties SET value='3.0' WHERE ID='version';

dependency-check-core/src/main/resources/data/initialize_oracle.sql

@@ -0,0 +1,112 @@
+-- Drop
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE vulnerability_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+  EXECUTE IMMEDIATE 'DROP SEQUENCE cpeEntry_seq';
+EXCEPTION
+  WHEN OTHERS THEN
+    IF SQLCODE != -2289 THEN
+      RAISE;
+    END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE software CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE cpeEntry CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE reference CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE vulnerability CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+BEGIN
+    EXECUTE IMMEDIATE 'DROP TABLE properties CASCADE CONSTRAINTS';
+EXCEPTION
+    WHEN OTHERS THEN
+        IF SQLCODE != -942 THEN
+            RAISE;
+        END IF;
+END;
+
+
+CREATE TABLE vulnerability (id INT NOT NULL PRIMARY KEY, cve VARCHAR(20) UNIQUE,
+    description CLOB, cwe VARCHAR(10), cvssScore DECIMAL(3,1), cvssAccessVector VARCHAR(20),
+    cvssAccessComplexity VARCHAR(20), cvssAuthentication VARCHAR(20), cvssConfidentialityImpact VARCHAR(20),
+    cvssIntegrityImpact VARCHAR(20), cvssAvailabilityImpact VARCHAR(20));
+
+CREATE TABLE reference (cveid INT, name VARCHAR(1000), url VARCHAR(1000), source VARCHAR(255),
+    CONSTRAINT fkReference FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE);
+
+CREATE TABLE cpeEntry (id INT NOT NULL PRIMARY KEY, cpe VARCHAR(250), vendor VARCHAR(255), product VARCHAR(255));
+
+CREATE TABLE software (cveid INT, cpeEntryId INT, previousVersion VARCHAR(50)
+    , CONSTRAINT fkSoftwareCve FOREIGN KEY (cveid) REFERENCES vulnerability(id) ON DELETE CASCADE
+    , CONSTRAINT fkSoftwareCpeProduct FOREIGN KEY (cpeEntryId) REFERENCES cpeEntry(id));
+
+CREATE INDEX idxVulnerability ON vulnerability(cve);
+CREATE INDEX idxReference ON reference(cveid);
+CREATE INDEX idxCpe ON cpeEntry(cpe);
+CREATE INDEX idxCpeEntry ON cpeEntry(vendor, product);
+CREATE INDEX idxSoftwareCve ON software(cveid);
+CREATE INDEX idxSoftwareCpe ON software(cpeEntryId);
+
+CREATE TABLE properties (id varchar(50) PRIMARY KEY, value varchar(500));
+
+CREATE SEQUENCE cpeEntry_seq;
+CREATE SEQUENCE vulnerability_seq;
+
+CREATE OR REPLACE TRIGGER VULNERABILITY_TRG
+BEFORE INSERT
+ON VULNERABILITY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := VULNERABILITY_SEQ.nextval;
+END VULNERABILITY_TRG;
+/
+
+CREATE OR REPLACE TRIGGER CPEENTRY_TRG
+BEFORE INSERT
+ON CPEENTRY
+REFERENCING NEW AS New OLD AS Old
+FOR EACH ROW
+BEGIN
+  :new.ID := CPEENTRY_SEQ.nextval;
+END CPEENTRY_TRG;
+/
+
+INSERT INTO properties(id,value) VALUES ('version','3.0');

dependency-check-core/src/main/resources/dependencycheck-base-suppression.xml

@@ -161,6 +161,13 @@
         <gav regex="true">.*\bhk2\b.*</gav>
         <cpe>cpe:/a:oracle:glassfish</cpe>
     </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        HK2-utils is flagged as glassfish.
+        ]]></notes>
+        <filePath regex="true">.*\bhk2-utils.*\.jar</filePath>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
     <suppress base="true">
         <notes><![CDATA[
         file name: petals-se-camel-1.0.0.jar - false positive for apache camel.
@@ -233,6 +240,83 @@
             Note, there will be more false positives for Netty. Trying to figure out a better suppression.
         ]]></notes>
         <gav regex="true">com.typesafe.netty:netty-http-pipelining:.*</gav>
-        <cpe>cpe:/a:netty_project:netty:1.1.4</cpe>
+        <cpe>cpe:/a:netty_project:netty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        JVM instrumentation to Ganglia
+        ]]></notes>
+        <gav regex="true">info\.ganglia\.gmetric4j:gmetric4j:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        A reporter for Metrics which announces measurements to a Ganglia cluster
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-ganglia:.*</gav>
+        <cpe>cpe:/a:ganglia:ganglia</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard:dropwizard-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-jetty:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.toolchain\.setuid:jetty-setuid-java:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty:jetty-io:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">org\.eclipse\.jetty\.http2:http2-hpack:.*</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        drop wizard false positives
+        ]]></notes>
+        <gav regex="true">io\.dropwizard\.metrics:metrics-httpclient:.*</gav>
+        <cpe>cpe:/a:apache:httpclient</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        javax.transaction false positives
+        ]]></notes>
+        <gav regex="true">javax\.transaction:javax\.transaction-api:.*</gav>
+        <cpe>cpe:/a:oracle:glassfish</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        false positive in drop wizard
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|ear|war|pom)</filePath>
+        <cpe>cpe:/a:tiger:tiger</cpe>
+    </suppress>
+    <suppress base="true">
+        <notes><![CDATA[
+        php cpe
+        ]]></notes>
+        <filePath regex="true">.*\.(jar|exe|dll|ear|war|pom)</filePath>
+        <cpe>cpe:/a:class:class</cpe>
     </suppress>
 </suppressions>

dependency-check-core/src/main/resources/schema/suppression.xsd

@@ -21,7 +21,7 @@
     </xs:simpleType>
     <xs:simpleType name="cveType">
         <xs:restriction base="xs:string">
-            <xs:pattern value="(\w+\-)?CVE\-\d\d\d\d\-\d+"/>
+            <xs:pattern value="((\w+\-)?CVE\-\d\d\d\d\-\d+|\d+)"/>
         </xs:restriction>
     </xs:simpleType>
     <xs:simpleType name="sha1Type">
@@ -56,4 +56,4 @@
             </xs:sequence>
         </xs:complexType>
     </xs:element>
-</xs:schema>
+</xs:schema>

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzerTest.java

@@ -30,147 +30,137 @@ import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
 
 /**
- * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were
- * obtained from outside open source software projects. Links to those projects
- * are given below.
+ * Unit tests for AutoconfAnalyzer. The test resources under autoconf/ were obtained from outside open source software projects.
+ * Links to those projects are given below.
  *
- * @author Dale Visser <dvisser@ida.org>
- * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions
- *      Project</a>
+ * @author Dale Visser
+ * @see <a href="http://readable.sourceforge.net/">Readable Lisp S-expressions Project</a>
  * @see <a href="https://gnu.org/software/binutils/">GNU Binutils</a>
  * @see <a href="https://gnu.org/software/ghostscript/">GNU Ghostscript</a>
  */
 public class AutoconfAnalyzerTest extends BaseTest {
 
