Added support for Java update version parsing.

Thanks for the PR!   Fix groovy script failure because of unescaped Windows File.separator.

.gitattributes

@@ -0,0 +1,2 @@
+*.html linguist-documentation
+(^|/)site/) linguist-documentation

.github/contributing.md

@@ -0,0 +1,34 @@
+# Contributing to OWASP dependency-check
+
+## Reporting Bugs
+
+- Ensure you're running the latest version of dependency-check.
+- Ensure the bug has not [already been reported](https://github.com/jeremylong/DependencyCheck/issues).
+- If you're unable to find an open issue addressing the problem, please [submit a new issue](https://github.com/jeremylong/DependencyCheck/issues/new).
+  - Please fill out the appropriate section of the bug report template provided. Please delete any sections not needed in the template.
+  
+## Reporting Vulnerabilities
+
+- If you believe you have found a vulnerability in dependency-check itself (not that dependency-check found a vulnerability); please email jeremy.long@owasp.org.
+
+## Asking Questions
+
+- Your question may be answered by taking a look at the [documentataion](https://jeremylong.github.io/DependencyCheck/).
+- If you still have a question consider:
+  - posting to the [Google Group](https://groups.google.com/forum/#!forum/dependency-check)
+  - opening a [new issue](https://github.com/jeremylong/DependencyCheck/issues/new)
+
+## Enhancement Requests
+
+- Suggest changes by [submitting a new issue](https://github.com/jeremylong/DependencyCheck/issues/new) and begin coding.
+
+## Contributing Code
+
+- If you have written a new feature or have fixed a bug please open a new pull request with the patch.
+- Ensure the PR description clearly describes the problem and solution. Include any related issue number(s) if applicable.
+- Please ensure the PR passes the automated checks performed (travis-ci, codacy, etc.)
+- Please consider adding test cases for any new functionality
+
+## Thank you for your contributions
+
+OWASP dependency-check team

.github/issue_template.md

@@ -0,0 +1,20 @@
+Please delete any un-needed section from the following issue template:
+
+### Reporting Bugs/Errors
+When reporting errors, 99% of the time log file output is required. Please post the log file as a [gist](https://gist.github.com/) and provide a link in the new issue.
+
+### Reporting False Positives
+When reporting a false positive please include:
+- The location of the dependency (Maven GAV, URL to download the dependency, etc.)
+- The CPE that is believed to be false positive
+  - Please report the CPE not the CVE
+
+#### Example
+False positive on library foo.jar - reported as cpe:/a:apache:tomcat:7.0
+```xml
+<dependency>
+   <groupId>org.sample</groupId>
+   <artifactId>foo</artifactId>
+   <version>1.0</version>
+</dependency>
+```

.github/pull_request_template.md

@@ -0,0 +1,9 @@
+## Fixes Issue #
+
+## Description of Change
+
+*Please add a description of the proposed change*
+
+## Have test cases been added to cover the new functionality?
+
+*yes/no*

.gitignore

@@ -1,6 +1,7 @@
 */target/**
 # IntelliJ test run side-effects
 dependency-check-core/data/
+dependency-check-ant/data/
 # Intellij project files
 *.iml
 *.ipr
@@ -15,6 +16,7 @@ maven-eclipse.xml
 .pmd
 # Netbeans configuration
 nb-configuration.xml
+**/nbproject/
 /target/
 #maven-shade-plugin generated pom
 dependency-reduced-pom.xml
@@ -26,3 +28,5 @@ _site/**
 .LCKpom.xml~
 #coverity
 /cov-int/
+/dependency-check-core/nbproject/
+cov-scan.bat

.travis.settings.xml

@@ -0,0 +1,66 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<settings xsi:schemaLocation="http://maven.apache.org/SETTINGS/1.1.0 http://maven.apache.org/xsd/settings-1.1.0.xsd" xmlns="http://maven.apache.org/SETTINGS/1.1.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <servers>
+    <server>
+      <username>${env.JFROG_USER}</username>
+      <password>${env.JFROG_PASSWORD}</password>
+      <id>release</id>
+    </server>
+    <server>
+      <username>${env.JFROG_USER}</username>
+      <password>${env.JFROG_PASSWORD}</password>
+      <id>snapshot</id>
+    </server>
+    <server>
+      <username>${env.JFROG_USER}</username>
+      <password>${env.JFROG_PASSWORD}</password>
+      <id>plugins-release</id>
+    </server>
+    <server>
+      <username>${env.JFROG_USER}</username>
+      <password>${env.JFROG_PASSWORD}</password>
+      <id>plugins-snapshot</id>
+    </server>
+  </servers>
+  <profiles>
+    <profile>
+      <repositories>
+        <repository>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+          <id>release</id>
+          <name>libs-release</name>
+          <url>https://dependencycheck.jfrog.io/dependencycheck/libs-release</url>
+        </repository>
+        <repository>
+          <snapshots />
+          <id>snapshot</id>
+          <name>libs-snapshot</name>
+          <url>https://dependencycheck.jfrog.io/dependencycheck/libs-snapshot</url>
+        </repository>
+      </repositories>
+      <pluginRepositories>
+        <pluginRepository>
+          <snapshots>
+            <enabled>false</enabled>
+          </snapshots>
+          <id>plugins-release</id>
+          <name>plugins-release</name>
+          <url>https://dependencycheck.jfrog.io/dependencycheck/plugins-release</url>
+        </pluginRepository>
+        <pluginRepository>
+          <snapshots />
+          <id>plugins-snapshot</id>
+          <name>plugins-snapshot</name>
+          <url>https://dependencycheck.jfrog.io/dependencycheck/plugins-snapshot</url>
+        </pluginRepository>
+      </pluginRepositories>
+      <id>artifactory</id>
+    </profile>
+  </profiles>
+  <activeProfiles>
+    <activeProfile>artifactory</activeProfile>
+  </activeProfiles>
+</settings>

.travis.yml

@@ -0,0 +1,78 @@
+language: java
+sudo: required
+group: deprecated-2017Q4
+
+env:
+  global:
+    - secure: "ZUzhWfpXJw/oAeDlUkDFkEJMT0T7kCN3d7ah8urkL2B0KFfKOqQagkbXkgvDa1SYud8VdcnoGa69LfkEr5IrdqW7R4bEYZAiN5swm4Z0iO8t53szVspm2f+O9jQ44O/sfOfpfLxWUUuhdc7Vbrszp+tSszxdPmssWL+f5a/mfWs="
+    - secure: "pmFymoI7qH0Kna3NkcHrqLiTVWKmrhwqA4Z9U6XLhWDQxcs5g94wCCKpGB6Lkz9mkvRxBRFpZZelnXJa9W9mnuVOMIa5tQfS5gBuaNXOe7AXXdc+Y2975OR9sSfvf16FxLFvNJILmZq+bpMLs+EXaQvjYQHW2O6OWZdLhAPVG6A="
+    - secure: "omj5HP2wKdegLYp8/a24Wsoryb92+XYWheEkxp7CzHGDJB1Y4SSr315n/na/mdgd7lr1Ac+m4stYfCrclG7be71xWs6ApF+6I5QSzplJ1fyIF5piHrmhgw6ymIf/HBdeevggJM8igD8agCOwEETYFKfPEj5wFWhNQfxYwANbpl0="
+    - secure: "FqPcda7a6rEvGVYEyWeaFP+mIhZeJ6FGSdHvVRlBL0H9I3bz6eZg50g6DH3yo1bkmTPQ94eXdDpoKihk9+CDLl0TS+Sg9W8HplG3B2U1/6Yi3vd0T8yjKZC7xf0VZO6t8AT9vpFvzQBRZe24n+6kDtp2OiBzawJhgU5t09zH6is="
+    - secure: "Bh5LAk8XQnJ885jc/Lli2fhPKDx0TNZRxcJMnNo96EgwOnD+Zhw+v3u/DMCgyyrRToM8Bkca/HktrlZaRTk2htsdKZZ3RHFMCXO0fXCgpcf+wkaSYDF/lnErpSJG3Lrz8ILxJPODsrGhjaIg2++79lwhsBYtpujc6UdxFhgpffc="
+
+addons:
+  sonarcloud:
+    organization: "odc"
+    token:
+      secure: "YVDnYmonPug885Hmr2pLWBko+rQ+oKyTUA95ry0PGGyfgs0z6kPCjmWBDVm7K4GM7NOluldWb5gLMf0QXoHGstdp9L6fQCQElt8hZMOwJf+IR3bWjiG3VfVyyB3gJWBWlcJFM9NVyfICidwBH5ZiJ0+LXhKUgnNqarTh/YmNj9w="
+
+cache:
+  directories:
+    - "$HOME/.m2/repository"
+    - "$HOME/.sonar/cache"
+
+before_install:
+  - sudo apt-get install jq
+  - wget -O ~/codacy-coverage-reporter-assembly-latest.jar $(curl https://api.github.com/repos/codacy/codacy-coverage-reporter/releases/latest | jq -r .assets[0].browser_download_url)
+
+matrix:
+  include:
+    - jdk: openjdk7
+      env:
+        - JDK="JDK7"
+      script:
+        - if [ ! -z "$TRAVIS_TAG" ]; then travis_wait 60 mvn install site site:stage -DreleaseTesting; else travis_wait 60 mvn install -DreleaseTesting; fi
+    - jdk: oraclejdk8
+      env:
+        - JDK="JDK8"
+      script:
+        - travis_wait 60 mvn install -DreleaseTesting
+
+after_success:
+  - if [ "$JDK" == "JDK8" ]; then 
+      java -cp ~/codacy-coverage-reporter-assembly-latest.jar com.codacy.CodacyCoverageReporter -l Java -r build-reporting/target/coverage-reports/jacoco.xml;
+      mvn sonar:sonar -Dsonar.java.coveragePlugin=jacoco -Dsonar.jacoco.reportPath=build-reporting/target/jacoco.xml;
+      ./coverity_scan.sh; 
+    fi;
+
+after_failure:
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/617-hierarchical-cross-deps/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/618-aggregator-purge/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/618-aggregator-update-only/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/629-jackson-dataformat/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/690-threadsafety/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/710-pom-parse-error/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/729-system-scope-resolved/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/729-system-scope-skipped/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/730-multiple-suppression-files/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/730-multiple-suppression-files-configs/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/815-broken-suppression-aggregate/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/846-site-plugin/build.log
+    - cat /home/travis/build/jeremylong/DependencyCheck/dependency-check-maven/target/it/false-positives/build.log
+
+deploy:
+  - provider: script
+    script: mvn --settings .travis.settings.xml source:jar javadoc:jar package deploy -DskipTests=true
+    skip_cleanup: true
+    on:
+      branch: master
+      jdk: openjdk7
+  - provider: pages
+    skip_cleanup: true
+    local_dir: target/staging
+    github_token: $GITHUB_TOKEN
+    on:
+      tags: true
+      branch: master
+      jdk: openjdk7
+ 

Dockerfile

@@ -0,0 +1,36 @@
+FROM openjdk:8-jre-slim
+
+MAINTAINER Timo Pagel <dependencycheckmaintainer@timo-pagel.de>
+
+ENV user=dependencycheck
+ENV version_url=https://jeremylong.github.io/DependencyCheck/current.txt
+ENV download_url=https://dl.bintray.com/jeremy-long/owasp
+
+RUN apt-get update                                                          && \
+    apt-get install -y --no-install-recommends wget ruby mono-runtime       && \
+    gem install bundle-audit                                                && \
+    gem cleanup
+
+RUN wget -O /tmp/current.txt ${version_url}                                 && \
+    version=$(cat /tmp/current.txt)                                         && \
+    file="dependency-check-${version}-release.zip"                          && \
+    wget "$download_url/$file"                                              && \
+    unzip ${file}                                                           && \
+    rm ${file}                                                              && \
+    mv dependency-check /usr/share/                                         && \
+    useradd -ms /bin/bash ${user}                                           && \
+    chown -R ${user}:${user} /usr/share/dependency-check                    && \
+    mkdir /report                                                           && \
+    chown -R ${user}:${user} /report                                        && \
+    apt-get remove --purge -y wget                                          && \
+    apt-get autoremove -y                                                   && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
+ 
+USER ${user}
+
+VOLUME ["/src" "/usr/share/dependency-check/data" "/report"]
+
+WORKDIR /src
+
+CMD ["--help"]
+ENTRYPOINT ["/usr/share/dependency-check/bin/dependency-check.sh"]

README.md

@@ -1,4 +1,7 @@
-[![Build Status](https://dependency-check.ci.cloudbees.com/buildStatus/icon?job=dependency-check)](https://dependency-check.ci.cloudbees.com/job/dependency-check/)
+[![Build Status](https://travis-ci.org/jeremylong/DependencyCheck.svg?branch=master)](https://travis-ci.org/jeremylong/DependencyCheck) [![Coverity Scan Build Status](https://scan.coverity.com/projects/1654/badge.svg)](https://scan.coverity.com/projects/dependencycheck) [![Codacy Badge](https://api.codacy.com/project/badge/Grade/6b6021d481dc41a888c5da0d9ecf9494)](https://www.codacy.com/app/jeremylong/DependencyCheck?utm_source=github.com&utm_medium=referral&utm_content=jeremylong/DependencyCheck&utm_campaign=Badge_Grade) [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/843/badge)](https://bestpractices.coreinfrastructure.org/projects/843) [![Apache 2.0 License](https://img.shields.io/badge/license-Apache%202-blue.svg)](https://www.apache.org/licenses/LICENSE-2.0.txt)
+
+[![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2015.svg)](https://www.toolswatch.org/2015/06/black-hat-arsenal-usa-2015-speakers-lineup/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2014.svg)](https://www.toolswatch.org/2014/06/black-hat-usa-2014-arsenal-tools-speaker-list/) [![Black Hat Arsenal](https://www.toolswatch.org/badges/arsenal/2013.svg)](https://www.toolswatch.org/2013/06/announcement-blackhat-arsenal-usa-2013-selected-tools/)
+
 Dependency-Check
 ================
 
@@ -22,24 +25,27 @@ The latest CLI can be downloaded from bintray's
 On *nix
 ```
 $ ./bin/dependency-check.sh -h
-$ ./bin/dependency-check.sh --app Testing --out . --scan [path to jar files to be scanned]
+$ ./bin/dependency-check.sh --project Testing --out . --scan [path to jar files to be scanned]
 ```
 On Windows
 ```
-> bin/dependency-check.bat -h
-> bin/dependency-check.bat --app Testing --out . --scan [path to jar files to be scanned]
+> .\bin\dependency-check.bat -h
+> .\bin\dependency-check.bat --project Testing --out . --scan [path to jar files to be scanned]
 ```
 On Mac with [Homebrew](http://brew.sh)
 ```
 $ brew update && brew install dependency-check
 $ dependency-check -h
-$ dependency-check --app Testing --out . --scan [path to jar files to be scanned]
+$ dependency-check --project Testing --out . --scan [path to jar files to be scanned]
 ```
 