-	/**
-	 * The analyzer to test.
-	 */
-	AutoconfAnalyzer analyzer;
+    /**
+     * The analyzer to test.
+     */
+    AutoconfAnalyzer analyzer;
 
-	private void assertCommonEvidence(Dependency result, String product,
-			String version, String vendor) {
-		assertProductAndVersion(result, product, version);
-		assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
-				result.getVendorEvidence().toString().contains(vendor));
-	}
+    private void assertCommonEvidence(Dependency result, String product,
+            String version, String vendor) {
+        assertProductAndVersion(result, product, version);
+        assertTrue("Expected vendor evidence to contain \"" + vendor + "\".",
+                result.getVendorEvidence().toString().contains(vendor));
+    }
 
-	private void assertProductAndVersion(Dependency result, String product,
-			String version) {
-		assertTrue("Expected product evidence to contain \"" + product + "\".",
-				result.getProductEvidence().toString().contains(product));
-		assertTrue("Expected version evidence to contain \"" + version + "\".",
-				result.getVersionEvidence().toString().contains(version));
-	}
+    private void assertProductAndVersion(Dependency result, String product,
+            String version) {
+        assertTrue("Expected product evidence to contain \"" + product + "\".",
+                result.getProductEvidence().toString().contains(product));
+        assertTrue("Expected version evidence to contain \"" + version + "\".",
+                result.getVersionEvidence().toString().contains(version));
+    }
 
-	/**
-	 * Correctly setup the analyzer for testing.
-	 *
-	 * @throws Exception
-	 *             thrown if there is a problem
-	 */
-	@Before
-	public void setUp() throws Exception {
-		analyzer = new AutoconfAnalyzer();
-		analyzer.setFilesMatched(true);
-		analyzer.initialize();
-	}
+    /**
+     * Correctly setup the analyzer for testing.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @Before
+    public void setUp() throws Exception {
+        analyzer = new AutoconfAnalyzer();
+        analyzer.setFilesMatched(true);
+        analyzer.initialize();
+    }
 
-	/**
-	 * Cleanup the analyzer's temp files, etc.
-	 *
-	 * @throws Exception
-	 *             thrown if there is a problem
-	 */
-	@After
-	public void tearDown() throws Exception {
-		analyzer.close();
-		analyzer = null;
-	}
+    /**
+     * Cleanup the analyzer's temp files, etc.
+     *
+     * @throws Exception thrown if there is a problem
+     */
+    @After
+    public void tearDown() throws Exception {
+        analyzer.close();
+        analyzer = null;
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from Ghostscript's
-	 * configure.ac.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureAC1() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/ghostscript/configure.ac"));
-		analyzer.analyze(result, null);
-		assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
-	}
+    /**
+     * Test whether expected evidence is gathered from Ghostscript's configure.ac.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureAC1() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/ghostscript/configure.ac"));
+        analyzer.analyze(result, null);
+        assertCommonEvidence(result, "ghostscript", "8.62.0", "gnu");
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from Readable's configure.ac.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureAC2() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/readable-code/configure.ac"));
-		analyzer.analyze(result, null);
-		assertReadableCodeEvidence(result);
-	}
+    /**
+     * Test whether expected evidence is gathered from Readable's configure.ac.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureAC2() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure.ac"));
+        analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
+    }
 
-	private void assertReadableCodeEvidence(final Dependency result) {
-		assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
-		final String url = "http://readable.sourceforge.net/";
-		assertTrue("Expected product evidence to contain \"" + url + "\".",
-				result.getVendorEvidence().toString().contains(url));
-	}
+    private void assertReadableCodeEvidence(final Dependency result) {
+        assertCommonEvidence(result, "readable", "1.0.7", "dwheeler");
+        final String url = "http://readable.sourceforge.net/";
+        assertTrue("Expected product evidence to contain \"" + url + "\".",
+                result.getVendorEvidence().toString().contains(url));
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from GNU Binutil's configure.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeConfigureScript() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/binutils/configure"));
-		analyzer.analyze(result, null);
-		assertProductAndVersion(result, "binutils", "2.25.51");
-	}
+    /**
+     * Test whether expected evidence is gathered from GNU Binutil's configure.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/binutils/configure"));
+        analyzer.analyze(result, null);
+        assertProductAndVersion(result, "binutils", "2.25.51");
+    }
 
-	/**
-	 * Test whether expected evidence is gathered from GNU Ghostscript's
-	 * configure.
-	 *
-	 * @throws AnalysisException
-	 *             is thrown when an exception occurs.
-	 */
-	@Test
-	public void testAnalyzeReadableConfigureScript() throws AnalysisException {
-		final Dependency result = new Dependency(BaseTest.getResourceAsFile(
-				this, "autoconf/readable-code/configure"));
-		analyzer.analyze(result, null);
-		assertReadableCodeEvidence(result);
-	}
+    /**
+     * Test whether expected evidence is gathered from GNU Ghostscript's configure.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testAnalyzeReadableConfigureScript() throws AnalysisException {
+        final Dependency result = new Dependency(BaseTest.getResourceAsFile(
+                this, "autoconf/readable-code/configure"));
+        analyzer.analyze(result, null);
+        assertReadableCodeEvidence(result);
+    }
 
-	/**
-	 * Test of getName method, of {@link AutoconfAnalyzer}.
-	 */
-	@Test
-	public void testGetName() {
-		assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
-				analyzer.getName());
-	}
+    /**
+     * Test of getName method, of {@link AutoconfAnalyzer}.
+     */
+    @Test
+    public void testGetName() {
+        assertEquals("Analyzer name wrong.", "Autoconf Analyzer",
+                analyzer.getName());
+    }
 
-	/**
-	 * Test of {@link AutoconfAnalyzer#accept(File)}.
-	 */
-	@Test
-	public void testSupportsFileExtension() {
-		assertTrue("Should support \"ac\" extension.",
-				analyzer.accept(new File("configure.ac")));
-		assertTrue("Should support \"in\" extension.",
-				analyzer.accept(new File("configure.in")));
-		assertTrue("Should support \"configure\" extension.",
-				analyzer.accept(new File("configure")));
-	}
-}
+    /**
+     * Test of {@link AutoconfAnalyzer#accept(File)}.
+     */
+    @Test
+    public void testSupportsFileExtension() {
+        assertTrue("Should support \"ac\" extension.",
+                analyzer.accept(new File("configure.ac")));
+        assertTrue("Should support \"in\" extension.",
+                analyzer.accept(new File("configure.in")));
+        assertTrue("Should support \"configure\" extension.",
+                analyzer.accept(new File("configure")));
+    }
+}

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzerTest.java

@@ -38,7 +38,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for CmakeAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class CMakeAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzerTest.java

@@ -39,7 +39,7 @@ import org.owasp.dependencycheck.BaseDBTestCase;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class ComposerLockAnalyzerTest extends BaseDBTestCase {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java

@@ -23,6 +23,8 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
 
 import java.io.File;
+import java.util.ArrayList;
+import java.util.List;
 
 import static org.junit.Assert.assertEquals;
 import static org.junit.Assert.assertTrue;
@@ -113,4 +115,14 @@ public class JarAnalyzerTest extends BaseTest {
         assertEquals(expResult, result);
     }
 
+    @Test
+    public void testParseManifest() throws Exception {
+        File file = BaseTest.getResourceAsFile(this, "xalan-2.7.0.jar");
+        Dependency result = new Dependency(file);
+        JarAnalyzer instance = new JarAnalyzer();
+        List<JarAnalyzer.ClassNameInformation> cni = new ArrayList<JarAnalyzer.ClassNameInformation>();
+        instance.parseManifest(result, cni);
+
+        assertTrue(result.getVersionEvidence().getEvidence("manifest: org/apache/xalan/").size() > 0);
+    }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/NodePackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for NodePackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class NodePackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/OpenSSLAnalyzerTest.java

@@ -32,7 +32,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for OpenSSLAnalyzerAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class OpenSSLAnalyzerTest extends BaseTest {
 
@@ -84,22 +84,15 @@ public class OpenSSLAnalyzerTest extends BaseTest {
 
     @Test
     public void testVersionConstantExamples() {
-        final long[] constants = {0x1000203fL
-                , 0x00903000
-                , 0x00903001
-                , 0x00903002l
-                , 0x0090300f
-                , 0x0090301f
-                , 0x0090400f
-                , 0x102031af};
+        final long[] constants = {0x1000203fL, 0x00903000, 0x00903001, 0x00903002l, 0x0090300f, 0x0090301f, 0x0090400f, 0x102031af};
         final String[] versions = {"1.0.2c",
-                "0.9.3-dev",
-                "0.9.3-beta1",
-                "0.9.3-beta2",
-                "0.9.3",
-                "0.9.3a",
-                "0.9.4",
-                "1.2.3z"};
+            "0.9.3-dev",
+            "0.9.3-beta1",
+            "0.9.3-beta2",
+            "0.9.3",
+            "0.9.3a",
+            "0.9.4",
+            "1.2.3z"};
         assertEquals(constants.length, versions.length);
         for (int i = 0; i < constants.length; i++) {
             assertEquals(versions[i], OpenSSLAnalyzer.getOpenSSLVersion(constants[i]));

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonDistributionAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonDistributionAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonDistributionAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/PythonPackageAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.assertTrue;
 /**
  * Unit tests for PythonPackageAnalyzer.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class PythonPackageAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyBundleAuditAnalyzerTest.java

@@ -17,6 +17,12 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
+import static org.hamcrest.CoreMatchers.is;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+
 import org.junit.After;
 import org.junit.Assume;
 import org.junit.Before;
@@ -26,19 +32,14 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
-import java.io.File;
-
-import static org.hamcrest.CoreMatchers.is;
-import static org.hamcrest.CoreMatchers.not;
-import static org.junit.Assert.assertThat;
-
 /**
  * Unit tests for {@link RubyBundleAuditAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyBundleAuditAnalyzerTest extends BaseTest {
 
@@ -56,14 +57,9 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @Before
     public void setUp() throws Exception {
-        try {
-            analyzer = new RubyBundleAuditAnalyzer();
-            analyzer.setFilesMatched(true);
-            analyzer.initialize();
-        } catch (Exception e) {
-            //LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Tests will be incomplete", e);
-            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed. Tests will be incomplete", e);
-        }
+    	Settings.initialize();
+        analyzer = new RubyBundleAuditAnalyzer();
+        analyzer.setFilesMatched(true);
     }
 
     /**
@@ -73,6 +69,7 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @After
     public void tearDown() throws Exception {
+    	Settings.cleanup();
         analyzer.close();
         analyzer = null;
     }
@@ -100,10 +97,44 @@ public class RubyBundleAuditAnalyzerTest extends BaseTest {
      */
     @Test
     public void testAnalysis() throws AnalysisException, DatabaseException {
-        final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
-                "ruby/vulnerable/Gemfile.lock"));
-        final Engine engine = new Engine();
-        analyzer.analyze(result, engine);
-        assertThat(engine.getDependencies().size(), is(not(0)));
+    	try {
+            analyzer.initialize();
+
+            final Dependency result = new Dependency(BaseTest.getResourceAsFile(this,
+                    "ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock"));
+            final Engine engine = new Engine();
+            analyzer.analyze(result, engine);
+            int size = engine.getDependencies().size();
+            assertThat(size, is(1));
+            
+            Dependency dependency = engine.getDependencies().get(0);
+            assertTrue(dependency.getProductEvidence().toString().toLowerCase().contains("redcarpet"));
+            assertTrue(dependency.getVersionEvidence().toString().toLowerCase().contains("2.2.2"));
+            
+        } catch (Exception e) {
+            LOGGER.warn("Exception setting up RubyBundleAuditAnalyzer. Make sure Ruby gem bundle-audit is installed. You may also need to set property \"analyzer.bundle.audit.path\".", e);
+            Assume.assumeNoException("Exception setting up RubyBundleAuditAnalyzer; bundle audit may not be installed, or property \"analyzer.bundle.audit.path\" may not be set.", e);
+        }
+    }
+
+    /**
+     * Test when Ruby bundle-audit is not available on the system.
+     *
+     * @throws AnalysisException is thrown when an exception occurs.
+     */
+    @Test
+    public void testMissingBundleAudit() throws AnalysisException, DatabaseException {
+    	//set a non-exist bundle-audit
+        Settings.setString(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, "phantom-bundle-audit");
+        try {
+            //initialize should fail.
+			analyzer.initialize();
+		} catch (Exception e) {
+			//expected, so ignore.
+		}
+        finally {
+	        assertThat(analyzer.isEnabled(), is(false));
+			LOGGER.info("phantom-bundle-audit is not available. Ruby Bundle Audit Analyzer is disabled as expected.");
+        }
     }
 }

dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/RubyGemspecAnalyzerTest.java

@@ -33,7 +33,7 @@ import static org.junit.Assert.*;
 /**
  * Unit tests for {@link RubyGemspecAnalyzer}.
  *
- * @author Dale Visser <dvisser@ida.org>
+ * @author Dale Visser
  */
 public class RubyGemspecAnalyzerTest extends BaseTest {
 

dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/nvd/DownloadTaskTest.java

@@ -17,47 +17,30 @@
  */
 package org.owasp.dependencycheck.data.update.nvd;
 