 ### Maven Plugin
 
 More detailed instructions can be found on the [dependency-check-maven github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-maven).
-The plugin can be configured using the following:
+By default, the plugin is tied to the `verify` phase (i.e. `mvn verify`). Alternatively,
+one can directly invoke the plugin via `mvn org.owasp:dependency-check-maven:check`.
+
+The dependency-check plugin can be configured using the following:
 
 ```xml
 <project>
@@ -85,16 +91,157 @@ On *nix
 ```
 $ mvn install
 $ ./dependency-check-cli/target/release/bin/dependency-check.sh -h
-$ ./dependency-check-cli/target/release/bin/dependency-check.sh --app Testing --out . --scan ./src/test/resources
+$ ./dependency-check-cli/target/release/bin/dependency-check.sh --project Testing --out . --scan ./src/test/resources
 ```
 On Windows
 ```
 > mvn install
-> dependency-check-cli/target/release/bin/dependency-check.bat -h
-> dependency-check-cli/target/release/bin/dependency-check.bat --app Testing --out . --scan ./src/test/resources
+> .\dependency-check-cli\target\release\bin\dependency-check.bat -h
+> .\dependency-check-cli\target\release\bin\dependency-check.bat --project Testing --out . --scan ./src/test/resources
 ```
 
-Then load the resulting 'DependencyCheck-Report.html' into your favorite browser.
+Then load the resulting 'dependency-check-report.html' into your favorite browser.
+
+### Docker
+
+In the following example it is assumed that the source to be checked is in the current working directory. Persistent data and report directories are used, allowing you to destroy the container after running.
+
+```
+#!/bin/sh
+
+OWASPDC_DIRECTORY=$HOME/OWASP-Dependency-Check
+DATA_DIRECTORY="$OWASPDC_DIRECTORY/data"
+REPORT_DIRECTORY="$OWASPDC_DIRECTORY/reports"
+
+if [ ! -d "$DATA_DIRECTORY" ]; then
+    echo "Initially creating persistent directories"
+    mkdir -p "$DATA_DIRECTORY"
+    chmod -R 777 "$DATA_DIRECTORY"
+
+    mkdir -p "$REPORT_DIRECTORY"
+    chmod -R 777 "$REPORT_DIRECTORY"
+fi
+
+# Make sure we are using the latest version
+docker pull owasp/dependency-check
+
+docker run --rm \
+    --volume $(pwd):/src \
+    --volume "$DATA_DIRECTORY":/usr/share/dependency-check/data \
+    --volume "$REPORT_DIRECTORY":/report \
+    owasp/dependency-check \
+    --scan /src \
+    --format "ALL" \
+    --project "My OWASP Dependency Check Project"
+    # Use suppression like this: (/src == $pwd)
+    # --suppression "/src/security/dependency-check-suppression.xml"
+
+```
+
+
+Upgrade Notes
+-------------
+
+### Upgrading from **1.x.x** to **2.x.x**
+
+Note that when upgrading from version 1.x.x that the following changes will need to be made to your configuration.
+
+#### Suppression file
+
+In order to support multiple suppression files, the mechanism for configuring suppression files has changed.
+As such, users that have defined a suppression file in their configuration will need to update.
+
+See the examples below:
+
+##### Ant
+
+Old:
+
+```xml
+<dependency-check
+  failBuildOnCVSS="3"
+  suppressionFile="suppression.xml">
+</dependency-check>
+```
+
+New:
+
+```xml
+<dependency-check
+  failBuildOnCVSS="3">
+  <suppressionFile path="suppression.xml" />
+</dependency-check>
+```
+
+##### Maven
+
+Old:
+
+```xml
+<plugin>
+  <groupId>org.owasp</groupId>
+  <artifactId>dependency-check-maven</artifactId>
+  <configuration>
+    <suppressionFile>suppression.xml</suppressionFile>
+  </configuration>
+</plugin>
+```
+
+New:
+
+```xml
+<plugin>
+  <groupId>org.owasp</groupId>
+  <artifactId>dependency-check-maven</artifactId>
+  <configuration>
+    <suppressionFiles>
+      <suppressionFile>suppression.xml</suppressionFile>
+    </suppressionFiles>
+  </configuration>
+</plugin>
+```
+
+### Gradle
+
+In addition to the changes to the suppression file, the task `dependencyCheck` has been
+renamed to `dependencyCheckAnalyze`.
+
+Old:
+
+```groovy
+buildscript {
+    repositories {
+		mavenLocal()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:2.0.1-SNAPSHOT'
+    }
+}
+apply plugin: 'org.owasp.dependencycheck'
+
+dependencyCheck {
+	suppressionFile='path/to/suppression.xml'
+}
+check.dependsOn dependencyCheckAnalyze
+```
+
+New:
+```groovy
+buildscript {
+    repositories {
+		mavenLocal()
+    }
+    dependencies {
+        classpath 'org.owasp:dependency-check-gradle:2.0.1-SNAPSHOT'
+    }
+}
+apply plugin: 'org.owasp.dependencycheck'
+
+dependencyCheck {
+	suppressionFiles = ['path/to/suppression1.xml', 'path/to/suppression2.xml']
+}
+check.dependsOn dependencyCheckAnalyze
+```
 
 Mailing List
 ------------
@@ -108,14 +255,14 @@ Archive: [google group](https://groups.google.com/forum/#!forum/dependency-check
 Copyright & License
 -
 
-Dependency-Check is Copyright (c) 2012-2016 Jeremy Long. All Rights Reserved.
+Dependency-Check is Copyright (c) 2012-2017 Jeremy Long. All Rights Reserved.
 
 Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
 
-Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt] [notices] file for more information.
+Dependency-Check makes use of several other open source libraries. Please see the [NOTICE.txt][notices] file for more information.
 
 
   [wiki]: https://github.com/jeremylong/DependencyCheck/wiki
   [subscribe]: mailto:dependency-check+subscribe@googlegroups.com
   [post]: mailto:dependency-check@googlegroups.com
-  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICES.txt
+  [notices]: https://github.com/jeremylong/DependencyCheck/blob/master/NOTICE.txt

RELEASE_NOTES.md

@@ -0,0 +1,61 @@
+# Release Notes
+
+Please see the [dependency-check google group](https://groups.google.com/forum/#!forum/dependency-check) for the release notes on versions not listed below.
+
+## [Version 3.1.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.1.1) (2018-01-29)
+
+### Bug fixes
+
+- Fixed the Central Analyzer to use the updated SHA1 query syntax.
+- Reverted change that broke Maven 3.1.0 compatability; Maven 3.1.0 and beyond is once again supported.
+- False positive reduction.
+- Minor documentation cleanup.
+
+
+## [Version 3.1.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.1.0) (2018-01-02)
+
+### Enhancements
+
+- Major enhancements to the Node and NSP analyzer - the analyzers are now considered
+  production ready and should be used in combination.
+- Added a shutdown hook so that if the update process is interrupted while using an H2
+  database the lock files will be properly removed allowing future executions of ODC to
+  succeed.
+- UNC paths can now be scanned using the CLI.
+- Batch updates are now used which may help with the update speed when using some DBMS
+  instead of the embedded H2.
+- Upgrade Lucene to 5.5.5, the highest version that will allow us to maintain Java 7 support
+
+### Bug fixes
+
+- Fixed the CSV report output to correctly list all fields.
+- Invalid suppression files will now break the build instead of causing ODC to
+  skip the usage of the suppression analyzer.
+- Fixed bug in Lucene query where LARGE entries in the pom.xml or manifest caused
+  the query to break.
+- General cleanup, false positive, and false negative reduction. 
+
+## [Version 3.0.2](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.2) (2017-11-13)
+
+### Bug fixes
+
+- Updated the query format for the CentralAnalyzer; the old format caused the CentralAnalyzer to fail
+
+## [Version 3.0.1](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.1) (2017-10-20)
+
+### Bug fixes
+
+- Fixed a database connection issue that affected some usages.
+
+## [Version 3.0.0](https://github.com/jeremylong/DependencyCheck/releases/tag/v3.0.0) (2017-10-16)
+
+- Several bug fixes and false positive reduction
+  - The 2.x branch introduced several new false positives – but also reduced the false negatives
+- Java 9 compatibility update
+- Stability issues with the Central Analyzer resolved
+  - This comes at a cost of a longer analysis time
+- The CSV report now includes the GAV and CPE
+- The Hint Analyzer now supports regular expressions
+- If show summary is disabled and vulnerable libraries are found that fail the build details are no longer displayed in the console – only that vulnerable libraries were identified
+- Resolved issues with threading and multiple connections to the embedded H2 database
+  - This allows the Jenkins pipeline, Maven Plugin, etc. to safely run parallel executions of dependency-check

ant/README.md

@@ -0,0 +1,25 @@
+Dependency-Check Ant Task
+=========
+
+Dependency-Check Ant Task can be used to check the project dependencies for published security vulnerabilities. The checks
+performed are a "best effort" and as such, there could be false positives as well as false negatives. However,
+vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
+Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
+
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-ant/index.html).
+
+Mailing List
+------------
+
+Subscribe: [dependency-check+subscribe@googlegroups.com](mailto:dependency-check+subscribe@googlegroups.com)
+
+Post: [dependency-check@googlegroups.com](mailto:dependency-check@googlegroups.com)
+
+Copyright & License
+-------------------
+
+Dependency-Check is Copyright (c) 2012-2014 Jeremy Long. All Rights Reserved.
+
+Permission to modify and redistribute is granted under the terms of the Apache 2.0 license. See the [LICENSE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/LICENSE.txt) file for the full license.
+
+Dependency-Check-Ant makes use of other open source libraries. Please see the [NOTICE.txt](https://raw.githubusercontent.com/jeremylong/DependencyCheck/master/dependency-check-ant/NOTICE.txt) file for more information.

ant/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.5</version>
+        <version>3.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-ant</artifactId>
@@ -28,15 +28,6 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
 
     <name>Dependency-Check Ant Task</name>
     <description>dependency-check-ant is an Ant Task that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the project's dependencies. The task will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
-    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
-    <distributionManagement>
-        <site>
-            <id>github-pages-site</id>
-            <name>Deployment through GitHub's site deployment plugin</name>
-            <url>${basedir}/../target/site/${project.version}/dependency-check-ant</url>
-        </site>
-    </distributionManagement>
-    <!-- end copy -->
     <build>
         <resources>
             <resource>
@@ -223,85 +214,8 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>cobertura-maven-plugin</artifactId>
-                <configuration>
-                    <check>
-                        <branchRate>85</branchRate>
-                        <lineRate>85</lineRate>
-                        <haltOnFailure>false</haltOnFailure>
-                        <totalBranchRate>85</totalBranchRate>
-                        <totalLineRate>85</totalLineRate>
-                        <packageLineRate>85</packageLineRate>
-                        <packageBranchRate>85</packageBranchRate>
-                        <regexes>
-                            <regex>
-                                <pattern>.*\$.*</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                        </regexes>
-                    </check>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>clean</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
-                    <systemProperties>
-                        <property>
-                            <name>data.directory</name>
-                            <value>${project.build.directory}/dependency-check-data</value>
-                        </property>
-                    </systemProperties>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
-    <reporting>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${reporting.checkstyle-plugin.version}</version>
-                <configuration>
-                    <enableRulesSummary>false</enableRulesSummary>
-                    <enableFilesSummary>false</enableFilesSummary>
-                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-pmd-plugin</artifactId>
-                <version>${reporting.pmd-plugin.version}</version>
-                <configuration>
-                    <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
-                    <sourceEncoding>utf-8</sourceEncoding>
-                    <excludes>
-                        <exclude>**/generated/*.java</exclude>
-                    </excludes>
-                    <rulesets>
-                        <ruleset>../src/main/config/dcrules.xml</ruleset>
-                        <ruleset>/rulesets/java/basic.xml</ruleset>
-                        <ruleset>/rulesets/java/imports.xml</ruleset>
-                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                    </rulesets>
-                </configuration>
-            </plugin>
-        </plugins>
-    </reporting>
     <dependencies>
         <dependency>
             <groupId>org.owasp</groupId>

ant/src/main/java/org/owasp/dependencycheck/ant/logging/AntLoggerAdapter.java

@@ -24,16 +24,21 @@ import org.slf4j.helpers.MarkerIgnoringBase;
 import org.slf4j.helpers.MessageFormatter;
 
 /**
- * An instance of {@link org.slf4j.Logger} which simply calls the log method on the delegate Ant task.
+ * An instance of {@link org.slf4j.Logger} which simply calls the log method on
+ * the delegate Ant task.
  *
  * @author colezlaw
  */
 public class AntLoggerAdapter extends MarkerIgnoringBase {
 
+    /**
+     * serialization UID.
+     */
+    private static final long serialVersionUID = -1337;
     /**
      * A reference to the Ant task used for logging.
      */
-    private Task task;
+    private transient Task task;
 
     /**
      * Constructs an Ant Logger Adapter.

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Check.java

@@ -18,8 +18,10 @@
 package org.owasp.dependencycheck.taskdefs;
 
 import java.io.File;
-import java.io.IOException;
+import java.util.ArrayList;
 import java.util.List;
+import javax.annotation.concurrent.NotThreadSafe;
+
 import org.apache.tools.ant.BuildException;
 import org.apache.tools.ant.Project;
 import org.apache.tools.ant.types.EnumeratedAttribute;
@@ -29,13 +31,13 @@ import org.apache.tools.ant.types.ResourceCollection;
 import org.apache.tools.ant.types.resources.FileProvider;
 import org.apache.tools.ant.types.resources.Resources;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
-import org.owasp.dependencycheck.reporting.ReportGenerator;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.reporting.ReportGenerator.Format;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.impl.StaticLoggerBinder;
@@ -45,22 +47,179 @@ import org.slf4j.impl.StaticLoggerBinder;
  *
  * @author Jeremy Long
  */
+@NotThreadSafe
 public class Check extends Update {
 
     /**
      * System specific new line character.
      */
     private static final String NEW_LINE = System.getProperty("line.separator", "\n").intern();
+    /**
+     * Whether the ruby gemspec analyzer should be enabled.
+     */
+    private Boolean rubygemsAnalyzerEnabled;
+    /**
+     * Whether or not the Node.js Analyzer is enabled.
+     */
+    private Boolean nodeAnalyzerEnabled;
+    /**
+     * Whether or not the NSP Analyzer is enabled.
+     */
+    private Boolean nspAnalyzerEnabled;
 
     /**
-     * Construct a new DependencyCheckTask.
+     * Whether or not the Ruby Bundle Audit Analyzer is enabled.
      */
-    public Check() {
-        super();
-        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
-        // core end up coming through this tasks logger
-        StaticLoggerBinder.getSingleton().setTask(this);
-    }
+    private Boolean bundleAuditAnalyzerEnabled;
+    /**
+     * Whether the CMake analyzer should be enabled.
+     */
+    private Boolean cmakeAnalyzerEnabled;
+    /**
+     * Whether or not the Open SSL analyzer is enabled.
+     */
+    private Boolean opensslAnalyzerEnabled;
+    /**
+     * Whether the python package analyzer should be enabled.
+     */
+    private Boolean pyPackageAnalyzerEnabled;
+    /**
+     * Whether the python distribution analyzer should be enabled.
+     */
+    private Boolean pyDistributionAnalyzerEnabled;
+    /**
+     * Whether or not the central analyzer is enabled.
+     */
+    private Boolean centralAnalyzerEnabled;
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private Boolean nexusAnalyzerEnabled;
+    /**
+     * The URL of a Nexus server's REST API end point
+     * (http://domain/nexus/service/local).
+     */
+    private String nexusUrl;
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private Boolean nexusUsesProxy;
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a
+     * comma-separated list of file extensions to treat like ZIP files.
+     */
+    private String zipExtensions;
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+
+    /**
+     * The application name for the report.
+     *
+     * @deprecated use projectName instead.
+     */
+    @Deprecated
+    private String applicationName = null;
+    /**
+     * The name of the project being analyzed.
+     */
+    private String projectName = "dependency-check";
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory = ".";
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private Boolean autoUpdate;
+    /**
+     * Whether only the update phase should be executed.
+     *
+     * @deprecated Use the update task instead
+     */
+    @Deprecated
+    private boolean updateOnly = false;
+
+    /**
+     * The report format to be generated (HTML, XML, VULN, CSV, JSON, ALL).
+     * Default is HTML.
+     */
+    private String reportFormat = "HTML";
+    /**
+     * Suppression file path.
+     */
+    private String suppressionFile = null;
+    /**
+     * Suppression file paths.
+     */
+    @SuppressWarnings("CanBeFinal")
+    private List<String> suppressionFiles = new ArrayList<>();
+
+    /**
+     * The path to the suppression file.
+     */
+    private String hintsFile;
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+    /**
+     * Whether experimental analyzers are enabled.
+     */
+    private Boolean enableExperimental;
+    /**
+     * Whether retired analyzers are enabled.
+     */
+    private Boolean enableRetired;
+    /**
+     * Whether or not the Jar Analyzer is enabled.
+     */
+    private Boolean jarAnalyzerEnabled;
+    /**
+     * Whether or not the Archive Analyzer is enabled.
+     */
+    private Boolean archiveAnalyzerEnabled;
+    /**
+     * Whether or not the .NET Nuspec Analyzer is enabled.
+     */
+    private Boolean nuspecAnalyzerEnabled;
+    /**
+     * Whether or not the PHP Composer Analyzer is enabled.
+     */
+    private Boolean composerAnalyzerEnabled;
+
+    /**
+     * Whether or not the .NET Assembly Analyzer is enabled.
+     */
+    private Boolean assemblyAnalyzerEnabled;
+    /**
+     * Whether the autoconf analyzer should be enabled.
+     */
+    private Boolean autoconfAnalyzerEnabled;
+    /**
+     * Sets the path for the bundle-audit binary.
+     */
+    private String bundleAuditPath;
+    /**
+     * Whether or not the CocoaPods Analyzer is enabled.
+     */
+    private Boolean cocoapodsAnalyzerEnabled;
+
+    /**
+     * Whether or not the Swift package Analyzer is enabled.
+     */
+    private Boolean swiftPackageManagerAnalyzerEnabled;
     //The following code was copied Apache Ant PathConvert
     //BEGIN COPY from org.apache.tools.ant.taskdefs.PathConvert
     /**
@@ -68,9 +227,9 @@ public class Check extends Update {
      */
     private Resources path = null;
     /**
-     * Reference to path/fileset to convert
+     * Reference to path/file set to convert
      */
-    private Reference refid = null;
+    private Reference refId = null;
 
     /**
      * Add an arbitrary ResourceCollection.
@@ -80,14 +239,25 @@ public class Check extends Update {
      */
     public void add(ResourceCollection rc) {
         if (isReference()) {
-            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
         }
         getPath().add(rc);
     }
 
     /**
-     * Returns the path. If the path has not been initialized yet, this class is synchronized, and will instantiate the path
-     * object.
+     * Add a suppression file.
+     *
+     * This is called by Ant with the configured {@link SuppressionFile}.
+     *
+     * @param suppressionFile the suppression file to add.
+     */
+    public void addConfiguredSuppressionFile(final SuppressionFile suppressionFile) {
+        suppressionFiles.add(suppressionFile.getPath());
+    }
+
+    /**
+     * Returns the path. If the path has not been initialized yet, this class is
+     * synchronized, and will instantiate the path object.
      *
      * @return the path
      */
@@ -100,49 +270,54 @@ public class Check extends Update {
     }
 
     /**
-     * Learn whether the refid attribute of this element been set.
+     * Learn whether the refId attribute of this element been set.
      *
-     * @return true if refid is valid.
+     * @return true if refId is valid.
      */
     public boolean isReference() {
-        return refid != null;
+        return refId != null;
     }
 
     /**
-     * Add a reference to a Path, FileSet, DirSet, or FileList defined elsewhere.
+     * Add a reference to a Path, FileSet, DirSet, or FileList defined
+     * elsewhere.
      *
      * @param r the reference to a path, fileset, dirset or filelist.
      */
-    public void setRefid(Reference r) {
+    public synchronized void setRefId(Reference r) {
         if (path != null) {
-            throw new BuildException("Nested elements are not allowed when using the refid attribute.");
+            throw new BuildException("Nested elements are not allowed when using the refId attribute.");
         }
-        refid = r;
+        refId = r;
     }
 
     /**
-     * If this is a reference, this method will add the referenced resource collection to the collection of paths.
+     * If this is a reference, this method will add the referenced resource
+     * collection to the collection of paths.
      *
      * @throws BuildException if the reference is not to a resource collection
      */
     private void dealWithReferences() throws BuildException {
         if (isReference()) {
-            final Object o = refid.getReferencedObject(getProject());
+            final Object o = refId.getReferencedObject(getProject());
             if (!(o instanceof ResourceCollection)) {
-                throw new BuildException("refid '" + refid.getRefId()
+                throw new BuildException("refId '" + refId.getRefId()
                         + "' does not refer to a resource collection.");
             }
             getPath().add((ResourceCollection) o);
         }
     }
     // END COPY from org.apache.tools.ant.taskdefs
+
     /**
-     * The application name for the report.
-     *
-     * @deprecated use projectName instead.
+     * Construct a new DependencyCheckTask.
      */
-    @Deprecated
-    private String applicationName = null;
+    public Check() {
+        super();
+        // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
+        // core end up coming through this tasks logger
+        StaticLoggerBinder.getSingleton().setTask(this);
+    }
 
     /**
      * Get the value of applicationName.
@@ -166,10 +341,6 @@ public class Check extends Update {
     public void setApplicationName(String applicationName) {
         this.applicationName = applicationName;
     }
-    /**
-     * The name of the project being analyzed.
-     */
-    private String projectName = "dependency-check";
 
     /**
      * Get the value of projectName.
@@ -195,11 +366,6 @@ public class Check extends Update {
         this.projectName = projectName;
     }
 
-    /**
-     * Specifies the destination directory for the generated Dependency-Check report.
-     */
-    private String reportOutputDirectory = ".";
-
     /**
      * Get the value of reportOutputDirectory.
      *
@@ -217,12 +383,6 @@ public class Check extends Update {
     public void setReportOutputDirectory(String reportOutputDirectory) {
         this.reportOutputDirectory = reportOutputDirectory;
     }
-    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
-     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
-     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
-     */
-    private float failBuildOnCVSS = 11;
 
     /**
      * Get the value of failBuildOnCVSS.
@@ -241,11 +401,6 @@ public class Check extends Update {
     public void setFailBuildOnCVSS(float failBuildOnCVSS) {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
-    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
-     * is true.
-     */
-    private Boolean autoUpdate;
 
     /**
      * Get the value of autoUpdate.
@@ -264,13 +419,6 @@ public class Check extends Update {
     public void setAutoUpdate(Boolean autoUpdate) {
         this.autoUpdate = autoUpdate;
     }
-    /**
-     * Whether only the update phase should be executed.
-     *
-     * @deprecated Use the update task instead
-     */
-    @Deprecated
-    private boolean updateOnly = false;
 
     /**
      * Get the value of updateOnly.
@@ -294,11 +442,6 @@ public class Check extends Update {
         this.updateOnly = updateOnly;
     }
 
-    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). Default is HTML.
-     */
-    private String reportFormat = "HTML";
-
     /**
      * Get the value of reportFormat.
      *
@@ -316,18 +459,14 @@ public class Check extends Update {
     public void setReportFormat(ReportFormats reportFormat) {
         this.reportFormat = reportFormat.getValue();
     }
-    /**
-     * The path to the suppression file.
-     */
-    private String suppressionFile;
 
     /**
-     * Get the value of suppressionFile.
+     * Gets suppression file paths.
      *
-     * @return the value of suppressionFile
+     * @return the suppression files.
      */
-    public String getSuppressionFile() {
-        return suppressionFile;
+    public List<String> getSuppressionFiles() {
+        return suppressionFiles;
     }
 
     /**
@@ -337,11 +476,26 @@ public class Check extends Update {
      */
     public void setSuppressionFile(String suppressionFile) {
         this.suppressionFile = suppressionFile;
+        suppressionFiles.add(suppressionFile);
     }
+
     /**
-     * flag indicating whether or not to show a summary of findings.
+     * Get the value of hintsFile.
+     *
+     * @return the value of hintsFile
      */
-    private boolean showSummary = true;
+    public String getHintsFile() {
+        return hintsFile;
+    }
+
+    /**
+     * Set the value of hintsFile.
+     *
+     * @param hintsFile new value of hintsFile
+     */
+    public void setHintsFile(String hintsFile) {
+        this.hintsFile = hintsFile;
+    }
 
     /**
      * Get the value of showSummary.
@@ -362,9 +516,40 @@ public class Check extends Update {
     }
 
     /**
-     * Whether or not the Jar Analyzer is enabled.
+     * Get the value of enableExperimental.
+     *
+     * @return the value of enableExperimental
      */
-    private Boolean jarAnalyzerEnabled;
+    public Boolean isEnableExperimental() {
+        return enableExperimental;
+    }
+
+    /**
+     * Set the value of enableExperimental.
+     *
+     * @param enableExperimental new value of enableExperimental
+     */
+    public void setEnableExperimental(Boolean enableExperimental) {
+        this.enableExperimental = enableExperimental;
+    }
+
+    /**
+     * Get the value of enableRetired.
+     *
+     * @return the value of enableRetired
+     */
+    public Boolean isEnableRetired() {
+        return enableRetired;
+    }
+
+    /**
+     * Set the value of enableRetired.
+     *
+     * @param enableRetired new value of enableRetired
+     */
+    public void setEnableRetired(Boolean enableRetired) {
+        this.enableRetired = enableRetired;
+    }
 
     /**
      * Returns whether or not the analyzer is enabled.
@@ -383,10 +568,6 @@ public class Check extends Update {
     public void setJarAnalyzerEnabled(Boolean jarAnalyzerEnabled) {
         this.jarAnalyzerEnabled = jarAnalyzerEnabled;
     }
-    /**
-     * Whether or not the Archive Analyzer is enabled.
-     */
-    private Boolean archiveAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
@@ -396,10 +577,6 @@ public class Check extends Update {
     public Boolean isArchiveAnalyzerEnabled() {
         return archiveAnalyzerEnabled;
     }
-    /**
-     * Whether or not the .NET Assembly Analyzer is enabled.
-     */
-    private Boolean assemblyAnalyzerEnabled;
 
     /**
      * Sets whether or not the analyzer is enabled.
@@ -427,10 +604,6 @@ public class Check extends Update {
     public void setAssemblyAnalyzerEnabled(Boolean assemblyAnalyzerEnabled) {
         this.assemblyAnalyzerEnabled = assemblyAnalyzerEnabled;
     }
-    /**
-     * Whether or not the .NET Nuspec Analyzer is enabled.
-     */
-    private Boolean nuspecAnalyzerEnabled;
 
     /**
      * Returns whether or not the analyzer is enabled.
@@ -449,10 +622,6 @@ public class Check extends Update {
     public void setNuspecAnalyzerEnabled(Boolean nuspecAnalyzerEnabled) {
         this.nuspecAnalyzerEnabled = nuspecAnalyzerEnabled;
     }
-    /**
-     * Whether or not the PHP Composer Analyzer is enabled.
-     */
-    private Boolean composerAnalyzerEnabled;
 
     /**
      * Get the value of composerAnalyzerEnabled.
@@ -471,10 +640,6 @@ public class Check extends Update {
     public void setComposerAnalyzerEnabled(Boolean composerAnalyzerEnabled) {
         this.composerAnalyzerEnabled = composerAnalyzerEnabled;
     }
-    /**
-     * Whether the autoconf analyzer should be enabled.
-     */
-    private Boolean autoconfAnalyzerEnabled;
 
     /**
      * Get the value of autoconfAnalyzerEnabled.
@@ -493,10 +658,6 @@ public class Check extends Update {
     public void setAutoconfAnalyzerEnabled(Boolean autoconfAnalyzerEnabled) {
         this.autoconfAnalyzerEnabled = autoconfAnalyzerEnabled;
     }
-    /**
-     * Whether the CMake analyzer should be enabled.
-     */
-    private Boolean cmakeAnalyzerEnabled;
 
     /**
      * Get the value of cmakeAnalyzerEnabled.
@@ -515,10 +676,80 @@ public class Check extends Update {
     public void setCMakeAnalyzerEnabled(Boolean cmakeAnalyzerEnabled) {
         this.cmakeAnalyzerEnabled = cmakeAnalyzerEnabled;
     }
+
     /**
-     * Whether or not the openssl analyzer is enabled.
+     * Returns if the Bundle Audit Analyzer is enabled.
+     *
+     * @return if the Bundle Audit Analyzer is enabled.
      */
-    private Boolean opensslAnalyzerEnabled;
+    public Boolean isBundleAuditAnalyzerEnabled() {
+        return bundleAuditAnalyzerEnabled;
+    }
+
+    /**
+     * Sets if the Bundle Audit Analyzer is enabled.
+     *
+     * @param bundleAuditAnalyzerEnabled whether or not the analyzer should be
+     * enabled
+     */
+    public void setBundleAuditAnalyzerEnabled(Boolean bundleAuditAnalyzerEnabled) {
+        this.bundleAuditAnalyzerEnabled = bundleAuditAnalyzerEnabled;
+    }
+
+    /**
+     * Returns the path to the bundle audit executable.
+     *
+     * @return the path to the bundle audit executable
+     */
+    public String getBundleAuditPath() {
+        return bundleAuditPath;
+    }
+
+    /**
+     * Sets the path to the bundle audit executable.
+     *
+     * @param bundleAuditPath the path to the bundle audit executable
+     */
+    public void setBundleAuditPath(String bundleAuditPath) {
+        this.bundleAuditPath = bundleAuditPath;
+    }
+
+    /**
+     * Returns if the cocoapods analyzer is enabled.
+     *
+     * @return if the cocoapods analyzer is enabled
+     */
+    public boolean isCocoapodsAnalyzerEnabled() {
+        return cocoapodsAnalyzerEnabled;
+    }
+
+    /**
+     * Sets whether or not the cocoapods analyzer is enabled.
+     *
+     * @param cocoapodsAnalyzerEnabled the state of the cocoapods analyzer
+     */
+    public void setCocoapodsAnalyzerEnabled(Boolean cocoapodsAnalyzerEnabled) {
+        this.cocoapodsAnalyzerEnabled = cocoapodsAnalyzerEnabled;
+    }
+
+    /**
+     * Returns whether or not the Swift package Analyzer is enabled.
+     *
+     * @return whether or not the Swift package Analyzer is enabled
+     */
+    public Boolean isSwiftPackageManagerAnalyzerEnabled() {
+        return swiftPackageManagerAnalyzerEnabled;
+    }
+
+    /**
+     * Sets the enabled state of the swift package manager analyzer.
+     *
+     * @param swiftPackageManagerAnalyzerEnabled the enabled state of the swift
+     * package manager
+     */
+    public void setSwiftPackageManagerAnalyzerEnabled(Boolean swiftPackageManagerAnalyzerEnabled) {
+        this.swiftPackageManagerAnalyzerEnabled = swiftPackageManagerAnalyzerEnabled;
+    }
 
     /**
      * Get the value of opensslAnalyzerEnabled.
@@ -537,10 +768,6 @@ public class Check extends Update {
     public void setOpensslAnalyzerEnabled(Boolean opensslAnalyzerEnabled) {
         this.opensslAnalyzerEnabled = opensslAnalyzerEnabled;
     }
-    /**
-     * Whether or not the Node.js Analyzer is enabled.
-     */
-    private Boolean nodeAnalyzerEnabled;
 
     /**
      * Get the value of nodeAnalyzerEnabled.
@@ -559,10 +786,24 @@ public class Check extends Update {
     public void setNodeAnalyzerEnabled(Boolean nodeAnalyzerEnabled) {
         this.nodeAnalyzerEnabled = nodeAnalyzerEnabled;
     }
+
     /**
-     * Whether the ruby gemspec analyzer should be enabled.
+     * Get the value of nspAnalyzerEnabled.
+     *
+     * @return the value of nspAnalyzerEnabled
      */
-    private Boolean rubygemsAnalyzerEnabled;
+    public Boolean isNspAnalyzerEnabled() {
+        return nspAnalyzerEnabled;
+    }
+
+    /**
+     * Set the value of nspAnalyzerEnabled.
+     *
+     * @param nspAnalyzerEnabled new value of nspAnalyzerEnabled
+     */
+    public void setNspAnalyzerEnabled(Boolean nspAnalyzerEnabled) {
+        this.nspAnalyzerEnabled = nspAnalyzerEnabled;
+    }
 
     /**
      * Get the value of rubygemsAnalyzerEnabled.
@@ -581,10 +822,6 @@ public class Check extends Update {
     public void setRubygemsAnalyzerEnabled(Boolean rubygemsAnalyzerEnabled) {
         this.rubygemsAnalyzerEnabled = rubygemsAnalyzerEnabled;
     }
-    /**
-     * Whether the python package analyzer should be enabled.
-     */
-    private Boolean pyPackageAnalyzerEnabled;
 
     /**
      * Get the value of pyPackageAnalyzerEnabled.
@@ -604,11 +841,6 @@ public class Check extends Update {
         this.pyPackageAnalyzerEnabled = pyPackageAnalyzerEnabled;
     }
 
-    /**
-     * Whether the python distribution analyzer should be enabled.
-     */
-    private Boolean pyDistributionAnalyzerEnabled;
-
     /**
      * Get the value of pyDistributionAnalyzerEnabled.
      *
@@ -621,17 +853,13 @@ public class Check extends Update {
     /**
      * Set the value of pyDistributionAnalyzerEnabled.
      *
-     * @param pyDistributionAnalyzerEnabled new value of pyDistributionAnalyzerEnabled
+     * @param pyDistributionAnalyzerEnabled new value of
+     * pyDistributionAnalyzerEnabled
      */
     public void setPyDistributionAnalyzerEnabled(Boolean pyDistributionAnalyzerEnabled) {
         this.pyDistributionAnalyzerEnabled = pyDistributionAnalyzerEnabled;
     }
 
-    /**
-     * Whether or not the central analyzer is enabled.
-     */
-    private Boolean centralAnalyzerEnabled;
-
     /**
      * Get the value of centralAnalyzerEnabled.
      *
@@ -650,11 +878,6 @@ public class Check extends Update {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
-    /**
-     * Whether or not the nexus analyzer is enabled.
-     */
-    private Boolean nexusAnalyzerEnabled;
-
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
@@ -673,11 +896,6 @@ public class Check extends Update {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
-    /**
-     * The URL of a Nexus server's REST API end point (http://domain/nexus/service/local).
-     */
-    private String nexusUrl;
-
     /**
      * Get the value of nexusUrl.
      *
@@ -695,10 +913,6 @@ public class Check extends Update {
     public void setNexusUrl(String nexusUrl) {
         this.nexusUrl = nexusUrl;
     }
-    /**
-     * Whether or not the defined proxy should be used when connecting to Nexus.
-     */
-    private Boolean nexusUsesProxy;
 
     /**
      * Get the value of nexusUsesProxy.
@@ -718,12 +932,6 @@ public class Check extends Update {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
-    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
-     * files.
-     */
-    private String zipExtensions;
-
     /**
      * Get the value of zipExtensions.
      *
@@ -742,11 +950,6 @@ public class Check extends Update {
         this.zipExtensions = zipExtensions;
     }
 
-    /**
-     * The path to Mono for .NET assembly analysis on non-windows systems.
-     */
-    private String pathToMono;
-
     /**
      * Get the value of pathToMono.
      *
@@ -770,71 +973,66 @@ public class Check extends Update {
         dealWithReferences();
         validateConfiguration();
         populateSettings();
-        Engine engine = null;
-        try {
-            engine = new Engine(Check.class.getClassLoader());
+        try (Engine engine = new Engine(Check.class.getClassLoader(), getSettings())) {
             if (isUpdateOnly()) {
                 log("Deprecated 'UpdateOnly' property set; please use the UpdateTask instead", Project.MSG_WARN);
-                engine.doUpdates();
-            } else {
                 try {
-                    for (Resource resource : path) {
-                        final FileProvider provider = resource.as(FileProvider.class);
-                        if (provider != null) {
-                            final File file = provider.getFile();
-                            if (file != null && file.exists()) {
-                                engine.scan(file);
-                            }
+                    engine.doUpdates();
+                } catch (UpdateException ex) {
+                    if (this.isFailOnError()) {
+                        throw new BuildException(ex);
+                    }
+                    log(ex.getMessage(), Project.MSG_ERR);
+                }
+            } else {
+                for (Resource resource : getPath()) {
+                    final FileProvider provider = resource.as(FileProvider.class);
+                    if (provider != null) {
+                        final File file = provider.getFile();
+                        if (file != null && file.exists()) {
+                            engine.scan(file);
                         }
                     }
+                }
 
+                try {
                     engine.analyzeDependencies();
-                    DatabaseProperties prop = null;
-                    CveDB cve = null;
-                    try {
-                        cve = new CveDB();
-                        cve.open();
-                        prop = cve.getDatabaseProperties();
-                    } catch (DatabaseException ex) {
-                        log("Unable to retrieve DB Properties", ex, Project.MSG_DEBUG);
-                    } finally {
-                        if (cve != null) {
-                            cve.close();
-                        }
+                } catch (ExceptionCollection ex) {
+                    if (this.isFailOnError()) {
+                        throw new BuildException(ex);
                     }
-                    final ReportGenerator reporter = new ReportGenerator(getProjectName(), engine.getDependencies(), engine.getAnalyzers(), prop);
-                    reporter.generateReports(reportOutputDirectory, reportFormat);
+                }
+                engine.writeReports(getProjectName(), new File(reportOutputDirectory), reportFormat);
 
-                    if (this.failBuildOnCVSS <= 10) {
-                        checkForFailure(engine.getDependencies());
-                    }
-                    if (this.showSummary) {
-                        showSummary(engine.getDependencies());
-                    }
-                } catch (IOException ex) {
-                    log("Unable to generate dependency-check report", ex, Project.MSG_DEBUG);
-                    throw new BuildException("Unable to generate dependency-check report", ex);
-                } catch (Exception ex) {
-                    log("An exception occurred; unable to continue task", ex, Project.MSG_DEBUG);
-                    throw new BuildException("An exception occurred; unable to continue task", ex);
+                if (this.failBuildOnCVSS <= 10) {
+                    checkForFailure(engine.getDependencies());
+                }
+                if (this.showSummary) {
+                    showSummary(engine.getDependencies());
                 }
             }
         } catch (DatabaseException ex) {
-            log("Unable to connect to the dependency-check database; analysis has stopped", ex, Project.MSG_ERR);
-        } finally {
-            Settings.cleanup(true);
-            if (engine != null) {
-                engine.cleanup();
+            final String msg = "Unable to connect to the dependency-check database; analysis has stopped";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
             }
+            log(msg, ex, Project.MSG_ERR);
+        } catch (ReportException ex) {
+            final String msg = "Unable to generate the dependency-check report";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
+            }
+            log(msg, ex, Project.MSG_ERR);
         }
     }
 
     /**
-     * Validate the configuration to ensure the parameters have been properly configured/initialized.
+     * Validate the configuration to ensure the parameters have been properly
+     * configured/initialized.
      *
      * @throws BuildException if the task was not configured correctly.
      */
-    private void validateConfiguration() throws BuildException {
+    private synchronized void validateConfiguration() throws BuildException {
         if (path == null) {
             throw new BuildException("No project dependencies have been defined to analyze.");
         }
@@ -844,44 +1042,54 @@ public class Check extends Update {
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
      *
      * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
     protected void populateSettings() throws BuildException {
         super.populateSettings();
-        Settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        getSettings().setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles.toArray(new String[suppressionFiles.size()]));
+        getSettings().setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, enableExperimental);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, enableRetired);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_JAR_ENABLED, jarAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, pyDistributionAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, pyPackageAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, rubygemsAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, opensslAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CMAKE_ENABLED, cmakeAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, swiftPackageManagerAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, cocoapodsAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, bundleAuditAnalyzerEnabled);
+        getSettings().setStringIfNotNull(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, bundleAuditPath);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, autoconfAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, composerAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, nodeAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, nspAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, nuspecAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, archiveAnalyzerEnabled);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, assemblyAnalyzerEnabled);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        getSettings().setBooleanIfNotNull(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
     }
 
     /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
-     * configuration.
+     * Checks to see if a vulnerability has been identified with a CVSS score
+     * that is above the threshold set in the configuration.
      *
      * @param dependencies the list of dependency objects
-     * @throws BuildException thrown if a CVSS score is found that is higher then the threshold set
+     * @throws BuildException thrown if a CVSS score is found that is higher
+     * than the threshold set
      */
-    private void checkForFailure(List<Dependency> dependencies) throws BuildException {
+    private void checkForFailure(Dependency[] dependencies) throws BuildException {
         final StringBuilder ids = new StringBuilder();
         for (Dependency d : dependencies) {
             for (Vulnerability v : d.getVulnerabilities()) {
@@ -895,24 +1103,32 @@ public class Check extends Update {
             }
         }
         if (ids.length() > 0) {
-            final String msg = String.format("%n%nDependency-Check Failure:%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
-                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+            final String msg;
+            if (showSummary) {
+                msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
+                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+            } else {
+                msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities.%n%n"
+                        + "See the dependency-check report for more details.%n%n");
+            }
             throw new BuildException(msg);
         }
     }
 
     /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
+     * associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
-    private void showSummary(List<Dependency> dependencies) {
+    private void showSummary(Dependency[] dependencies) {
         final StringBuilder summary = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean firstEntry = true;
             final StringBuilder ids = new StringBuilder();
-            for (Vulnerability v : d.getVulnerabilities()) {
+            for (Vulnerability v : d.getVulnerabilities(true)) {
                 if (firstEntry) {
                     firstEntry = false;
                 } else {
@@ -943,7 +1159,8 @@ public class Check extends Update {
     }
 
     /**
-     * An enumeration of supported report formats: "ALL", "HTML", "XML", "VULN", etc..
+     * An enumeration of supported report formats: "ALL", "HTML", "XML", "CSV",
+     * "JSON", "VULN", etc..
      */
     public static class ReportFormats extends EnumeratedAttribute {
 

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Purge.java

@@ -37,21 +37,35 @@ public class Purge extends Task {
      * The properties file location.
      */
     private static final String PROPERTIES_FILE = "task.properties";
+    /**
+     * The configured settings.
+     */
+    private Settings settings;
+
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+    /**
+     * Indicates if dependency-check should fail the build if an exception
+     * occurs.
+     */
+    private boolean failOnError = true;
 
     /**
      * Construct a new DependencyCheckTask.
      */
     public Purge() {
         super();
+
         // Call this before Dependency Check Core starts logging anything - this way, all SLF4J messages from
         // core end up coming through this tasks logger
         StaticLoggerBinder.getSingleton().setTask(this);
     }
 
-    /**
-     * The location of the data directory that contains
-     */
-    private String dataDirectory = null;
+    public Settings getSettings() {
+        return settings;
+    }
 
     /**
      * Get the value of dataDirectory.
@@ -71,57 +85,90 @@ public class Purge extends Task {
         this.dataDirectory = dataDirectory;
     }
 
+    /**
+     * Get the value of failOnError.
+     *
+     * @return the value of failOnError
+     */
+    public boolean isFailOnError() {
+        return failOnError;
+    }
+
+    /**
+     * Set the value of failOnError.
+     *
+     * @param failOnError new value of failOnError
+     */
+    public void setFailOnError(boolean failOnError) {
+        this.failOnError = failOnError;
+    }
+
+    /**
+     * Executes the dependency-check purge to delete the existing local copy of
+     * the NVD CVE data.
+     *
+     * @throws BuildException thrown if there is a problem deleting the file(s)
+     */
     @Override
     public void execute() throws BuildException {
         populateSettings();
         File db;
         try {
-            db = new File(Settings.getDataDirectory(), "dc.h2.db");
+            db = new File(settings.getDataDirectory(), "dc.h2.db");
             if (db.exists()) {
                 if (db.delete()) {
                     log("Database file purged; local copy of the NVD has been removed", Project.MSG_INFO);
                 } else {
-                    log(String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath()), Project.MSG_ERR);
+                    final String msg = String.format("Unable to delete '%s'; please delete the file manually", db.getAbsolutePath());
+                    if (this.failOnError) {
+                        throw new BuildException(msg);
+                    }
+                    log(msg, Project.MSG_ERR);
                 }
             } else {
-                log(String.format("Unable to purge database; the database file does not exists: %s", db.getAbsolutePath()), Project.MSG_ERR);
+                final String msg = String.format("Unable to purge database; the database file does not exist: %s", db.getAbsolutePath());
+                if (this.failOnError) {
+                    throw new BuildException(msg);
+                }
+                log(msg, Project.MSG_ERR);
             }
         } catch (IOException ex) {
-            log("Unable to delete the database", Project.MSG_ERR);
+            final String msg = "Unable to delete the database";
+            if (this.failOnError) {
+                throw new BuildException(msg);
+            }
+            log(msg, Project.MSG_ERR);
         } finally {
-            Settings.cleanup(true);
+            settings.cleanup(true);
         }
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
+     *
+     * @throws BuildException thrown if the properties file cannot be read.
      */
-    protected void populateSettings() {
-        Settings.initialize();
-        InputStream taskProperties = null;
-        try {
-            taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE);
-            Settings.mergeProperties(taskProperties);
+    protected void populateSettings() throws BuildException {
+        settings = new Settings();
+        try (InputStream taskProperties = this.getClass().getClassLoader().getResourceAsStream(PROPERTIES_FILE)) {
+            settings.mergeProperties(taskProperties);
         } catch (IOException ex) {
-            log("Unable to load the dependency-check ant task.properties file.", ex, Project.MSG_WARN);
-        } finally {
-            if (taskProperties != null) {
-                try {
-                    taskProperties.close();
-                } catch (IOException ex) {
-                    log("", ex, Project.MSG_DEBUG);
-                }
+            final String msg = "Unable to load the dependency-check ant task.properties file.";
+            if (this.failOnError) {
+                throw new BuildException(msg, ex);
             }
+            log(msg, ex, Project.MSG_WARN);
         }
         if (dataDirectory != null) {
-            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else {
             final File jarPath = new File(Purge.class.getProtectionDomain().getCodeSource().getLocation().getPath());
             final File base = jarPath.getParentFile();
-            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
             final File dataDir = new File(base, sub);
-            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
         }
     }
 }

ant/src/main/java/org/owasp/dependencycheck/taskdefs/SuppressionFile.java

@@ -0,0 +1,51 @@
+/*
+ * This file is part of dependency-check-ant.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.taskdefs;
+
+/**
+ * Class : {@link SuppressionFile} Responsibility : Models a suppression file
+ * nested XML element where the simple content is its location.
+ *
+ * @author Phillip Whittlesea
+ */
+public class SuppressionFile {
+
+    /**
+     * The path to the suppression file.
+     */
+    private String path;
+
+    /**
+     * Sets the path to the suppression file.
+     *
+     * @param path the path to the suppression file
+     */
+    public void setPath(String path) {
+        this.path = path;
+    }
+
+    /**
+     * Gets the path to the suppression file.
+     *
+     * @return the path
+     */
+    public String getPath() {
+        return path;
+    }
+
+}

ant/src/main/java/org/owasp/dependencycheck/taskdefs/Update.java

@@ -18,19 +18,83 @@
 package org.owasp.dependencycheck.taskdefs;
 
 import org.apache.tools.ant.BuildException;
+import org.apache.tools.ant.Project;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.impl.StaticLoggerBinder;
 
 /**
- * An Ant task definition to execute dependency-check update. This will download the latest data from the National Vulnerability
- * Database (NVD) and store a copy in the local database.
+ * An Ant task definition to execute dependency-check update. This will download
+ * the latest data from the National Vulnerability Database (NVD) and store a
+ * copy in the local database.
  *
  * @author Jeremy Long
  */
 public class Update extends Purge {
 
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+    /**
+     * The number of hours to wait before re-checking for updates.
+     */
+    private Integer cveValidForHours;
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+
     /**
      * Construct a new UpdateTask.
      */
@@ -41,11 +105,6 @@ public class Update extends Purge {
         StaticLoggerBinder.getSingleton().setTask(this);
     }
 
-    /**
-     * The Proxy Server.
-     */
-    private String proxyServer;
-
     /**
      * Get the value of proxyServer.
      *
@@ -64,11 +123,6 @@ public class Update extends Purge {
         this.proxyServer = server;
     }
 
-    /**
-     * The Proxy Port.
-     */
-    private String proxyPort;
-
     /**
      * Get the value of proxyPort.
      *
@@ -86,10 +140,6 @@ public class Update extends Purge {
     public void setProxyPort(String proxyPort) {
         this.proxyPort = proxyPort;
     }
-    /**
-     * The Proxy username.
-     */
-    private String proxyUsername;
 
     /**
      * Get the value of proxyUsername.
@@ -108,10 +158,6 @@ public class Update extends Purge {
     public void setProxyUsername(String proxyUsername) {
         this.proxyUsername = proxyUsername;
     }
-    /**
-     * The Proxy password.
-     */
-    private String proxyPassword;
 
     /**
      * Get the value of proxyPassword.
@@ -130,10 +176,6 @@ public class Update extends Purge {
     public void setProxyPassword(String proxyPassword) {
         this.proxyPassword = proxyPassword;
     }
-    /**
-     * The Connection Timeout.
-     */
-    private String connectionTimeout;
 
     /**
      * Get the value of connectionTimeout.
@@ -152,10 +194,6 @@ public class Update extends Purge {
     public void setConnectionTimeout(String connectionTimeout) {
         this.connectionTimeout = connectionTimeout;
     }
-    /**
-     * The database driver name; such as org.h2.Driver.
-     */
-    private String databaseDriverName;
 
     /**
      * Get the value of databaseDriverName.
@@ -175,11 +213,6 @@ public class Update extends Purge {
         this.databaseDriverName = databaseDriverName;
     }
 
-    /**
-     * The path to the database driver JAR file if it is not on the class path.
-     */
-    private String databaseDriverPath;
-
     /**
      * Get the value of databaseDriverPath.
      *
@@ -197,10 +230,6 @@ public class Update extends Purge {
     public void setDatabaseDriverPath(String databaseDriverPath) {
         this.databaseDriverPath = databaseDriverPath;
     }
-    /**
-     * The database connection string.
-     */
-    private String connectionString;
 
     /**
      * Get the value of connectionString.
@@ -219,10 +248,6 @@ public class Update extends Purge {
     public void setConnectionString(String connectionString) {
         this.connectionString = connectionString;
     }
-    /**
-     * The user name for connecting to the database.
-     */
-    private String databaseUser;
 
     /**
      * Get the value of databaseUser.
@@ -242,11 +267,6 @@ public class Update extends Purge {
         this.databaseUser = databaseUser;
     }
 
-    /**
-     * The password to use when connecting to the database.
-     */
-    private String databasePassword;
-
     /**
      * Get the value of databasePassword.
      *
@@ -265,11 +285,6 @@ public class Update extends Purge {
         this.databasePassword = databasePassword;
     }
 
-    /**
-     * The url for the modified NVD CVE (1.2 schema).
-     */
-    private String cveUrl12Modified;
-
     /**
      * Get the value of cveUrl12Modified.
      *
@@ -288,11 +303,6 @@ public class Update extends Purge {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
-    /**
-     * The url for the modified NVD CVE (2.0 schema).
-     */
-    private String cveUrl20Modified;
-
     /**
      * Get the value of cveUrl20Modified.
      *
@@ -311,11 +321,6 @@ public class Update extends Purge {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
-    /**
-     * Base Data Mirror URL for CVE 1.2.
-     */
-    private String cveUrl12Base;
-
     /**
      * Get the value of cveUrl12Base.
      *
@@ -334,11 +339,6 @@ public class Update extends Purge {
         this.cveUrl12Base = cveUrl12Base;
     }
 
-    /**
-     * Data Mirror URL for CVE 2.0.
-     */
-    private String cveUrl20Base;
-
     /**
      * Get the value of cveUrl20Base.
      *
@@ -357,11 +357,6 @@ public class Update extends Purge {
         this.cveUrl20Base = cveUrl20Base;
     }
 
-    /**
-     * The number of hours to wait before re-checking for updates.
-     */
-    private Integer cveValidForHours;
-
     /**
      * Get the value of cveValidForHours.
      *
@@ -381,54 +376,60 @@ public class Update extends Purge {
     }
 
     /**
-     * Executes the update by initializing the settings, downloads the NVD XML data, and then processes the data storing it in the
-     * local database.
+     * Executes the update by initializing the settings, downloads the NVD XML
+     * data, and then processes the data storing it in the local database.
      *
-     * @throws BuildException thrown if a connection to the local database cannot be made.
+     * @throws BuildException thrown if a connection to the local database
+     * cannot be made.
      */
     @Override
     public void execute() throws BuildException {
         populateSettings();
-        Engine engine = null;
-        try {
-            engine = new Engine(Update.class.getClassLoader());
-            engine.doUpdates();
-        } catch (DatabaseException ex) {
-            throw new BuildException("Unable to connect to the dependency-check database; unable to update the NVD data", ex);
-        } finally {
-            Settings.cleanup(true);
-            if (engine != null) {
-                engine.cleanup();
+        try (Engine engine = new Engine(Update.class.getClassLoader(), getSettings())) {
+            try {
+                engine.doUpdates();
+            } catch (UpdateException ex) {
+                if (this.isFailOnError()) {
+                    throw new BuildException(ex);
+                }
+                log(ex.getMessage(), Project.MSG_ERR);
             }
+        } catch (DatabaseException ex) {
+            final String msg = "Unable to connect to the dependency-check database; unable to update the NVD data";
+            if (this.isFailOnError()) {
+                throw new BuildException(msg, ex);
+            }
+            log(msg, Project.MSG_ERR);
         }
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
      *
      * @throws BuildException thrown when an invalid setting is configured.
      */
     @Override
     protected void populateSettings() throws BuildException {
         super.populateSettings();
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        getSettings().setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
         if (cveValidForHours != null) {
             if (cveValidForHours >= 0) {
-                Settings.setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
+                getSettings().setInt(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
             } else {
                 throw new BuildException("Invalid setting: `cpeValidForHours` must be 0 or greater");
             }

ant/src/main/java/org/slf4j/impl/StaticLoggerBinder.java

@@ -23,33 +23,35 @@ import org.slf4j.ILoggerFactory;
 import org.slf4j.spi.LoggerFactoryBinder;
 
 /**
- * The binding of org.slf4j.LoggerFactory class with an actual instance of org.slf4j.ILoggerFactory is performed using information
- * returned by this class.
+ * The binding of org.slf4j.LoggerFactory class with an actual instance of
+ * org.slf4j.ILoggerFactory is performed using information returned by this
+ * class.
  *
  * @author colezlaw
  */
+//CSOFF: FinalClass
 public class StaticLoggerBinder implements LoggerFactoryBinder {
+//CSON: FinalClass
 
     /**
      * The unique instance of this class
-     *
      */
     private static final StaticLoggerBinder SINGLETON = new StaticLoggerBinder();
+    /**
+     * Ant tasks have the log method we actually want to call. So we hang onto
+     * the task as a delegate
+     */
+    private Task task = null;
 
     /**
      * Return the singleton of this class.
      *
      * @return the StaticLoggerBinder singleton
      */
-    public static final StaticLoggerBinder getSingleton() {
+    public static StaticLoggerBinder getSingleton() {
         return SINGLETON;
     }
 
-    /**
-     * Ant tasks have the log method we actually want to call. So we hang onto the task as a delegate
-     */
-    private Task task = null;
-
     /**
      * Set the Task which will this is to log through.
      *
@@ -61,16 +63,24 @@ public class StaticLoggerBinder implements LoggerFactoryBinder {
     }
 
     /**
-     * Declare the version of the SLF4J API this implementation is compiled against. The value of this filed is usually modified
-     * with each release.
+     * Declare the version of the SLF4J API this implementation is compiled
+     * against. The value of this filed is usually modified with each release.
      */
     // to avoid constant folding by the compiler, this field must *not* be final
+    //CSOFF: StaticVariableName
+    //CSOFF: VisibilityModifier
     public static String REQUESTED_API_VERSION = "1.7.12"; // final
+    //CSON: VisibilityModifier
+    //CSON: StaticVariableName
 
+    /**
+     * The logger factory class string.
+     */
     private static final String LOGGER_FACTORY_CLASS = AntLoggerFactory.class.getName();
 
     /**
-     * The ILoggerFactory instance returned by the {@link #getLoggerFactory} method should always be the smae object
+     * The ILoggerFactory instance returned by the {@link #getLoggerFactory}
+     * method should always be the smae object
      */
     private ILoggerFactory loggerFactory;
 

ant/src/site/markdown/config-purge.md

@@ -2,7 +2,7 @@ Configuration
 ====================
 The dependency-check-purge task deletes the local copy of the NVD. This task
 should rarely be used, if ever. This is included as a convenience method in
-the rare circumstance that the local H2 database because corrupt.
+the rare circumstance that the local H2 database becomes corrupt.
 
 ```xml
 <target name="dependency-check-purge" description="Dependency-Check purge">
@@ -14,6 +14,7 @@ Configuration: dependency-check-purge Task
 --------------------
 The following properties can be set on the dependency-check-purge task.
 
-Property              | Description                                                    | Default Value
-----------------------|----------------------------------------------------------------|------------------
-dataDirectory         | Data directory that is used to store the local copy of the NVD | data
+Property              | Description                                                            | Default Value
+----------------------|------------------------------------------------------------------------|------------------
+dataDirectory         | Data directory that is used to store the local copy of the NVD         | data
+failOnError           | Whether the build should fail if there is an error executing the purge | true

ant/src/site/markdown/config-update.md

@@ -3,7 +3,7 @@ Configuration
 The dependency-check-update task downloads and updates the local copy of the NVD.
 There are several reasons that one may want to use this task; primarily, creating
 an update that will be run only once a day or once every few days (but not greater
-then 7 days) and then use the `autoUpdate="false"` setting on individual
+than 7 days) and then use the `autoUpdate="false"` setting on individual
 dependency-check scans. See [Internet Access Required](https://jeremylong.github.io/DependencyCheck/data/index.html)
 for more information on why this task would be used.
 
@@ -24,6 +24,7 @@ proxyPort             | The Proxy Port.                    |  
 proxyUsername         | Defines the proxy user name.       |  
 proxyPassword         | Defines the proxy password.        |  
 connectionTimeout     | The URL Connection Timeout.        |  
+failOnError           | Whether the build should fail if there is an error executing the update | true
 
 Advanced Configuration
 ====================

ant/src/site/markdown/configuration.md

@@ -17,7 +17,7 @@ the project's dependencies.
     <dependency-check projectname="Hello World"
                       reportoutputdirectory="${basedir}"
                       reportformat="ALL">
-
+        <suppressionfile path="${basedir}/path/to/suppression.xml" />
         <fileset dir="lib">
             <include name="**/*.jar"/>
         </fileset>
@@ -27,22 +27,32 @@ the project's dependencies.
 
 Configuration: dependency-check Task
 --------------------
-The following properties can be set on the dependency-check-update task.
+The following properties can be set on the dependency-check task.
 
 Property              | Description                                                                                                                                                                                        | Default Value
 ----------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
 autoUpdate            | Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false.                                                                                 | true
 cveValidForHours      | Sets the number of hours to wait before checking for new updates from the NVD                                                                                                                      | 4
-failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
+failBuildOnCVSS       | Specifies if the build should be failed if a CVSS score equal to or above a specified level is identified. The default is 11 which means since the CVSS scores are 0-10, by default the build will never fail. | 11
+failOnError           | Whether the build should fail if there is an error executing the dependency-check analysis                                                                                                         | true
 projectName           | The name of the project being scanned.                                                                                                                                                             | Dependency-Check
-reportFormat          | The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.                   | HTML
+reportFormat          | The report format to be generated (HTML, XML, CSV, JSON, VULN, ALL). This configuration option has no affect if using this within the Site plugin unless the externalReport is set to true.        | HTML
 reportOutputDirectory | The location to write the report(s). Note, this is not used if generating the report as part of a `mvn site` build                                                                                 | 'target'
-suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html)                                                                                       | &nbsp;
-proxyServer           | The Proxy Server.                                                                                                                                                                                  | &nbsp;
+hintsFile             | The file path to the XML hints file \- used to resolve [false negatives](../general/hints.html)                                                                                                    | &nbsp;
+proxyServer           | The Proxy Server; see the [proxy configuration](../data/proxy.html) page for more information.                                                                                                     | &nbsp;
 proxyPort             | The Proxy Port.                                                                                                                                                                                    | &nbsp;
 proxyUsername         | Defines the proxy user name.                                                                                                                                                                       | &nbsp;
 proxyPassword         | Defines the proxy password.                                                                                                                                                                        | &nbsp;
 connectionTimeout     | The URL Connection Timeout.                                                                                                                                                                        | &nbsp;
+enableExperimental    | Enable the [experimental analyzers](../analyzers/index.html). If not enabled the experimental analyzers (see below) will not be loaded or used.                                                    | false
+enableRetired         | Enable the [retired analyzers](../analyzers/index.html). If not enabled the retired analyzers (see below) will not be loaded or used.                                                              | false
+suppressionFile       | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html).                                                                                      | &nbsp;
+
+The following nested elements can be set on the dependency-check task.
+
+Element           | Property | Description                                                                                                                                                                                        | Default Value
+------------------|----------|----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------
+suppressionFile   | path     | The file path to the XML suppression file \- used to suppress [false positives](../general/suppression.html). Element can be specified multiple times.                                             | &nbsp;
 
 Analyzer Configuration
 ====================
@@ -52,26 +62,31 @@ Note, that specific analyzers will automatically disable themselves if no file
 types that they support are detected - so specifically disabling them may not
 be needed.
 
-Property                      | Description                                                               | Default Value
-------------------------------|---------------------------------------------------------------------------|------------------
-archiveAnalyzerEnabled        | Sets whether the Archive Analyzer will be used.                           | true
+Property                      | Description                                                                                                | Default Value
+------------------------------|------------------------------------------------------------------------------------------------------------|------------------
+archiveAnalyzerEnabled        | Sets whether the Archive Analyzer will be used.                                                            | true
 zipExtensions                 | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
-jarAnalyzer                   | Sets whether the Jar Analyzer will be used.                               | true
+jarAnalyzer                   | Sets whether the Jar Analyzer will be used.                                                                | true
 centralAnalyzerEnabled        | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer (see below).                                  | true
-nexusAnalyzerEnabled          | Sets whether Nexus Analyzer will be used. This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
+nexusAnalyzerEnabled          | Sets whether Nexus Analyzer will be used (requires Nexus Pro). This analyzer is superceded by the Central Analyzer; however, you can configure this to run against a Nexus Pro installation. | true
 nexusUrl                      | Defines the Nexus web service endpoint (example http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
-nexusUsesProxy                | Whether or not the defined proxy should be used when connecting to Nexus. | true
-pyDistributionAnalyzerEnabled | Sets whether the Python Distribution Analyzer will be used.               | true
-pyPackageAnalyzerEnabled      | Sets whether the Python Package Analyzer will be used.                    | true
-rubygemsAnalyzerEnabled       | Sets whether the Ruby Gemspec Analyzer will be used.                      | true
-opensslAnalyzerEnabled        | Sets whether or not the openssl Analyzer should be used.                  | true
-cmakeAnalyzerEnabled          | Sets whether or not the CMake Analyzer should be used.                    | true
-autoconfAnalyzerEnabled       | Sets whether or not the autoconf Analyzer should be used.                 | true
-composerAnalyzerEnabled       | Sets whether or not the PHP Composer Lock File Analyzer should be used.   | true
-nodeAnalyzerEnabled           | Sets whether or not the Node.js Analyzer should be used.                  | true
-nuspecAnalyzerEnabled         | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.          | true
-assemblyAnalyzerEnabled       | Sets whether or not the .NET Assembly Analyzer should be used.            | true
-pathToMono                    | The path to Mono for .NET assembly analysis on non-windows systems.       | &nbsp;
+nexusUsesProxy                | Whether or not the defined proxy should be used when connecting to Nexus.                                  | true
+pyDistributionAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.        | true
+pyPackageAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.             | true
+rubygemsAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.               | true
+opensslAnalyzerEnabled        | Sets whether the openssl Analyzer should be used.                                                          | true
+cmakeAnalyzerEnabled          | Sets whether the [experimental](../analyzers/index.html) CMake Analyzer should be used.                    | true
+autoconfAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) autoconf Analyzer should be used.                 | true
+composerAnalyzerEnabled       | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer should be used.   | true
+nodeAnalyzerEnabled           | Sets whether the [retired](../analyzers/index.html) Node.js Analyzer should be used.                  | true
+nspAnalyzerEnabled            | Sets whether the NSP Analyzer should be used.                                                              | true
+nuspecAnalyzerEnabled         | Sets whether the .NET Nuget Nuspec Analyzer will be used.                                                  | true
+cocoapodsAnalyzerEnabled      | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer should be used.                | true
+bundleAuditAnalyzerEnabled    | Sets whether the [experimental](../analyzers/index.html) Bundle Audit Analyzer should be used.             | true
+bundleAuditPath               | Sets the path to the bundle audit executable; only used if bundle audit analyzer is enabled and experimental analyzers are enabled.  | &nbsp;
+swiftPackageManagerAnalyzerEnabled | Sets whether the [experimental](../analyzers/index.html) Switft Package Analyzer should be used.      | true
+assemblyAnalyzerEnabled       | Sets whether the .NET Assembly Analyzer should be used.                                                    | true
+pathToMono                    | The path to Mono for .NET assembly analysis on non-windows systems.                                        | &nbsp;
 
 Advanced Configuration
 ====================
@@ -85,8 +100,8 @@ cveUrl20Modified     | URL for the modified CVE 2.0.
 cveUrl12Base         | Base URL for each year's CVE 1.2, the %d will be replaced with the year. | http://nvd.nist.gov/download/nvdcve-%d.xml
 cveUrl20Base         | Base URL for each year's CVE 2.0, the %d will be replaced with the year. | http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 dataDirectory        | Data directory that is used to store the local copy of the NVD. This should generally not be changed. | data
-databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                                    | &nbsp;
+databaseDriverName   | The name of the database driver. Example: org.h2.Driver.                 | &nbsp;
 databaseDriverPath   | The path to the database driver JAR file; only used if the driver is not in the class path. | &nbsp;
-connectionString     | The connection string used to connect to the database.                                      | &nbsp;
-databaseUser         | The username used when connecting to the database.                                          | &nbsp;
-databasePassword     | The password used when connecting to the database.                                          | &nbsp;
+connectionString     | The connection string used to connect to the database.                   | &nbsp;
+databaseUser         | The username used when connecting to the database.                       | &nbsp;
+databasePassword     | The password used when connecting to the database.                       | &nbsp;

ant/src/site/markdown/index.md.vm

@@ -16,8 +16,11 @@ Installation
     <property name="dependency-check.home" value="C:/tools/dependency-check-ant"/>
     <path id="dependency-check.path">
        <pathelement location="${dependency-check.home}/dependency-check-ant.jar"/>
+        <fileset dir="${dependency-check.home}/lib">
+            <include name="*.jar"/>
+        </fileset>
     </path>
-       <taskdef resource="dependency-check-taskdefs.properties">
+    <taskdef resource="dependency-check-taskdefs.properties">
        <classpath refid="dependency-check.path" />
     </taskdef>
     ```

ant/src/test/java/org/owasp/dependencycheck/taskdefs/DependencyCheckTaskTest.java

@@ -0,0 +1,171 @@
+/*
+ * This file is part of dependency-check-ant.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.taskdefs;
+
+import java.io.File;
+
+import org.apache.tools.ant.BuildException;
+import org.apache.tools.ant.BuildFileRule;
+import org.apache.tools.ant.types.LogLevel;
+import org.junit.Before;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.owasp.dependencycheck.BaseDBTestCase;
+
+import static org.junit.Assert.assertTrue;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class DependencyCheckTaskTest extends BaseDBTestCase {
+
+    @Rule
+    public BuildFileRule buildFileRule = new BuildFileRule();
+
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
+    @Before
+    @Override
+    public void setUp() throws Exception {
+        super.setUp();
+        final String buildFile = this.getClass().getClassLoader().getResource("build.xml").getPath();
+        buildFileRule.configureProject(buildFile, LogLevel.VERBOSE.getLevel());
+    }
+
+    /**
+     * Test of addFileSet method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testAddFileSet() throws Exception {
+        File report = new File("target/dependency-check-report.html");
+        if (report.exists() && !report.delete()) {
+            throw new Exception("Unable to delete 'target/dependency-check-report.html' prior to test.");
+        }
+        buildFileRule.executeTarget("test.fileset");
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of addFileList method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddFileList() throws Exception {
+        File report = new File("target/dependency-check-report.xml");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Report.xml' prior to test.");
+            }
+        }
+        buildFileRule.executeTarget("test.filelist");
+
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of addDirSet method, of class DependencyCheckTask.
+     *
+     * @throws Exception
+     */
+    @Test
+    public void testAddDirSet() throws Exception {
+        File report = new File("target/dependency-check-vulnerability.html");
+        if (report.exists()) {
+            if (!report.delete()) {
+                throw new Exception("Unable to delete 'target/DependencyCheck-Vulnerability.html' prior to test.");
+            }
+        }
+        buildFileRule.executeTarget("test.dirset");
+        assertTrue("DependencyCheck report was not generated", report.exists());
+    }
+
+    /**
+     * Test of getFailBuildOnCVSS method, of class DependencyCheckTask.
+     */
+    @Test
+    public void testGetFailBuildOnCVSS() {
+        expectedException.expect(BuildException.class);
+        buildFileRule.executeTarget("failCVSS");
+    }
+
+    /**
+     * Test the DependencyCheckTask where a CVE is suppressed.
+     */
+    @Test
+    public void testSuppressingCVE() {
+        // GIVEN an ant task with a vulnerability
+        final String antTaskName = "suppression";
+
+        // WHEN executing the ant task
+        buildFileRule.executeTarget(antTaskName);
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println(buildFileRule.getError());
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println(buildFileRule.getFullLog());
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+        System.out.println("----------------------------------------------------------");
+
+        // THEN the ant task executed without error
+        final File report = new File("target/suppression-report.html");
+        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+    }
+
+    /**
+     * Test the DependencyCheckTask deprecated suppression property throws an
+     * exception with a warning.
+     */
+    @Test
+    public void testSuppressingSingle() {
+        // GIVEN an ant task with a vulnerability using the legacy property
+        final String antTaskName = "suppression-single";
+
+        // WHEN executing the ant task
+        buildFileRule.executeTarget(antTaskName);
+
+        // THEN the ant task executed without error
+        final File report = new File("target/suppression-single-report.html");
+        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+    }
+
+    /**
+     * Test the DependencyCheckTask deprecated suppression property throws an
+     * exception with a warning.
+     */
+    @Test
+    public void testSuppressingMultiple() {
+        // GIVEN an ant task with a vulnerability using multiple was to configure the suppression file
+        final String antTaskName = "suppression-multiple";
+
+        // WHEN executing the ant task
+        buildFileRule.executeTarget(antTaskName);
+
+        // THEN the ant task executed without error
+        final File report = new File("target/suppression-multiple-report.html");
+        assertTrue("Expected the DependencyCheck report to be generated", report.exists());
+    }
+}

ant/src/test/resources/build.xml

@@ -61,11 +61,57 @@
 
     <target name="failCVSS">
         <dependency-check
-            applicationName="test formatBAD"
+            applicationName="test failCVSS"
             reportOutputDirectory="${project.build.directory}"
             reportFormat="XML"
             autoupdate="false"
-            failBuildOnCVSS="8">
+            failBuildOnCVSS="3">
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
         </dependency-check>
     </target>
+
+    <target name="suppression">
+        <dependency-check
+            applicationName="test suppression"
+            reportOutputDirectory="${project.build.directory}/suppression-report.html"
+            autoupdate="false"
+            failBuildOnCVSS="3">
+            <suppressionfile path="${project.build.directory}/test-classes/test-suppression1.xml" />
+            <suppressionfile path="${project.build.directory}/test-classes/test-suppression2.xml" />
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
+            <filelist
+                dir="${project.build.directory}/test-classes/list"
+                files="jetty-6.1.0.jar,org.mortbay.jetty.jar"/>
+        </dependency-check>
+    </target>
+    <target name="suppression-single">
+        <dependency-check
+            applicationName="test suppression"
+            reportOutputDirectory="${project.build.directory}/suppression-single-report.html"
+            autoupdate="false"
+            failBuildOnCVSS="3"
+            suppressionFile="${project.build.directory}/test-classes/test-suppression.xml">
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
+        </dependency-check>
+    </target>
+    <target name="suppression-multiple">
+        <dependency-check
+            applicationName="test suppression"
+            reportOutputDirectory="${project.build.directory}/suppression-multiple-report.html"
+            autoupdate="false"
+            failBuildOnCVSS="3"
+            suppressionFile="${project.build.directory}/test-classes/test-suppression1.xml">
+            <suppressionfile path="${project.build.directory}/test-classes/test-suppression2.xml"/>
+            <fileset dir="${project.build.directory}/test-classes/jars">
+                <include name="axis-1.4.jar"/>
+            </fileset>
+        </dependency-check>
+    </target>
+    
 </project>

ant/src/test/resources/test-suppression.xml

@@ -0,0 +1,48 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-core.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+    <suppress>
+        <notes><![CDATA[
+            file name: axis-1.4.jar
+        ]]></notes>
+        <gav regex="true">^org\.apache\.axis:axis:.*$</gav>
+        <cpe>cpe:/a:apache:axis</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            file name: org.mortbay.jetty.jar
+        ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+         file name: org.mortbay.jetty.jar
+         ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:mortbay:jetty</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            file name: org.mortbay.jetty.jar
+        ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
+    </suppress>
+</suppressions>

ant/src/test/resources/test-suppression1.xml

@@ -0,0 +1,27 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-core.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+    <suppress>
+        <notes><![CDATA[
+            file name: axis-1.4.jar
+        ]]></notes>
+        <gav regex="true">^org\.apache\.axis:axis:.*$</gav>
+        <cpe>cpe:/a:apache:axis</cpe>
+    </suppress>
+</suppressions>

ant/src/test/resources/test-suppression2.xml

@@ -0,0 +1,41 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+This file is part of dependency-check-core.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
+-->
+<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
+    <suppress>
+        <notes><![CDATA[
+            file name: org.mortbay.jetty.jar
+        ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:jetty:jetty</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            file name: org.mortbay.jetty.jar
+        ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:mortbay:jetty</cpe>
+    </suppress>
+    <suppress>
+        <notes><![CDATA[
+            file name: org.mortbay.jetty.jar
+        ]]></notes>
+        <gav regex="true">^jetty:org\.mortbay\.jetty:.*$</gav>
+        <cpe>cpe:/a:mortbay_jetty:jetty</cpe>
+    </suppress>
+</suppressions>

archetype/pom.xml

@@ -0,0 +1,57 @@
+<!--
+This file is part of dependency-check-maven.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+-->
+<project xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd" xmlns="http://maven.apache.org/POM/4.0.0"
+         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>3.1.2-SNAPSHOT</version>
+    </parent>
+    <groupId>org.owasp</groupId>
+    <artifactId>dependency-check-plugin</artifactId>
+    <name>Dependency-Check Plugin Archetype</name>
+    <packaging>jar</packaging>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-resources-plugin</artifactId>
+                <configuration>
+                    <escapeString>\</escapeString>
+                </configuration>
+            </plugin>
+        </plugins>
+        <resources>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>true</filtering>
+                <includes>
+                    <include>archetype-resources/pom.xml</include>
+                </includes>
+            </resource>
+            <resource>
+                <directory>src/main/resources</directory>
+                <filtering>false</filtering>
+                <excludes>
+                    <exclude>archetype-resources/pom.xml</exclude>
+                </excludes>
+            </resource>
+        </resources>
+    </build>
+</project>

archetype/src/main/resources/META-INF/maven/archetype-metadata.xml

@@ -0,0 +1,37 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<archetype-descriptor name="dependency-check-plugin"
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-archetype-plugin/archetype-descriptor/1.0.0 http://maven.apache.org/xsd/archetype-descriptor-1.0.0.xsd" 
+    xmlns="http://maven.apache.org/plugins/maven-archetype-plugin/archetype-descriptor/1.0.0"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+  <requiredProperties>
+    <requiredProperty key="analyzerName">
+      <defaultValue>CustomAnalyzer</defaultValue>
+    </requiredProperty>
+  </requiredProperties>
+  <fileSets>
+    <fileSet filtered="true" packaged="true" encoding="UTF-8">
+      <directory>src/main/java</directory>
+      <includes>
+        <include>**/*.java</include>
+      </includes>
+    </fileSet>
+    <fileSet filtered="true" encoding="UTF-8">
+      <directory>src/main/resources</directory>
+      <includes>
+        <include>**/*</include>
+      </includes>
+    </fileSet>
+	<fileSet filtered="true" packaged="true" encoding="UTF-8">
+      <directory>src/test/java</directory>
+      <includes>
+        <include>**/*.java</include>
+      </includes>
+    </fileSet>
+    <fileSet filtered="true" encoding="UTF-8">
+      <directory>src/test/resources</directory>
+      <includes>
+        <include>**/*</include>
+      </includes>
+    </fileSet>
+  </fileSets>
+</archetype-descriptor>

archetype/src/main/resources/archetype-resources/pom.xml

@@ -0,0 +1,44 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <groupId>\${groupId}</groupId>
+    <artifactId>\${artifactId}</artifactId>
+    <version>\${version}</version>
+    
+    <name>\${artifactId}</name>
+    <packaging>jar</packaging>
+    
+    <licenses>
+        <license>
+            <name>The Apache Software License, Version 2.0</name>
+            <url>http://www.apache.org/licenses/LICENSE-2.0.txt</url>
+        </license>
+    </licenses>
+    
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>org.slf4j</groupId>
+            <artifactId>slf4j-api</artifactId>
+            <version>${slf4j.version}</version>
+            <scope>provided</scope>
+        </dependency>
+        <dependency>
+            <groupId>junit</groupId>
+            <artifactId>junit</artifactId>       
+            <version>4.12</version>
+            <scope>test</scope>
+        </dependency>
+    </dependencies>
+</project>

archetype/src/main/resources/archetype-resources/src/main/java/__analyzerName__.java

@@ -0,0 +1,155 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ${package};
+
+import java.io.File;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.AnalysisPhase;
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * An OWASP dependency-check plug-in example. If you are not implementing a
+ * FileTypeAnalyzer, simple remove the annotation and the accept() method.
+ */
+public class ${analyzerName} implements Analyzer, FileTypeAnalyzer {
+
+    /**
+     * The Logger for use throughout the ${analyzerName}.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(${analyzerName}.class);
+
+    /**
+     * <p>
+     * Method implementation for the FileTypeAnalyzer; if not implementing a
+     * file type analyzer this method can be removed.</p>
+     * <p>
+     * Determines if the analyzer can process the given file.</p>
+     *
+     * @param pathname the path to the file
+     * @return <code>true</code> if the analyzer can process the file; otherwise
+     * <code>false</code>
+     */
+    @Override
+    public boolean accept(File pathname) {
+        return true;
+    }
+
+    /**
+     * Analyzes the given dependency. The analysis could be anything from
+     * identifying an Identifier for the dependency, to finding vulnerabilities,
+     * etc. Additionally, if the analyzer collects enough information to add a
+     * description or license information for the dependency it should be added.
+     *
+     * @param dependency a dependency to analyze.
+     * @param engine the engine that is scanning the dependencies - this is
+     * useful if we need to check other dependencies
+     * @throws AnalysisException is thrown if there is an error analyzing the
+     * dependency file
+     */
+    @Override
+    public void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (enabled) {
+            //TODO implement analyze
+        }
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return "${analyzerName}";
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return AnalysisPhase.INFORMATION_COLLECTION;
+    }
+
+    /**
+     * The initialize method is called just after instantiation of the object.
+     *
+     * @param settings a reference to the configured settings
+     */
+    @Override
+    public void initialize(Settings settings) {
+        //TODO implement initialize
+    }
+
+    /**
+     * The prepare method is called once just prior to repeated calls to
+     * analyze.
+     *
+     * @param engine a reference to the engine
+     * @throws InitializationException thrown when the analyzer cannot be
+     * initialized
+     */
+    @Override
+    public void prepare(Engine engine) throws InitializationException {
+        //TODO implement prepare
+    }
+
+    /**
+     * The close method is called after all of the dependencies have been
+     * analyzed.
+     *
+     * @throws Exception is thrown if an exception occurs closing the analyzer.
+     */
+    @Override
+    public void close() throws Exception {
+
+    }
+
+    /**
+     * Returns whether multiple instances of the same type of analyzer can run
+     * in parallel. If the analyzer does not support parallel processing it is
+     * generally best to also mark the analyze(Dependency,Engine) as synchronized.
+     *
+     * @return {@code true} if the analyzer supports parallel processing,
+     * {@code false} else
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return true;
+    }
+
+    /**
+     * Flag indicating whether or not the analyzer is enabled.
+     */
+    private boolean enabled = true;
+
+    /**
+     * Returns whether or not the analyzer is enabled.
+     *
+     * @return whether or not the analyzer is enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+}

archetype/src/main/resources/archetype-resources/src/main/resources/META-INF/services/org.owasp.dependencycheck.analyzer.Analyzer

@@ -0,0 +1 @@
+${package}.${analyzerName}

archetype/src/main/resources/archetype-resources/src/test/java/__analyzerName__Test.java

@@ -0,0 +1,147 @@
+/*
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package ${package};
+
+import java.io.File;
+import org.junit.After;
+import org.junit.AfterClass;
+import org.junit.Before;
+import org.junit.BeforeClass;
+import org.junit.Test;
+import static org.junit.Assert.*;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.AnalysisPhase;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * Test cases for ${analyzerName}
+ */
+public class ${analyzerName}Test {
+    
+    Settings settings = null;
+	
+    public ${analyzerName}Test() {
+    }
+    
+    @BeforeClass
+    public static void setUpClass() {
+    }
+    
+    @AfterClass
+    public static void tearDownClass() {
+    }
+    
+    @Before
+    public void setUp() {
+        settings = new Settings();
+    }
+
+    @After
+    public void tearDown() {
+        settings.cleanup();
+    }
+
+    /**
+     * Test of accept method, of class ${analyzerName}.
+     */
+    @Test
+    public void testAccept() {
+        File pathname = new File("test.file");
+        ${analyzerName} instance = new ${analyzerName}();
+        boolean expResult = true;
+        boolean result = instance.accept(pathname);
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of analyze method, of class ${analyzerName}.
+     */
+    @Test
+    public void testAnalyze() throws Exception {
+        //The engine is generally null for most analyzer test cases but can be instantiated if needed.
+        Engine engine = null;
+        ${analyzerName} instance = new ${analyzerName}();
+        instance.initialize(settings);
+        instance.prepare(engine);
+		
+        File file = new File(${analyzerName}.class.getClassLoader().getResource("test.file").toURI().getPath());
+        Dependency dependency = new Dependency(file);
+
+        //TODO uncomment the following line and add assertions against the dependency.
+        //instance.analyze(dependency, engine);
+    }
+
+    /**
+     * Test of getName method, of class ${analyzerName}.
+     */
+    @Test
+    public void testGetName() {
+        ${analyzerName} instance = new ${analyzerName}();
+        String expResult = "${analyzerName}";
+        String result = instance.getName();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of getAnalysisPhase method, of class ${analyzerName}.
+     */
+    @Test
+    public void testGetAnalysisPhase() {
+        ${analyzerName} instance = new ${analyzerName}();
+        AnalysisPhase expResult = AnalysisPhase.INFORMATION_COLLECTION;
+        AnalysisPhase result = instance.getAnalysisPhase();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of initialize method, of class ${analyzerName}.
+     */
+    @Test
+    public void testInitialize() throws Exception {
+        ${analyzerName} instance = new ${analyzerName}();
+        instance.initialize(settings);
+    }
+
+    /**
+     * Test of close method, of class ${analyzerName}.
+     */
+    @Test
+    public void testClose() throws Exception {
+        ${analyzerName} instance = new ${analyzerName}();
+        instance.close();
+    }
+
+    /**
+     * Test of supportsParallelProcessing method, of class ${analyzerName}.
+     */
+    @Test
+    public void testSupportsParallelProcessing() {
+        ${analyzerName} instance = new ${analyzerName}();
+        boolean expResult = true;
+        boolean result = instance.supportsParallelProcessing();
+        assertEquals(expResult, result);
+    }
+
+    /**
+     * Test of isEnabled method, of class ${analyzerName}.
+     */
+    @Test
+    public void testIsEnabled() {
+        ${analyzerName} instance = new ${analyzerName}();
+        boolean expResult = true;
+        boolean result = instance.isEnabled();
+        assertEquals(expResult, result);
+    }
+}

archetype/src/site/markdown/index.md.vm

@@ -0,0 +1,10 @@
+About
+=====
+OWASP dependency-check-plugin is a maven archetype for generating a maven project for
+a dependency-check plugin (i.e. a project containing one or more analyzers).
+
+Usage
+=====
+```bash
+mvn archetype:generate -DarchetypeGroupId=org.owasp -DarchetypeArtifactId=dependency-check-plugin -DarchetypeVersion=${project.version}
+```

archetype/src/site/site.xml

@@ -0,0 +1,34 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check-plugin.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-plugin">
+	<bannerLeft>
+        <name>OWASP dependency-check-plugin</name>
+        <alt>OWASP dependency-check-plugin</alt>
+        <src>/images/dc.svg</src>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu name="Getting Started">
+            <item name="Usage" href="index.html"/>
+        </menu>
+		<menu ref="reports"/>
+    </body>
+</project>

build-reporting/pom.xml

@@ -0,0 +1,114 @@
+<!--
+This file is part of dependency-check build-reporting.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 - Jeremy Long. All Rights Reserved.
+-->
+<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/xsd/maven-4.0.0.xsd">
+    <modelVersion>4.0.0</modelVersion>
+    <parent>
+        <groupId>org.owasp</groupId>
+        <artifactId>dependency-check-parent</artifactId>
+        <version>3.1.2-SNAPSHOT</version>
+    </parent>
+    <name>Dependency-Check Build-Reporting</name>
+    <artifactId>build-reporting</artifactId>
+    <packaging>pom</packaging>
+    <dependencies>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-utils</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-core</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-ant</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-cli</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+        <dependency>
+            <groupId>org.owasp</groupId>
+            <artifactId>dependency-check-maven</artifactId>
+            <version>${project.version}</version>
+        </dependency>
+    </dependencies>
+    <build>
+        <plugins>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-deploy-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.apache.maven.plugins</groupId>
+                <artifactId>maven-enforcer-plugin</artifactId>
+                <configuration>
+                    <skip>true</skip>
+                </configuration>
+            </plugin>
+            <plugin>
+                <groupId>org.jacoco</groupId>
+                <artifactId>jacoco-maven-plugin</artifactId>
+                <executions>
+                    <execution>
+                        <id>report-merge</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>merge</goal>
+                        </goals>
+                        <configuration>
+                            <fileSets>
+                                <fileSet implementation="org.apache.maven.shared.model.fileset.FileSet">
+                                    <directory>${project.basedir}/../</directory>
+                                    <includes>
+                                        <include>utils/target/coverage-reports/*.exec</include>
+                                        <include>core/target/coverage-reports/*.exec</include>
+                                        <include>cli/target/coverage-reports/*.exec</include>
+                                        <include>ant/target/coverage-reports/*.exec</include>
+                                        <include>maven/target/coverage-reports/*.exec</include>
+                                    </includes>
+                                </fileSet>
+                            </fileSets>
+                        </configuration>
+                    </execution>
+                    <execution>
+                        <id>report-aggregate</id>
+                        <phase>verify</phase>
+                        <goals>
+                            <goal>report-aggregate</goal>
+                        </goals>
+                        <configuration>
+                            <outputDirectory>target/coverage-reports/</outputDirectory>
+                            <dataFileIncludes>
+                                <dataFileInclude>target/coverage-reports/jacoco-ut.exec</dataFileInclude>
+                                <dataFileInclude>target/coverage-reports/jacoco-it.exec</dataFileInclude>
+                            </dataFileIncludes>
+                        </configuration>
+                    </execution>
+                </executions>
+            </plugin>
+        </plugins>
+    </build>
+</project>

build-reporting/src/site/markdown/index.md

@@ -0,0 +1,5 @@
+About
+=====
+OWASP dependency-check build reporting is used to aggregate jacoco test coverage results
+so that they can be posted to [Codacy](https://www.codacy.com/app/OWASP_Reviews/DependencyCheck/dashboard)
+to track code coverage.

build-reporting/src/site/site.xml

@@ -0,0 +1,32 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!--
+This file is part of dependency-check build reporting.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+
+Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+-->
+<project name="dependency-check-build-reporting">
+	<bannerLeft>
+        <name>OWASP dependency-check build reporting</name>
+        <alt>OWASP dependency-check build reporting</alt>
+        <src>../images/dc.svg</src>
+    </bannerLeft>
+    <body>
+        <breadcrumbs>
+            <item name="dependency-check" href="../index.html"/>
+        </breadcrumbs>
+        <menu ref="Project Documentation" />
+        <menu ref="reports" />
+    </body>
+</project>

cli/README.md

@@ -5,7 +5,7 @@ performed are a "best effort" and as such, there could be false positives as wel
 vulnerabilities in 3rd party components is a well-known problem and is currently documented in the 2013 OWASP
 Top 10 as [A9 - Using Components with Known Vulnerabilities](https://www.owasp.org/index.php/Top_10_2013-A9-Using_Components_with_Known_Vulnerabilities).
 
-Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/installation.html).
+Documentation and links to production binary releases can be found on the [github pages](http://jeremylong.github.io/DependencyCheck/dependency-check-cli/index.html).
 
 Mailing List
 ------------

cli/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.5</version>
+        <version>3.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-cli</artifactId>
@@ -28,15 +28,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
 
     <name>Dependency-Check Command Line</name>
     <description>dependency-check-cli is an command line tool that uses dependency-check-core to detect publicly disclosed vulnerabilities associated with the scanned project dependencies. The tool will generate a report listing the dependency, any identified Common Platform Enumeration (CPE) identifiers, and the associated Common Vulnerability and Exposure (CVE) entries.</description>
-    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
-    <distributionManagement>
-        <site>
-            <id>github-pages-site</id>
-            <name>Deployment through GitHub's site deployment plugin</name>
-            <url>${basedir}/../target/site/${project.version}/dependency-check-cli</url>
-        </site>
-    </distributionManagement>
-    <!-- end copy -->
     <build>
         <finalName>dependency-check-${project.version}</finalName>
         <resources>
@@ -69,61 +60,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     </archive>
                 </configuration>
             </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>cobertura-maven-plugin</artifactId>
-                <configuration>
-                    <!--instrumentation>
-                        <ignoreTrivial>true</ignoreTrivial>
-                    </instrumentation-->
-                    <check>
-                        <branchRate>85</branchRate>
-                        <lineRate>85</lineRate>
-                        <haltOnFailure>false</haltOnFailure>
-                        <totalBranchRate>85</totalBranchRate>
-                        <totalLineRate>85</totalLineRate>
-                        <packageLineRate>85</packageLineRate>
-                        <packageBranchRate>85</packageBranchRate>
-                        <regexes>
-                            <regex>
-                                <pattern>.*\$.*</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                            <regex>
-                                <pattern>org.owasp.dependencycheck.App</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                        </regexes>
-                    </check>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>clean</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
-                    <systemProperties>
-                        <property>
-                            <name>cpe</name>
-                            <value>data/cpe</value>
-                            <workingDirectory>target</workingDirectory>
-                        </property>
-                        <property>
-                            <name>cve</name>
-                            <value>data/cpe</value>
-                            <workingDirectory>target</workingDirectory>
-                        </property>
-                    </systemProperties>
-                </configuration>
-            </plugin>
             <plugin>
                 <groupId>org.codehaus.mojo</groupId>
                 <artifactId>appassembler-maven-plugin</artifactId>
@@ -139,6 +75,8 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
                     <binFileExtensions>
                         <unix>.sh</unix>
                     </binFileExtensions>
+                    <configurationDirectory>plugins/*</configurationDirectory>
+                    <includeConfigurationDirectoryInClasspath>true</includeConfigurationDirectoryInClasspath>
                 </configuration>
                 <executions>
                     <execution>
@@ -172,42 +110,6 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
             </plugin>
         </plugins>
     </build>
-    <reporting>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${reporting.checkstyle-plugin.version}</version>
-                <configuration>
-                    <enableRulesSummary>false</enableRulesSummary>
-                    <enableFilesSummary>false</enableFilesSummary>
-                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-pmd-plugin</artifactId>
-                <version>${reporting.pmd-plugin.version}</version>
-                <configuration>
-                    <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
-                    <sourceEncoding>utf-8</sourceEncoding>
-                    <excludes>
-                        <exclude>**/generated/*.java</exclude>
-                    </excludes>
-                    <rulesets>
-                        <ruleset>../src/main/config/dcrules.xml</ruleset>
-                        <ruleset>/rulesets/java/basic.xml</ruleset>
-                        <ruleset>/rulesets/java/imports.xml</ruleset>
-                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                    </rulesets>
-                </configuration>
-            </plugin>
-        </plugins>
-    </reporting>
     <dependencies>
         <dependency>
             <groupId>commons-cli</groupId>

cli/src/main/assembly/release.xml

@@ -29,6 +29,13 @@
             <outputDirectory>dependency-check/repo</outputDirectory>
             <directory>${project.build.directory}/release/repo</directory>
         </fileSet>
+        <fileSet>
+            <directory>.</directory>
+            <outputDirectory>dependency-check/plugins</outputDirectory>
+            <excludes>
+                <exclude>*/**</exclude>
+            </excludes>
+        </fileSet>
         <fileSet>
             <outputDirectory>dependency-check</outputDirectory>
             <includes>
@@ -53,21 +60,4 @@
             </includes>
         </fileSet>
     </fileSets>
-    <!--
-            <fileSets>
-            <fileSet>
-                <outputDirectory>/</outputDirectory>
-                <directory>${project.build.directory}</directory>
-                <includes>
-                    <include>dependency-check*.jar</include>
-                </includes>
-            </fileSet>
-        </fileSets>
-        <dependencySets>
-            <dependencySet>
-                <outputDirectory>/lib</outputDirectory>
-                <scope>runtime</scope>
-            </dependencySet>
-        </dependencySets>
-    -->
 </assembly>