-import org.owasp.dependencycheck.data.update.nvd.ProcessTask;
-import org.owasp.dependencycheck.data.update.nvd.DownloadTask;
+import java.io.File;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import org.junit.After;
 import org.junit.AfterClass;
+import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertNull;
+import static org.junit.Assert.assertTrue;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
+import org.owasp.dependencycheck.BaseTest;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
-import org.owasp.dependencycheck.data.update.nvd.NvdCveInfo;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
  *
  * @author Jeremy Long
  */
-public class DownloadTaskTest {
+public class DownloadTaskTest extends BaseTest {
 
     public DownloadTaskTest() {
     }
 
-    @BeforeClass
-    public static void setUpClass() {
-    }
-
-    @AfterClass
-    public static void tearDownClass() {
-    }
-
-    @Before
-    public void setUp() {
-        Settings.initialize();
-    }
-
-    @After
-    public void tearDown() {
-        Settings.cleanup();
-    }
-
     /**
      * Test of call method, of class DownloadTask.
      */
@@ -74,4 +57,16 @@ public class DownloadTaskTest {
         Future<ProcessTask> result = instance.call();
         assertNull(result);
     }
+
+    /**
+     * Test of isXml(file).
+     */
+    @Test
+    public void testIsXML() {
+        File f = getResourceAsFile(this, "nvdcve-modified.xml");
+        assertTrue(DownloadTask.isXml(f));
+        f = getResourceAsFile(this, "file.tar.gz");
+        assertFalse(DownloadTask.isXml(f));
+
+    }
 }

dependency-check-core/src/test/resources/dependencycheck.properties

@@ -100,3 +100,5 @@ analyzer.nexus.enabled=false
 #whether the nexus analyzer uses the proxy
 analyzer.nexus.proxy=true
 
+#Use your own bundle-audit install directory.
+#analyzer.bundle.audit.path=/usr/local/bin/bundle-audit

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile

@@ -0,0 +1,102 @@
+source 'https://rubygems.org'
+
+gemspec
+
+# This needs to be with require false as it is
+# loaded after loading the test library to
+# ensure correct loading order
+gem 'mocha', '~> 0.14', require: false
+
+gem 'rack-cache', '~> 1.2'
+gem 'jquery-rails', '~> 3.1.0'
+gem 'turbolinks'
+gem 'coffee-rails', '~> 4.0.0'
+
+gem 'sprockets', '~> 3.0.0.rc.1'
+
+# require: false so bcrypt is loaded only when has_secure_password is used.
+# This is to avoid ActiveModel (and by extension the entire framework)
+# being dependent on a binary library.
+gem 'bcrypt', '~> 3.1.7', require: false
+
+# This needs to be with require false to avoid
+# it being automatically loaded by sprockets
+gem 'uglifier', '>= 1.3.0', require: false
+
+group :doc do
+  gem 'sdoc', '~> 0.4.0'
+  gem 'redcarpet', '~> 2.2.2', platforms: :ruby
+  gem 'w3c_validators'
+  gem 'kindlerb', '0.1.1'
+  gem 'mustache', '~> 0.99.8'
+end
+
+# AS
+gem 'dalli', '>= 2.2.1'
+
+# Add your own local bundler stuff
+local_gemfile = File.dirname(__FILE__) + "/.Gemfile"
+instance_eval File.read local_gemfile if File.exist? local_gemfile
+
+group :test do
+  # FIX: Our test suite isn't ready to run in random order yet
+  gem 'minitest', '< 5.3.4'
+
+  platforms :mri_19 do
+    gem 'ruby-prof', '~> 0.11.2'
+  end
+
+  # platforms :mri_19, :mri_20 do
+  #   gem 'debugger'
+  # end
+
+  platforms :mri do
+    gem 'stackprof'
+  end
+
+  gem 'benchmark-ips'
+end
+
+platforms :ruby do
+  gem 'nokogiri', '>= 1.4.5'
+
+  # Needed for compiling the ActionDispatch::Journey parser
+  gem 'racc', '>=1.4.6', require: false
+
+  # AR
+  gem 'sqlite3', '~> 1.3.6'
+
+  group :db do
+    gem 'pg', '>= 0.11.0'
+    gem 'mysql', '>= 2.9.0'
+    gem 'mysql2', '>= 0.3.13', '< 0.4'
+  end
+end
+
+platforms :jruby do
+  gem 'json'
+  if ENV['AR_JDBC']
+    gem 'activerecord-jdbcsqlite3-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+      gem 'activerecord-jdbcpostgresql-adapter', github: 'jruby/activerecord-jdbc-adapter', branch: 'master'
+    end
+  else
+    gem 'activerecord-jdbcsqlite3-adapter', '>= 1.3.0'
+    group :db do
+      gem 'activerecord-jdbcmysql-adapter', '>= 1.3.0'
+      gem 'activerecord-jdbcpostgresql-adapter', '>= 1.3.0'
+    end
+  end
+end
+
+# gems that are necessary for ActiveRecord tests with Oracle database
+if ENV['ORACLE_ENHANCED']
+  platforms :ruby do
+    gem 'ruby-oci8', '>= 2.0.4'
+  end
+  gem 'activerecord-oracle_enhanced-adapter', github: 'rsim/oracle-enhanced', branch: 'master'
+end
+
+# A gem necessary for ActiveRecord tests with IBM DB
+gem 'ibm_db' if ENV['IBM_DB']

dependency-check-core/src/test/resources/ruby/vulnerable/gems/rails-4.1.15/Gemfile.lock

@@ -0,0 +1,154 @@
+PATH
+  remote: .
+  specs:
+    actionmailer (4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      mail (~> 2.5, >= 2.5.4)
+    actionpack (4.1.15)
+      actionview (= 4.1.15)
+      activesupport (= 4.1.15)
+      rack (~> 1.5.2)
+      rack-test (~> 0.6.2)
+    actionview (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+    activemodel (4.1.15)
+      activesupport (= 4.1.15)
+      builder (~> 3.1)
+    activerecord (4.1.15)
+      activemodel (= 4.1.15)
+      activesupport (= 4.1.15)
+      arel (~> 5.0.0)
+    activesupport (4.1.15)
+      i18n (~> 0.6, >= 0.6.9)
+      json (~> 1.7, >= 1.7.7)
+      minitest (~> 5.1)
+      thread_safe (~> 0.1)
+      tzinfo (~> 1.1)
+    rails (4.1.15)
+      actionmailer (= 4.1.15)
+      actionpack (= 4.1.15)
+      actionview (= 4.1.15)
+      activemodel (= 4.1.15)
+      activerecord (= 4.1.15)
+      activesupport (= 4.1.15)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 4.1.15)
+      sprockets-rails (~> 2.0)
+    railties (4.1.15)
+      actionpack (= 4.1.15)
+      activesupport (= 4.1.15)
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    arel (5.0.1.20140414130214)
+    bcrypt (3.1.10)
+    benchmark-ips (2.3.0)
+    builder (3.2.2)
+    coffee-rails (4.0.1)
+      coffee-script (>= 2.2.0)
+      railties (>= 4.0.0, < 5.0)
+    coffee-script (2.4.1)
+      coffee-script-source
+      execjs
+    coffee-script-source (1.10.0)
+    dalli (2.7.5)
+    erubis (2.7.0)
+    execjs (2.6.0)
+    i18n (0.7.0)
+    jquery-rails (3.1.4)
+      railties (>= 3.0, < 5.0)
+      thor (>= 0.14, < 2.0)
+    json (1.8.3)
+    kindlerb (0.1.1)
+      mustache
+      nokogiri
+    mail (2.6.3)
+      mime-types (>= 1.16, < 3)
+    metaclass (0.0.4)
+    mime-types (2.99.1)
+    mini_portile2 (2.0.0)
+    minitest (5.3.3)
+    mocha (0.14.0)
+      metaclass (~> 0.0.1)
+    mustache (0.99.8)
+    mysql (2.9.1)
+    mysql2 (0.3.20)
+    nokogiri (1.6.7.2)
+      mini_portile2 (~> 2.0.0.rc2)
+    pg (0.18.4)
+    racc (1.4.14)
+    rack (1.5.5)
+    rack-cache (1.5.1)
+      rack (>= 0.4)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rake (10.5.0)
+    rdoc (4.2.1)
+    redcarpet (2.2.2)
+    ruby-prof (0.11.3)
+    sdoc (0.4.1)
+      json (~> 1.7, >= 1.7.7)
+      rdoc (~> 4.0)
+    sprockets (3.0.3)
+      rack (~> 1.0)
+    sprockets-rails (2.3.3)
+      actionpack (>= 3.0)
+      activesupport (>= 3.0)
+      sprockets (>= 2.8, < 4.0)
+    sqlite3 (1.3.11)
+    stackprof (0.2.8)
+    thor (0.19.1)
+    thread_safe (0.3.5)
+    turbolinks (2.5.3)
+      coffee-rails
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    uglifier (2.7.2)
+      execjs (>= 0.3.0)
+      json (>= 1.8.0)
+    w3c_validators (1.2)
+      json
+      nokogiri
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  activerecord-jdbcmysql-adapter (>= 1.3.0)
+  activerecord-jdbcpostgresql-adapter (>= 1.3.0)
+  activerecord-jdbcsqlite3-adapter (>= 1.3.0)
+  bcrypt (~> 3.1.7)
+  benchmark-ips
+  coffee-rails (~> 4.0.0)
+  dalli (>= 2.2.1)
+  jquery-rails (~> 3.1.0)
+  json
+  kindlerb (= 0.1.1)
+  minitest (< 5.3.4)
+  mocha (~> 0.14)
+  mustache (~> 0.99.8)
+  mysql (>= 2.9.0)
+  mysql2 (>= 0.3.13, < 0.4)
+  nokogiri (>= 1.4.5)
+  pg (>= 0.11.0)
+  racc (>= 1.4.6)
+  rack-cache (~> 1.2)
+  rails!
+  redcarpet (~> 2.2.2)
+  ruby-prof (~> 0.11.2)
+  sdoc (~> 0.4.0)
+  sprockets (~> 3.0.0.rc.1)
+  sqlite3 (~> 1.3.6)
+  stackprof
+  turbolinks
+  uglifier (>= 1.3.0)
+  w3c_validators
+
+BUNDLED WITH
+   1.11.2

dependency-check-maven/pom.xml

@@ -20,12 +20,11 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-maven</artifactId>
     <packaging>maven-plugin</packaging>
-
     <name>Dependency-Check Maven Plugin</name>
     <description>dependency-check-maven is a Maven Plugin that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The plugin will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
     <inceptionYear>2013</inceptionYear>
@@ -88,6 +87,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/AggregateMojo.java

@@ -64,12 +64,13 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
     public void runCheck() throws MojoExecutionException, MojoFailureException {
         final Engine engine = generateDataFile();
 
-        if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        //if (getProject() == getReactorProjects().get(getReactorProjects().size() - 1)) {
+        if (getProject() == getLastProject()) {
 
             //ensure that the .ser file was created for each.
             for (MavenProject current : getReactorProjects()) {
                 final File dataFile = getDataFile(current);
-                if (dataFile == null) { //dc was never run on this project. write the ser to the target.
+                if (dataFile == null && !skipProject(current)) { //dc was never run on this project. write the ser to the target.
                     getLog().error(String.format("Module '%s' did not execute dependency-check; an attempt will be made to perform "
                             + "the check but dependencies may be missed resulting in false negatives.", current.getName()));
                     generateDataFile(engine, current);
@@ -124,6 +125,33 @@ public class AggregateMojo extends BaseDependencyCheckMojo {
         Settings.cleanup();
     }
 
+    /**
+     * Gets the last project in the reactor - taking into account skipped projects.
+     *
+     * @return the last project in the reactor
+     */
+    private MavenProject getLastProject() {
+        for (int x = getReactorProjects().size() - 1; x >= 0; x--) {
+            final MavenProject p = getReactorProjects().get(x);
+            if (!skipProject(p)) {
+                return p;
+            }
+
+        }
+        return null;
+    }
+
+    /**
+     * Tests if the project is being skipped in the Maven site report.
+     *
+     * @param project a project in the reactor
+     * @return true if the project is skipped; otherwise false
+     */
+    private boolean skipProject(MavenProject project) {
+        final String skip = (String) project.getProperties().get("maven.site.skip");
+        return "true".equalsIgnoreCase(skip) && isGeneratingSite();
+    }
+
     /**
      * Returns a set containing all the descendant projects of the given project.
      *

dependency-check-maven/src/main/java/org/owasp/dependencycheck/maven/BaseDependencyCheckMojo.java

@@ -24,7 +24,6 @@ import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.io.InputStream;
-import java.io.ObjectInputStream;
 import java.io.ObjectOutputStream;
 import java.util.List;
 import java.util.Locale;
@@ -49,6 +48,7 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.utils.ExpectedOjectInputStream;
 import org.owasp.dependencycheck.utils.Settings;
 import org.sonatype.plexus.components.sec.dispatcher.DefaultSecDispatcher;
 import org.sonatype.plexus.components.sec.dispatcher.SecDispatcher;
@@ -387,6 +387,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      */
     @Override
     public void execute() throws MojoExecutionException, MojoFailureException {
+        generatingSite = false;
         if (skip) {
             getLog().info("Skipping " + getName(Locale.US));
         } else {
@@ -424,6 +425,20 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         generate((Sink) sink, locale);
     }
 
+    /**
+     * A flag indicating whether or not the maven site is being generated.
+     */
+    private boolean generatingSite = false;
+
+    /**
+     * Returns true if the Maven site is being generated.
+     *
+     * @return true if the Maven site is being generated
+     */
+    protected boolean isGeneratingSite() {
+        return generatingSite;
+    }
+
     /**
      * Generates the Dependency-Check Site Report.
      *
@@ -432,6 +447,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
      * @throws MavenReportException if a maven report exception occurs
      */
     public void generate(Sink sink, Locale locale) throws MavenReportException {
+        generatingSite = true;
         try {
             validateAggregate();
         } catch (MojoExecutionException ex) {
@@ -667,6 +683,7 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
             final String password = proxy.getPassword();
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_USERNAME, userName);
             Settings.setStringIfNotNull(Settings.KEYS.PROXY_PASSWORD, password);
+            Settings.setStringIfNotNull(Settings.KEYS.PROXY_NON_PROXY_HOSTS, proxy.getNonProxyHosts());
         }
 
         Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
@@ -1034,9 +1051,27 @@ public abstract class BaseDependencyCheckMojo extends AbstractMojo implements Ma
         }
         List<Dependency> ret = null;
         final String path = (String) oPath;
-        ObjectInputStream ois = null;
+        //ObjectInputStream ois = null;
+        ExpectedOjectInputStream ois = null;
         try {
-            ois = new ObjectInputStream(new FileInputStream(path));
+            //ois = new ObjectInputStream(new FileInputStream(path));
+            ois = new ExpectedOjectInputStream(new FileInputStream(path),
+                    "java.util.ArrayList",
+                    "java.util.HashSet",
+                    "java.util.TreeSet",
+                    "java.lang.AbstractSet",
+                    "java.lang.AbstractCollection",
+                    "java.lang.Enum",
+                    "org.owasp.dependencycheck.dependency.Confidence",
+                    "org.owasp.dependencycheck.dependency.Dependency",
+                    "org.owasp.dependencycheck.dependency.Evidence",
+                    "org.owasp.dependencycheck.dependency.EvidenceCollection",
+                    "org.owasp.dependencycheck.dependency.Identifier",
+                    "org.owasp.dependencycheck.dependency.Reference",
+                    "org.owasp.dependencycheck.dependency.Vulnerability",
+                    "org.owasp.dependencycheck.dependency.VulnerabilityComparator",
+                    "org.owasp.dependencycheck.dependency.VulnerableSoftware",
+                    "org.owasp.dependencycheck.data.cpe.IndexEntry");
             ret = (List<Dependency>) ois.readObject();
         } catch (FileNotFoundException ex) {
             //TODO fix logging

dependency-check-maven/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,8 +23,8 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of {@link org.slf4j.LoggerFactory} class with an actual instance of {@link ILoggerFactory} is performed using
- * information returned by this class.
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
+ * returned by this class.
  *
  * @author colezlaw
  */

dependency-check-maven/src/site/markdown/configuration.md

@@ -3,7 +3,7 @@ Goals
 
 Goal        | Description
 ------------|-----------------------
-aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report.
+aggregate   | Runs dependency-check against the child projects and aggregates the results into a single report. **Warning**: if the aggregate goal is used within the site reporting a blank report will likely be present for any goal beyond site:site (i.e. site:stage or site:deploy will likely result in blank reports being staged or deployed); however, site:site will work. See issue [#325](https://github.com/jeremylong/DependencyCheck/issues/325) for more information.
 check       | Runs dependency-check against the project and generates a report.
 update-only | Updates the local cache of the NVD data from NIST.
 purge       | Deletes the local copy of the NVD. This is used to force a refresh of the data.

dependency-check-maven/src/site/markdown/index.md.vm

@@ -156,8 +156,8 @@ Create the DependencyCheck-report.html and use internal mirroring of CVE content
                 <artifactId>dependency-check-maven</artifactId>
                 <version>${project.version}</version>
                 <configuration>
-                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-modified.xml</cveUrl12Modified>
-                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-modified.xml</cveUrl20Modified>
+                    <cveUrl12Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-Modified.xml.gz</cveUrl12Modified>
+                    <cveUrl20Modified>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-Modified.xml.gz</cveUrl20Modified>
                     <cveUrl12Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-%d.xml</cveUrl12Base>
                     <cveUrl20Base>http://internal-mirror.mycorp.com/downloads/nist/nvdcve-2.0-%d.xml</cveUrl20Base>
                 </configuration>

dependency-check-utils/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.4</version>
+        <version>1.3.6</version>
     </parent>
 
     <artifactId>dependency-check-utils</artifactId>
@@ -77,6 +77,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-surefire-plugin</artifactId>
                 <configuration>
+                    <argLine>-Dfile.encoding=UTF-8</argLine>
                     <systemProperties>
                         <property>
                             <name>data.directory</name>
@@ -139,6 +140,10 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
             <groupId>commons-io</groupId>
             <artifactId>commons-io</artifactId>
         </dependency>
+        <dependency>
+            <groupId>org.apache.commons</groupId>
+            <artifactId>commons-lang3</artifactId>
+        </dependency>
         <dependency>
             <groupId>org.slf4j</groupId>
             <artifactId>slf4j-api</artifactId>

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Downloader.java

@@ -33,8 +33,6 @@ import java.util.zip.GZIPInputStream;
 import java.util.zip.InflaterInputStream;
 
 import static java.lang.String.format;
-import static org.owasp.dependencycheck.utils.Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP;
-import static org.owasp.dependencycheck.utils.Settings.getBoolean;
 
 /**
  * A utility to download files from the Internet.
@@ -243,6 +241,16 @@ public final class Downloader {
                 throw new DownloadFailedException(format("Error creating URL Connection for HTTP %s request.", httpMethod), ex);
             } catch (IOException ex) {
                 analyzeException(ex);
+                try {
+                    //retry
+                    if (!Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP)) {
+                        Settings.setBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+                        return getLastModified(url);
+                    }
+                } catch (InvalidSettingException ex1) {
+                    LOGGER.debug("invalid setting?", ex);
+                }
+
                 throw new DownloadFailedException(format("Error making HTTP %s request.", httpMethod), ex);
             } finally {
                 if (conn != null) {
@@ -300,7 +308,7 @@ public final class Downloader {
         boolean quickQuery;
 
         try {
-            quickQuery = getBoolean(DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
+            quickQuery = Settings.getBoolean(Settings.KEYS.DOWNLOADER_QUICK_QUERY_TIMESTAMP, true);
         } catch (InvalidSettingException e) {
             quickQuery = true;
         }

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStream.java

@@ -0,0 +1,70 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.IOException;
+import java.io.InputStream;
+import java.io.InvalidClassException;
+import java.io.ObjectInputStream;
+import java.io.ObjectStreamClass;
+import java.util.ArrayList;
+import java.util.Arrays;
+import java.util.List;
+
+/**
+ * An ObjectInputStream that will only deserialize expected classes.
+ *
+ * @author Jeremy Long
+ */
+public class ExpectedOjectInputStream extends ObjectInputStream {
+
+    /**
+     * The list of fully qualified class names that are able to be deserialized.
+     */
+    private List<String> expected = new ArrayList<String>();
+
+    /**
+     * Constructs a new ExpectedOjectInputStream that can be used to securely deserialize an object by restricting the classes
+     * that can deserialized to a known set of expected classes.
+     *
+     * @param inputStream the input stream that contains the object to deserialize
+     * @param expected the fully qualified class names of the classes that can be deserialized
+     * @throws IOException thrown if there is an error reading from the stream
+     */
+    public ExpectedOjectInputStream(InputStream inputStream, String... expected) throws IOException {
+        super(inputStream);
+        this.expected.addAll(Arrays.asList(expected));
+    }
+
+    /**
+     * Only deserialize instances of expected classes by validating the class name prior to deserialization.
+     *
+     * @param desc the class from the object stream to validate
+     * @return the resolved class
+     * @throws java.io.IOException thrown if the class being read is not one of the expected classes or if there is an error
+     * reading from the stream
+     * @throws java.lang.ClassNotFoundException thrown if there is an error finding the class to deserialize
+     */
+    @Override
+    protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
+        if (!this.expected.contains(desc.getName())) {
+            throw new InvalidClassException("Unexpected deserialization ", desc.getName());
+        }
+        return super.resolveClass(desc);
+    }
+}