cli/src/main/java/org/owasp/dependencycheck/App.java

@@ -0,0 +1,593 @@
+/*
+ * This file is part of dependency-check-cli.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import ch.qos.logback.classic.LoggerContext;
+import ch.qos.logback.classic.encoder.PatternLayoutEncoder;
+import ch.qos.logback.classic.spi.ILoggingEvent;
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.IOException;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+import java.util.Set;
+import org.apache.commons.cli.ParseException;
+import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.apache.tools.ant.DirectoryScanner;
+import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import ch.qos.logback.core.FileAppender;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.slf4j.impl.StaticLoggerBinder;
+
+/**
+ * The command line interface for the DependencyCheck application.
+ *
+ * @author Jeremy Long
+ */
+public class App {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(App.class);
+    /**
+     * The configured settings.
+     */
+    private Settings settings = null;
+
+    /**
+     * The main method for the application.
+     *
+     * @param args the command line arguments
+     */
+    public static void main(String[] args) {
+        int exitCode = 0;
+        final App app = new App();
+        exitCode = app.run(args);
+        LOGGER.debug("Exit code: {}", exitCode);
+        System.exit(exitCode);
+    }
+
+    /**
+     * Builds the App object.
+     */
+    public App() {
+        settings = new Settings();
+    }
+
+    /**
+     * Builds the App object; this method is used for testing.
+     *
+     * @param settings the configured settings
+     */
+    protected App(Settings settings) {
+        this.settings = settings;
+    }
+
+    /**
+     * Main CLI entry-point into the application.
+     *
+     * @param args the command line arguments
+     * @return the exit code to return
+     */
+    public int run(String[] args) {
+        int exitCode = 0;
+        final CliParser cli = new CliParser(settings);
+
+        try {
+            cli.parse(args);
+        } catch (FileNotFoundException ex) {
+            System.err.println(ex.getMessage());
+            cli.printHelp();
+            return -1;
+        } catch (ParseException ex) {
+            System.err.println(ex.getMessage());
+            cli.printHelp();
+            return -2;
+        }
+
+        if (cli.getVerboseLog() != null) {
+            prepareLogger(cli.getVerboseLog());
+        }
+
+        if (cli.isPurge()) {
+            if (cli.getConnectionString() != null) {
+                LOGGER.error("Unable to purge the database when using a non-default connection string");
+                exitCode = -3;
+            } else {
+                try {
+                    populateSettings(cli);
+                } catch (InvalidSettingException ex) {
+                    LOGGER.error(ex.getMessage());
+                    LOGGER.debug("Error loading properties file", ex);
+                    exitCode = -4;
+                    return exitCode;
+                }
+                File db;
+                try {
+                    db = new File(settings.getDataDirectory(), settings.getString(Settings.KEYS.DB_FILE_NAME, "dc.h2.db"));
+                    if (db.exists()) {
+                        if (db.delete()) {
+                            LOGGER.info("Database file purged; local copy of the NVD has been removed");
+                        } else {
+                            LOGGER.error("Unable to delete '{}'; please delete the file manually", db.getAbsolutePath());
+                            exitCode = -5;
+                        }
+                    } else {
+                        LOGGER.error("Unable to purge database; the database file does not exist: {}", db.getAbsolutePath());
+                        exitCode = -6;
+                    }
+                } catch (IOException ex) {
+                    LOGGER.error("Unable to delete the database");
+                    exitCode = -7;
+                } finally {
+                    settings.cleanup();
+                }
+            }
+        } else if (cli.isGetVersion()) {
+            cli.printVersionInfo();
+        } else if (cli.isUpdateOnly()) {
+            try {
+                populateSettings(cli);
+            } catch (InvalidSettingException ex) {
+                LOGGER.error(ex.getMessage());
+                LOGGER.debug("Error loading properties file", ex);
+                exitCode = -4;
+                return exitCode;
+            }
+            try {
+                runUpdateOnly();
+            } catch (UpdateException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -8;
+            } catch (DatabaseException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -9;
+            } finally {
+                settings.cleanup();
+            }
+        } else if (cli.isRunScan()) {
+            try {
+                populateSettings(cli);
+            } catch (InvalidSettingException ex) {
+                LOGGER.error(ex.getMessage());
+                LOGGER.debug("Error loading properties file", ex);
+                exitCode = -4;
+                return exitCode;
+            }
+            try {
+                final String[] scanFiles = cli.getScanFiles();
+                if (scanFiles != null) {
+                    exitCode = runScan(cli.getReportDirectory(), cli.getReportFormat(), cli.getProjectName(), scanFiles,
+                            cli.getExcludeList(), cli.getSymLinkDepth(), cli.getFailOnCVSS());
+                } else {
+                    LOGGER.error("No scan files configured");
+                }
+            } catch (InvalidScanPathException ex) {
+                LOGGER.error("An invalid scan path was detected; unable to scan '//*' paths");
+                exitCode = -10;
+            } catch (DatabaseException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -11;
+            } catch (ReportException ex) {
+                LOGGER.error(ex.getMessage());
+                exitCode = -12;
+            } catch (ExceptionCollection ex) {
+                if (ex.isFatal()) {
+                    exitCode = -13;
+                    LOGGER.error("One or more fatal errors occurred");
+                } else {
+                    exitCode = -14;
+                }
+                for (Throwable e : ex.getExceptions()) {
+                    if (e.getMessage() != null) {
+                        LOGGER.error(e.getMessage());
+                    }
+                }
+            } finally {
+                settings.cleanup();
+            }
+        } else {
+            cli.printHelp();
+        }
+        return exitCode;
+    }
+
+    /**
+     * Scans the specified directories and writes the dependency reports to the
+     * reportDirectory.
+     *
+     * @param reportDirectory the path to the directory where the reports will
+     * be written
+     * @param outputFormat the output format of the report
+     * @param applicationName the application name for the report
+     * @param files the files/directories to scan
+     * @param excludes the patterns for files/directories to exclude
+     * @param symLinkDepth the depth that symbolic links will be followed
+     * @param cvssFailScore the score to fail on if a vulnerability is found
+     * @return the exit code if there was an error
+     *
+     * @throws InvalidScanPathException thrown if the path to scan starts with
+     * "//"
+     * @throws ReportException thrown when the report cannot be generated
+     * @throws DatabaseException thrown when there is an error connecting to the
+     * database
+     * @throws ExceptionCollection thrown when an exception occurs during
+     * analysis; there may be multiple exceptions contained within the
+     * collection.
+     */
+    private int runScan(String reportDirectory, String outputFormat, String applicationName, String[] files,
+            String[] excludes, int symLinkDepth, int cvssFailScore) throws InvalidScanPathException, DatabaseException,
+            ExceptionCollection, ReportException {
+        Engine engine = null;
+        try {
+            final List<String> antStylePaths = getPaths(files);
+            final Set<File> paths = scanAntStylePaths(antStylePaths, symLinkDepth, excludes);
+
+            engine = new Engine(settings);
+            engine.scan(paths);
+
+            ExceptionCollection exCol = null;
+            try {
+                engine.analyzeDependencies();
+            } catch (ExceptionCollection ex) {
+                if (ex.isFatal()) {
+                    throw ex;
+                }
+                exCol = ex;
+            }
+
+            try {
+                engine.writeReports(applicationName, new File(reportDirectory), outputFormat);
+            } catch (ReportException ex) {
+                if (exCol != null) {
+                    exCol.addException(ex);
+                    throw exCol;
+                } else {
+                    throw ex;
+                }
+            }
+            if (exCol != null && !exCol.getExceptions().isEmpty()) {
+                throw exCol;
+            }
+            return determineReturnCode(engine, cvssFailScore);
+        } finally {
+            if (engine != null) {
+                engine.close();
+            }
+        }
+    }
+
+    /**
+     * Determines the return code based on if one of the dependencies scanned
+     * has a vulnerability with a CVSS score above the cvssFailScore.
+     *
+     * @param engine the engine used during analysis
+     * @param cvssFailScore the max allowed CVSS score
+     * @return returns <code>1</code> if a severe enough vulnerability is
+     * identified; otherwise <code>0</code>
+     */
+    private int determineReturnCode(Engine engine, int cvssFailScore) {
+        int retCode = 0;
+        //Set the exit code based on whether we found a high enough vulnerability
+        for (Dependency dep : engine.getDependencies()) {
+            if (!dep.getVulnerabilities().isEmpty()) {
+                for (Vulnerability vuln : dep.getVulnerabilities()) {
+                    LOGGER.debug("VULNERABILITY FOUND {}", dep.getDisplayFileName());
+                    if (vuln.getCvssScore() > cvssFailScore) {
+                        retCode = 1;
+                    }
+                }
+            }
+        }
+        return retCode;
+    }
+
+    /**
+     * Scans the give Ant Style paths and collects the actual files.
+     *
+     * @param antStylePaths a list of ant style paths to scan for actual files
+     * @param symLinkDepth the depth to traverse symbolic links
+     * @param excludes an array of ant style excludes
+     * @return returns the set of identified files
+     * @throws InvalidScanPathException thrown when the scan path is invalid
+     */
+    private Set<File> scanAntStylePaths(List<String> antStylePaths, int symLinkDepth, String[] excludes)
+            throws InvalidScanPathException {
+        final Set<File> paths = new HashSet<>();
+        for (String file : antStylePaths) {
+            LOGGER.debug("Scanning {}", file);
+            final DirectoryScanner scanner = new DirectoryScanner();
+            String include = file.replace('\\', '/');
+            File baseDir;
+
+            if (include.startsWith("//")) {
+                throw new InvalidScanPathException("Unable to scan paths specified by //");
+            } else {
+                final int pos = getLastFileSeparator(include);
+                final String tmpBase = include.substring(0, pos);
+                final String tmpInclude = include.substring(pos + 1);
+                if (tmpInclude.indexOf('*') >= 0 || tmpInclude.indexOf('?') >= 0
+                        || (new File(include)).isFile()) {
+                    baseDir = new File(tmpBase);
+                    include = tmpInclude;
+                } else {
+                    baseDir = new File(tmpBase, tmpInclude);
+                    include = "**/*";
+                }
+            }
+            scanner.setBasedir(baseDir);
+            final String[] includes = {include};
+            scanner.setIncludes(includes);
+            scanner.setMaxLevelsOfSymlinks(symLinkDepth);
+            if (symLinkDepth <= 0) {
+                scanner.setFollowSymlinks(false);
+            }
+            if (excludes != null && excludes.length > 0) {
+                scanner.addExcludes(excludes);
+            }
+            scanner.scan();
+            if (scanner.getIncludedFilesCount() > 0) {
+                for (String s : scanner.getIncludedFiles()) {
+                    final File f = new File(baseDir, s);
+                    LOGGER.debug("Found file {}", f.toString());
+                    paths.add(f);
+                }
+            }
+        }
+        return paths;
+    }
+
+    /**
+     * Determines the ant style paths from the given array of files.
+     *
+     * @param files an array of file paths
+     * @return a list containing ant style paths
+     */
+    private List<String> getPaths(String[] files) {
+        final List<String> antStylePaths = new ArrayList<>();
+        for (String file : files) {
+            final String antPath = ensureCanonicalPath(file);
+            antStylePaths.add(antPath);
+        }
+        return antStylePaths;
+    }
+
+    /**
+     * Only executes the update phase of dependency-check.
+     *
+     * @throws UpdateException thrown if there is an error updating
+     * @throws DatabaseException thrown if a fatal error occurred and a
+     * connection to the database could not be established
+     */
+    private void runUpdateOnly() throws UpdateException, DatabaseException {
+        try (Engine engine = new Engine(settings)) {
+            engine.doUpdates();
+        }
+    }
+
+    /**
+     * Updates the global Settings.
+     *
+     * @param cli a reference to the CLI Parser that contains the command line
+     * arguments used to set the corresponding settings in the core engine.
+     *
+     * @throws InvalidSettingException thrown when a user defined properties
+     * file is unable to be loaded.
+     */
+    protected void populateSettings(CliParser cli) throws InvalidSettingException {
+        final String connectionTimeout = cli.getConnectionTimeout();
+        final String proxyServer = cli.getProxyServer();
+        final String proxyPort = cli.getProxyPort();
+        final String proxyUser = cli.getProxyUsername();
+        final String proxyPass = cli.getProxyPassword();
+        final String dataDirectory = cli.getDataDirectory();
+        final File propertiesFile = cli.getPropertiesFile();
+        final String[] suppressionFiles = cli.getSuppressionFiles();
+        final String hintsFile = cli.getHintsFile();
+        final String nexusUrl = cli.getNexusUrl();
+        final String databaseDriverName = cli.getDatabaseDriverName();
+        final String databaseDriverPath = cli.getDatabaseDriverPath();
+        final String connectionString = cli.getConnectionString();
+        final String databaseUser = cli.getDatabaseUser();
+        final String databasePassword = cli.getDatabasePassword();
+        final String additionalZipExtensions = cli.getAdditionalZipExtensions();
+        final String pathToMono = cli.getPathToMono();
+        final String cveMod12 = cli.getModifiedCve12Url();
+        final String cveMod20 = cli.getModifiedCve20Url();
+        final String cveBase12 = cli.getBaseCve12Url();
+        final String cveBase20 = cli.getBaseCve20Url();
+        final Integer cveValidForHours = cli.getCveValidForHours();
+        final Boolean autoUpdate = cli.isAutoUpdate();
+        final Boolean experimentalEnabled = cli.isExperimentalEnabled();
+        final Boolean retiredEnabled = cli.isRetiredEnabled();
+
+        if (propertiesFile != null) {
+            try {
+                settings.mergeProperties(propertiesFile);
+            } catch (FileNotFoundException ex) {
+                throw new InvalidSettingException("Unable to find properties file '" + propertiesFile.getPath() + "'", ex);
+            } catch (IOException ex) {
+                throw new InvalidSettingException("Error reading properties file '" + propertiesFile.getPath() + "'", ex);
+            }
+        }
+        // We have to wait until we've merged the properties before attempting to set whether we use
+        // the proxy for Nexus since it could be disabled in the properties, but not explicitly stated
+        // on the command line.  This is true of other boolean values set below not using the setBooleanIfNotNull.
+        final boolean nexusUsesProxy = cli.isNexusUsesProxy();
+        if (dataDirectory != null) {
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+        } else if (System.getProperty("basedir") != null) {
+            final File dataDir = new File(System.getProperty("basedir"), "data");
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        } else {
+            final File jarPath = new File(App.class.getProtectionDomain().getCodeSource().getLocation().getPath());
+            final File base = jarPath.getParentFile();
+            final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final File dataDir = new File(base, sub);
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+        settings.setBooleanIfNotNull(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUser);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPass);
+        settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        settings.setStringIfNotEmpty(Settings.KEYS.HINTS_FILE, hintsFile);
+        settings.setIntIfNotNull(Settings.KEYS.CVE_CHECK_VALID_FOR_HOURS, cveValidForHours);
+
+        settings.setArrayIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFiles);
+
+        //File Type Analyzer Settings
+        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, experimentalEnabled);
+        settings.setBooleanIfNotNull(Settings.KEYS.ANALYZER_RETIRED_ENABLED, retiredEnabled);
+
+        settings.setBoolean(Settings.KEYS.ANALYZER_JAR_ENABLED, !cli.isJarDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, !cli.isArchiveDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED, !cli.isPythonDistributionDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED, !cli.isPythonPackageDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_AUTOCONF_ENABLED, !cli.isAutoconfDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_CMAKE_ENABLED, !cli.isCmakeDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_NUSPEC_ENABLED, !cli.isNuspecDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED, !cli.isAssemblyDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED, !cli.isBundleAuditDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_OPENSSL_ENABLED, !cli.isOpenSSLDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED, !cli.isComposerDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED, !cli.isNodeJsDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED, !cli.isNspDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED, !cli.isSwiftPackageAnalyzerDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_COCOAPODS_ENABLED, !cli.isCocoapodsAnalyzerDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED, !cli.isRubyGemspecDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, !cli.isCentralDisabled());
+        settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, !cli.isNexusDisabled());
+
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_BUNDLE_AUDIT_PATH, cli.getPathToBundleAudit());
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
+        settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, additionalZipExtensions);
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        if (cveBase12 != null && !cveBase12.isEmpty()) {
+            settings.setString(Settings.KEYS.CVE_SCHEMA_1_2, cveBase12);
+            settings.setString(Settings.KEYS.CVE_SCHEMA_2_0, cveBase20);
+            settings.setString(Settings.KEYS.CVE_MODIFIED_12_URL, cveMod12);
+            settings.setString(Settings.KEYS.CVE_MODIFIED_20_URL, cveMod20);
+        }
+    }
+
+    /**
+     * Creates a file appender and adds it to logback.
+     *
+     * @param verboseLog the path to the verbose log file
+     */
+    private void prepareLogger(String verboseLog) {
+        final StaticLoggerBinder loggerBinder = StaticLoggerBinder.getSingleton();
+        final LoggerContext context = (LoggerContext) loggerBinder.getLoggerFactory();
+
+        final PatternLayoutEncoder encoder = new PatternLayoutEncoder();
+        encoder.setPattern("%d %C:%L%n%-5level - %msg%n");
+        encoder.setContext(context);
+        encoder.start();
+        final FileAppender<ILoggingEvent> fa = new FileAppender<>();
+        fa.setAppend(true);
+        fa.setEncoder(encoder);
+        fa.setContext(context);
+        fa.setFile(verboseLog);
+        final File f = new File(verboseLog);
+        String name = f.getName();
+        final int i = name.lastIndexOf('.');
+        if (i > 1) {
+            name = name.substring(0, i);
+        }
+        fa.setName(name);
+        fa.start();
+        final ch.qos.logback.classic.Logger rootLogger = context.getLogger(ch.qos.logback.classic.Logger.ROOT_LOGGER_NAME);
+        rootLogger.addAppender(fa);
+    }
+
+    /**
+     * Takes a path and resolves it to be a canonical &amp; absolute path. The
+     * caveats are that this method will take an Ant style file selector path
+     * (../someDir/**\/*.jar) and convert it to an absolute/canonical path (at
+     * least to the left of the first * or ?).
+     *
+     * @param path the path to canonicalize
+     * @return the canonical path
+     */
+    protected String ensureCanonicalPath(String path) {
+        String basePath;
+        String wildCards = null;
+        final String file = path.replace('\\', '/');
+        if (file.contains("*") || file.contains("?")) {
+
+            int pos = getLastFileSeparator(file);
+            if (pos < 0) {
+                return file;
+            }
+            pos += 1;
+            basePath = file.substring(0, pos);
+            wildCards = file.substring(pos);
+        } else {
+            basePath = file;
+        }
+
+        File f = new File(basePath);
+        try {
+            f = f.getCanonicalFile();
+            if (wildCards != null) {
+                f = new File(f, wildCards);
+            }
+        } catch (IOException ex) {
+            LOGGER.warn("Invalid path '{}' was provided.", path);
+            LOGGER.debug("Invalid path provided", ex);
+        }
+        return f.getAbsolutePath().replace('\\', '/');
+    }
+
+    /**
+     * Returns the position of the last file separator.
+     *
+     * @param file a file path
+     * @return the position of the last file separator
+     */
+    private int getLastFileSeparator(String file) {
+        if (file.contains("*") || file.contains("?")) {
+            int p1 = file.indexOf('*');
+            int p2 = file.indexOf('?');
+            p1 = p1 > 0 ? p1 : file.length();
+            p2 = p2 > 0 ? p2 : file.length();
+            int pos = p1 < p2 ? p1 : p2;
+            pos = file.lastIndexOf('/', pos);
+            return pos;
+        } else {
+            return file.lastIndexOf('/');
+        }
+    }
+}

cli/src/main/java/org/owasp/dependencycheck/CliParser.java

@@ -53,12 +53,26 @@ public final class CliParser {
      * Indicates whether the arguments are valid.
      */
     private boolean isValid = true;
+    /**
+     * The configured settings.
+     */
+    private final Settings settings;
+
+    /**
+     * Constructs a new CLI Parser object with the configured settings.
+     *
+     * @param settings the configured settings
+     */
+    public CliParser(Settings settings) {
+        this.settings = settings;
+    }
 
     /**
      * Parses the arguments passed in and captures the results for later use.
      *
      * @param args the command line arguments
-     * @throws FileNotFoundException is thrown when a 'file' argument does not point to a file that exists.
+     * @throws FileNotFoundException is thrown when a 'file' argument does not
+     * point to a file that exists.
      * @throws ParseException is thrown when a Parse Exception occurs.
      */
     public void parse(String[] args) throws FileNotFoundException, ParseException {
@@ -85,9 +99,10 @@ public final class CliParser {
     /**
      * Validates that the command line arguments are valid.
      *
-     * @throws FileNotFoundException if there is a file specified by either the SCAN or CPE command line arguments that does not
-     * exist.
-     * @throws ParseException is thrown if there is an exception parsing the command line.
+     * @throws FileNotFoundException if there is a file specified by either the
+     * SCAN or CPE command line arguments that does not exist.
+     * @throws ParseException is thrown if there is an exception parsing the
+     * command line.
      */
     private void validateArgs() throws FileNotFoundException, ParseException {
         if (isUpdateOnly() || isRunScan()) {
@@ -118,7 +133,7 @@ public final class CliParser {
                     Format.valueOf(format);
                 } catch (IllegalArgumentException ex) {
                     final String msg = String.format("An invalid 'format' of '%s' was specified. "
-                            + "Supported output formats are XML, HTML, VULN, or ALL", format);
+                            + "Supported output formats are HTML, XML, CSV, JSON, VULN, or ALL", format);
                     throw new ParseException(msg);
                 }
             }
@@ -141,12 +156,14 @@ public final class CliParser {
     }
 
     /**
-     * Validates whether or not the path(s) points at a file that exists; if the path(s) does not point to an existing file a
-     * FileNotFoundException is thrown.
+     * Validates whether or not the path(s) points at a file that exists; if the
+     * path(s) does not point to an existing file a FileNotFoundException is
+     * thrown.
      *
      * @param paths the paths to validate if they exists
      * @param optType the option being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if one of the paths being validated does not exist.
+     * @throws FileNotFoundException is thrown if one of the paths being
+     * validated does not exist.
      */
     private void validatePathExists(String[] paths, String optType) throws FileNotFoundException {
         for (String path : paths) {
@@ -155,12 +172,14 @@ public final class CliParser {
     }
 
     /**
-     * Validates whether or not the path points at a file that exists; if the path does not point to an existing file a
-     * FileNotFoundException is thrown.
+     * Validates whether or not the path points at a file that exists; if the
+     * path does not point to an existing file a FileNotFoundException is
+     * thrown.
      *
      * @param path the paths to validate if they exists
      * @param argumentName the argument being validated (e.g. scan, out, etc.)
-     * @throws FileNotFoundException is thrown if the path being validated does not exist.
+     * @throws FileNotFoundException is thrown if the path being validated does
+     * not exist.
      */
     private void validatePathExists(String path, String argumentName) throws FileNotFoundException {
         if (path == null) {
@@ -181,22 +200,24 @@ public final class CliParser {
                         throw new FileNotFoundException(msg);
                     }
                 }
-            } else {
-                if (!f.exists()) {
-                    isValid = false;
-                    final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
-                    throw new FileNotFoundException(msg);
-                }
+            } else if (!f.exists()) {
+                isValid = false;
+                final String msg = String.format("Invalid '%s' argument: '%s'", argumentName, path);
+                throw new FileNotFoundException(msg);
             }
-        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
-            isValid = false;
-            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
-            throw new FileNotFoundException(msg);
+//        } else if (path.startsWith("//") || path.startsWith("\\\\")) {
+//            isValid = false;
+//            final String msg = String.format("Invalid '%s' argument: '%s'%nUnable to scan paths that start with '//'.", argumentName, path);
+//            throw new FileNotFoundException(msg);
+        } else if ((path.endsWith("/*") && !path.endsWith("**/*")) || (path.endsWith("\\*") && path.endsWith("**\\*"))) {
+            LOGGER.warn("Possibly incorrect path '{}' from argument '{}' because it ends with a slash star; "
+                    + "dependency-check uses ant-style paths", path, argumentName);
         }
     }
 
     /**
-     * Generates an Options collection that is used to parse the command line and to display the help message.
+     * Generates an Options collection that is used to parse the command line
+     * and to display the help message.
      *
      * @return the command line options used for parsing the command line
      */
@@ -213,10 +234,9 @@ public final class CliParser {
      * Adds the standard command line options to the given options collection.
      *
      * @param options a collection of command line arguments
-     * @throws IllegalArgumentException thrown if there is an exception
      */
     @SuppressWarnings("static-access")
-    private void addStandardOptions(final Options options) throws IllegalArgumentException {
+    private void addStandardOptions(final Options options) {
         final Option help = new Option(ARGUMENT.HELP_SHORT, ARGUMENT.HELP, false,
                 "Print this message.");
 
@@ -240,7 +260,7 @@ public final class CliParser {
 
         final Option excludes = Option.builder().argName("pattern").hasArg().longOpt(ARGUMENT.EXCLUDE)
                 .desc("Specify and exclusion pattern. This option can be specified multiple times"
-                        + " and it accepts Ant style excludsions.")
+                        + " and it accepts Ant style exclusions.")
                 .build();
 
         final Option props = Option.builder(ARGUMENT.PROP_SHORT).argName("file").hasArg().longOpt(ARGUMENT.PROP)
@@ -253,7 +273,7 @@ public final class CliParser {
                 .build();
 
         final Option outputFormat = Option.builder(ARGUMENT.OUTPUT_FORMAT_SHORT).argName("format").hasArg().longOpt(ARGUMENT.OUTPUT_FORMAT)
-                .desc("The output format to write to (XML, HTML, VULN, ALL). The default is HTML.")
+                .desc("The output format to write to (XML, JSON, HTML, VULN, ALL). The default is HTML.")
                 .build();
 
         final Option verboseLog = Option.builder(ARGUMENT.VERBOSE_LOG_SHORT).argName("file").hasArg().longOpt(ARGUMENT.VERBOSE_LOG)
@@ -264,14 +284,32 @@ public final class CliParser {
                 .desc("Sets how deep nested symbolic links will be followed; 0 indicates symbolic links will not be followed.")
                 .build();
 
-        final Option suppressionFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.SUPPRESSION_FILE)
-                .desc("The file path to the suppression XML file.")
+        final Option suppressionFile = Option.builder().argName("file").hasArgs().longOpt(ARGUMENT.SUPPRESSION_FILES)
+                .desc("The file path to the suppression XML file. This can be specified more then once to utilize multiple "
+                        + "suppression files")
+                .build();
+
+        final Option hintsFile = Option.builder().argName("file").hasArg().longOpt(ARGUMENT.HINTS_FILE)
+                .desc("The file path to the hints XML file.")
                 .build();
 
         final Option cveValidForHours = Option.builder().argName("hours").hasArg().longOpt(ARGUMENT.CVE_VALID_FOR_HOURS)
                 .desc("The number of hours to wait before checking for new updates from the NVD.")
                 .build();
 
+        final Option experimentalEnabled = Option.builder().longOpt(ARGUMENT.EXPERIMENTAL)
+                .desc("Enables the experimental analyzers.")
+                .build();
+
+        final Option retiredEnabled = Option.builder().longOpt(ARGUMENT.RETIRED)
+                .desc("Enables the experimental analyzers.")
+                .build();
+
+        final Option failOnCVSS = Option.builder().argName("score").hasArg().longOpt(ARGUMENT.FAIL_ON_CVSS)
+                .desc("Specifies if the build should be failed if a CVSS score above a specified level is identified. "
+                        + "The default is 11; since the CVSS scores are 0-10, by default the build will never fail.")
+                .build();
+
         //This is an option group because it can be specified more then once.
         final OptionGroup og = new OptionGroup();
         og.addOption(path);
@@ -292,18 +330,22 @@ public final class CliParser {
                 .addOption(props)
                 .addOption(verboseLog)
                 .addOption(suppressionFile)
-                .addOption(cveValidForHours);
+                .addOption(hintsFile)
+                .addOption(cveValidForHours)
+                .addOption(experimentalEnabled)
+                .addOption(retiredEnabled)
+                .addOption(failOnCVSS);
     }
 
     /**
-     * Adds the advanced command line options to the given options collection. These are split out for purposes of being able to
-     * display two different help messages.
+     * Adds the advanced command line options to the given options collection.
+     * These are split out for purposes of being able to display two different
+     * help messages.
      *
      * @param options a collection of command line arguments
-     * @throws IllegalArgumentException thrown if there is an exception
      */
     @SuppressWarnings("static-access")
-    private void addAdvancedOptions(final Options options) throws IllegalArgumentException {
+    private void addAdvancedOptions(final Options options) {
 
         final Option cve12Base = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.CVE_BASE_12)
                 .desc("Base URL for each year’s CVE 1.2, the %d will be replaced with the year. ")
@@ -411,6 +453,11 @@ public final class CliParser {
         final Option disableCmakeAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CMAKE)
                 .desc("Disable the Cmake Analyzer.").build();
 
+        final Option cocoapodsAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_COCOAPODS)
+                .desc("Disable the CocoaPods Analyzer.").build();
+        final Option swiftPackageManagerAnalyzerEnabled = Option.builder().longOpt(ARGUMENT.DISABLE_SWIFT)
+                .desc("Disable the swift package Analyzer.").build();
+
         final Option disableCentralAnalyzer = Option.builder().longOpt(ARGUMENT.DISABLE_CENTRAL)
                 .desc("Disable the Central Analyzer. If this analyzer is disabled it is likely you also want to disable "
                         + "the Nexus Analyzer.").build();
@@ -455,8 +502,12 @@ public final class CliParser {
                 .addOption(disableNuspecAnalyzer)
                 .addOption(disableCentralAnalyzer)
                 .addOption(disableNexusAnalyzer)
+                .addOption(cocoapodsAnalyzerEnabled)
+                .addOption(swiftPackageManagerAnalyzerEnabled)
                 .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NODE_JS)
                         .desc("Disable the Node.js Package Analyzer.").build())
+                .addOption(Option.builder().longOpt(ARGUMENT.DISABLE_NSP)
+                        .desc("Disable the NSP Package Analyzer.").build())
                 .addOption(nexusUrl)
                 .addOption(nexusUsesProxy)
                 .addOption(additionalZipExtensions)
@@ -466,14 +517,15 @@ public final class CliParser {
     }
 
     /**
-     * Adds the deprecated command line options to the given options collection. These are split out for purposes of not including
-     * them in the help message. We need to add the deprecated options so as not to break existing scripts.
+     * Adds the deprecated command line options to the given options collection.
+     * These are split out for purposes of not including them in the help
+     * message. We need to add the deprecated options so as not to break
+     * existing scripts.
      *
      * @param options a collection of command line arguments
-     * @throws IllegalArgumentException thrown if there is an exception
      */
     @SuppressWarnings({"static-access", "deprecation"})
-    private void addDeprecatedOptions(final Options options) throws IllegalArgumentException {
+    private void addDeprecatedOptions(final Options options) {
 
         final Option proxyServer = Option.builder().argName("url").hasArg().longOpt(ARGUMENT.PROXY_URL)
                 .desc("The proxy url argument is deprecated, use proxyserver instead.")
@@ -514,7 +566,8 @@ public final class CliParser {
     }
 
     /**
-     * Returns the symbolic link depth (how deeply symbolic links will be followed).
+     * Returns the symbolic link depth (how deeply symbolic links will be
+     * followed).
      *
      * @return the symbolic link depth
      */
@@ -531,145 +584,220 @@ public final class CliParser {
         return value;
     }
 
+    /**
+     * Utility method to determine if one of the disable options has been set.
+     * If not set, this method will check the currently configured settings for
+     * the current value to return.
+     *
+     * Example given `--disableArchive` on the command line would cause this
+     * method to return true for the disable archive setting.
+     *
+     * @param argument the command line argument
+     * @param setting the corresponding settings key
+     * @return true if the disable option was set, if not set the currently
+     * configured value will be returned
+     */
+    private boolean hasDisableOption(String argument, String setting) {
+        if (line == null || !line.hasOption(argument)) {
+            try {
+                return !settings.getBoolean(setting);
+            } catch (InvalidSettingException ise) {
+                LOGGER.warn("Invalid property setting '{}' defaulting to false", setting);
+                return false;
+            }
+        } else {
+            return true;
+        }
+    }
+
     /**
      * Returns true if the disableJar command line argument was specified.
      *
-     * @return true if the disableJar command line argument was specified; otherwise false
+     * @return true if the disableJar command line argument was specified;
+     * otherwise false
      */
     public boolean isJarDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_JAR);
+        return hasDisableOption(ARGUMENT.DISABLE_JAR, Settings.KEYS.ANALYZER_JAR_ENABLED);
     }
 
     /**
      * Returns true if the disableArchive command line argument was specified.
      *
-     * @return true if the disableArchive command line argument was specified; otherwise false
+     * @return true if the disableArchive command line argument was specified;
+     * otherwise false
      */
     public boolean isArchiveDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ARCHIVE);
+        return hasDisableOption(ARGUMENT.DISABLE_ARCHIVE, Settings.KEYS.ANALYZER_ARCHIVE_ENABLED);
     }
 
     /**
      * Returns true if the disableNuspec command line argument was specified.
      *
-     * @return true if the disableNuspec command line argument was specified; otherwise false
+     * @return true if the disableNuspec command line argument was specified;
+     * otherwise false
      */
     public boolean isNuspecDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NUSPEC);
+        return hasDisableOption(ARGUMENT.DISABLE_NUSPEC, Settings.KEYS.ANALYZER_NUSPEC_ENABLED);
     }
 
     /**
      * Returns true if the disableAssembly command line argument was specified.
      *
-     * @return true if the disableAssembly command line argument was specified; otherwise false
+     * @return true if the disableAssembly command line argument was specified;
+     * otherwise false
      */
     public boolean isAssemblyDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_ASSEMBLY);
+        return hasDisableOption(ARGUMENT.DISABLE_ASSEMBLY, Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED);
     }
 
     /**
-     * Returns true if the disableBundleAudit command line argument was specified.
+     * Returns true if the disableBundleAudit command line argument was
+     * specified.
      *
-     * @return true if the disableBundleAudit command line argument was specified; otherwise false
+     * @return true if the disableBundleAudit command line argument was
+     * specified; otherwise false
      */
     public boolean isBundleAuditDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_BUNDLE_AUDIT);
+        return hasDisableOption(ARGUMENT.DISABLE_BUNDLE_AUDIT, Settings.KEYS.ANALYZER_BUNDLE_AUDIT_ENABLED);
     }
 
     /**
      * Returns true if the disablePyDist command line argument was specified.
      *
-     * @return true if the disablePyDist command line argument was specified; otherwise false
+     * @return true if the disablePyDist command line argument was specified;
+     * otherwise false
      */
     public boolean isPythonDistributionDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_DIST);
+        return hasDisableOption(ARGUMENT.DISABLE_PY_DIST, Settings.KEYS.ANALYZER_PYTHON_DISTRIBUTION_ENABLED);
     }
 
     /**
      * Returns true if the disablePyPkg command line argument was specified.
      *
-     * @return true if the disablePyPkg command line argument was specified; otherwise false
+     * @return true if the disablePyPkg command line argument was specified;
+     * otherwise false
      */
     public boolean isPythonPackageDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_PY_PKG);
+        return hasDisableOption(ARGUMENT.DISABLE_PY_PKG, Settings.KEYS.ANALYZER_PYTHON_PACKAGE_ENABLED);
     }
 
     /**
      * Returns whether the Ruby gemspec analyzer is disabled.
      *
-     * @return true if the {@link ARGUMENT#DISABLE_RUBYGEMS} command line argument was specified; otherwise false
+     * @return true if the {@link ARGUMENT#DISABLE_RUBYGEMS} command line
+     * argument was specified; otherwise false
      */
     public boolean isRubyGemspecDisabled() {
-        return (null != line) && line.hasOption(ARGUMENT.DISABLE_RUBYGEMS);
+        return hasDisableOption(ARGUMENT.DISABLE_RUBYGEMS, Settings.KEYS.ANALYZER_RUBY_GEMSPEC_ENABLED);
     }
 
     /**
      * Returns true if the disableCmake command line argument was specified.
      *
-     * @return true if the disableCmake command line argument was specified; otherwise false
+     * @return true if the disableCmake command line argument was specified;
+     * otherwise false
      */
     public boolean isCmakeDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CMAKE);
+        return hasDisableOption(ARGUMENT.DISABLE_CMAKE, Settings.KEYS.ANALYZER_CMAKE_ENABLED);
     }
 
     /**
      * Returns true if the disableAutoconf command line argument was specified.
      *
-     * @return true if the disableAutoconf command line argument was specified; otherwise false
+     * @return true if the disableAutoconf command line argument was specified;
+     * otherwise false
      */
     public boolean isAutoconfDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_AUTOCONF);
+        return hasDisableOption(ARGUMENT.DISABLE_AUTOCONF, Settings.KEYS.ANALYZER_AUTOCONF_ENABLED);
     }
 
     /**
      * Returns true if the disableComposer command line argument was specified.
      *
-     * @return true if the disableComposer command line argument was specified; otherwise false
+     * @return true if the disableComposer command line argument was specified;
+     * otherwise false
      */
     public boolean isComposerDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_COMPOSER);
+        return hasDisableOption(ARGUMENT.DISABLE_COMPOSER, Settings.KEYS.ANALYZER_COMPOSER_LOCK_ENABLED);
     }
 
     /**
      * Returns true if the disableNexus command line argument was specified.
      *
-     * @return true if the disableNexus command line argument was specified; otherwise false
+     * @return true if the disableNexus command line argument was specified;
+     * otherwise false
      */
     public boolean isNexusDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NEXUS);
+        return hasDisableOption(ARGUMENT.DISABLE_NEXUS, Settings.KEYS.ANALYZER_NEXUS_ENABLED);
     }
 
     /**
      * Returns true if the disableOpenSSL command line argument was specified.
      *
-     * @return true if the disableOpenSSL command line argument was specified; otherwise false
+     * @return true if the disableOpenSSL command line argument was specified;
+     * otherwise false
      */
     public boolean isOpenSSLDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_OPENSSL);
+        return hasDisableOption(ARGUMENT.DISABLE_OPENSSL, Settings.KEYS.ANALYZER_OPENSSL_ENABLED);
     }
 
     /**
      * Returns true if the disableNodeJS command line argument was specified.
      *
-     * @return true if the disableNodeJS command line argument was specified; otherwise false
+     * @return true if the disableNodeJS command line argument was specified;
+     * otherwise false
      */
     public boolean isNodeJsDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_NODE_JS);
+        return hasDisableOption(ARGUMENT.DISABLE_NODE_JS, Settings.KEYS.ANALYZER_NODE_PACKAGE_ENABLED);
+    }
+
+    /**
+     * Returns true if the disableNSP command line argument was specified.
+     *
+     * @return true if the disableNSP command line argument was specified;
+     * otherwise false
+     */
+    public boolean isNspDisabled() {
+        return hasDisableOption(ARGUMENT.DISABLE_NSP, Settings.KEYS.ANALYZER_NSP_PACKAGE_ENABLED);
+    }
+
+    /**
+     * Returns true if the disableCocoapodsAnalyzer command line argument was
+     * specified.
+     *
+     * @return true if the disableCocoapodsAnalyzer command line argument was
+     * specified; otherwise false
+     */
+    public boolean isCocoapodsAnalyzerDisabled() {
+        return hasDisableOption(ARGUMENT.DISABLE_COCOAPODS, Settings.KEYS.ANALYZER_COCOAPODS_ENABLED);
+    }
+
+    /**
+     * Returns true if the disableSwiftPackageManagerAnalyzer command line
+     * argument was specified.
+     *
+     * @return true if the disableSwiftPackageManagerAnalyzer command line
+     * argument was specified; otherwise false
+     */
+    public boolean isSwiftPackageAnalyzerDisabled() {
+        return hasDisableOption(ARGUMENT.DISABLE_SWIFT, Settings.KEYS.ANALYZER_SWIFT_PACKAGE_MANAGER_ENABLED);
     }
 
     /**
      * Returns true if the disableCentral command line argument was specified.
      *
-     * @return true if the disableCentral command line argument was specified; otherwise false
+     * @return true if the disableCentral command line argument was specified;
+     * otherwise false
      */
     public boolean isCentralDisabled() {
-        return (line != null) && line.hasOption(ARGUMENT.DISABLE_CENTRAL);
+        return hasDisableOption(ARGUMENT.DISABLE_CENTRAL, Settings.KEYS.ANALYZER_CENTRAL_ENABLED);
     }
 
     /**
      * Returns the url to the nexus server if one was specified.
      *
-     * @return the url to the nexus server; if none was specified this will return null;
+     * @return the url to the nexus server; if none was specified this will
+     * return null;
      */
     public String getNexusUrl() {
         if (line == null || !line.hasOption(ARGUMENT.NEXUS_URL)) {
@@ -680,16 +808,18 @@ public final class CliParser {
     }
 
     /**
-     * Returns true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false is returned.
+     * Returns true if the Nexus Analyzer should use the configured proxy to
+     * connect to Nexus; otherwise false is returned.
      *
-     * @return true if the Nexus Analyzer should use the configured proxy to connect to Nexus; otherwise false
+     * @return true if the Nexus Analyzer should use the configured proxy to
+     * connect to Nexus; otherwise false
      */
     public boolean isNexusUsesProxy() {
         // If they didn't specify whether Nexus needs to use the proxy, we should
         // still honor the property if it's set.
         if (line == null || !line.hasOption(ARGUMENT.NEXUS_USES_PROXY)) {
             try {
-                return Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
+                return settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY);
             } catch (InvalidSettingException ise) {
                 return true;
             }
@@ -711,10 +841,10 @@ public final class CliParser {
         final String helpMsg = String.format("%n%s"
                 + " can be used to identify if there are any known CVE vulnerabilities in libraries utilized by an application. "
                 + "%s will automatically update required data from the Internet, such as the CVE and CPE data files from nvd.nist.gov.%n%n",
-                Settings.getString("application.name", "DependencyCheck"),
-                Settings.getString("application.name", "DependencyCheck"));
+                settings.getString("application.name", "DependencyCheck"),
+                settings.getString("application.name", "DependencyCheck"));
 
-        formatter.printHelp(Settings.getString("application.name", "DependencyCheck"),
+        formatter.printHelp(settings.getString("application.name", "DependencyCheck"),
                 helpMsg,
                 options,
                 "",
@@ -722,7 +852,8 @@ public final class CliParser {
     }
 
     /**
-     * Retrieves the file command line parameter(s) specified for the 'scan' argument.
+     * Retrieves the file command line parameter(s) specified for the 'scan'
+     * argument.
      *
      * @return the file paths specified on the command line for scan
      */
@@ -731,7 +862,8 @@ public final class CliParser {
     }
 
     /**
-     * Retrieves the list of excluded file patterns specified by the 'exclude' argument.
+     * Retrieves the list of excluded file patterns specified by the 'exclude'
+     * argument.
      *
      * @return the excluded file patterns
      */
@@ -740,7 +872,8 @@ public final class CliParser {
     }
 
     /**
-     * Returns the directory to write the reports to specified on the command line.
+     * Returns the directory to write the reports to specified on the command
+     * line.
      *
      * @return the path to the reports directory.
      */
@@ -749,7 +882,8 @@ public final class CliParser {
     }
 
     /**
-     * Returns the path to Mono for .NET Assembly analysis on non-windows systems.
+     * Returns the path to Mono for .NET Assembly analysis on non-windows
+     * systems.
      *
      * @return the path to Mono
      */
@@ -767,7 +901,8 @@ public final class CliParser {
     }
 
     /**
-     * Returns the output format specified on the command line. Defaults to HTML if no format was specified.
+     * Returns the output format specified on the command line. Defaults to HTML
+     * if no format was specified.
      *
      * @return the output format name.
      */
@@ -785,7 +920,7 @@ public final class CliParser {
         String name = line.getOptionValue(ARGUMENT.PROJECT);
         if (name == null && appName != null) {
             name = appName;
-            LOGGER.warn("The '" + ARGUMENT.APP_NAME + "' argument should no longer be used; use '" + ARGUMENT.PROJECT + "' instead.");
+            LOGGER.warn("The '{}' argument should no longer be used; use '{}' instead.", ARGUMENT.APP_NAME, ARGUMENT.PROJECT);
         }
         return name;
     }
@@ -912,12 +1047,21 @@ public final class CliParser {
     }
 
     /**
-     * Returns the path to the suppression file.
+     * Returns the paths to the suppression files.
      *
-     * @return the path to the suppression file
+     * @return the paths to the suppression files.
      */
-    public String getSuppressionFile() {
-        return line.getOptionValue(ARGUMENT.SUPPRESSION_FILE);
+    public String[] getSuppressionFiles() {
+        return line.getOptionValues(ARGUMENT.SUPPRESSION_FILES);
+    }
+
+    /**
+     * Returns the path to the hints file.
+     *
+     * @return the path to the hints file
+     */
+    public String getHintsFile() {
+        return line.getOptionValue(ARGUMENT.HINTS_FILE);
     }
 
     /**
@@ -928,24 +1072,27 @@ public final class CliParser {
      */
     public void printVersionInfo() {
         final String version = String.format("%s version %s",
-                Settings.getString(Settings.KEYS.APPLICATION_VAME, "dependency-check"),
-                Settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
+                settings.getString(Settings.KEYS.APPLICATION_NAME, "dependency-check"),
+                settings.getString(Settings.KEYS.APPLICATION_VERSION, "Unknown"));
         System.out.println(version);
     }
 
     /**
-     * Checks if the auto update feature has been disabled. If it has been disabled via the command line this will return false.
+     * Checks if the auto update feature has been disabled. If it has been
+     * disabled via the command line this will return false.
      *
-     * @return <code>true</code> if auto-update is allowed; otherwise <code>false</code>
+     * @return <code>true</code> if auto-update is allowed; otherwise
+     * <code>null</code>
      */
-    public boolean isAutoUpdate() {
-        return line != null && !line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE);
+    public Boolean isAutoUpdate() {
+        return (line != null && line.hasOption(ARGUMENT.DISABLE_AUTO_UPDATE)) ? false : null;
     }
 
     /**
      * Checks if the update only flag has been set.
      *
-     * @return <code>true</code> if the update only flag has been set; otherwise <code>false</code>.
+     * @return <code>true</code> if the update only flag has been set; otherwise
+     * <code>false</code>.
      */
     public boolean isUpdateOnly() {
         return line != null && line.hasOption(ARGUMENT.UPDATE_ONLY);
@@ -954,14 +1101,16 @@ public final class CliParser {
     /**
      * Checks if the purge NVD flag has been set.
      *
-     * @return <code>true</code> if the purge nvd flag has been set; otherwise <code>false</code>.
+     * @return <code>true</code> if the purge nvd flag has been set; otherwise
+     * <code>false</code>.
      */
     public boolean isPurge() {
         return line != null && line.hasOption(ARGUMENT.PURGE_NVD);
     }
 
     /**
-     * Returns the database driver name if specified; otherwise null is returned.
+     * Returns the database driver name if specified; otherwise null is
+     * returned.
      *
      * @return the database driver name if specified; otherwise null is returned
      */
@@ -970,7 +1119,8 @@ public final class CliParser {
     }
 
     /**
-     * Returns the database driver path if specified; otherwise null is returned.
+     * Returns the database driver path if specified; otherwise null is
+     * returned.
      *
      * @return the database driver name if specified; otherwise null is returned
      */
@@ -979,34 +1129,41 @@ public final class CliParser {
     }
 
     /**
-     * Returns the database connection string if specified; otherwise null is returned.
+     * Returns the database connection string if specified; otherwise null is
+     * returned.
      *
-     * @return the database connection string if specified; otherwise null is returned
+     * @return the database connection string if specified; otherwise null is
+     * returned
      */
     public String getConnectionString() {
         return line.getOptionValue(ARGUMENT.CONNECTION_STRING);
     }
 
     /**
-     * Returns the database database user name if specified; otherwise null is returned.
+     * Returns the database database user name if specified; otherwise null is
+     * returned.
      *
-     * @return the database database user name if specified; otherwise null is returned
+     * @return the database database user name if specified; otherwise null is
+     * returned
      */
     public String getDatabaseUser() {
         return line.getOptionValue(ARGUMENT.DB_NAME);
     }
 
     /**
-     * Returns the database database password if specified; otherwise null is returned.
+     * Returns the database database password if specified; otherwise null is
+     * returned.
      *
-     * @return the database database password if specified; otherwise null is returned
+     * @return the database database password if specified; otherwise null is
+     * returned
      */
     public String getDatabasePassword() {
         return line.getOptionValue(ARGUMENT.DB_PASSWORD);
     }
 
     /**
-     * Returns the additional Extensions if specified; otherwise null is returned.
+     * Returns the additional Extensions if specified; otherwise null is
+     * returned.
      *
      * @return the additional Extensions; otherwise null is returned
      */
@@ -1028,7 +1185,45 @@ public final class CliParser {
     }
 
     /**
-     * A collection of static final strings that represent the possible command line arguments.
+     * Returns true if the experimental analyzers are enabled.
+     *
+     * @return true if the experimental analyzers are enabled; otherwise null
+     */
+    public Boolean isExperimentalEnabled() {
+        return (line != null && line.hasOption(ARGUMENT.EXPERIMENTAL)) ? true : null;
+    }
+
+    /**
+     * Returns true if the retired analyzers are enabled.
+     *
+     * @return true if the retired analyzers are enabled; otherwise null
+     */
+    public Boolean isRetiredEnabled() {
+        return (line != null && line.hasOption(ARGUMENT.RETIRED)) ? true : null;
+    }
+
+    /**
+     * Returns the CVSS value to fail on.
+     *
+     * @return 11 if nothing is set. Otherwise it returns the int passed from
+     * the command line arg
+     */
+    public int getFailOnCVSS() {
+        if (line.hasOption(ARGUMENT.FAIL_ON_CVSS)) {
+            final String value = line.getOptionValue(ARGUMENT.FAIL_ON_CVSS);
+            try {
+                return Integer.parseInt(value);
+            } catch (NumberFormatException nfe) {
+                return 11;
+            }
+        } else {
+            return 11;
+        }
+    }
+
+    /**
+     * A collection of static final strings that represent the possible command
+     * line arguments.
      */
     public static class ARGUMENT {
 
@@ -1041,50 +1236,61 @@ public final class CliParser {
          */
         public static final String SCAN_SHORT = "s";
         /**
-         * The long CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         * The long CLI argument name specifying that the CPE/CVE/etc. data
+         * should not be automatically updated.
          */
         public static final String DISABLE_AUTO_UPDATE = "noupdate";
         /**
-         * The short CLI argument name specifying that the CPE/CVE/etc. data should not be automatically updated.
+         * The short CLI argument name specifying that the CPE/CVE/etc. data
+         * should not be automatically updated.
          */
         public static final String DISABLE_AUTO_UPDATE_SHORT = "n";
         /**
-         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         * The long CLI argument name specifying that only the update phase
+         * should be executed; no scan should be run.
          */
         public static final String UPDATE_ONLY = "updateonly";
         /**
-         * The long CLI argument name specifying that only the update phase should be executed; no scan should be run.
+         * The long CLI argument name specifying that only the update phase
+         * should be executed; no scan should be run.
          */
         public static final String PURGE_NVD = "purge";
         /**
-         * The long CLI argument name specifying the directory to write the reports to.
+         * The long CLI argument name specifying the directory to write the
+         * reports to.
          */
         public static final String OUT = "out";
         /**
-         * The short CLI argument name specifying the directory to write the reports to.
+         * The short CLI argument name specifying the directory to write the
+         * reports to.
          */
         public static final String OUT_SHORT = "o";
         /**
-         * The long CLI argument name specifying the output format to write the reports to.
+         * The long CLI argument name specifying the output format to write the
+         * reports to.
          */
         public static final String OUTPUT_FORMAT = "format";
         /**
-         * The short CLI argument name specifying the output format to write the reports to.
+         * The short CLI argument name specifying the output format to write the
+         * reports to.
          */
         public static final String OUTPUT_FORMAT_SHORT = "f";
         /**
-         * The long CLI argument name specifying the name of the project to be scanned.
+         * The long CLI argument name specifying the name of the project to be
+         * scanned.
          */
         public static final String PROJECT = "project";
         /**
-         * The long CLI argument name specifying the name of the application to be scanned.
+         * The long CLI argument name specifying the name of the application to
+         * be scanned.
          *
          * @deprecated project should be used instead
          */
         @Deprecated
         public static final String APP_NAME = "app";
         /**
-         * The short CLI argument name specifying the name of the application to be scanned.
+         * The short CLI argument name specifying the name of the application to
+         * be scanned.
          *
          * @deprecated project should be used instead
          */
@@ -1142,11 +1348,13 @@ public final class CliParser {
          */
         public static final String CONNECTION_TIMEOUT = "connectiontimeout";
         /**
-         * The short CLI argument name for setting the location of an additional properties file.
+         * The short CLI argument name for setting the location of an additional
+         * properties file.
          */
         public static final String PROP_SHORT = "P";
         /**
-         * The CLI argument name for setting the location of an additional properties file.
+         * The CLI argument name for setting the location of an additional
+         * properties file.
          */
         public static final String PROP = "propertyfile";
         /**
@@ -1170,7 +1378,8 @@ public final class CliParser {
          */
         public static final String CVE_BASE_20 = "cveUrl20Base";
         /**
-         * The short CLI argument name for setting the location of the data directory.
+         * The short CLI argument name for setting the location of the data
+         * directory.
          */
         public static final String DATA_DIRECTORY_SHORT = "d";
         /**
@@ -1178,20 +1387,28 @@ public final class CliParser {
          */
         public static final String VERBOSE_LOG = "log";
         /**
-         * The short CLI argument name for setting the location of the data directory.
+         * The short CLI argument name for setting the location of the data
+         * directory.
          */
         public static final String VERBOSE_LOG_SHORT = "l";
 
         /**
-         * The CLI argument name for setting the depth of symbolic links that will be followed.
+         * The CLI argument name for setting the depth of symbolic links that
+         * will be followed.
          */
         public static final String SYM_LINK_DEPTH = "symLink";
         /**
-         * The CLI argument name for setting the location of the suppression file.
+         * The CLI argument name for setting the location of the suppression
+         * file(s).
          */
-        public static final String SUPPRESSION_FILE = "suppression";
+        public static final String SUPPRESSION_FILES = "suppression";
         /**
-         * The CLI argument name for setting the location of the suppression file.
+         * The CLI argument name for setting the location of the hint file.
+         */
+        public static final String HINTS_FILE = "hints";
+        /**
+         * The CLI argument name for setting the number of hours to wait before
+         * checking for new updates from the NVD.
          */
         public static final String CVE_VALID_FOR_HOURS = "cveValidForHours";
         /**
@@ -1226,6 +1443,14 @@ public final class CliParser {
          * Disables the Cmake Analyzer.
          */
         public static final String DISABLE_CMAKE = "disableCmake";
+        /**
+         * Disables the cocoapods analyzer.
+         */
+        public static final String DISABLE_COCOAPODS = "disableCocoapodsAnalyzer";
+        /**
+         * Disables the swift package manager analyzer.
+         */
+        public static final String DISABLE_SWIFT = "disableSwiftPackageManagerAnalyzer";
         /**
          * Disables the Assembly Analyzer.
          */
@@ -1254,12 +1479,17 @@ public final class CliParser {
          * Disables the Node.js Package Analyzer.
          */
         public static final String DISABLE_NODE_JS = "disableNodeJS";
+        /**
+         * Disables the NSP Analyzer.
+         */
+        public static final String DISABLE_NSP = "disableNSP";
         /**
          * The URL of the nexus server.
          */
         public static final String NEXUS_URL = "nexus";
         /**
-         * Whether or not the defined proxy should be used when connecting to Nexus.
+         * Whether or not the defined proxy should be used when connecting to
+         * Nexus.
          */
         public static final String NEXUS_USES_PROXY = "nexusUsesProxy";
         /**
@@ -1279,11 +1509,13 @@ public final class CliParser {
          */
         public static final String DB_DRIVER = "dbDriverName";
         /**
-         * The CLI argument name for setting the path to the database driver; in case it is not on the class path.
+         * The CLI argument name for setting the path to the database driver; in
+         * case it is not on the class path.
          */
         public static final String DB_DRIVER_PATH = "dbDriverPath";
         /**
-         * The CLI argument name for setting the path to mono for .NET Assembly analysis on non-windows systems.
+         * The CLI argument name for setting the path to mono for .NET Assembly
+         * analysis on non-windows systems.
          */
         public static final String PATH_TO_MONO = "mono";
         /**
@@ -1295,8 +1527,21 @@ public final class CliParser {
          */
         public static final String EXCLUDE = "exclude";
         /**
-         * The CLI argument name for setting the path to bundle-audit for Ruby bundle analysis.
+         * The CLI argument name for setting the path to bundle-audit for Ruby
+         * bundle analysis.
          */
         public static final String PATH_TO_BUNDLE_AUDIT = "bundleAudit";
+        /**
+         * The CLI argument to enable the experimental analyzers.
+         */
+        private static final String EXPERIMENTAL = "enableExperimental";
+        /**
+         * The CLI argument to enable the retired analyzers.
+         */
+        private static final String RETIRED = "enableRetired";
+        /**
+         * The CLI argument to enable the experimental analyzers.
+         */
+        private static final String FAIL_ON_CVSS = "failOnCVSS";
     }
 }

cli/src/site/markdown/arguments.md

@@ -0,0 +1,69 @@
+Command Line Arguments
+======================
+
+The following table lists the command line arguments:
+
+Short  | Argument Name   | Parameter       | Description | Requirement
+-------|------------------------|-----------------|-------------|------------
+       | \-\-project            | \<name\>        | The name of the project being scanned. | Required
+ \-s   | \-\-scan               | \<path\>        | The path to scan \- this option can be specified multiple times. It is also possible to specify Ant style paths (e.g. directory/**/*.jar). | Required
+       | \-\-exclude            | \<pattern\>     | The path patterns to exclude from the scan \- this option can be specified multiple times. This accepts Ant style path patterns (e.g. **/exclude/**). | Optional
+       | \-\-symLink            | \<depth\>       | The depth that symbolic links will be followed; the default is 0 meaning symbolic links will not be followed. | Optional
+ \-o   | \-\-out                | \<path\>        | The folder to write reports to. This defaults to the current directory. If the format is not set to ALL one could specify a specific file name. | Optional
+ \-f   | \-\-format             | \<format\>      | The output format to write to (XML, HTML, CSV, JSON, VULN, ALL). The default is HTML. | Required
+       | \-\-failOnCVSS         | \<score\>       | If the score set between 0 and 10 the exit code from dependency-check will indicate if a vulnerability with a CVSS score equal to or higher was identified. | Optional
+ \-l   | \-\-log                | \<file\>        | The file path to write verbose logging information. | Optional
+ \-n   | \-\-noupdate           |                 | Disables the automatic updating of the CPE data. | Optional
+       | \-\-suppression        | \<files\>       | The file paths to the suppression XML files; used to suppress [false positives](../general/suppression.html). This can be specified more than once to utilize multiple suppression files. | Optional
+ \-h   | \-\-help               |                 | Print the help message. | Optional
+       | \-\-advancedHelp       |                 | Print the advanced help message. | Optional
+ \-v   | \-\-version            |                 | Print the version information. | Optional
+       | \-\-cveValidForHours   | \<hours\>       | The number of hours to wait before checking for new updates from the NVD. The default is 4 hours. | Optional
+       | \-\-enableExperimental |                 | Enable the [experimental analyzers](../analyzers/index.html). If not set the analyzers marked as experimental below will not be loaded or used. | Optional
+       | \-\-enableRetired      |                 | Enable the [retired analyzers](../analyzers/index.html). If not set the analyzers marked as retired below will not be loaded or used. | Optional
+
+Advanced Options
+================
+Short  | Argument&nbsp;Name&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; | Parameter | Description                                     | Default&nbsp;Value
+-------|------------------------|-----------------|----------------------------------------------------------------------------------|-------------------
+       | \-\-cveUrl12Modified   | \<url\>         | URL for the modified CVE 1.2                                                     | https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
+       | \-\-cveUrl20Modified   | \<url\>         | URL for the modified CVE 2.0                                                     | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
+       | \-\-cveUrl12Base       | \<url\>         | Base URL for each year's CVE 1.2, the %d will be replaced with the year          | https://nvd.nist.gov/download/nvdcve-%d.xml.gz
+       | \-\-cveUrl20Base       | \<url\>         | Base URL for each year's CVE 2.0, the %d will be replaced with the year          | https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
+ \-P   | \-\-propertyfile       | \<file\>        | Specifies a file that contains properties to use instead of applicaion defaults. | &nbsp;
+       | \-\-updateonly         |                 | If set only the update phase of dependency-check will be executed; no scan will be executed and no report will be generated. | &nbsp;
+       | \-\-disablePyDist      |                 | Sets whether the [experimental](../analyzers/index.html) Python Distribution Analyzer will be used.                      | false
+       | \-\-disablePyPkg       |                 | Sets whether the [experimental](../analyzers/index.html) Python Package Analyzer will be used.                           | false
+       | \-\-disableNodeJS      |                 | Sets whether the [retired](../analyzers/index.html) Node.js Package Analyzer will be used.                               | false
+       | \-\-disableNSP         |                 | Sets whether the NSP Analyzer will be used.                                                                              | false
+       | \-\-disableRubygems    |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Gemspec Analyzer will be used.                             | false
+       | \-\-disableBundleAudit |                 | Sets whether the [experimental](../analyzers/index.html) Ruby Bundler Audit Analyzer will be used.                       | false
+       | \-\-disableCocoapodsAnalyzer |           | Sets whether the [experimental](../analyzers/index.html) Cocoapods Analyzer will be used.                                | false
+       | \-\-disableSwiftPackageManagerAnalyzer | | Sets whether the [experimental](../analyzers/index.html) Swift Package Manager Analyzer will be used.                    | false
+       | \-\-disableAutoconf    |                 | Sets whether the [experimental](../analyzers/index.html) Autoconf Analyzer will be used.                                 | false
+       | \-\-disableOpenSSL     |                 | Sets whether the OpenSSL Analyzer will be used.                                                                          | false
+       | \-\-disableCmake       |                 | Sets whether the [experimental](../analyzers/index.html) Cmake Analyzer will be disabled.                                | false
+       | \-\-disableArchive     |                 | Sets whether the Archive Analyzer will be disabled.                                                                      | false
+       | \-\-zipExtensions      | \<strings\>     | A comma-separated list of additional file extensions to be treated like a ZIP file, the contents will be extracted and analyzed. | &nbsp;
+       | \-\-disableJar         |                 | Sets whether the Jar Analyzer will be disabled.                                                                          | false
+       | \-\-disableComposer    |                 | Sets whether the [experimental](../analyzers/index.html) PHP Composer Lock File Analyzer will be disabled.               | false
+       | \-\-disableCentral     |                 | Sets whether the Central Analyzer will be used. **Disabling this analyzer is not recommended as it could lead to false negatives (e.g. libraries that have vulnerabilities may not be reported correctly).** If this analyzer is being disabled there is a good chance you also want to disable the Nexus Analyzer. | false
+       | \-\-disableNexus       |                 | Sets whether the Nexus Analyzer will be used (requires Nexus Pro). Note, this has been superceded by the Central Analyzer. However, you can configure the Nexus URL to utilize an internally hosted Nexus Pro server. | false
+       | \-\-nexus              | \<url\>         | The url to the Nexus Server's web service end point (example: http://domain.enterprise/nexus/service/local/). If not set the Nexus Analyzer will be disabled. | &nbsp;
+       | \-\-nexusUsesProxy     | \<true\|false\> | Whether or not the defined proxy should be used when connecting to Nexus.        | true
+       | \-\-disableNuspec      |                 | Sets whether or not the .NET Nuget Nuspec Analyzer will be used.                 | false
+       | \-\-disableAssembly    |                 | Sets whether or not the .NET Assembly Analyzer should be used.                   | false
+       | \-\-mono               | \<path\>        | The path to Mono for .NET Assembly analysis on non-windows systems.              | &nbsp;
+       | \-\-bundleAudit        |                 | The path to the bundle-audit executable. | &nbsp;
+       | \-\-proxyserver        | \<server\>      | The proxy server to use when downloading resources; see the [proxy configuration](../data/proxy.html) page for more information. | &nbsp;
+       | \-\-proxyport          | \<port\>        | The proxy port to use when downloading resources.                                | &nbsp;
+       | \-\-connectiontimeout  | \<timeout\>     | The connection timeout (in milliseconds) to use when downloading resources.      | &nbsp;
+       | \-\-proxypass          | \<pass\>        | The proxy password to use when downloading resources.                            | &nbsp;
+       | \-\-proxyuser          | \<user\>        | The proxy username to use when downloading resources.                            | &nbsp;
+       | \-\-connectionString   | \<connStr\>     | The connection string to the database.                                           | &nbsp;
+       | \-\-dbDriverName       | \<driver\>      | The database driver name.                                                        | &nbsp;
+       | \-\-dbDriverPath       | \<path\>        | The path to the database driver; note, this does not need to be set unless the JAR is outside of the class path. | &nbsp;
+       | \-\-dbPassword         | \<password\>    | The password for connecting to the database.                                     | &nbsp;
+       | \-\-dbUser             | \<user\>        | The username used to connect to the database.                                    | &nbsp;
+ \-d   | \-\-data               | \<path\>        | The location of the data directory used to store persistent data. This option should generally not be set. | &nbsp;
+       | \-\-purge              |                 | Delete the local copy of the NVD. This is used to force a refresh of the data.   | &nbsp;

cli/src/site/markdown/index.md.vm

@@ -9,10 +9,7 @@ Installation & Usage
 ====================
 Download the dependency-check command line tool [here](http://dl.bintray.com/jeremy-long/owasp/dependency-check-${project.version}-release.zip).
 Extract the zip file to a location on your computer and put the 'bin' directory into the
-path environment variable. On \*nix systems you will likely need to make the shell
-script executable:
-
-    $ chmod +777 dependency-check.sh
+path environment variable.
 
 #set( $H = '#' )
 

cli/src/test/java/org/owasp/dependencycheck/AppTest.java

@@ -0,0 +1,194 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 The OWASP Foundation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import static org.hamcrest.core.Is.is;
+import static org.junit.Assert.assertFalse;
+import static org.junit.Assert.assertThat;
+import static org.junit.Assert.assertTrue;
+
+import java.io.File;
+import java.io.FileNotFoundException;
+import java.net.URISyntaxException;
+import java.util.HashMap;
+import java.util.Map;
+
+import org.apache.commons.cli.ParseException;
+import org.apache.commons.cli.UnrecognizedOptionException;
+import org.junit.Rule;
+import org.junit.Test;
+import org.junit.rules.ExpectedException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import org.owasp.dependencycheck.utils.Settings.KEYS;
+
+/**
+ * Tests for the {@link AppTest} class.
+ */
+public class AppTest extends BaseTest {
+
+    /**
+     * Test rule for asserting exceptions and their contents.
+     */
+    @Rule
+    public ExpectedException expectedException = ExpectedException.none();
+
+    /**
+     * Test of ensureCanonicalPath method, of class App.
+     */
+    @Test
+    public void testEnsureCanonicalPath() {
+        String file = "../*.jar";
+        App instance = new App(getSettings());
+        String result = instance.ensureCanonicalPath(file);
+        assertFalse(result.contains(".."));
+        assertTrue(result.endsWith("*.jar"));
+
+        file = "../some/skip/../path/file.txt";
+        String expResult = "/some/path/file.txt";
+        result = instance.ensureCanonicalPath(file);
+        assertTrue("result=" + result, result.endsWith(expResult));
+    }
+
+    /**
+     * Assert that boolean properties can be set on the CLI and parsed into the
+     * {@link Settings}.
+     *
+     * @throws Exception the unexpected {@link Exception}.
+     */
+    @Test
+    public void testPopulateSettings() throws Exception {
+        File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
+        String[] args = {"-P", prop.getAbsolutePath()};
+        Map<String, Boolean> expected = new HashMap<>();
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE);
+
+        assertTrue(testBooleanProperties(args, expected));
+
+        String[] args2 = {"-n"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE);
+        assertTrue(testBooleanProperties(args2, expected));
+
+        String[] args3 = {"-h"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.TRUE);
+        assertTrue(testBooleanProperties(args3, expected));
+
+        String[] args4 = {"--disableArchive"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE);
+        assertTrue(testBooleanProperties(args4, expected));
+
+        String[] args5 = {"-P", prop.getAbsolutePath(), "--disableArchive"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE);
+        assertTrue(testBooleanProperties(args5, expected));
+
+        prop = new File(this.getClass().getClassLoader().getResource("sample2.properties").toURI().getPath());
+        String[] args6 = {"-P", prop.getAbsolutePath(), "--disableArchive"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.TRUE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE);
+        assertTrue(testBooleanProperties(args6, expected));
+
+        String[] args7 = {"-P", prop.getAbsolutePath(), "--noupdate"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE);
+        assertTrue(testBooleanProperties(args7, expected));
+
+        String[] args8 = {"-P", prop.getAbsolutePath(), "--noupdate", "--disableArchive"};
+        expected.put(Settings.KEYS.AUTO_UPDATE, Boolean.FALSE);
+        expected.put(Settings.KEYS.ANALYZER_ARCHIVE_ENABLED, Boolean.FALSE);
+        assertTrue(testBooleanProperties(args8, expected));
+    }
+
+    /**
+     * Assert that an {@link UnrecognizedOptionException} is thrown when a
+     * property that is not supported is specified on the CLI.
+     *
+     * @throws Exception the unexpected {@link Exception}.
+     */
+    @Test
+    public void testPopulateSettingsException() throws Exception {
+        String[] args = {"-invalidPROPERTY"};
+
+        expectedException.expect(UnrecognizedOptionException.class);
+        expectedException.expectMessage("Unrecognized option: -invalidPROPERTY");
+        testBooleanProperties(args, null);
+    }
+
+    /**
+     * Assert that a single suppression file can be set using the CLI.
+     *
+     * @throws Exception the unexpected {@link Exception}.
+     */
+    @Test
+    public void testPopulatingSuppressionSettingsWithASingleFile() throws Exception {
+        // GIVEN CLI properties with the mandatory arguments
+        File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
+
+        // AND a single suppression file
+        String[] args = {"-P", prop.getAbsolutePath(), "--suppression", "another-file.xml"};
+
+        // WHEN parsing the CLI arguments
+        final CliParser cli = new CliParser(getSettings());
+        cli.parse(args);
+        final App classUnderTest = new App(getSettings());
+        classUnderTest.populateSettings(cli);
+
+        // THEN the suppression file is set in the settings for use in the application core
+        assertThat("Expected the suppression file to be set in the Settings", getSettings().getString(KEYS.SUPPRESSION_FILE), is("another-file.xml"));
+    }
+
+    /**
+     * Assert that multiple suppression files can be set using the CLI.
+     *
+     * @throws Exception the unexpected {@link Exception}.
+     */
+    @Test
+    public void testPopulatingSuppressionSettingsWithMultipleFiles() throws Exception {
+        // GIVEN CLI properties with the mandatory arguments
+        File prop = new File(this.getClass().getClassLoader().getResource("sample.properties").toURI().getPath());
+
+        // AND a single suppression file
+        String[] args = {"-P", prop.getAbsolutePath(), "--suppression", "first-file.xml", "another-file.xml"};
+
+        // WHEN parsing the CLI arguments
+        final CliParser cli = new CliParser(getSettings());
+        cli.parse(args);
+        final App classUnderTest = new App(getSettings());
+        classUnderTest.populateSettings(cli);
+
+        // THEN the suppression file is set in the settings for use in the application core
+        assertThat("Expected the suppression files to be set in the Settings with a separator", getSettings().getString(KEYS.SUPPRESSION_FILE), is("first-file.xml,another-file.xml"));
+    }
+
+    private boolean testBooleanProperties(String[] args, Map<String, Boolean> expected) throws URISyntaxException, FileNotFoundException, ParseException, InvalidSettingException {
+        this.reloadSettings();
+        final CliParser cli = new CliParser(getSettings());
+        cli.parse(args);
+        App instance = new App(getSettings());
+        instance.populateSettings(cli);
+        boolean results = true;
+        for (Map.Entry<String, Boolean> entry : expected.entrySet()) {
+            results &= getSettings().getBoolean(entry.getKey()) == entry.getValue();
+        }
+        return results;
+    }
+}

cli/src/test/java/org/owasp/dependencycheck/BaseTest.java

@@ -0,0 +1,62 @@
+/*
+ * Copyright 2014 OWASP.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.owasp.dependencycheck;
+
+import org.junit.After;
+import org.junit.Before;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ *
+ * @author Jeremy Long
+ */
+public class BaseTest {
+
+    /**
+     * The configured settings.
+     */
+    private Settings settings;
+
+    /**
+     * Initialize the {@link Settings}.
+     */
+    @Before
+    public void setUp() {
+        settings = new Settings();
+    }
+
+    /**
+     * Clean the {@link Settings}.
+     */
+    @After
+    public void tearDown() {
+        settings.cleanup(true);
+    }
+
+    /**
+     * Returns the settings for the test cases.
+     *
+     * @return
+     */
+    protected Settings getSettings() {
+        return settings;
+    }
+
+    protected void reloadSettings() {
+        tearDown();
+        setUp();
+    }
+}

cli/src/test/java/org/owasp/dependencycheck/CliParserTest.java

@@ -17,17 +17,14 @@
  */
 package org.owasp.dependencycheck;
 
-import org.owasp.dependencycheck.CliParser;
 import java.io.ByteArrayOutputStream;
 import java.io.File;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.PrintStream;
 import org.apache.commons.cli.ParseException;
-import org.junit.After;
 import org.junit.AfterClass;
 import org.junit.Assert;
-import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.utils.Settings;
@@ -36,25 +33,7 @@ import org.owasp.dependencycheck.utils.Settings;
  *
  * @author Jeremy Long
  */
-public class CliParserTest {
-
-    @BeforeClass
-    public static void setUpClass() throws Exception {
-        Settings.initialize();
-    }
-
-    @AfterClass
-    public static void tearDownClass() throws Exception {
-        Settings.cleanup(true);
-    }
-
-    @Before
-    public void setUp() throws Exception {
-    }
-
-    @After
-    public void tearDown() throws Exception {
-    }
+public class CliParserTest extends BaseTest {
 
     /**
      * Test of parse method, of class CliParser.
@@ -70,7 +49,7 @@ public class CliParserTest {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         System.setOut(new PrintStream(baos));
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
         Assert.assertFalse(instance.isGetVersion());
@@ -89,7 +68,7 @@ public class CliParserTest {
         String[] args = {"-help"};
         PrintStream out = System.out;
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
         Assert.assertFalse(instance.isGetVersion());
@@ -107,7 +86,7 @@ public class CliParserTest {
 
         String[] args = {"-version"};
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         instance.parse(args);
         Assert.assertTrue(instance.isGetVersion());
         Assert.assertFalse(instance.isGetHelp());
@@ -115,6 +94,63 @@ public class CliParserTest {
 
     }
 
+    /**
+     * Test of parse method with failOnCVSS without an argument
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSNoArg() throws Exception {
+
+        String[] args = {"--failOnCVSS"};
+
+        CliParser instance = new CliParser(getSettings());
+        try {
+            instance.parse(args);
+        } catch (ParseException ex) {
+            Assert.assertTrue(ex.getMessage().contains("Missing argument"));
+        }
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
+    /**
+     * Test of parse method with failOnCVSS invalid argument. It should default to 11
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSInvalidArgument() throws Exception {
+
+        String[] args = {"--failOnCVSS","bad"};
+
+        CliParser instance = new CliParser(getSettings());
+        instance.parse(args);
+        Assert.assertEquals("Default should be 11", 11, instance.getFailOnCVSS());
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
+    /**
+     * Test of parse method with failOnCVSS invalid argument. It should default to 11
+     *
+     * @throws Exception thrown when an exception occurs.
+     */
+    @Test
+    public void testParse_failOnCVSSValidArgument() throws Exception {
+
+        String[] args = {"--failOnCVSS","6"};
+
+        CliParser instance = new CliParser(getSettings());
+        instance.parse(args);
+        Assert.assertEquals(6, instance.getFailOnCVSS());
+        Assert.assertFalse(instance.isGetVersion());
+        Assert.assertFalse(instance.isGetHelp());
+        Assert.assertFalse(instance.isRunScan());
+    }
+
     /**
      * Test of parse method with jar and cpe args, of class CliParser.
      *
@@ -132,7 +168,7 @@ public class CliParserTest {
         System.setOut(new PrintStream(baos_out));
         System.setErr(new PrintStream(baos_err));
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
 
         try {
             instance.parse(args);
@@ -154,7 +190,7 @@ public class CliParserTest {
 
         String[] args = {"-scan"};
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
 
         try {
             instance.parse(args);
@@ -177,7 +213,7 @@ public class CliParserTest {
 
         String[] args = {"-scan", "jar.that.does.not.exist", "-app", "test"};
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         try {
             instance.parse(args);
         } catch (FileNotFoundException ex) {
@@ -196,10 +232,10 @@ public class CliParserTest {
      */
     @Test
     public void testParse_scan_withFileExists() throws Exception {
-        File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").getPath());
+        File path = new File(this.getClass().getClassLoader().getResource("checkSumTest.file").toURI().getPath());
         String[] args = {"-scan", path.getCanonicalPath(), "-out", "./", "-app", "test"};
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         instance.parse(args);
 
         Assert.assertEquals(path.getCanonicalPath(), instance.getScanFiles()[0]);
@@ -221,7 +257,7 @@ public class CliParserTest {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         System.setOut(new PrintStream(baos));
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         instance.printVersionInfo();
         try {
             baos.flush();
@@ -250,7 +286,7 @@ public class CliParserTest {
         ByteArrayOutputStream baos = new ByteArrayOutputStream();
         System.setOut(new PrintStream(baos));
 