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/Settings.java

@@ -165,6 +165,10 @@ public final class Settings {
          * The properties key for the proxy password.
          */
         public static final String PROXY_PASSWORD = "proxy.password";
+        /**
+         * The properties key for the non proxy hosts.
+         */
+        public static final String PROXY_NON_PROXY_HOSTS = "proxy.nonproxyhosts";
         /**
          * The properties key for the connection timeout.
          */
@@ -523,8 +527,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * file.<br><br>
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
      * @throws FileNotFoundException is thrown when the filePath points to a non-existent file
@@ -548,7 +552,7 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
+     * file.<br><br>
      * Note: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param filePath the path to the properties file to merge.
@@ -573,8 +577,8 @@ public final class Settings {
 
     /**
      * Merges a new properties file into the current properties. This method allows for the loading of a user provided properties
-     * file.<br/><br/>
-     * Note: even if using this method - system properties will be loaded before properties loaded from files.
+     * file.<br><br>
+     * <b>Note</b>: even if using this method - system properties will be loaded before properties loaded from files.
      *
      * @param stream an Input Stream pointing at a properties file to merge
      * @throws IOException is thrown when there is an exception loading/merging the properties
@@ -739,7 +743,9 @@ public final class Settings {
         try {
             value = Integer.parseInt(Settings.getString(key));
         } catch (NumberFormatException ex) {
-            LOGGER.trace("Could not convert property '{}' to an int.", key, ex);
+            if (!Settings.getString(key, "").isEmpty()) {
+                LOGGER.debug("Could not convert property '{}={}' to an int; using {} instead.", key, Settings.getString(key), defaultValue);
+            }
             value = defaultValue;
         }
         return value;

dependency-check-utils/src/main/java/org/owasp/dependencycheck/utils/URLConnectionFactory.java

@@ -18,6 +18,8 @@
 package org.owasp.dependencycheck.utils;
 
 import edu.umd.cs.findbugs.annotations.SuppressFBWarnings;
+import org.apache.commons.lang3.StringUtils;
+
 import java.io.IOException;
 import java.net.Authenticator;
 import java.net.HttpURLConnection;
@@ -53,13 +55,15 @@ public final class URLConnectionFactory {
     public static HttpURLConnection createHttpURLConnection(URL url) throws URLConnectionFailureException {
         HttpURLConnection conn = null;
         final String proxyUrl = Settings.getString(Settings.KEYS.PROXY_SERVER);
+
         try {
-            if (proxyUrl != null) {
+            if (proxyUrl != null && !matchNonProxy(url)) {
                 final int proxyPort = Settings.getInt(Settings.KEYS.PROXY_PORT);
                 final SocketAddress address = new InetSocketAddress(proxyUrl, proxyPort);
 
                 final String username = Settings.getString(Settings.KEYS.PROXY_USERNAME);
                 final String password = Settings.getString(Settings.KEYS.PROXY_PASSWORD);
+
                 if (username != null && password != null) {
                     final Authenticator auth = new Authenticator() {
                         @Override
@@ -94,6 +98,47 @@ public final class URLConnectionFactory {
         return conn;
     }
 
+    /**
+     * Check if hostname matches nonProxy settings
+     *
+     * @param url the url to connect to
+     * @return matching result. true: match nonProxy
+     */
+    private static boolean matchNonProxy(final URL url) {
+        final String host = url.getHost();
+
+        // code partially from org.apache.maven.plugins.site.AbstractDeployMojo#getProxyInfo
+        final String nonProxyHosts = Settings.getString(Settings.KEYS.PROXY_NON_PROXY_HOSTS);
+        if (null != nonProxyHosts) {
+            final String[] nonProxies = nonProxyHosts.split("(,)|(;)|(\\|)");
+            for (final String nonProxyHost : nonProxies) {
+                //if ( StringUtils.contains( nonProxyHost, "*" ) )
+                if (null != nonProxyHost && nonProxyHost.contains("*")) {
+                    // Handle wildcard at the end, beginning or middle of the nonProxyHost
+                    final int pos = nonProxyHost.indexOf('*');
+                    final String nonProxyHostPrefix = nonProxyHost.substring(0, pos);
+                    final String nonProxyHostSuffix = nonProxyHost.substring(pos + 1);
+                    // prefix*
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && StringUtils.isEmpty(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // *suffix
+                    if (StringUtils.isEmpty(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix) && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                    // prefix*suffix
+                    if (!StringUtils.isEmpty(nonProxyHostPrefix) && host.startsWith(nonProxyHostPrefix) && !StringUtils.isEmpty(nonProxyHostSuffix)
+                            && host.endsWith(nonProxyHostSuffix)) {
+                        return true;
+                    }
+                } else if (host.equals(nonProxyHost)) {
+                    return true;
+                }
+            }
+        }
+        return false;
+    }
+
     /**
      * Utility method to create an HttpURLConnection. The use of a proxy here is optional as there may be cases where a proxy is
      * configured but we don't want to use it (for example, if there's an internal repository configured)

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/ExpectedOjectInputStreamTest.java

@@ -0,0 +1,96 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.BufferedOutputStream;
+import java.io.ByteArrayInputStream;
+import java.io.ByteArrayOutputStream;
+import java.io.ObjectOutputStream;
+import java.util.ArrayList;
+import java.util.List;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+
+/**
+ *
+ * @author jeremy
+ */
+public class ExpectedOjectInputStreamTest {
+
+    public ExpectedOjectInputStreamTest() {
+    }
+
+    @BeforeClass
+    public static void setUpClass() {
+    }
+
+    @AfterClass
+    public static void tearDownClass() {
+    }
+
+    @Before
+    public void setUp() {
+    }
+
+    @After
+    public void tearDown() {
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test
+    public void testResolveClass() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo", "java.lang.Integer", "java.lang.Number");
+        instance.readObject();
+    }
+
+    /**
+     * Test of resolveClass method, of class ExpectedOjectInputStream.
+     */
+    @Test(expected = java.io.InvalidClassException.class)
+    public void testResolveClassException() throws Exception {
+        List<SimplePojo> data = new ArrayList<SimplePojo>();
+        data.add(new SimplePojo());
+
+        ByteArrayOutputStream mem = new ByteArrayOutputStream();
+        ObjectOutputStream out = new ObjectOutputStream(new BufferedOutputStream(mem));
+        out.writeObject(data);
+        out.flush();
+        byte[] buf = mem.toByteArray();
+        out.close();
+        ByteArrayInputStream in = new ByteArrayInputStream(buf);
+
+        ExpectedOjectInputStream instance = new ExpectedOjectInputStream(in, "java.util.ArrayList", "org.owasp.dependencycheck.utils.SimplePojo");
+        instance.readObject();
+    }
+}

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SettingsTest.java

@@ -139,6 +139,18 @@ public class SettingsTest extends BaseTest {
         Assert.assertEquals(expResult, result);
     }
 