-        CliParser instance = new CliParser();
+        CliParser instance = new CliParser(getSettings());
         String[] args = {"-h"};
         instance.parse(args);
         instance.printHelp();

cli/src/test/resources/sample.properties

@@ -0,0 +1,33 @@
+autoupdate=false
+somethingmadeup=test
+analyzer.experimental.enabled=false
+analyzer.jar.enabled=true
+analyzer.archive.enabled=true
+analyzer.node.package.enabled=true
+analyzer.composer.lock.enabled=true
+analyzer.python.distribution.enabled=true
+analyzer.python.package.enabled=true
+analyzer.ruby.gemspec.enabled=true
+analyzer.autoconf.enabled=true
+analyzer.cmake.enabled=true
+analyzer.assembly.enabled=true
+analyzer.nuspec.enabled=true
+analyzer.openssl.enabled=true
+analyzer.central.enabled=true
+analyzer.nexus.enabled=false
+analyzer.cocoapods.enabled=true
+analyzer.swift.package.manager.enabled=true
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=true
+analyzer.cpe.enabled=true
+analyzer.cpesuppression.enabled=true
+analyzer.dependencybundling.enabled=true
+analyzer.dependencymerging.enabled=true
+analyzer.falsepositive.enabled=true
+analyzer.filename.enabled=true
+analyzer.hint.enabled=true
+analyzer.nvdcve.enabled=true
+analyzer.vulnerabilitysuppression.enabled=true
+updater.nvdcve.enabled=true
+updater.versioncheck.enabled=true
+analyzer.versionfilter.enabled=true

cli/src/test/resources/sample2.properties

@@ -0,0 +1,33 @@
+autoupdate=true
+
+analyzer.experimental.enabled=true
+analyzer.jar.enabled=false
+analyzer.archive.enabled=false
+analyzer.node.package.enabled=false
+analyzer.composer.lock.enabled=false
+analyzer.python.distribution.enabled=false
+analyzer.python.package.enabled=false
+analyzer.ruby.gemspec.enabled=false
+analyzer.autoconf.enabled=false
+analyzer.cmake.enabled=false
+analyzer.assembly.enabled=false
+analyzer.nuspec.enabled=false
+analyzer.openssl.enabled=false
+analyzer.central.enabled=false
+analyzer.nexus.enabled=true
+analyzer.cocoapods.enabled=false
+analyzer.swift.package.manager.enabled=false
+#whether the nexus analyzer uses the proxy
+analyzer.nexus.proxy=false
+analyzer.cpe.enabled=false
+analyzer.cpesuppression.enabled=false
+analyzer.dependencybundling.enabled=false
+analyzer.dependencymerging.enabled=false
+analyzer.falsepositive.enabled=false
+analyzer.filename.enabled=false
+analyzer.hint.enabled=false
+analyzer.nvdcve.enabled=false
+analyzer.vulnerabilitysuppression.enabled=false
+updater.nvdcve.enabled=false
+updater.versioncheck.enabled=false
+analyzer.versionfilter.enabled=false

core/pom.xml

@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
     <parent>
         <groupId>org.owasp</groupId>
         <artifactId>dependency-check-parent</artifactId>
-        <version>1.3.5</version>
+        <version>3.1.2-SNAPSHOT</version>
     </parent>
 
     <artifactId>dependency-check-core</artifactId>
@@ -28,15 +28,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
 
     <name>Dependency-Check Core</name>
     <description>dependency-check-core is the engine and reporting tool used to identify and report if there are any known, publicly disclosed vulnerabilities in the scanned project's dependencies. The engine extracts meta-data from the dependencies and uses this to do fuzzy key-word matching against the Common Platfrom Enumeration (CPE), if any CPE identifiers are found the associated Common Vulnerability and Exposure (CVE) entries are added to the generated report.</description>
-    <!-- begin copy from http://minds.coremedia.com/2012/09/11/problem-solved-deploy-multi-module-maven-project-site-as-github-pages/ -->
-    <distributionManagement>
-        <site>
-            <id>github-pages-site</id>
-            <name>Deployment through GitHub's site deployment plugin</name>
-            <url>${basedir}/../target/site/${project.version}/dependency-check-core</url>
-        </site>
-    </distributionManagement>
-    <!-- end copy -->
     <build>
         <resources>
             <resource>
@@ -83,9 +74,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             </testResource>
             <testResource>
                 <directory>${basedir}/src/test/resources</directory>
-                <excludes>
-                    <exclude>**/mysql-connector-java-5.1.27-bin.jar</exclude>
-                </excludes>
                 <filtering>false</filtering>
             </testResource>
         </testResources>
@@ -102,6 +90,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                         <configuration>
                             <outputDirectory>${project.build.directory}/test-classes</outputDirectory>
                             <includeScope>test</includeScope>
+                            <excludeArtifactIds>dependency-check-utils</excludeArtifactIds>
                         </configuration>
                     </execution>
                 </executions>
@@ -124,145 +113,18 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     </execution>
                 </executions>
             </plugin>
-            <plugin>
-                <groupId>org.codehaus.mojo</groupId>
-                <artifactId>cobertura-maven-plugin</artifactId>
-                <configuration>
-                    <instrumentation>
-                        <!--ignoreTrivial>true</ignoreTrivial-->
-                        <ignores>
-                            <ignore>.*\$KEYS\.class</ignore>
-                            <ignore>.*\$Element\.class</ignore>
-                        </ignores>
-                        <excludes>
-                            <exclude>.*\$KEYS\.class</exclude>
-                            <exclude>.*\$Element\.class</exclude>
-                        </excludes>
-                    </instrumentation>
-                    <check>
-                        <branchRate>85</branchRate>
-                        <lineRate>85</lineRate>
-                        <haltOnFailure>false</haltOnFailure>
-                        <totalBranchRate>85</totalBranchRate>
-                        <totalLineRate>85</totalLineRate>
-                        <packageLineRate>85</packageLineRate>
-                        <packageBranchRate>85</packageBranchRate>
-                        <regexes>
-                            <regex>
-                                <pattern>.*\$.*</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                            <regex>
-                                <pattern>org.owasp.dependencycheck.data.cpe.Fields</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                            <regex>
-                                <pattern>org.owasp.dependencycheck.App</pattern>
-                                <branchRate>0</branchRate>
-                                <lineRate>0</lineRate>
-                            </regex>
-                        </regexes>
-                    </check>
-                </configuration>
-                <executions>
-                    <execution>
-                        <goals>
-                            <goal>clean</goal>
-                        </goals>
-                    </execution>
-                </executions>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-plugin</artifactId>
-                <configuration>
-                    <systemProperties>
-                        <property>
-                            <name>data.directory</name>
-                            <value>${project.build.directory}/data</value>
-                        </property>
-                        <property>
-                            <name>temp.directory</name>
-                            <value>${project.build.directory}/temp</value>
-                        </property>
-                    </systemProperties>
-                    <excludes>
-                        <exclude>**/*IntegrationTest.java</exclude>
-                        <exclude>**/*MySQLTest.java</exclude>
-                    </excludes>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-failsafe-plugin</artifactId>
-                <configuration>
-                    <systemProperties>
-                        <property>
-                            <name>data.directory</name>
-                            <value>${project.build.directory}/data</value>
-                        </property>
-                        <property>
-                            <name>temp.directory</name>
-                            <value>${project.build.directory}/temp</value>
-                        </property>
-                    </systemProperties>
-                </configuration>
-            </plugin>
         </plugins>
     </build>
-    <reporting>
-        <plugins>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-surefire-report-plugin</artifactId>
-                <reportSets>
-                    <reportSet>
-                        <id>integration-tests</id>
-                        <reports>
-                            <report>report-only</report>
-                            <report>failsafe-report-only</report>
-                        </reports>
-                    </reportSet>
-                </reportSets>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-checkstyle-plugin</artifactId>
-                <version>${reporting.checkstyle-plugin.version}</version>
-                <configuration>
-                    <enableRulesSummary>false</enableRulesSummary>
-                    <enableFilesSummary>false</enableFilesSummary>
-                    <configLocation>${basedir}/../src/main/config/checkstyle-checks.xml</configLocation>
-                    <headerLocation>${basedir}/../src/main/config/checkstyle-header.txt</headerLocation>
-                    <suppressionsLocation>${basedir}/../src/main/config/checkstyle-suppressions.xml</suppressionsLocation>
-                    <suppressionsFileExpression>checkstyle.suppressions.file</suppressionsFileExpression>
-                </configuration>
-            </plugin>
-            <plugin>
-                <groupId>org.apache.maven.plugins</groupId>
-                <artifactId>maven-pmd-plugin</artifactId>
-                <version>${reporting.pmd-plugin.version}</version>
-                <configuration>
-                    <targetJdk>1.6</targetJdk>
-                    <linkXref>true</linkXref>
-                    <sourceEncoding>utf-8</sourceEncoding>
-                    <excludes>
-                        <exclude>**/generated/*.java</exclude>
-                    </excludes>
-                    <rulesets>
-                        <ruleset>../src/main/config/dcrules.xml</ruleset>
-                        <ruleset>/rulesets/java/basic.xml</ruleset>
-                        <ruleset>/rulesets/java/imports.xml</ruleset>
-                        <ruleset>/rulesets/java/unusedcode.xml</ruleset>
-                    </rulesets>
-                </configuration>
-            </plugin>
-        </plugins>
-    </reporting>
     <dependencies>
+        <dependency>
+            <groupId>com.vdurmont</groupId>
+            <artifactId>semver4j</artifactId>
+        </dependency>
         <!-- Note, to stay compatible with Jenkins installations only JARs compiled to 1.6 can be used -->
+        <dependency>
+            <groupId>joda-time</groupId>
+            <artifactId>joda-time</artifactId>
+        </dependency>
         <dependency>
             <groupId>com.google.code.findbugs</groupId>
             <artifactId>annotations</artifactId>
@@ -338,7 +200,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <groupId>com.sun.mail</groupId>
             <artifactId>mailapi</artifactId>
         </dependency>
-        <!-- The following dependencies are only used during testing -->
+        <dependency>
+            <groupId>com.google.code.gson</groupId>
+            <artifactId>gson</artifactId>
+        </dependency>
+        <!-- The following dependencies are only used during testing 
+             and must not be converted to a properties based version number -->
         <dependency>
             <groupId>org.apache.maven.scm</groupId>
             <artifactId>maven-scm-provider-cvsexe</artifactId>
@@ -461,6 +328,14 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             <scope>test</scope>
             <optional>true</optional>
         </dependency>
+        <dependency>
+            <groupId>com.thoughtworks.xstream</groupId>
+            <artifactId>xstream</artifactId>
+            <version>1.4.8</version>
+            <scope>test</scope>
+            <optional>true</optional>
+        </dependency>
+
     </dependencies>
     <profiles>
         <profile>
@@ -472,13 +347,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             </activation>
             <build>
                 <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-surefire-plugin</artifactId>
-                        <configuration>
-                            <skip>true</skip>
-                        </configuration>
-                    </plugin>
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
@@ -498,7 +366,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                                 </property>
                             </systemProperties>
                             <includes>
-                                <include>**/*MySQLTest.java</include>
+                                <include>**/*MySqlIT.java</include>
                             </includes>
                         </configuration>
                         <executions>
@@ -529,13 +397,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
             </dependencies>
             <build>
                 <plugins>
-                    <plugin>
-                        <groupId>org.apache.maven.plugins</groupId>
-                        <artifactId>maven-surefire-plugin</artifactId>
-                        <configuration>
-                            <skip>true</skip>
-                        </configuration>
-                    </plugin>
                     <plugin>
                         <groupId>org.apache.maven.plugins</groupId>
                         <artifactId>maven-failsafe-plugin</artifactId>
@@ -555,7 +416,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                                 </property>
                             </systemProperties>
                             <includes>
-                                <include>**/*MySQLTest.java</include>
+                                <include>**/*MySqlIT.java</include>
                             </includes>
                         </configuration>
                         <executions>
@@ -570,15 +431,19 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                 </plugins>
             </build>
         </profile>
-        <profile>
-            <!-- The following profile adds additional
-            dependencies that are only used during testing.
-            Additionally, these are only added when using "allTests" to
-            make the build slightly faster in most cases. -->
+        <!-- 
+            The following profile adds additional dependencies that are only 
+            used during testing.
+        
+            TODO move the following FP tests to a seperate invoker test in the
+            maven plugin project. Add checks against the XML to validate that
+            these do not report FP.
+        -->
+        <!--profile>
             <id>False Positive Tests</id>
             <activation>
                 <property>
-                    <name>allTests</name>
+                    <name>releaseTesting</name>
                 </property>
             </activation>
             <dependencies>
@@ -589,13 +454,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <scope>test</scope>
                     <optional>true</optional>
                 </dependency>
-                <dependency>
-                    <groupId>com.thoughtworks.xstream</groupId>
-                    <artifactId>xstream</artifactId>
-                    <version>1.4.2</version>
-                    <scope>test</scope>
-                    <optional>true</optional>
-                </dependency>
                 <dependency>
                     <groupId>org.apache.ws.security</groupId>
                     <artifactId>wss4j</artifactId>
@@ -666,20 +524,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <scope>test</scope>
                     <optional>true</optional>
                 </dependency>
-                <dependency>
-                    <groupId>org.springframework</groupId>
-                    <artifactId>spring-webmvc</artifactId>
-                    <version>3.2.12.RELEASE</version>
-                    <scope>test</scope>
-                    <optional>true</optional>
-                </dependency>
-                <dependency>
-                    <groupId>com.google.code.gson</groupId>
-                    <artifactId>gson</artifactId>
-                    <version>2.3.1</version>
-                    <scope>test</scope>
-                    <optional>true</optional>
-                </dependency>
                 <dependency>
                     <groupId>com.google.gerrit</groupId>
                     <artifactId>gerrit-extension-api</artifactId>
@@ -730,6 +574,6 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
                     <optional>true</optional>
                 </dependency>
             </dependencies>
-        </profile>
+        </profile-->
     </profiles>
 </project>

core/src/main/java/org/owasp/dependencycheck/AnalysisTask.java

@@ -0,0 +1,115 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 Stefan Neuhaus. All Rights Reserved.
+ */
+package org.owasp.dependencycheck;
+
+import org.owasp.dependencycheck.analyzer.Analyzer;
+import org.owasp.dependencycheck.analyzer.FileTypeAnalyzer;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.util.List;
+import java.util.concurrent.Callable;
+import javax.annotation.concurrent.ThreadSafe;
+
+/**
+ * Task to support parallelism of dependency-check analysis. Analyses a single
+ * {@link Dependency} by a specific {@link Analyzer}.
+ *
+ * @author Stefan Neuhaus
+ */
+@ThreadSafe
+public class AnalysisTask implements Callable<Void> {
+
+    /**
+     * Instance of the logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AnalysisTask.class);
+
+    /**
+     * A reference to the analyzer.
+     */
+    private final Analyzer analyzer;
+    /**
+     * The dependency to analyze.
+     */
+    private final Dependency dependency;
+    /**
+     * A reference to the dependency-check engine.
+     */
+    private final Engine engine;
+    /**
+     * The list of exceptions that may occur during analysis.
+     */
+    private final List<Throwable> exceptions;
+
+    /**
+     * Creates a new analysis task.
+     *
+     * @param analyzer a reference of the analyzer to execute
+     * @param dependency the dependency to analyze
+     * @param engine the dependency-check engine
+     * @param exceptions exceptions that occur during analysis will be added to
+     * this collection of exceptions
+     */
+    AnalysisTask(Analyzer analyzer, Dependency dependency, Engine engine, List<Throwable> exceptions) {
+        this.analyzer = analyzer;
+        this.dependency = dependency;
+        this.engine = engine;
+        this.exceptions = exceptions;
+    }
+
+    /**
+     * Executes the analysis task.
+     *
+     * @return null
+     */
+    @Override
+    public Void call() {
+        if (shouldAnalyze()) {
+            LOGGER.debug("Begin Analysis of '{}' ({})", dependency.getActualFilePath(), analyzer.getName());
+            try {
+                analyzer.analyze(dependency, engine);
+            } catch (AnalysisException ex) {
+                LOGGER.warn("An error occurred while analyzing '{}' ({}).", dependency.getActualFilePath(), analyzer.getName());
+                LOGGER.debug("", ex);
+                exceptions.add(ex);
+            } catch (Throwable ex) {
+                LOGGER.warn("An unexpected error occurred during analysis of '{}' ({}): {}",
+                        dependency.getActualFilePath(), analyzer.getName(), ex.getMessage());
+                LOGGER.debug("", ex);
+                exceptions.add(ex);
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Determines if the analyzer can analyze the given dependency.
+     *
+     * @return whether or not the analyzer can analyze the dependency
+     */
+    protected boolean shouldAnalyze() {
+        if (analyzer instanceof FileTypeAnalyzer) {
+            final FileTypeAnalyzer fileTypeAnalyzer = (FileTypeAnalyzer) analyzer;
+            return fileTypeAnalyzer.accept(dependency.getActualFile());
+        }
+        return true;
+    }
+}

core/src/main/java/org/owasp/dependencycheck/agent/DependencyCheckScanAgent.java

@@ -20,13 +20,15 @@ package org.owasp.dependencycheck.agent;
 import java.io.File;
 import java.io.IOException;
 import java.util.List;
+import javax.annotation.concurrent.NotThreadSafe;
 import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
-import org.owasp.dependencycheck.data.nvdcve.DatabaseProperties;
+import org.owasp.dependencycheck.data.update.exception.UpdateException;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.Vulnerability;
+import org.owasp.dependencycheck.exception.ExceptionCollection;
+import org.owasp.dependencycheck.exception.ReportException;
 import org.owasp.dependencycheck.exception.ScanAgentException;
 import org.owasp.dependencycheck.reporting.ReportGenerator;
 import org.owasp.dependencycheck.utils.Settings;
@@ -34,18 +36,20 @@ import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * This class provides a way to easily conduct a scan solely based on existing evidence metadata rather than collecting evidence
- * from the files themselves. This class is based on the Ant task and Maven plugin with the exception that it takes a list of
- * dependencies that can be programmatically added from data in a spreadsheet, database or some other datasource and conduct a
- * scan based on this pre-defined evidence.
+ * This class provides a way to easily conduct a scan solely based on existing
+ * evidence metadata rather than collecting evidence from the files themselves.
+ * This class is based on the Ant task and Maven plugin with the exception that
+ * it takes a list of dependencies that can be programmatically added from data
+ * in a spreadsheet, database or some other datasource and conduct a scan based
+ * on this pre-defined evidence.
  *
  * <h2>Example:</h2>
  * <pre>
  * List&lt;Dependency&gt; dependencies = new ArrayList&lt;Dependency&gt;();
  * Dependency dependency = new Dependency(new File(FileUtils.getBitBucket()));
- * dependency.getProductEvidence().addEvidence("my-datasource", "name", "Jetty", Confidence.HIGH);
- * dependency.getVersionEvidence().addEvidence("my-datasource", "version", "5.1.10", Confidence.HIGH);
- * dependency.getVendorEvidence().addEvidence("my-datasource", "vendor", "mortbay", Confidence.HIGH);
+ * dependency.addEvidence(EvidenceType.PRODUCT, "my-datasource", "name", "Jetty", Confidence.HIGH);
+ * dependency.addEvidence(EvidenceType.VERSION, "my-datasource", "version", "5.1.10", Confidence.HIGH);
+ * dependency.addEvidence(EvidenceType.VENDOR, "my-datasource", "vendor", "mortbay", Confidence.HIGH);
  * dependencies.add(dependency);
  *
  * DependencyCheckScanAgent scan = new DependencyCheckScanAgent();
@@ -58,8 +62,10 @@ import org.slf4j.LoggerFactory;
  * @author Steve Springett
  */
 @SuppressWarnings("unused")
+@NotThreadSafe
 public class DependencyCheckScanAgent {
 
+    //<editor-fold defaultstate="collapsed" desc="private fields">
     /**
      * System specific new line character.
      */
@@ -72,6 +78,160 @@ public class DependencyCheckScanAgent {
      * The application name for the report.
      */
     private String applicationName = "Dependency-Check";
+    /**
+     * The pre-determined dependencies to scan
+     */
+    private List<Dependency> dependencies;
+    /**
+     * The location of the data directory that contains
+     */
+    private String dataDirectory = null;
+    /**
+     * Specifies the destination directory for the generated Dependency-Check
+     * report.
+     */
+    private String reportOutputDirectory;
+    /**
+     * Specifies if the build should be failed if a CVSS score above a specified
+     * level is identified. The default is 11 which means since the CVSS scores
+     * are 0-10, by default the build will never fail and the CVSS score is set
+     * to 11. The valid range for the fail build on CVSS is 0 to 11, where
+     * anything above 10 will not cause the build to fail.
+     */
+    private float failBuildOnCVSS = 11;
+    /**
+     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not
+     * recommended that this be turned to false. Default is true.
+     */
+    private boolean autoUpdate = true;
+    /**
+     * Sets whether the data directory should be updated without performing a
+     * scan. Default is false.
+     */
+    private boolean updateOnly = false;
+    /**
+     * flag indicating whether or not to generate a report of findings.
+     */
+    private boolean generateReport = true;
+    /**
+     * The report format to be generated (HTML, XML, VULN, ALL). This
+     * configuration option has no affect if using this within the Site plugin
+     * unless the externalReport is set to true. Default is HTML.
+     */
+    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
+    /**
+     * The Proxy Server.
+     */
+    private String proxyServer;
+    /**
+     * The Proxy Port.
+     */
+    private String proxyPort;
+    /**
+     * The Proxy username.
+     */
+    private String proxyUsername;
+    /**
+     * The Proxy password.
+     */
+    private String proxyPassword;
+    /**
+     * The Connection Timeout.
+     */
+    private String connectionTimeout;
+    /**
+     * The file path used for verbose logging.
+     */
+    private String logFile = null;
+    /**
+     * flag indicating whether or not to show a summary of findings.
+     */
+    private boolean showSummary = true;
+    /**
+     * The path to the suppression file.
+     */
+    private String suppressionFile;
+    /**
+     * The password to use when connecting to the database.
+     */
+    private String databasePassword;
+    /**
+     * The starting string that identifies CPEs that are qualified to be imported.
+     */
+    private String cpeStartsWithFilter;
+    /**
+     * Whether or not the Maven Central analyzer is enabled.
+     */
+    private boolean centralAnalyzerEnabled = true;
+    /**
+     * The URL of Maven Central.
+     */
+    private String centralUrl;
+    /**
+     * Whether or not the nexus analyzer is enabled.
+     */
+    private boolean nexusAnalyzerEnabled = true;
+    /**
+     * The URL of the Nexus server.
+     */
+    private String nexusUrl;
+    /**
+     * Whether or not the defined proxy should be used when connecting to Nexus.
+     */
+    private boolean nexusUsesProxy = true;
+    /**
+     * The database driver name; such as org.h2.Driver.
+     */
+    private String databaseDriverName;
+    /**
+     * The path to the database driver JAR file if it is not on the class path.
+     */
+    private String databaseDriverPath;
+    /**
+     * The database connection string.
+     */
+    private String connectionString;
+    /**
+     * The user name for connecting to the database.
+     */
+    private String databaseUser;
+    /**
+     * Additional ZIP File extensions to add analyze. This should be a
+     * comma-separated list of file extensions to treat like ZIP files.
+     */
+    private String zipExtensions;
+    /**
+     * The url for the modified NVD CVE (1.2 schema).
+     */
+    private String cveUrl12Modified;
+    /**
+     * The url for the modified NVD CVE (2.0 schema).
+     */
+    private String cveUrl20Modified;
+    /**
+     * Base Data Mirror URL for CVE 1.2.
+     */
+    private String cveUrl12Base;
+    /**
+     * Data Mirror URL for CVE 2.0.
+     */
+    private String cveUrl20Base;
+    /**
+     * The path to Mono for .NET assembly analysis on non-windows systems.
+     */
+    private String pathToMono;
+    /**
+     * The configured settings.
+     */
+    private Settings settings;
+    /**
+     * The path to optional dependency-check properties file. This will be used
+     * to side-load additional user-defined properties.
+     * {@link Settings#mergeProperties(String)}
+     */
+    private String propertiesFilePath;
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="getters/setters">
 
     /**
      * Get the value of applicationName.
@@ -91,11 +251,6 @@ public class DependencyCheckScanAgent {
         this.applicationName = applicationName;
     }
 
-    /**
-     * The pre-determined dependencies to scan
-     */
-    private List<Dependency> dependencies;
-
     /**
      * Returns a list of pre-determined dependencies.
      *
@@ -114,11 +269,6 @@ public class DependencyCheckScanAgent {
         this.dependencies = dependencies;
     }
 
-    /**
-     * The location of the data directory that contains
-     */
-    private String dataDirectory = null;
-
     /**
      * Get the value of dataDirectory.
      *
@@ -137,11 +287,6 @@ public class DependencyCheckScanAgent {
         this.dataDirectory = dataDirectory;
     }
 
-    /**
-     * Specifies the destination directory for the generated Dependency-Check report.
-     */
-    private String reportOutputDirectory;
-
     /**
      * Get the value of reportOutputDirectory.
      *
@@ -160,13 +305,6 @@ public class DependencyCheckScanAgent {
         this.reportOutputDirectory = reportOutputDirectory;
     }
 
-    /**
-     * Specifies if the build should be failed if a CVSS score above a specified level is identified. The default is 11 which
-     * means since the CVSS scores are 0-10, by default the build will never fail and the CVSS score is set to 11. The valid range
-     * for the fail build on CVSS is 0 to 11, where anything above 10 will not cause the build to fail.
-     */
-    private float failBuildOnCVSS = 11;
-
     /**
      * Get the value of failBuildOnCVSS.
      *
@@ -185,12 +323,6 @@ public class DependencyCheckScanAgent {
         this.failBuildOnCVSS = failBuildOnCVSS;
     }
 
-    /**
-     * Sets whether auto-updating of the NVD CVE/CPE data is enabled. It is not recommended that this be turned to false. Default
-     * is true.
-     */
-    private boolean autoUpdate = true;
-
     /**
      * Get the value of autoUpdate.
      *
@@ -210,9 +342,22 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * flag indicating whether or not to generate a report of findings.
+     * Get the value of updateOnly.
+     *
+     * @return the value of updateOnly
      */
-    private boolean generateReport = true;
+    public boolean isUpdateOnly() {
+        return updateOnly;
+    }
+
+    /**
+     * Set the value of updateOnly.
+     *
+     * @param updateOnly new value of updateOnly
+     */
+    public void setUpdateOnly(boolean updateOnly) {
+        this.updateOnly = updateOnly;
+    }
 
     /**
      * Get the value of generateReport.
@@ -232,12 +377,6 @@ public class DependencyCheckScanAgent {
         this.generateReport = generateReport;
     }
 
-    /**
-     * The report format to be generated (HTML, XML, VULN, ALL). This configuration option has no affect if using this within the
-     * Site plugin unless the externalReport is set to true. Default is HTML.
-     */
-    private ReportGenerator.Format reportFormat = ReportGenerator.Format.HTML;
-
     /**
      * Get the value of reportFormat.
      *
@@ -256,11 +395,6 @@ public class DependencyCheckScanAgent {
         this.reportFormat = reportFormat;
     }
 
-    /**
-     * The Proxy Server.
-     */
-    private String proxyServer;
-
     /**
      * Get the value of proxyServer.
      *
@@ -283,7 +417,9 @@ public class DependencyCheckScanAgent {
      * Get the value of proxyServer.
      *
      * @return the value of proxyServer
-     * @deprecated use {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()} instead
+     * @deprecated use
+     * {@link org.owasp.dependencycheck.agent.DependencyCheckScanAgent#getProxyServer()}
+     * instead
      */
     @Deprecated
     public String getProxyUrl() {
@@ -302,11 +438,6 @@ public class DependencyCheckScanAgent {
         this.proxyServer = proxyUrl;
     }
 
-    /**
-     * The Proxy Port.
-     */
-    private String proxyPort;
-
     /**
      * Get the value of proxyPort.
      *
@@ -325,11 +456,6 @@ public class DependencyCheckScanAgent {
         this.proxyPort = proxyPort;
     }
 
-    /**
-     * The Proxy username.
-     */
-    private String proxyUsername;
-
     /**
      * Get the value of proxyUsername.
      *
@@ -348,11 +474,6 @@ public class DependencyCheckScanAgent {
         this.proxyUsername = proxyUsername;
     }
 
-    /**
-     * The Proxy password.
-     */
-    private String proxyPassword;
-
     /**
      * Get the value of proxyPassword.
      *
@@ -371,11 +492,6 @@ public class DependencyCheckScanAgent {
         this.proxyPassword = proxyPassword;
     }
 
-    /**
-     * The Connection Timeout.
-     */
-    private String connectionTimeout;
-
     /**
      * Get the value of connectionTimeout.
      *
@@ -394,11 +510,6 @@ public class DependencyCheckScanAgent {
         this.connectionTimeout = connectionTimeout;
     }
 
-    /**
-     * The file path used for verbose logging.
-     */
-    private String logFile = null;
-
     /**
      * Get the value of logFile.
      *
@@ -417,11 +528,6 @@ public class DependencyCheckScanAgent {
         this.logFile = logFile;
     }
 
-    /**
-     * The path to the suppression file.
-     */
-    private String suppressionFile;
-
     /**
      * Get the value of suppressionFile.
      *
@@ -440,11 +546,6 @@ public class DependencyCheckScanAgent {
         this.suppressionFile = suppressionFile;
     }
 
-    /**
-     * flag indicating whether or not to show a summary of findings.
-     */
-    private boolean showSummary = true;
-
     /**
      * Get the value of showSummary.
      *
@@ -464,9 +565,20 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Whether or not the Maven Central analyzer is enabled.
+     * Sets starting string that identifies CPEs that are qualified to be imported.
+     * @param cpeStartsWithFilter filters CPEs based on this starting string (i.e. cpe:/a: )
      */
-    private boolean centralAnalyzerEnabled = true;
+    public void setCpeStartsWithFilter(String cpeStartsWithFilter) {
+        this.cpeStartsWithFilter = cpeStartsWithFilter;
+    }
+
+    /**
+     * Returns the starting string that identifies CPEs that are qualified to be imported.
+     * @return the CPE starting filter (i.e. cpe:/a: )
+     */
+    public String getCpeStartsWithFilter() {
+        return cpeStartsWithFilter;
+    }
 
     /**
      * Get the value of centralAnalyzerEnabled.
@@ -486,11 +598,6 @@ public class DependencyCheckScanAgent {
         this.centralAnalyzerEnabled = centralAnalyzerEnabled;
     }
 
-    /**
-     * The URL of Maven Central.
-     */
-    private String centralUrl;
-
     /**
      * Get the value of centralUrl.
      *
@@ -509,11 +616,6 @@ public class DependencyCheckScanAgent {
         this.centralUrl = centralUrl;
     }
 
-    /**
-     * Whether or not the nexus analyzer is enabled.
-     */
-    private boolean nexusAnalyzerEnabled = true;
-
     /**
      * Get the value of nexusAnalyzerEnabled.
      *
@@ -532,11 +634,6 @@ public class DependencyCheckScanAgent {
         this.nexusAnalyzerEnabled = nexusAnalyzerEnabled;
     }
 
-    /**
-     * The URL of the Nexus server.
-     */
-    private String nexusUrl;
-
     /**
      * Get the value of nexusUrl.
      *
@@ -555,11 +652,6 @@ public class DependencyCheckScanAgent {
         this.nexusUrl = nexusUrl;
     }
 
-    /**
-     * Whether or not the defined proxy should be used when connecting to Nexus.
-     */
-    private boolean nexusUsesProxy = true;
-
     /**
      * Get the value of nexusUsesProxy.
      *
@@ -578,11 +670,6 @@ public class DependencyCheckScanAgent {
         this.nexusUsesProxy = nexusUsesProxy;
     }
 
-    /**
-     * The database driver name; such as org.h2.Driver.
-     */
-    private String databaseDriverName;
-
     /**
      * Get the value of databaseDriverName.
      *
@@ -601,11 +688,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverName = databaseDriverName;
     }
 
-    /**
-     * The path to the database driver JAR file if it is not on the class path.
-     */
-    private String databaseDriverPath;
-
     /**
      * Get the value of databaseDriverPath.
      *
@@ -624,11 +706,6 @@ public class DependencyCheckScanAgent {
         this.databaseDriverPath = databaseDriverPath;
     }
 
-    /**
-     * The database connection string.
-     */
-    private String connectionString;
-
     /**
      * Get the value of connectionString.
      *
@@ -647,11 +724,6 @@ public class DependencyCheckScanAgent {
         this.connectionString = connectionString;
     }
 
-    /**
-     * The user name for connecting to the database.
-     */
-    private String databaseUser;
-
     /**
      * Get the value of databaseUser.
      *
@@ -670,11 +742,6 @@ public class DependencyCheckScanAgent {
         this.databaseUser = databaseUser;
     }
 
-    /**
-     * The password to use when connecting to the database.
-     */
-    private String databasePassword;
-
     /**
      * Get the value of databasePassword.
      *
@@ -693,12 +760,6 @@ public class DependencyCheckScanAgent {
         this.databasePassword = databasePassword;
     }
 
-    /**
-     * Additional ZIP File extensions to add analyze. This should be a comma-separated list of file extensions to treat like ZIP
-     * files.
-     */
-    private String zipExtensions;
-
     /**
      * Get the value of zipExtensions.
      *
@@ -717,11 +778,6 @@ public class DependencyCheckScanAgent {
         this.zipExtensions = zipExtensions;
     }
 
-    /**
-     * The url for the modified NVD CVE (1.2 schema).
-     */
-    private String cveUrl12Modified;
-
     /**
      * Get the value of cveUrl12Modified.
      *
@@ -740,11 +796,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Modified = cveUrl12Modified;
     }
 
-    /**
-     * The url for the modified NVD CVE (2.0 schema).
-     */
-    private String cveUrl20Modified;
-
     /**
      * Get the value of cveUrl20Modified.
      *
@@ -763,11 +814,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Modified = cveUrl20Modified;
     }
 
-    /**
-     * Base Data Mirror URL for CVE 1.2.
-     */
-    private String cveUrl12Base;
-
     /**
      * Get the value of cveUrl12Base.
      *
@@ -786,11 +832,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl12Base = cveUrl12Base;
     }
 
-    /**
-     * Data Mirror URL for CVE 2.0.
-     */
-    private String cveUrl20Base;
-
     /**
      * Get the value of cveUrl20Base.
      *
@@ -809,11 +850,6 @@ public class DependencyCheckScanAgent {
         this.cveUrl20Base = cveUrl20Base;
     }
 
-    /**
-     * The path to Mono for .NET assembly analysis on non-windows systems.
-     */
-    private String pathToMono;
-
     /**
      * Get the value of pathToMono.
      *
@@ -833,16 +869,52 @@ public class DependencyCheckScanAgent {
     }
 
     /**
-     * Executes the Dependency-Check on the dependent libraries.
+     * Get the value of propertiesFilePath.
+     *
+     * @return the value of propertiesFilePath
+     */
+    public String getPropertiesFilePath() {
+        return propertiesFilePath;
+    }
+
+    /**
+     * Set the value of propertiesFilePath.
+     *
+     * @param propertiesFilePath new value of propertiesFilePath
+     */
+    public void setPropertiesFilePath(String propertiesFilePath) {
+        this.propertiesFilePath = propertiesFilePath;
+    }
+    //</editor-fold>
+
+    /**
+     * Executes the Dependency-Check on the dependent libraries. <b>Note</b>, the engine
+     * object returned from this method must be closed by calling `close()`
      *
      * @return the Engine used to scan the dependencies.
-     * @throws org.owasp.dependencycheck.data.nvdcve.DatabaseException thrown if there is an exception connecting to the database
+     * @throws ExceptionCollection a collection of one or more exceptions that
+     * occurred during analysis.
      */
-    private Engine executeDependencyCheck() throws DatabaseException {
+    private Engine executeDependencyCheck() throws ExceptionCollection {
         populateSettings();
-        final Engine engine = new Engine();
-        engine.setDependencies(this.dependencies);
-        engine.analyzeDependencies();
+        final Engine engine;
+        try {
+            engine = new Engine(settings);
+        } catch (DatabaseException ex) {
+            throw new ExceptionCollection(ex, true);
+        }
+        if (this.updateOnly) {
+            try {
+                engine.doUpdates();
+            } catch (UpdateException ex) {
+                throw new ExceptionCollection("Unable to perform update", ex);
+            } finally {
+                engine.close();
+            }
+        } else {
+            engine.setDependencies(this.dependencies);
+            engine.analyzeDependencies();
+        }
         return engine;
     }
 
@@ -851,116 +923,116 @@ public class DependencyCheckScanAgent {
      *
      * @param engine a dependency-check engine
      * @param outDirectory the directory to write the reports to
+     * @throws ScanAgentException thrown if there is an error generating the
+     * report
      */
-    private void generateExternalReports(Engine engine, File outDirectory) {
-        DatabaseProperties prop = null;
-        CveDB cve = null;
+    private void generateExternalReports(Engine engine, File outDirectory) throws ScanAgentException {
         try {
-            cve = new CveDB();
-            cve.open();
-            prop = cve.getDatabaseProperties();
-        } catch (DatabaseException ex) {
-            LOGGER.debug("Unable to retrieve DB Properties", ex);
-        } finally {
-            if (cve != null) {
-                cve.close();
-            }
-        }
-        final ReportGenerator r = new ReportGenerator(this.applicationName, engine.getDependencies(), engine.getAnalyzers(), prop);
-        try {
-            r.generateReports(outDirectory.getCanonicalPath(), this.reportFormat.name());
-        } catch (IOException ex) {
-            LOGGER.error(
-                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
-            LOGGER.debug("", ex);
-        } catch (Throwable ex) {
-            LOGGER.error(
-                    "Unexpected exception occurred during analysis; please see the verbose error log for more details.");
-            LOGGER.debug("", ex);
+            engine.writeReports(applicationName, outDirectory, this.reportFormat.name());
+        } catch (ReportException ex) {
+            LOGGER.debug("Unexpected exception occurred during analysis; please see the verbose error log for more details.", ex);
+            throw new ScanAgentException("Error generating the report", ex);
         }
     }
 
     /**
-     * Takes the properties supplied and updates the dependency-check settings. Additionally, this sets the system properties
-     * required to change the proxy server, port, and connection timeout.
+     * Takes the properties supplied and updates the dependency-check settings.
+     * Additionally, this sets the system properties required to change the
+     * proxy server, port, and connection timeout.
      */
     private void populateSettings() {
-        Settings.initialize();
+        settings = new Settings();
         if (dataDirectory != null) {
-            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDirectory);
         } else {
             final File jarPath = new File(DependencyCheckScanAgent.class.getProtectionDomain().getCodeSource().getLocation().getPath());
             final File base = jarPath.getParentFile();
-            final String sub = Settings.getString(Settings.KEYS.DATA_DIRECTORY);
+            final String sub = settings.getString(Settings.KEYS.DATA_DIRECTORY);
             final File dataDir = new File(base, sub);
-            Settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+            settings.setString(Settings.KEYS.DATA_DIRECTORY, dataDir.getAbsolutePath());
+        }
+        if (propertiesFilePath != null) {
+            try {
+                settings.mergeProperties(propertiesFilePath);
+                LOGGER.info("Successfully loaded user-defined properties");
+            } catch (IOException e) {
+                LOGGER.error("Unable to merge user-defined properties", e);
+                LOGGER.error("Continuing execution");
+            }
         }
 
-        Settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
-        Settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
-        Settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
-        Settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
-        Settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
-        Settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
-        Settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
+        settings.setBoolean(Settings.KEYS.AUTO_UPDATE, autoUpdate);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_SERVER, proxyServer);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PORT, proxyPort);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_USERNAME, proxyUsername);
+        settings.setStringIfNotEmpty(Settings.KEYS.PROXY_PASSWORD, proxyPassword);
+        settings.setStringIfNotEmpty(Settings.KEYS.CONNECTION_TIMEOUT, connectionTimeout);
+        settings.setStringIfNotEmpty(Settings.KEYS.SUPPRESSION_FILE, suppressionFile);
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_CPE_STARTS_WITH_FILTER, cpeStartsWithFilter);
+        settings.setBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED, centralAnalyzerEnabled);
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_CENTRAL_URL, centralUrl);
+        settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED, nexusAnalyzerEnabled);
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_NEXUS_URL, nexusUrl);
+        settings.setBoolean(Settings.KEYS.ANALYZER_NEXUS_USES_PROXY, nexusUsesProxy);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_NAME, databaseDriverName);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_DRIVER_PATH, databaseDriverPath);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_CONNECTION_STRING, connectionString);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_USER, databaseUser);
+        settings.setStringIfNotEmpty(Settings.KEYS.DB_PASSWORD, databasePassword);
+        settings.setStringIfNotEmpty(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS, zipExtensions);
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_12_URL, cveUrl12Modified);
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_MODIFIED_20_URL, cveUrl20Modified);
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_1_2, cveUrl12Base);
+        settings.setStringIfNotEmpty(Settings.KEYS.CVE_SCHEMA_2_0, cveUrl20Base);
+        settings.setStringIfNotEmpty(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH, pathToMono);
     }
 
     /**
      * Executes the dependency-check and generates the report.
      *
      * @return a reference to the engine used to perform the scan.
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
+     * there is an exception executing the scan.
      */
     public Engine execute() throws ScanAgentException {
         Engine engine = null;
         try {
             engine = executeDependencyCheck();
-            if (this.generateReport) {
-                generateExternalReports(engine, new File(this.reportOutputDirectory));
+            if (!this.updateOnly) {
+                if (this.generateReport) {
+                    generateExternalReports(engine, new File(this.reportOutputDirectory));
+                }
+                if (this.showSummary) {
+                    showSummary(engine.getDependencies());
+                }
+                if (this.failBuildOnCVSS <= 10) {
+                    checkForFailure(engine.getDependencies());
+                }
             }
-            if (this.showSummary) {
-                showSummary(engine.getDependencies());
+        } catch (ExceptionCollection ex) {
+            if (ex.isFatal()) {
+                LOGGER.error("A fatal exception occurred during analysis; analysis has stopped. Please see the debug log for more details.");
+                LOGGER.debug("", ex);
             }
-            if (this.failBuildOnCVSS <= 10) {
-                checkForFailure(engine.getDependencies());
-            }
-        } catch (DatabaseException ex) {
-            LOGGER.error(
-                    "Unable to connect to the dependency-check database; analysis has stopped");
-            LOGGER.debug("", ex);
+            throw new ScanAgentException("One or more exceptions occurred during analysis; please see the debug log for more details.", ex);
         } finally {
-            Settings.cleanup(true);
+            settings.cleanup(true);
             if (engine != null) {
-                engine.cleanup();
+                engine.close();
             }
         }
         return engine;
     }
 
     /**
-     * Checks to see if a vulnerability has been identified with a CVSS score that is above the threshold set in the
-     * configuration.
+     * Checks to see if a vulnerability has been identified with a CVSS score
+     * that is above the threshold set in the configuration.
      *
      * @param dependencies the list of dependency objects
-     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if there is an exception executing the scan.
+     * @throws org.owasp.dependencycheck.exception.ScanAgentException thrown if
+     * there is an exception executing the scan.
      */
-    private void checkForFailure(List<Dependency> dependencies) throws ScanAgentException {
+    private void checkForFailure(Dependency[] dependencies) throws ScanAgentException {
         final StringBuilder ids = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean addName = true;
@@ -977,25 +1049,32 @@ public class DependencyCheckScanAgent {
             }
         }
         if (ids.length() > 0) {
-            final String msg = String.format("%n%nDependency-Check Failure:%n"
-                    + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater then '%.1f': %s%n"
-                    + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
-
+            final String msg;
+            if (showSummary) {
+                msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities that have a CVSS score greater than or equal to '%.1f': %s%n"
+                        + "See the dependency-check report for more details.%n%n", failBuildOnCVSS, ids.toString());
+            } else {
+                msg = String.format("%n%nDependency-Check Failure:%n"
+                        + "One or more dependencies were identified with vulnerabilities.%n%n"
+                        + "See the dependency-check report for more details.%n%n");
+            }
             throw new ScanAgentException(msg);
         }
     }
 
     /**
-     * Generates a warning message listing a summary of dependencies and their associated CPE and CVE entries.
+     * Generates a warning message listing a summary of dependencies and their
+     * associated CPE and CVE entries.
      *
      * @param dependencies a list of dependency objects
      */
-    private void showSummary(List<Dependency> dependencies) {
+    private void showSummary(Dependency[] dependencies) {
         final StringBuilder summary = new StringBuilder();
         for (Dependency d : dependencies) {
             boolean firstEntry = true;
             final StringBuilder ids = new StringBuilder();
-            for (Vulnerability v : d.getVulnerabilities()) {
+            for (Vulnerability v : d.getVulnerabilities(true)) {
                 if (firstEntry) {
                     firstEntry = false;
                 } else {
@@ -1023,5 +1102,4 @@ public class DependencyCheckScanAgent {
                     summary.toString());
         }
     }
-
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractAnalyzer.java

@@ -0,0 +1,191 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+import javax.annotation.concurrent.ThreadSafe;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * Base class for analyzers to avoid code duplication of prepare and close as
+ * most analyzers do not need these methods.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public abstract class AbstractAnalyzer implements Analyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractAnalyzer.class);
+    /**
+     * A flag indicating whether or not the analyzer is enabled.
+     */
+    private volatile boolean enabled = true;
+    /**
+     * The configured settings.
+     */
+    private Settings settings;
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    @Override
+    public boolean isEnabled() {
+        return enabled;
+    }
+
+    /**
+     * Set the value of enabled.
+     *
+     * @param enabled new value of enabled
+     */
+    public void setEnabled(boolean enabled) {
+        this.enabled = enabled;
+    }
+
+    /**
+     * Returns the configured settings.
+     *
+     * @return the configured settings
+     */
+    protected Settings getSettings() {
+        return settings;
+    }
+
+    /**
+     * Initializes the analyzer with the configured settings.
+     *
+     * @param settings the configured settings to use
+     */
+    @Override
+    public void initialize(Settings settings) {
+        this.settings = settings;
+        final String key = getAnalyzerEnabledSettingKey();
+        try {
+            this.setEnabled(settings.getBoolean(key, true));
+        } catch (InvalidSettingException ex) {
+            final String msg = String.format("Invalid setting for property '%s'", key);
+            LOGGER.warn(msg);
+            LOGGER.debug(msg, ex);
+        }
+    }
+
+    /**
+     * Initialize the abstract analyzer.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public final void prepare(Engine engine) throws InitializationException {
+        if (isEnabled()) {
+            prepareAnalyzer(engine);
+        } else {
+            LOGGER.debug("{} has been disabled", getName());
+        }
+    }
+
+    /**
+     * Prepares a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if there is an exception
+     */
+    protected void prepareAnalyzer(Engine engine) throws InitializationException {
+        // Intentionally empty, analyzer will override this if they must prepare anything.
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    @Override
+    public final void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+        if (this.isEnabled()) {
+            analyzeDependency(dependency, engine);
+        }
+    }
+
+    /**
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
+     *
+     * @param dependency the dependency to analyze
+     * @param engine the engine scanning
+     * @throws AnalysisException thrown if there is an analysis exception
+     */
+    protected abstract void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * The close method does nothing for this Analyzer.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    @Override
+    public final void close() throws Exception {
+        if (isEnabled()) {
+            closeAnalyzer();
+        }
+    }
+
+    /**
+     * Closes a given Analyzer. This will be skipped if the analyzer is
+     * disabled.
+     *
+     * @throws Exception thrown if there is an exception
+     */
+    protected void closeAnalyzer() throws Exception {
+        // Intentionally empty, analyzer will override this if they must close a resource.
+    }
+
+    /**
+     * The default is to support parallel processing.
+     *
+     * @return true
+     */
+    @Override
+    public boolean supportsParallelProcessing() {
+        return true;
+    }
+
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    protected abstract String getAnalyzerEnabledSettingKey();
+
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractDependencyComparingAnalyzer.java

@@ -0,0 +1,125 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.HashSet;
+import java.util.Set;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+/**
+ * <p>
+ * This analyzer ensures dependencies that should be grouped together, to remove
+ * excess noise from the report, are grouped. An example would be Spring, Spring
+ * Beans, Spring MVC, etc. If they are all for the same version and have the
+ * same relative path then these should be grouped into a single dependency
+ * under the core/main library.</p>
+ * <p>
+ * Note, this grouping only works on dependencies with identified CVE
+ * entries</p>
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public abstract class AbstractDependencyComparingAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractDependencyComparingAnalyzer.class);
+
+    /**
+     * a flag indicating if this analyzer has run. This analyzer only runs once.
+     */
+    private boolean analyzed = false;
+
+    /**
+     * Returns a flag indicating if this analyzer has run. This analyzer only
+     * runs once. Note this is currently only used in the unit tests.
+     *
+     * @return a flag indicating if this analyzer has run. This analyzer only
+     * runs once
+     */
+    protected synchronized boolean getAnalyzed() {
+        return analyzed;
+    }
+
+    /**
+     * Does not support parallel processing as it only runs once and then
+     * operates on <em>all</em> dependencies.
+     *
+     * @return whether or not parallel processing is enabled
+     * @see #analyze(Dependency, Engine)
+     */
+    @Override
+    public final boolean supportsParallelProcessing() {
+        return false;
+    }
+
+    /**
+     * Analyzes a set of dependencies. If they have been found to have the same
+     * base path and the same set of identifiers they are likely related. The
+     * related dependencies are bundled into a single reportable item.
+     *
+     * @param ignore this analyzer ignores the dependency being analyzed
+     * @param engine the engine that is scanning the dependencies
+     * @throws AnalysisException is thrown if there is an error reading the JAR
+     * file.
+     */
+    @Override
+    protected synchronized void analyzeDependency(Dependency ignore, Engine engine) throws AnalysisException {
+        if (!analyzed) {
+            analyzed = true;
+            final Set<Dependency> dependenciesToRemove = new HashSet<>();
+
+            final Dependency[] dependencies = engine.getDependencies();
+            if (dependencies.length < 2) {
+                return;
+            }
+            for (int x = 0; x < dependencies.length - 1; x++) {
+                final Dependency dependency = dependencies[x];
+                if (!dependenciesToRemove.contains(dependency)) {
+                    for (int y = x + 1; y < dependencies.length; y++) {
+                        final Dependency nextDependency = dependencies[y];
+                        if (evaluateDependencies(dependency, nextDependency, dependenciesToRemove)) {
+                            break;
+                        }
+                    }
+                }
+            }
+            for (Dependency d : dependenciesToRemove) {
+                engine.removeDependency(d);
+            }
+        }
+    }
+
+    /**
+     * Evaluates the dependencies
+     *
+     * @param dependency a dependency to compare
+     * @param nextDependency a dependency to compare
+     * @param dependenciesToRemove a set of dependencies that will be removed
+     * @return true if a dependency is removed; otherwise false
+     */
+    protected abstract boolean evaluateDependencies(final Dependency dependency,
+            final Dependency nextDependency, final Set<Dependency> dependenciesToRemove);
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractFileTypeAnalyzer.java

@@ -0,0 +1,143 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.exception.InitializationException;
+
+/**
+ * The base FileTypeAnalyzer that all analyzers that have specific file types
+ * they analyze should extend.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public abstract class AbstractFileTypeAnalyzer extends AbstractAnalyzer implements FileTypeAnalyzer {
+
+    //<editor-fold defaultstate="collapsed" desc="Field definitions, getters, and setters ">
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractFileTypeAnalyzer.class);
+    /**
+     * Whether the file type analyzer detected any files it needs to analyze.
+     */
+    private boolean filesMatched = false;
+
+    /**
+     * Set the value of filesMatched. A flag indicating whether the scan
+     * included any file types this analyzer supports.
+     *
+     * @param filesMatched new value of filesMatched
+     */
+    protected void setFilesMatched(boolean filesMatched) {
+        this.filesMatched = filesMatched;
+    }
+
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Final implementations for the Analyzer interface">
+    /**
+     * Initializes the analyzer.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
+     */
+    @Override
+    protected final void prepareAnalyzer(Engine engine) throws InitializationException {
+        if (filesMatched) {
+            prepareFileTypeAnalyzer(engine);
+        } else {
+            this.setEnabled(false);
+        }
+    }
+
+    //</editor-fold>
+    //<editor-fold defaultstate="collapsed" desc="Abstract methods children must implement">
+    /**
+     * <p>
+     * Returns the {@link java.io.FileFilter} used to determine which files are
+     * to be analyzed. An example would be an analyzer that inspected Java jar
+     * files. Implementors may use
+     * {@link org.owasp.dependencycheck.utils.FileFilterBuilder}.</p>
+     * <p>
+     * If the analyzer returns null it will not cause additional files to be
+     * analyzed, but will be executed against every file loaded.</p>
+     *
+     * @return the file filter used to determine which files are to be analyzed
+     */
+    protected abstract FileFilter getFileFilter();
+
+    /**
+     * Prepares the file type analyzer for dependency analysis.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
+     */
+    protected abstract void prepareFileTypeAnalyzer(Engine engine) throws InitializationException;
+
+    //</editor-fold>
+    /**
+     * Determines if the file can be analyzed by the analyzer.
+     *
+     * @param pathname the path to the file
+     * @return true if the file can be analyzed by the given analyzer; otherwise
+     * false
+     */
+    @Override
+    public boolean accept(File pathname) {
+        final FileFilter filter = getFileFilter();
+        boolean accepted = false;
+        if (null == filter) {
+            LOGGER.error("The '{}' analyzer is misconfigured and does not have a file filter; it will be disabled", getName());
+        } else if (this.isEnabled()) {
+            accepted = filter.accept(pathname);
+            if (accepted) {
+                filesMatched = true;
+            }
+        }
+        return accepted;
+    }
+
+    /**
+     * <p>
+     * Utility method to help in the creation of the extensions set. This
+     * constructs a new Set that can be used in a final static declaration.</p>
+     * <p>
+     * This implementation was copied from
+     * http://stackoverflow.com/questions/2041778/prepare-java-hashset-values-by-construction</p>
+     *
+     * @param strings a list of strings to add to the set.
+     * @return a Set of strings.
+     */
+    protected static Set<String> newHashSet(String... strings) {
+        final Set<String> set = new HashSet<>(strings.length);
+        Collections.addAll(set, strings);
+        return set;
+    }
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractNpmAnalyzer.java

@@ -0,0 +1,291 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2017 Steve Springett. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import java.io.File;
+import java.io.IOException;
+import java.util.Map;
+import javax.annotation.concurrent.ThreadSafe;
+import javax.json.Json;
+import javax.json.JsonArray;
+import javax.json.JsonObject;
+import javax.json.JsonObjectBuilder;
+import javax.json.JsonString;
+import javax.json.JsonValue;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.utils.Checksum;
+
+/**
+ * An abstract NPM analyzer that contains common methods for concrete
+ * implementations.
+ *
+ * @author Steve Springett
+ */
+@ThreadSafe
+public abstract class AbstractNpmAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * The logger.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractNpmAnalyzer.class);
+
+    /**
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
+     */
+    public static final String NPM_DEPENDENCY_ECOSYSTEM = "npm";
+    /**
+     * The file name to scan.
+     */
+    private static final String PACKAGE_JSON = "package.json";
+
+    /**
+     * Determines if the file can be analyzed by the analyzer.
+     *
+     * @param pathname the path to the file
+     * @return true if the file can be analyzed by the given analyzer; otherwise
+     * false
+     */
+    @Override
+    public boolean accept(File pathname) {
+        boolean accept = super.accept(pathname);
+        if (accept) {
+            try {
+                accept |= shouldProcess(pathname);
+            } catch (AnalysisException ex) {
+                throw new RuntimeException(ex.getMessage(), ex.getCause());
+            }
+        }
+
+        return accept;
+    }
+
+    /**
+     * Determines if the path contains "/node_modules/" (i.e. it is a child
+     * module. This analyzer does not scan child modules.
+     *
+     * @param pathname the path to test
+     * @return <code>true</code> if the path does not contain "/node_modules/"
+     * @throws AnalysisException thrown if the canonical path cannot be obtained
+     * from the given file
+     */
+    protected boolean shouldProcess(File pathname) throws AnalysisException {
+        try {
+            // Do not scan the node_modules directory
+            if (pathname.getCanonicalPath().contains(File.separator + "node_modules" + File.separator)) {
+                LOGGER.debug("Skipping analysis of node module: " + pathname.getCanonicalPath());
+                return false;
+            }
+        } catch (IOException ex) {
+            throw new AnalysisException("Unable to process dependency", ex);
+        }
+        return true;
+    }
+
+    /**
+     * Construct a dependency object.
+     *
+     * @param dependency the parent dependency
+     * @param name the name of the dependency to create
+     * @param version the version of the dependency to create
+     * @param scope the scope of the dependency being created
+     * @return the generated dependency
+     */
+    protected Dependency createDependency(Dependency dependency, String name, String version, String scope) {
+        final Dependency nodeModule = new Dependency(new File(dependency.getActualFile() + "?" + name), true);
+        nodeModule.setEcosystem(NPM_DEPENDENCY_ECOSYSTEM);
+        //this is virtual - the sha1 is purely for the hyperlink in the final html report
+        nodeModule.setSha1sum(Checksum.getSHA1Checksum(String.format("%s:%s", name, version)));
+        nodeModule.setMd5sum(Checksum.getMD5Checksum(String.format("%s:%s", name, version)));
+        nodeModule.addEvidence(EvidenceType.PRODUCT, "package.json", "name", name, Confidence.HIGHEST);
+        nodeModule.addEvidence(EvidenceType.VENDOR, "package.json", "name", name, Confidence.HIGH);
+        nodeModule.addEvidence(EvidenceType.VERSION, "package.json", "version", version, Confidence.HIGHEST);
+        nodeModule.addProjectReference(dependency.getName() + ": " + scope);
+        nodeModule.setName(name);
+        nodeModule.setVersion(version);
+        nodeModule.addIdentifier("npm", String.format("%s:%s", name, version), null, Confidence.HIGHEST);
+        return nodeModule;
+    }
+
+    /**
+     * Processes a part of package.json (as defined by JsonArray) and update the
+     * specified dependency with relevant info.
+     *
+     * @param engine the dependency-check engine
+     * @param dependency the Dependency to update
+     * @param jsonArray the jsonArray to parse
+     * @param depType the dependency type
+     */
+    protected void processPackage(Engine engine, Dependency dependency, JsonArray jsonArray, String depType) {
+        final JsonObjectBuilder builder = Json.createObjectBuilder();
+        for (JsonString str : jsonArray.getValuesAs(JsonString.class)) {
+            builder.add(str.toString(), "");
+        }
+        final JsonObject jsonObject = builder.build();
+        processPackage(engine, dependency, jsonObject, depType);
+    }
+
+    /**
+     * Processes a part of package.json (as defined by JsonObject) and update
+     * the specified dependency with relevant info.
+     *
+     * @param engine the dependency-check engine
+     * @param dependency the Dependency to update
+     * @param jsonObject the jsonObject to parse
+     * @param depType the dependency type
+     */
+    protected void processPackage(Engine engine, Dependency dependency, JsonObject jsonObject, String depType) {
+        for (int i = 0; i < jsonObject.size(); i++) {
+            for (Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
+
+                final String name = entry.getKey();
+                String version = "";
+                if (entry.getValue() != null && entry.getValue().getValueType() == JsonValue.ValueType.STRING) {
+                    version = ((JsonString) entry.getValue()).getString();
+                }
+                final Dependency existing = findDependency(engine, name, version);
+                if (existing == null) {
+                    final Dependency nodeModule = createDependency(dependency, name, version, depType);
+                    engine.addDependency(nodeModule);
+                } else {
+                    existing.addProjectReference(dependency.getName() + ": " + depType);
+                }
+            }
+        }
+    }
+
+    /**
+     * Adds information to an evidence collection from the node json
+     * configuration.
+     *
+     * @param dep the dependency to add the evidence
+     * @param t the type of evidence to add
+     * @param json information from node.js
+     * @return the actual string set into evidence
+     * @param key the key to obtain the data from the json information
+     */
+    private static String addToEvidence(Dependency dep, EvidenceType t, JsonObject json, String key) {
+        String evidenceStr = null;
+        if (json.containsKey(key)) {
+            final JsonValue value = json.get(key);
+            if (value instanceof JsonString) {
+                evidenceStr = ((JsonString) value).getString();
+                dep.addEvidence(t, PACKAGE_JSON, key, evidenceStr, Confidence.HIGHEST);
+            } else if (value instanceof JsonObject) {
+                final JsonObject jsonObject = (JsonObject) value;
+                for (final Map.Entry<String, JsonValue> entry : jsonObject.entrySet()) {
+                    final String property = entry.getKey();
+                    final JsonValue subValue = entry.getValue();
+                    if (subValue instanceof JsonString) {
+                        evidenceStr = ((JsonString) subValue).getString();
+                        dep.addEvidence(t, PACKAGE_JSON,
+                                String.format("%s.%s", key, property),
+                                evidenceStr,
+                                Confidence.HIGHEST);
+                    } else {
+                        LOGGER.warn("JSON sub-value not string as expected: {}", subValue);
+                    }
+                }
+            } else {
+                LOGGER.warn("JSON value not string or JSON object as expected: {}", value);
+            }
+        }
+        return evidenceStr;
+    }
+
+    /**
+     * Locates the dependency from the list of dependencies that have been
+     * scanned by the engine.
+     *
+     * @param engine the dependency-check engine
+     * @param name the name of the dependency to find
+     * @param version the version of the dependency to find
+     * @return the identified dependency; otherwise null
+     */
+    protected Dependency findDependency(Engine engine, String name, String version) {
+        for (Dependency d : engine.getDependencies()) {
+            if (NPM_DEPENDENCY_ECOSYSTEM.equals(d.getEcosystem()) && name.equals(d.getName()) && version != null && d.getVersion() != null) {
+                final String dependencyVersion = d.getVersion();
+                if (DependencyBundlingAnalyzer.npmVersionsMatch(version, dependencyVersion)) {
+                    return d;
+                }
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Collects evidence from the given JSON for the associated dependency.
+     *
+     * @param json the JSON that contains the evidence to collect
+     * @param dependency the dependency to add the evidence too
+     */
+    public void gatherEvidence(final JsonObject json, Dependency dependency) {
+        if (json.containsKey("name")) {
+            final Object value = json.get("name");
+            if (value instanceof JsonString) {
+                final String valueString = ((JsonString) value).getString();
+                dependency.setName(valueString);
+                dependency.setPackagePath(valueString);
+                dependency.addEvidence(EvidenceType.PRODUCT, PACKAGE_JSON, "name", valueString, Confidence.HIGHEST);
+                dependency.addEvidence(EvidenceType.VENDOR, PACKAGE_JSON, "name", valueString, Confidence.HIGH);
+            } else {
+                LOGGER.warn("JSON value not string as expected: {}", value);
+            }
+        }
+        final String desc = addToEvidence(dependency, EvidenceType.PRODUCT, json, "description");
+        dependency.setDescription(desc);
+        addToEvidence(dependency, EvidenceType.VENDOR, json, "author");
+        final String version = addToEvidence(dependency, EvidenceType.VERSION, json, "version");
+        if (version != null) {
+            dependency.setVersion(version);
+            dependency.addIdentifier("npm", String.format("%s:%s", dependency.getName(), version), null, Confidence.HIGHEST);
+        }
+
+        // Adds the license if defined in package.json
+        if (json.containsKey("license")) {
+            final Object value = json.get("license");
+            if (value instanceof JsonString) {
+                dependency.setLicense(json.getString("license"));
+            } else if (value instanceof JsonArray) {
+                final JsonArray array = (JsonArray) value;
+                final StringBuilder sb = new StringBuilder();
+                boolean addComma = false;
+                for (int x = 0; x < array.size(); x++) {
+                    if (!array.isNull(x)) {
+                        if (addComma) {
+                            sb.append(", ");
+                        } else {
+                            addComma = true;
+                        }
+                        sb.append(array.getString(x));
+                    }
+                }
+                dependency.setLicense(sb.toString());
+            } else {
+                dependency.setLicense(json.getJsonObject("license").getString("type"));
+            }
+        }
+    }
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AbstractSuppressionAnalyzer.java

@@ -0,0 +1,254 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2013 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.IOException;
+import java.io.InputStream;
+import java.net.MalformedURLException;
+import java.net.URL;
+import java.util.ArrayList;
+import java.util.List;
+import java.util.Set;
+import java.util.regex.Pattern;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParseException;
+import org.owasp.dependencycheck.xml.suppression.SuppressionParser;
+import org.owasp.dependencycheck.xml.suppression.SuppressionRule;
+import org.owasp.dependencycheck.utils.DownloadFailedException;
+import org.owasp.dependencycheck.utils.Downloader;
+import org.owasp.dependencycheck.utils.FileUtils;
+import org.owasp.dependencycheck.utils.Settings;
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+import org.xml.sax.SAXException;
+
+/**
+ * Abstract base suppression analyzer that contains methods for parsing the
+ * suppression XML file.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public abstract class AbstractSuppressionAnalyzer extends AbstractAnalyzer {
+
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractSuppressionAnalyzer.class);
+    /**
+     * The list of suppression rules.
+     */
+    private List<SuppressionRule> rules = new ArrayList<>();
+
+    /**
+     * Get the number of suppression rules.
+     *
+     * @return the number of suppression rules
+     */
+    protected int getRuleCount() {
+        return rules.size();
+    }
+
+    /**
+     * Returns a list of file EXTENSIONS supported by this analyzer.
+     *
+     * @return a list of file EXTENSIONS supported by this analyzer.
+     */
+    public Set<String> getSupportedExtensions() {
+        return null;
+    }
+
+    /**
+     * The prepare method loads the suppression XML file.
+     *
+     * @param engine a reference the dependency-check engine
+     * @throws InitializationException thrown if there is an exception
+     */
+    @Override
+    public synchronized void prepareAnalyzer(Engine engine) throws InitializationException {
+        if (rules.isEmpty()) {
+            try {
+                loadSuppressionBaseData();
+            } catch (SuppressionParseException ex) {
+                throw new InitializationException("Error initializing the suppression analyzer: " + ex.getLocalizedMessage(), ex, true);
+            }
+
+            try {
+                loadSuppressionData();
+            } catch (SuppressionParseException ex) {
+                throw new InitializationException("Warn initializing the suppression analyzer: " + ex.getLocalizedMessage(), ex, false);
+            }
+        }
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        if (rules.isEmpty()) {
+            return;
+        }
+        for (final SuppressionRule rule : rules) {
+            rule.process(dependency);
+        }
+    }
+
+    /**
+     * Loads all the suppression rules files configured in the {@link Settings}.
+     *
+     * @throws SuppressionParseException thrown if the XML cannot be parsed.
+     */
+    private void loadSuppressionData() throws SuppressionParseException {
+        final List<SuppressionRule> ruleList = new ArrayList<>();
+        final SuppressionParser parser = new SuppressionParser();
+        final String[] suppressionFilePaths = getSettings().getArray(Settings.KEYS.SUPPRESSION_FILE);
+        final List<String> failedLoadingFiles = new ArrayList<>();
+        if (suppressionFilePaths != null && suppressionFilePaths.length > 0) {
+            // Load all the suppression file paths
+            for (final String suppressionFilePath : suppressionFilePaths) {
+                try {
+                    ruleList.addAll(loadSuppressionFile(parser, suppressionFilePath));
+                } catch (SuppressionParseException ex) {
+                    final String msg = String.format("Failed to load %s, caused by %s. ", suppressionFilePath, ex.getMessage());
+                    failedLoadingFiles.add(msg);
+                }
+            }
+        }
+        LOGGER.debug("{} suppression rules were loaded.", ruleList.size());
+        rules.addAll(ruleList);
+        if (!failedLoadingFiles.isEmpty()) {
+            LOGGER.debug("{} suppression files failed to load.", failedLoadingFiles.size());
+            final StringBuilder sb = new StringBuilder();
+            for (String item : failedLoadingFiles) {
+                sb.append(item);
+            }
+            throw new SuppressionParseException(sb.toString());
+        }
+    }
+
+    /**
+     * Loads all the base suppression rules files.
+     *
+     * @throws SuppressionParseException thrown if the XML cannot be parsed.
+     */
+    private void loadSuppressionBaseData() throws SuppressionParseException {
+        final SuppressionParser parser = new SuppressionParser();
+        List<SuppressionRule> ruleList;
+        try {
+            final InputStream in = FileUtils.getResourceAsStream("dependencycheck-base-suppression.xml");
+            ruleList = parser.parseSuppressionRules(in);
+        } catch (SAXException ex) {
+            throw new SuppressionParseException("Unable to parse the base suppression data file", ex);
+        }
+        rules.addAll(ruleList);
+    }
+
+    /**
+     * Load a single suppression rules file from the path provided using the
+     * parser provided.
+     *
+     * @param parser the parser to use for loading the file
+     * @param suppressionFilePath the path to load
+     * @return the list of loaded suppression rules
+     * @throws SuppressionParseException thrown if the suppression file cannot
+     * be loaded and parsed.
+     */
+    private List<SuppressionRule> loadSuppressionFile(final SuppressionParser parser,
+            final String suppressionFilePath) throws SuppressionParseException {
+        LOGGER.debug("Loading suppression rules from '{}'", suppressionFilePath);
+        final List<SuppressionRule> list = new ArrayList<>();
+        File file = null;
+        boolean deleteTempFile = false;
+        try {
+            final Pattern uriRx = Pattern.compile("^(https?|file)\\:.*", Pattern.CASE_INSENSITIVE);
+            if (uriRx.matcher(suppressionFilePath).matches()) {
+                deleteTempFile = true;
+                file = getSettings().getTempFile("suppression", "xml");
+                final URL url = new URL(suppressionFilePath);
+                final Downloader downloader = new Downloader(getSettings());
+                try {
+                    downloader.fetchFile(url, file, false);
+                } catch (DownloadFailedException ex) {
+                    LOGGER.trace("Failed download - first attempt", ex);
+                    downloader.fetchFile(url, file, true);
+                }
+            } else {
+                file = new File(suppressionFilePath);
+
+                if (!file.exists()) {
+                    try (InputStream suppressionsFromClasspath = FileUtils.getResourceAsStream(suppressionFilePath)) {
+                        if (suppressionsFromClasspath != null) {
+                            deleteTempFile = true;
+                            file = getSettings().getTempFile("suppression", "xml");
+                            try {
+                                org.apache.commons.io.FileUtils.copyInputStreamToFile(suppressionsFromClasspath, file);
+                            } catch (IOException ex) {
+                                throwSuppressionParseException("Unable to locate suppressions file in classpath", ex, suppressionFilePath);
+                            }
+                        }
+                    }
+                }
+            }
+            if (file != null) {
+                if (!file.exists()) {
+                    final String msg = String.format("Suppression file '%s' does not exist", file.getPath());
+                    LOGGER.warn(msg);
+                    throw new SuppressionParseException(msg);
+                }
+                try {
+                    list.addAll(parser.parseSuppressionRules(file));
+                } catch (SuppressionParseException ex) {
+                    LOGGER.warn("Unable to parse suppression xml file '{}'", file.getPath());
+                    LOGGER.warn(ex.getMessage());
+                    throw ex;
+                }
+            }
+        } catch (DownloadFailedException ex) {
+            throwSuppressionParseException("Unable to fetch the configured suppression file", ex, suppressionFilePath);
+        } catch (MalformedURLException ex) {
+            throwSuppressionParseException("Configured suppression file has an invalid URL", ex, suppressionFilePath);
+        } catch (SuppressionParseException ex) {
+            throw ex;
+        } catch (IOException ex) {
+            throwSuppressionParseException("Unable to create temp file for suppressions", ex, suppressionFilePath);
+        } finally {
+            if (deleteTempFile && file != null) {
+                FileUtils.delete(file);
+            }
+        }
+        return list;
+    }
+
+    /**
+     * Utility method to throw parse exceptions.
+     *
+     * @param message the exception message
+     * @param exception the cause of the exception
+     * @param suppressionFilePath the path file
+     * @throws SuppressionParseException throws the generated
+     * SuppressionParseException
+     */
+    private void throwSuppressionParseException(String message, Exception exception, String suppressionFilePath) throws SuppressionParseException {
+        LOGGER.warn(String.format(message + "'%s'", suppressionFilePath));
+        LOGGER.debug("", exception);
+        throw new SuppressionParseException(message, exception);
+    }
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AnalysisPhase.java

@@ -36,6 +36,10 @@ public enum AnalysisPhase {
      * Information collection phase.
      */
     INFORMATION_COLLECTION,
+    /**
+     * Post information collection phase.
+     */
+    POST_INFORMATION_COLLECTION,
     /**
      * Pre identifier analysis phase.
      */

core/src/main/java/org/owasp/dependencycheck/analyzer/Analyzer.java

@@ -0,0 +1,115 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * <p>
+ * An interface that defines an Analyzer that is used to identify Dependencies.
+ * An analyzer will collect information about the dependency in the form of
+ * Evidence.</p>
+ * <p>
+ * When the {@link org.owasp.dependencycheck.Engine} executes it will load the
+ * analyzers and call the methods in the following order:</p>
+ * <ol>
+ * <li>{@link #initialize(org.owasp.dependencycheck.utils.Settings)}</li>
+ * <li>{@link #prepare(org.owasp.dependencycheck.Engine)}</li>
+ * <li>{@link #analyze(org.owasp.dependencycheck.dependency.Dependency, org.owasp.dependencycheck.Engine)}</li>
+ * <li>{@link #close()}</li>
+ * </ol>
+ *
+ * @author Jeremy Long
+ */
+public interface Analyzer {
+
+    /**
+     * Analyzes the given dependency. The analysis could be anything from
+     * identifying an Identifier for the dependency, to finding vulnerabilities,
+     * etc. Additionally, if the analyzer collects enough information to add a
+     * description or license information for the dependency it should be added.
+     *
+     * @param dependency a dependency to analyze.
+     * @param engine the engine that is scanning the dependencies - this is
+     * useful if we need to check other dependencies
+     * @throws AnalysisException is thrown if there is an error analyzing the
+     * dependency file
+     */
+    void analyze(Dependency dependency, Engine engine) throws AnalysisException;
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    String getName();
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    AnalysisPhase getAnalysisPhase();
+
+    /**
+     * Initializes the analyzer with the configured settings.
+     *
+     * @param settings the configured settings
+     */
+    void initialize(Settings settings);
+
+    /**
+     * The prepare method is called (once) prior to the analyze method being
+     * called on all of the dependencies.
+     *
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException is thrown if an exception occurs
+     * initializing the analyzer.
+     */
+    void prepare(Engine engine) throws InitializationException;
+
+    /**
+     * The close method is called after all of the dependencies have been
+     * analyzed.
+     *
+     * @throws Exception is thrown if an exception occurs closing the analyzer.
+     */
+    void close() throws Exception;
+
+    /**
+     * Returns whether multiple instances of the same type of analyzer can run
+     * in parallel. Note that running analyzers of different types in parallel
+     * is not supported at all.
+     *
+     * @return {@code true} if the analyzer supports parallel processing,
+     * {@code false} else
+     */
+    boolean supportsParallelProcessing();
+
+    /**
+     * Get the value of enabled.
+     *
+     * @return the value of enabled
+     */
+    boolean isEnabled();
+
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/AnalyzerService.java