+    /**
+     * Test of getInt method, of class Settings.
+     */
+    @Test
+    public void testGetIntDefault() throws InvalidSettingException {
+        String key = "SomeKey";
+        int expResult = 85;
+        Settings.setString(key, "blue");
+        int result = Settings.getInt(key, expResult);
+        Assert.assertEquals(expResult, result);
+    }
+
     /**
      * Test of getLong method, of class Settings.
      */

dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/SimplePojo.java

@@ -0,0 +1,29 @@
+/*
+ * Copyright 2016 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck.utils;
+
+import java.io.Serializable;
+
+/**
+ * Simple pojo used to test the ExpectedObjectInputStream.
+ *
+ * @author jeremy
+ */
+public class SimplePojo implements Serializable {
+
+    public String s = "3";
+    public Integer i = 3;
+}

pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
 
     <groupId>org.owasp</groupId>
     <artifactId>dependency-check-parent</artifactId>
-    <version>1.3.4</version>
+    <version>1.3.6</version>
     <packaging>pom</packaging>
 
     <modules>
@@ -125,8 +125,8 @@ Copyright (c) 2012 - Jeremy Long
         <!-- new versions of lucene are compiled with JDK 1.7 and cannot be used ubiquitously in Jenkins
         thus, we cannot upgrade beyond 4.7.2 -->
         <apache.lucene.version>4.7.2</apache.lucene.version>
-        <slf4j.version>1.7.13</slf4j.version>
-        <logback.version>1.1.3</logback.version>
+        <slf4j.version>1.7.21</slf4j.version>
+        <logback.version>1.1.7</logback.version>
         <reporting.checkstyle-plugin.version>2.17</reporting.checkstyle-plugin.version>
         <reporting.cobertura-plugin.version>2.7</reporting.cobertura-plugin.version>
         <reporting.pmd-plugin.version>3.6</reporting.pmd-plugin.version>
@@ -175,7 +175,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-compiler-plugin</artifactId>
-                    <version>3.3</version>
+                    <version>3.5.1</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -225,7 +225,7 @@ Copyright (c) 2012 - Jeremy Long
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
                     <artifactId>maven-site-plugin</artifactId>
-                    <version>3.4</version>
+                    <version>3.5</version>
                 </plugin>
                 <plugin>
                     <groupId>org.apache.maven.plugins</groupId>
@@ -335,7 +335,7 @@ Copyright (c) 2012 - Jeremy Long
                     <dependency>
                         <groupId>org.apache.maven.doxia</groupId>
                         <artifactId>doxia-module-markdown</artifactId>
-                        <version>1.6</version>
+                        <version>1.7</version>
                     </dependency>
                 </dependencies>
                 <configuration>
@@ -445,7 +445,7 @@ Copyright (c) 2012 - Jeremy Long
             <plugin>
                 <groupId>org.apache.maven.plugins</groupId>
                 <artifactId>maven-project-info-reports-plugin</artifactId>
-                <version>2.8.1</version>
+                <version>2.9</version>
                 <reportSets>
                     <reportSet>
                         <reports>
@@ -589,7 +589,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.apache.commons</groupId>
                 <artifactId>commons-compress</artifactId>
-                <version>1.10</version>
+                <version>1.11</version>
             </dependency>
             <dependency>
                 <groupId>org.apache.ant</groupId>
@@ -636,11 +636,6 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-settings</artifactId>
                 <version>3.3.3</version>
             </dependency>
-            <dependency>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-site-plugin</artifactId>
-                <version>3.4</version>
-            </dependency>
             <dependency>
                 <groupId>org.apache.maven.plugin-testing</groupId>
                 <artifactId>maven-plugin-testing-harness</artifactId>
@@ -656,6 +651,12 @@ Copyright (c) 2012 - Jeremy Long
                 <artifactId>maven-reporting-api</artifactId>
                 <version>3.0</version>
             </dependency>
+            <!-- Upgrading transitive commons-collections-3.2.1 from velocity-1.7. -->
+            <dependency>
+                <groupId>commons-collections</groupId>
+                <artifactId>commons-collections</artifactId>
+                <version>3.2.2</version>
+            </dependency>
             <dependency>
                 <groupId>org.apache.velocity</groupId>
                 <artifactId>velocity</artifactId>
@@ -680,7 +681,7 @@ Copyright (c) 2012 - Jeremy Long
             <dependency>
                 <groupId>org.jmockit</groupId>
                 <artifactId>jmockit</artifactId>
-                <version>1.21</version>
+                <version>1.22</version>
                 <scope>test</scope>
             </dependency>
             <dependency>

src/main/config/checkstyle-checks.xml

@@ -28,9 +28,10 @@
         <property name="allowLegacy" value="false"/>
     </module>
 
-    <module name="Translation">
+    <!-- this causes a ton of noise due to how this is abused in core for dealing with database dialects.-->
+    <!--module name="Translation">
         <property name="severity" value="warning"/>
-    </module>
+    </module-->
 
     <module name="FileTabCharacter">
         <property name="eachLine" value="false"/>

src/site/markdown/dependency-check-gradle/configuration-purge.md

@@ -4,7 +4,7 @@ Tasks
 Task                                                | Description
 ----------------------------------------------------|-----------------------
 [dependencyCheck](configuration.html)               | Runs dependency-check against the project and generates a report.
-[dependencyCheckUpdate]](configuration-update.html) | Updates the local cache of the NVD data from NIST.
+[dependencyCheckUpdate](configuration-update.html)  | Updates the local cache of the NVD data from NIST.
 dependencyCheckPurge                                | Deletes the local copy of the NVD. This is used to force a refresh of the data.
 
 Configuration: dependencyCheckPurge
@@ -24,7 +24,7 @@ Config Group | Property          | Description
 -------------|-------------------|---------------------------------------------------------------------------------------------|------------------
 data         | directory         | Sets the data directory to hold SQL CVEs contents. This should generally not be changed.    |  
 
-$H$H$H$H Example
+#### Example
 ```groovy
 dependencyCheckPurge {
     data {

src/site/markdown/general/suppression.md

@@ -80,7 +80,7 @@ The full schema for suppression files can be found here: [suppression.xsd](https
 
 Please see the appropriate configuration option in each interfaces configuration guide:
 
--  [Command Line Tool](dependency-check-cli/arguments.html)
--  [Maven Plugin](dependency-check-maven/configuration.html)
--  [Ant Task](dependency-check-ant/configuration.html)
--  [Jenkins Plugin](dependency-check-jenkins/index.html)
+-  [Command Line Tool](../dependency-check-cli/arguments.html)
+-  [Maven Plugin](../dependency-check-maven/configuration.html)
+-  [Ant Task](../dependency-check-ant/configuration.html)
+-  [Jenkins Plugin](../dependency-check-jenkins/index.html)

src/site/site.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
     <skin>
         <groupId>org.apache.maven.skins</groupId>
         <artifactId>maven-fluido-skin</artifactId>
-        <version>1.4</version>
+        <version>1.5</version>
     </skin>
     <custom>
         <fluidoSkin>
@@ -65,9 +65,9 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
 
     <body>
         <head>
-            <style type="text/css">
+            <![CDATA[<style type="text/css">
                 #bannerLeft { margin-top:-20px;margin-bottom:5px !important }
-            </style>
+            </style>]]>
         </head>
         <breadcrumbs>
             <item name=" " href="#"/>