@@ -0,0 +1,120 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2012 Jeremy Long. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.util.ArrayList;
+import org.slf4j.LoggerFactory;
+
+import static java.util.Arrays.asList;
+import java.util.Iterator;
+import java.util.List;
+import java.util.ServiceLoader;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.utils.InvalidSettingException;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * The Analyzer Service Loader. This class loads all services that implement
+ * {@link org.owasp.dependencycheck.analyzer.Analyzer}.
+ *
+ * @author Jeremy Long
+ */
+@ThreadSafe
+public class AnalyzerService {
+
+    /**
+     * The Logger for use throughout the class.
+     */
+    private static final org.slf4j.Logger LOGGER = LoggerFactory.getLogger(AnalyzerService.class);
+
+    /**
+     * The service loader for analyzers.
+     */
+    private final ServiceLoader<Analyzer> service;
+    /**
+     * The configured settings.
+     */
+    private final Settings settings;
+
+    /**
+     * Creates a new instance of AnalyzerService.
+     *
+     * @param classLoader the ClassLoader to use when dynamically loading
+     * Analyzer and Update services
+     * @param settings the configured settings
+     */
+    public AnalyzerService(ClassLoader classLoader, Settings settings) {
+        service = ServiceLoader.load(Analyzer.class, classLoader);
+        this.settings = settings;
+    }
+
+    /**
+     * Returns a list of all instances of the Analyzer interface.
+     *
+     * @return a list of Analyzers.
+     */
+    public List<Analyzer> getAnalyzers() {
+        return getAnalyzers(AnalysisPhase.values());
+    }
+
+    /**
+     * Returns a list of all instances of the Analyzer interface that are bound
+     * to one of the given phases.
+     *
+     * @param phases the phases to obtain analyzers for
+     * @return a list of Analyzers.
+     */
+    public List<Analyzer> getAnalyzers(AnalysisPhase... phases) {
+        return getAnalyzers(asList(phases));
+    }
+
+    /**
+     * Returns a list of all instances of the Analyzer interface that are bound
+     * to one of the given phases.
+     *
+     * @param phases the phases to obtain analyzers for
+     * @return a list of Analyzers
+     */
+    private List<Analyzer> getAnalyzers(List<AnalysisPhase> phases) {
+        final List<Analyzer> analyzers = new ArrayList<>();
+        final Iterator<Analyzer> iterator = service.iterator();
+        boolean experimentalEnabled = false;
+        boolean retiredEnabled = false;
+        try {
+            experimentalEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_EXPERIMENTAL_ENABLED, false);
+            retiredEnabled = settings.getBoolean(Settings.KEYS.ANALYZER_RETIRED_ENABLED, false);
+        } catch (InvalidSettingException ex) {
+            LOGGER.error("invalid experimental or retired setting", ex);
+        }
+        while (iterator.hasNext()) {
+            final Analyzer a = iterator.next();
+            if (!phases.contains(a.getAnalysisPhase())) {
+                continue;
+            }
+            if (!experimentalEnabled && a.getClass().isAnnotationPresent(Experimental.class)) {
+                continue;
+            }
+            if (!retiredEnabled && a.getClass().isAnnotationPresent(Retired.class)) {
+                continue;
+            }
+            LOGGER.debug("Loaded Analyzer {}", a.getName());
+            analyzers.add(a);
+        }
+        return analyzers;
+    }
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzer.java

@@ -18,19 +18,18 @@
 package org.owasp.dependencycheck.analyzer;
 
 import java.io.BufferedInputStream;
-import java.io.Closeable;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
-import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Enumeration;
-import java.util.HashSet;
 import java.util.List;
 import java.util.Set;
+import java.util.concurrent.atomic.AtomicInteger;
+import javax.annotation.concurrent.ThreadSafe;
 
 import org.apache.commons.compress.archivers.ArchiveEntry;
 import org.apache.commons.compress.archivers.ArchiveInputStream;
@@ -49,6 +48,7 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.analyzer.exception.ArchiveExtractionException;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
@@ -58,11 +58,12 @@ import org.slf4j.LoggerFactory;
 
 /**
  * <p>
- * An analyzer that extracts files from archives and ensures any supported files contained within the archive are added to the
- * dependency list.</p>
+ * An analyzer that extracts files from archives and ensures any supported files
+ * contained within the archive are added to the dependency list.</p>
  *
  * @author Jeremy Long
  */
+@ThreadSafe
 public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
@@ -70,21 +71,44 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static final Logger LOGGER = LoggerFactory.getLogger(ArchiveAnalyzer.class);
     /**
-     * The count of directories created during analysis. This is used for creating temporary directories.
+     * The count of directories created during analysis. This is used for
+     * creating temporary directories.
      */
-    private static int dirCount = 0;
+    private static final AtomicInteger DIRECTORY_COUNT = new AtomicInteger(0);
     /**
      * The parent directory for the individual directories per archive.
      */
     private File tempFileLocation = null;
     /**
-     * The max scan depth that the analyzer will recursively extract nested archives.
+     * The max scan depth that the analyzer will recursively extract nested
+     * archives.
      */
-    private static final int MAX_SCAN_DEPTH = Settings.getInt("archive.scan.depth", 3);
+    private int maxScanDepth;
     /**
-     * Tracks the current scan/extraction depth for nested archives.
+     * The file filter used to filter supported files.
      */
-    private int scanDepth = 0;
+    private FileFilter fileFilter = null;
+    /**
+     * The set of things we can handle with Zip methods
+     */
+    private static final Set<String> KNOWN_ZIP_EXT = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
+    /**
+     * The set of file extensions supported by this analyzer. Note for
+     * developers, any additions to this list will need to be explicitly handled
+     * in {@link #extractFiles(File, File, Engine)}.
+     */
+    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
+
+    /**
+     * Detects files with extensions to remove from the engine's collection of
+     * dependencies.
+     */
+    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance()
+            .addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2").build();
+    /**
+     * Detects files with .zip extension.
+     */
+    private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
 
     //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
@@ -95,46 +119,23 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * The phase that this analyzer is intended to run in.
      */
     private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INITIAL;
-    /**
-     * The set of things we can handle with Zip methods
-     */
-    private static final Set<String> ZIPPABLES = newHashSet("zip", "ear", "war", "jar", "sar", "apk", "nupkg");
-    /**
-     * The set of file extensions supported by this analyzer. Note for developers, any additions to this list will need to be
-     * explicitly handled in {@link #extractFiles(File, File, Engine)}.
-     */
-    private static final Set<String> EXTENSIONS = newHashSet("tar", "gz", "tgz", "bz2", "tbz2");
 
     /**
-     * Detects files with extensions to remove from the engine's collection of dependencies.
+     * Initializes the analyzer with the configured settings.
+     *
+     * @param settings the configured settings to use
      */
-    private static final FileFilter REMOVE_FROM_ANALYSIS = FileFilterBuilder.newInstance().addExtensions("zip", "tar", "gz", "tgz", "bz2", "tbz2")
-            .build();
-
-    static {
-        final String additionalZipExt = Settings.getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
-        if (additionalZipExt != null) {
-            final String[] ext = additionalZipExt.split("\\s*,\\s*");
-            Collections.addAll(ZIPPABLES, ext);
-        }
-        EXTENSIONS.addAll(ZIPPABLES);
+    @Override
+    public void initialize(Settings settings) {
+        super.initialize(settings);
+        initializeSettings();
     }
 
-    /**
-     * The file filter used to filter supported files.
-     */
-    private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
-
     @Override
     protected FileFilter getFileFilter() {
-        return FILTER;
+        return fileFilter;
     }
 
-    /**
-     * Detects files with .zip extension.
-     */
-    private static final FileFilter ZIP_FILTER = FileFilterBuilder.newInstance().addExtensions("zip").build();
-
     /**
      * Returns the name of the analyzer.
      *
@@ -157,7 +158,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     //</editor-fold>
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -167,89 +169,133 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * The initialize method does nothing for this Analyzer.
+     * The prepare method does nothing for this Analyzer.
      *
-     * @throws Exception is thrown if there is an exception deleting or creating temporary files
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException is thrown if there is an exception
+     * deleting or creating temporary files
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
-        final File baseDir = Settings.getTempDirectory();
-        tempFileLocation = File.createTempFile("check", "tmp", baseDir);
-        if (!tempFileLocation.delete()) {
-            final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
-        }
-        if (!tempFileLocation.mkdirs()) {
-            final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
-            throw new AnalysisException(msg);
+    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
+        try {
+            final File baseDir = getSettings().getTempDirectory();
+            tempFileLocation = File.createTempFile("check", "tmp", baseDir);
+            if (!tempFileLocation.delete()) {
+                setEnabled(false);
+                final String msg = String.format("Unable to delete temporary file '%s'.", tempFileLocation.getAbsolutePath());
+                throw new InitializationException(msg);
+            }
+            if (!tempFileLocation.mkdirs()) {
+                setEnabled(false);
+                final String msg = String.format("Unable to create directory '%s'.", tempFileLocation.getAbsolutePath());
+                throw new InitializationException(msg);
+            }
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create a temporary file", ex);
         }
     }
 
     /**
-     * The close method deletes any temporary files and directories created during analysis.
+     * The close method deletes any temporary files and directories created
+     * during analysis.
      *
-     * @throws Exception thrown if there is an exception deleting temporary files
+     * @throws Exception thrown if there is an exception deleting temporary
+     * files
      */
     @Override
-    public void close() throws Exception {
+    public void closeAnalyzer() throws Exception {
         if (tempFileLocation != null && tempFileLocation.exists()) {
-            LOGGER.debug("Attempting to delete temporary files");
+            LOGGER.debug("Attempting to delete temporary files from `{}`", tempFileLocation.toString());
             final boolean success = FileUtils.delete(tempFileLocation);
             if (!success && tempFileLocation.exists()) {
                 final String[] l = tempFileLocation.list();
                 if (l != null && l.length > 0) {
-                    LOGGER.warn("Failed to delete some temporary files, see the log for more details");
+                    LOGGER.warn("Failed to delete the Archive Analyzer's temporary files from `{}`, "
+                            + "see the log for more details", tempFileLocation.toString());
                 }
             }
         }
     }
 
     /**
-     * Analyzes a given dependency. If the dependency is an archive, such as a WAR or EAR, the contents are extracted, scanned,
-     * and added to the list of dependencies within the engine.
+     * Analyzes a given dependency. If the dependency is an archive, such as a
+     * WAR or EAR, the contents are extracted, scanned, and added to the list of
+     * dependencies within the engine.
      *
      * @param dependency the dependency to analyze
      * @param engine the engine scanning
      * @throws AnalysisException thrown if there is an analysis exception
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        extractAndAnalyze(dependency, engine, 0);
+        engine.sortDependencies();
+    }
+
+    /**
+     * Extracts the contents of the archive dependency and scans for additional
+     * dependencies.
+     *
+     * @param dependency the dependency being analyzed
+     * @param engine the engine doing the analysis
+     * @param scanDepth the current scan depth; extracctAndAnalyze is recursive
+     * and will, be default, only go 3 levels deep
+     * @throws AnalysisException thrown if there is a problem analyzing the
+     * dependencies
+     */
+    private void extractAndAnalyze(Dependency dependency, Engine engine, int scanDepth) throws AnalysisException {
         final File f = new File(dependency.getActualFilePath());
         final File tmpDir = getNextTempDirectory();
         extractFiles(f, tmpDir, engine);
 
         //make a copy
-        final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
-        if (!dependencySet.isEmpty()) {
-            for (Dependency d : dependencySet) {
-                //fix the dependency's display name and path
-                final String displayPath = String.format("%s%s",
-                        dependency.getFilePath(),
-                        d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
-                final String displayName = String.format("%s: %s",
-                        dependency.getFileName(),
-                        d.getFileName());
-                d.setFilePath(displayPath);
-                d.setFileName(displayName);
+        final List<Dependency> dependencySet = findMoreDependencies(engine, tmpDir);
 
-                //TODO - can we get more evidence from the parent? EAR contains module name, etc.
-                //analyze the dependency (i.e. extract files) if it is a supported type.
-                if (this.accept(d.getActualFile()) && scanDepth < MAX_SCAN_DEPTH) {
-                    scanDepth += 1;
-                    analyze(d, engine);
-                    scanDepth -= 1;
+        if (dependencySet != null && !dependencySet.isEmpty()) {
+            for (Dependency d : dependencySet) {
+                if (d.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
+                    //fix the dependency's display name and path
+                    final String displayPath = String.format("%s%s",
+                            dependency.getFilePath(),
+                            d.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                    final String displayName = String.format("%s: %s",
+                            dependency.getFileName(),
+                            d.getFileName());
+                    d.setFilePath(displayPath);
+                    d.setFileName(displayName);
+                    d.addAllProjectReferences(dependency.getProjectReferences());
+
+                    //TODO - can we get more evidence from the parent? EAR contains module name, etc.
+                    //analyze the dependency (i.e. extract files) if it is a supported type.
+                    if (this.accept(d.getActualFile()) && scanDepth < maxScanDepth) {
+                        extractAndAnalyze(d, engine, scanDepth + 1);
+                    }
+                } else {
+                    for (Dependency sub : dependencySet) {
+                        if (sub.getFilePath().startsWith(tmpDir.getAbsolutePath())) {
+                            final String displayPath = String.format("%s%s",
+                                    dependency.getFilePath(),
+                                    sub.getActualFilePath().substring(tmpDir.getAbsolutePath().length()));
+                            final String displayName = String.format("%s: %s",
+                                    dependency.getFileName(),
+                                    sub.getFileName());
+                            sub.setFilePath(displayPath);
+                            sub.setFileName(displayName);
+                        }
+                    }
                 }
             }
         }
         if (REMOVE_FROM_ANALYSIS.accept(dependency.getActualFile())) {
             addDisguisedJarsToDependencies(dependency, engine);
-            engine.getDependencies().remove(dependency);
+            engine.removeDependency(dependency);
         }
-        Collections.sort(engine.getDependencies());
     }
 
     /**
-     * If a zip file was identified as a possible JAR, this method will add the zip to the list of dependencies.
+     * If a zip file was identified as a possible JAR, this method will add the
+     * zip to the list of dependencies.
      *
      * @param dependency the zip file
      * @param engine the engine
@@ -257,34 +303,41 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private void addDisguisedJarsToDependencies(Dependency dependency, Engine engine) throws AnalysisException {
         if (ZIP_FILTER.accept(dependency.getActualFile()) && isZipFileActuallyJarFile(dependency)) {
-            final File tdir = getNextTempDirectory();
+            final File tempDir = getNextTempDirectory();
             final String fileName = dependency.getFileName();
 
             LOGGER.info("The zip file '{}' appears to be a JAR file, making a copy and analyzing it as a JAR.", fileName);
-
-            final File tmpLoc = new File(tdir, fileName.substring(0, fileName.length() - 3) + "jar");
+            final File tmpLoc = new File(tempDir, fileName.substring(0, fileName.length() - 3) + "jar");
+            //store the archives sha1 and change it so that the engine doesn't think the zip and jar file are the same
+            // and add it is a related dependency.
+            final String archiveSha1 = dependency.getSha1sum();
             try {
-                org.apache.commons.io.FileUtils.copyFile(tdir, tmpLoc);
-                final Set<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
-                if (!dependencySet.isEmpty()) {
-                    if (dependencySet.size() != 1) {
-                        LOGGER.info("Deep copy of ZIP to JAR file resulted in more than one dependency?");
-                    }
+                dependency.setSha1sum("");
+                org.apache.commons.io.FileUtils.copyFile(dependency.getActualFile(), tmpLoc);
+                final List<Dependency> dependencySet = findMoreDependencies(engine, tmpLoc);
+                if (dependencySet != null && !dependencySet.isEmpty()) {
                     for (Dependency d : dependencySet) {
                         //fix the dependency's display name and path
-                        d.setFilePath(dependency.getFilePath());
-                        d.setDisplayFileName(dependency.getFileName());
+                        if (d.getActualFile().equals(tmpLoc)) {
+                            d.setFilePath(dependency.getFilePath());
+                            d.setDisplayFileName(dependency.getFileName());
+                        } else {
+                            for (Dependency sub : d.getRelatedDependencies()) {
+                                if (sub.getActualFile().equals(tmpLoc)) {
+                                    sub.setFilePath(dependency.getFilePath());
+                                    sub.setDisplayFileName(dependency.getFileName());
+                                }
+                            }
+                        }
                     }
                 }
             } catch (IOException ex) {
                 LOGGER.debug("Unable to perform deep copy on '{}'", dependency.getActualFile().getPath(), ex);
+            } finally {
+                dependency.setSha1sum(archiveSha1);
             }
         }
     }
-    /**
-     * An empty dependency set.
-     */
-    private static final Set<Dependency> EMPTY_DEPENDENCY_SET = Collections.emptySet();
 
     /**
      * Scan the given file/folder, and return any new dependencies found.
@@ -293,20 +346,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @param file target of scanning
      * @return any dependencies that weren't known to the engine before
      */
-    private static Set<Dependency> findMoreDependencies(Engine engine, File file) {
-        final List<Dependency> before = new ArrayList<Dependency>(engine.getDependencies());
-        engine.scan(file);
-        final List<Dependency> after = engine.getDependencies();
-        final boolean sizeChanged = before.size() != after.size();
-        final Set<Dependency> newDependencies;
-        if (sizeChanged) {
-            //get the new dependencies
-            newDependencies = new HashSet<Dependency>(after);
-            newDependencies.removeAll(before);
-        } else {
-            newDependencies = EMPTY_DEPENDENCY_SET;
-        }
-        return newDependencies;
+    private static List<Dependency> findMoreDependencies(Engine engine, File file) {
+        return engine.scan(file);
     }
 
     /**
@@ -316,8 +357,7 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException thrown if unable to create temporary directory
      */
     private File getNextTempDirectory() throws AnalysisException {
-        dirCount += 1;
-        final File directory = new File(tempFileLocation, String.valueOf(dirCount));
+        final File directory = new File(tempFileLocation, String.valueOf(DIRECTORY_COUNT.incrementAndGet()));
         //getting an exception for some directories not being able to be created; might be because the directory already exists?
         if (directory.exists()) {
             return getNextTempDirectory();
@@ -339,30 +379,50 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private void extractFiles(File archive, File destination, Engine engine) throws AnalysisException {
         if (archive != null && destination != null) {
-            FileInputStream fis;
+            String archiveExt = FileUtils.getFileExtension(archive.getName());
+            if (archiveExt == null) {
+                return;
+            }
+            archiveExt = archiveExt.toLowerCase();
+
+            final FileInputStream fis;
             try {
                 fis = new FileInputStream(archive);
             } catch (FileNotFoundException ex) {
-                LOGGER.debug("", ex);
-                throw new AnalysisException("Archive file was not found.", ex);
+                final String msg = String.format("Error extracting file `%s`: %s", archive.getAbsolutePath(), ex.getMessage());
+                LOGGER.debug(msg, ex);
+                throw new AnalysisException(msg);
             }
-            final String archiveExt = FileUtils.getFileExtension(archive.getName()).toLowerCase();
+            BufferedInputStream in = null;
+            ZipArchiveInputStream zin = null;
+            TarArchiveInputStream tin = null;
+            GzipCompressorInputStream gin = null;
+            BZip2CompressorInputStream bzin = null;
             try {
-                if (ZIPPABLES.contains(archiveExt)) {
-                    extractArchive(new ZipArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+                if (KNOWN_ZIP_EXT.contains(archiveExt)) {
+                    in = new BufferedInputStream(fis);
+                    ensureReadableJar(archiveExt, in);
+                    zin = new ZipArchiveInputStream(in);
+                    extractArchive(zin, destination, engine);
                 } else if ("tar".equals(archiveExt)) {
-                    extractArchive(new TarArchiveInputStream(new BufferedInputStream(fis)), destination, engine);
+                    in = new BufferedInputStream(fis);
+                    tin = new TarArchiveInputStream(in);
+                    extractArchive(tin, destination, engine);
                 } else if ("gz".equals(archiveExt) || "tgz".equals(archiveExt)) {
                     final String uncompressedName = GzipUtils.getUncompressedFilename(archive.getName());
                     final File f = new File(destination, uncompressedName);
                     if (engine.accept(f)) {
-                        decompressFile(new GzipCompressorInputStream(new BufferedInputStream(fis)), f);
+                        in = new BufferedInputStream(fis);
+                        gin = new GzipCompressorInputStream(in);
+                        decompressFile(gin, f);
                     }
                 } else if ("bz2".equals(archiveExt) || "tbz2".equals(archiveExt)) {
                     final String uncompressedName = BZip2Utils.getUncompressedFilename(archive.getName());
                     final File f = new File(destination, uncompressedName);
                     if (engine.accept(f)) {
-                        decompressFile(new BZip2CompressorInputStream(new BufferedInputStream(fis)), f);
+                        in = new BufferedInputStream(fis);
+                        bzin = new BZip2CompressorInputStream(in);
+                        decompressFile(bzin, f);
                     }
                 }
             } catch (ArchiveExtractionException ex) {
@@ -372,7 +432,70 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                 LOGGER.warn("Exception reading archive '{}'.", archive.getName());
                 LOGGER.debug("", ex);
             } finally {
-                close(fis);
+                //overly verbose and not needed... but keeping it anyway due to
+                //having issue with file handles being left open
+                FileUtils.close(fis);
+                FileUtils.close(in);
+                FileUtils.close(zin);
+                FileUtils.close(tin);
+                FileUtils.close(gin);
+                FileUtils.close(bzin);
+            }
+        }
+    }
+
+    /**
+     * Checks if the file being scanned is a JAR that begins with '#!/bin' which
+     * indicates it is a fully executable jar. If a fully executable JAR is
+     * identified the input stream will be advanced to the start of the actual
+     * JAR file ( skipping the script).
+     *
+     * @see
+     * <a href="http://docs.spring.io/spring-boot/docs/1.3.0.BUILD-SNAPSHOT/reference/htmlsingle/#deployment-install">Installing
+     * Spring Boot Applications</a>
+     * @param archiveExt the file extension
+     * @param in the input stream
+     * @throws IOException thrown if there is an error reading the stream
+     */
+    private void ensureReadableJar(final String archiveExt, BufferedInputStream in) throws IOException {
+        if ("jar".equals(archiveExt) && in.markSupported()) {
+            in.mark(7);
+            final byte[] b = new byte[7];
+            final int read = in.read(b);
+            if (read == 7
+                    && b[0] == '#'
+                    && b[1] == '!'
+                    && b[2] == '/'
+                    && b[3] == 'b'
+                    && b[4] == 'i'
+                    && b[5] == 'n'
+                    && b[6] == '/') {
+                boolean stillLooking = true;
+                int chr;
+                int nxtChr;
+                //CSOFF: InnerAssignment
+                //CSOFF: NestedIfDepth
+                while (stillLooking && (chr = in.read()) != -1) {
+                    if (chr == '\n' || chr == '\r') {
+                        in.mark(4);
+                        if ((chr = in.read()) != -1) {
+                            if (chr == 'P' && (chr = in.read()) != -1) {
+                                if (chr == 'K' && (chr = in.read()) != -1) {
+                                    if ((chr == 3 || chr == 5 || chr == 7) && (nxtChr = in.read()) != -1) {
+                                        if (nxtChr == chr + 1) {
+                                            stillLooking = false;
+                                            in.reset();
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                //CSON: InnerAssignment
+                //CSON: NestedIfDepth
+            } else {
+                in.reset();
             }
         }
     }
@@ -383,7 +506,8 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      * @param input the archive to extract files from
      * @param destination the location to write the files too
      * @param engine the dependency-check engine
-     * @throws ArchiveExtractionException thrown if there is an exception extracting files from the archive
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * extracting files from the archive
      */
     private void extractArchive(ArchiveInputStream input, File destination, Engine engine) throws ArchiveExtractionException {
         ArchiveEntry entry;
@@ -399,10 +523,10 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
                     extractAcceptedFile(input, file);
                 }
             }
-        } catch (Throwable ex) {
+        } catch (IOException | AnalysisException ex) {
             throw new ArchiveExtractionException(ex);
         } finally {
-            close(input);
+            FileUtils.close(input);
         }
     }
 
@@ -415,14 +539,12 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private static void extractAcceptedFile(ArchiveInputStream input, File file) throws AnalysisException {
         LOGGER.debug("Extracting '{}'", file.getPath());
-        FileOutputStream fos = null;
-        try {
-            final File parent = file.getParentFile();
-            if (!parent.isDirectory() && !parent.mkdirs()) {
-                final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
-                throw new AnalysisException(msg);
-            }
-            fos = new FileOutputStream(file);
+        final File parent = file.getParentFile();
+        if (!parent.isDirectory() && !parent.mkdirs()) {
+            final String msg = String.format("Unable to build directory '%s'.", parent.getAbsolutePath());
+            throw new AnalysisException(msg);
+        }
+        try (FileOutputStream fos = new FileOutputStream(file)) {
             IOUtils.copy(input, fos);
         } catch (FileNotFoundException ex) {
             LOGGER.debug("", ex);
@@ -432,8 +554,6 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
             LOGGER.debug("", ex);
             final String msg = String.format("IO Exception while parsing file '%s'.", file.getName());
             throw new AnalysisException(msg, ex);
-        } finally {
-            close(fos);
         }
     }
 
@@ -442,37 +562,16 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @param inputStream the compressed file
      * @param outputFile the location to write the decompressed file
-     * @throws ArchiveExtractionException thrown if there is an exception decompressing the file
+     * @throws ArchiveExtractionException thrown if there is an exception
+     * decompressing the file
      */
     private void decompressFile(CompressorInputStream inputStream, File outputFile) throws ArchiveExtractionException {
         LOGGER.debug("Decompressing '{}'", outputFile.getPath());
-        FileOutputStream out = null;
-        try {
-            out = new FileOutputStream(outputFile);
+        try (FileOutputStream out = new FileOutputStream(outputFile)) {
             IOUtils.copy(inputStream, out);
-        } catch (FileNotFoundException ex) {
-            LOGGER.debug("", ex);
-            throw new ArchiveExtractionException(ex);
         } catch (IOException ex) {
             LOGGER.debug("", ex);
             throw new ArchiveExtractionException(ex);
-        } finally {
-            close(out);
-        }
-    }
-
-    /**
-     * Close the given {@link Closeable} instance, ignoring nulls, and logging any thrown {@link IOException}.
-     *
-     * @param closeable to be closed
-     */
-    private static void close(Closeable closeable) {
-        if (null != closeable) {
-            try {
-                closeable.close();
-            } catch (IOException ex) {
-                LOGGER.trace("", ex);
-            }
         }
     }
 
@@ -506,7 +605,21 @@ public class ArchiveAnalyzer extends AbstractFileTypeAnalyzer {
         } finally {
             ZipFile.closeQuietly(zip);
         }
-
         return isJar;
     }
+
+    /**
+     * Initializes settings used by the scanning functions of the archive
+     * analyzer.
+     */
+    private void initializeSettings() {
+        maxScanDepth = getSettings().getInt("archive.scan.depth", 3);
+        final String additionalZipExt = getSettings().getString(Settings.KEYS.ADDITIONAL_ZIP_EXTENSIONS);
+        if (additionalZipExt != null) {
+            final String[] ext = additionalZipExt.split("\\s*,\\s*");
+            Collections.addAll(KNOWN_ZIP_EXT, ext);
+        }
+        EXTENSIONS.addAll(KNOWN_ZIP_EXT);
+        fileFilter = FileFilterBuilder.newInstance().addExtensions(EXTENSIONS).build();
+    }
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java

@@ -28,8 +28,8 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.Evidence;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.FileUtils;
 import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
@@ -37,19 +37,26 @@ import org.w3c.dom.Document;
 import org.xml.sax.SAXException;
 
 import javax.xml.parsers.DocumentBuilder;
-import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathExpressionException;
 import javax.xml.xpath.XPathFactory;
 import java.util.ArrayList;
 import java.util.List;
+import javax.annotation.concurrent.ThreadSafe;
+import javax.xml.parsers.ParserConfigurationException;
+import org.owasp.dependencycheck.exception.InitializationException;
+import org.apache.commons.lang3.SystemUtils;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.utils.XmlUtils;
 
 /**
- * Analyzer for getting company, product, and version information from a .NET assembly.
+ * Analyzer for getting company, product, and version information from a .NET
+ * assembly.
  *
  * @author colezlaw
  *
  */
+@ThreadSafe
 public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
@@ -69,9 +76,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private File grokAssemblyExe = null;
     /**
-     * The DocumentBuilder for parsing the XML
+     * The temp value for GrokAssembly.exe.config
      */
-    private DocumentBuilder builder;
+    private File grokAssemblyConfig = null;
     /**
      * Logger
      */
@@ -82,18 +89,19 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @return the list of arguments to begin populating the ProcessBuilder
      */
-    private List<String> buildArgumentList() {
+    protected List<String> buildArgumentList() {
         // Use file.separator as a wild guess as to whether this is Windows
-        final List<String> args = new ArrayList<String>();
-        if (!"\\".equals(System.getProperty("file.separator"))) {
-            if (Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
-                args.add(Settings.getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
-            } else {
+        final List<String> args = new ArrayList<>();
+        if (!SystemUtils.IS_OS_WINDOWS) {
+            if (getSettings().getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH) != null) {
+                args.add(getSettings().getString(Settings.KEYS.ANALYZER_ASSEMBLY_MONO_PATH));
+            } else if (isInPath("mono")) {
                 args.add("mono");
+            } else {
+                return null;
             }
         }
         args.add(grokAssemblyExe.getPath());
-
         return args;
     }
 
@@ -105,19 +113,27 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException if anything goes sideways
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine)
-            throws AnalysisException {
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        final File test = new File(dependency.getActualFilePath());
+        if (!test.isFile()) {
+            throw new AnalysisException(String.format("%s does not exist and cannot be analyzed by dependency-check",
+                    dependency.getActualFilePath()));
+        }
         if (grokAssemblyExe == null) {
             LOGGER.warn("GrokAssembly didn't get deployed");
             return;
         }
-
         final List<String> args = buildArgumentList();
+        if (args == null) {
+            LOGGER.warn("Assembly Analyzer was unable to execute");
+            return;
+        }
         args.add(dependency.getActualFilePath());
         final ProcessBuilder pb = new ProcessBuilder(args);
         Document doc = null;
         try {
             final Process proc = pb.start();
+            final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
 
             doc = builder.parse(proc.getInputStream());
 
@@ -131,6 +147,7 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
             try {
                 rc = proc.waitFor();
             } catch (InterruptedException ie) {
+                Thread.currentThread().interrupt();
                 return;
             }
             if (rc == 3) {
@@ -138,7 +155,9 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
                         dependency.getActualFilePath());
                 return;
             } else if (rc != 0) {
-                LOGGER.warn("Return code {} from GrokAssembly", rc);
+                LOGGER.debug("Return code {} from GrokAssembly; dependency-check is unable to analyze the library: {}",
+                        rc, dependency.getActualFilePath());
+                return;
             }
 
             final XPath xpath = XPathFactory.newInstance().newXPath();
@@ -151,100 +170,112 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
 
             final String version = xpath.evaluate("/assembly/version", doc);
             if (version != null) {
-                dependency.getVersionEvidence().addEvidence(new Evidence("grokassembly", "version",
-                        version, Confidence.HIGHEST));
+                dependency.addEvidence(EvidenceType.VERSION, "grokassembly", "version", version, Confidence.HIGHEST);
             }
 
             final String vendor = xpath.evaluate("/assembly/company", doc);
             if (vendor != null) {
-                dependency.getVendorEvidence().addEvidence(new Evidence("grokassembly", "vendor",
-                        vendor, Confidence.HIGH));
+                dependency.addEvidence(EvidenceType.VENDOR, "grokassembly", "vendor", vendor, Confidence.HIGH);
             }
 
             final String product = xpath.evaluate("/assembly/product", doc);
             if (product != null) {
-                dependency.getProductEvidence().addEvidence(new Evidence("grokassembly", "product",
-                        product, Confidence.HIGH));
+                dependency.addEvidence(EvidenceType.PRODUCT, "grokassembly", "product", product, Confidence.HIGH);
             }
 
-        } catch (IOException ioe) {
+        } catch (ParserConfigurationException pce) {
+            throw new AnalysisException("Error initializing the assembly analyzer", pce);
+        } catch (IOException | XPathExpressionException ioe) {
             throw new AnalysisException(ioe);
         } catch (SAXException saxe) {
-            throw new AnalysisException("Couldn't parse GrokAssembly result", saxe);
-        } catch (XPathExpressionException xpe) {
-            // This shouldn't happen
-            throw new AnalysisException(xpe);
+            LOGGER.error("----------------------------------------------------");
+            LOGGER.error("Failed to read the Assembly Analyzer results. "
+                    + "On some systems mono-runtime and mono-devel need to be installed.");
+            LOGGER.error("----------------------------------------------------");
+            throw new AnalysisException("Couldn't parse Assembly Analyzer results (GrokAssembly)", saxe);
         }
     }
 
     /**
-     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a temporary location.
+     * Initialize the analyzer. In this case, extract GrokAssembly.exe to a
+     * temporary location.
      *
-     * @throws Exception if anything goes wrong
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if anything goes wrong
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
-        final File tempFile = File.createTempFile("GKA", ".exe", Settings.getTempDirectory());
-        FileOutputStream fos = null;
-        InputStream is = null;
+    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
+        final File tempFile;
+        final File cfgFile;
         try {
-            fos = new FileOutputStream(tempFile);
-            is = AssemblyAnalyzer.class.getClassLoader().getResourceAsStream("GrokAssembly.exe");
+            tempFile = File.createTempFile("GKA", ".exe", getSettings().getTempDirectory());
+            cfgFile = new File(tempFile.getPath() + ".config");
+        } catch (IOException ex) {
+            setEnabled(false);
+            throw new InitializationException("Unable to create temporary file for the assembly analyzer", ex);
+        }
+        try (FileOutputStream fos = new FileOutputStream(tempFile);
+                InputStream is = FileUtils.getResourceAsStream("GrokAssembly.exe");
+                FileOutputStream fosCfg = new FileOutputStream(cfgFile);
+                InputStream isCfg = FileUtils.getResourceAsStream("GrokAssembly.exe.config")) {
             IOUtils.copy(is, fos);
-
             grokAssemblyExe = tempFile;
-            // Set the temp file to get deleted when we're done
-            grokAssemblyExe.deleteOnExit();
             LOGGER.debug("Extracted GrokAssembly.exe to {}", grokAssemblyExe.getPath());
+            IOUtils.copy(isCfg, fosCfg);
+            grokAssemblyConfig = cfgFile;
+            LOGGER.debug("Extracted GrokAssembly.exe.config to {}", cfgFile);
         } catch (IOException ioe) {
             this.setEnabled(false);
             LOGGER.warn("Could not extract GrokAssembly.exe: {}", ioe.getMessage());
-            throw new AnalysisException("Could not extract GrokAssembly.exe", ioe);
-        } finally {
-            if (fos != null) {
-                try {
-                    fos.close();
-                } catch (Throwable e) {
-                    LOGGER.debug("Error closing output stream");
-                }
-            }
-            if (is != null) {
-                try {
-                    is.close();
-                } catch (Throwable e) {
-                    LOGGER.debug("Error closing input stream");
-                }
-            }
+            throw new InitializationException("Could not extract GrokAssembly.exe", ioe);
         }
 
         // Now, need to see if GrokAssembly actually runs from this location.
         final List<String> args = buildArgumentList();
+        //TODO this creates an "unreported" error - if someone doesn't look
+        // at the command output this could easily be missed (especially in an
+        // Ant or Maven build.
+        //
+        // We need to create a non-fatal warning error type that will
+        // get added to the report.
+        //TODO this idea needs to get replicated to the bundle audit analyzer.
+        if (args == null) {
+            setEnabled(false);
+            LOGGER.error("----------------------------------------------------");
+            LOGGER.error(".NET Assembly Analyzer could not be initialized and at least one "
+                    + "'exe' or 'dll' was scanned. The 'mono' executable could not be found on "
+                    + "the path; either disable the Assembly Analyzer or configure the path mono. "
+                    + "On some systems mono-runtime and mono-devel need to be installed.");
+            LOGGER.error("----------------------------------------------------");
+            return;
+        }
         try {
             final ProcessBuilder pb = new ProcessBuilder(args);
             final Process p = pb.start();
             // Try evacuating the error stream
             IOUtils.copy(p.getErrorStream(), NullOutputStream.NULL_OUTPUT_STREAM);
 
-            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
+            final DocumentBuilder builder = XmlUtils.buildSecureDocumentBuilder();
+            final Document doc = builder.parse(p.getInputStream());
             final XPath xpath = XPathFactory.newInstance().newXPath();
             final String error = xpath.evaluate("/assembly/error", doc);
             if (p.waitFor() != 1 || error == null || error.isEmpty()) {
                 LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer, please see the log for more details.");
                 LOGGER.debug("GrokAssembly.exe is not working properly");
                 grokAssemblyExe = null;
-                this.setEnabled(false);
-                throw new AnalysisException("Could not execute .NET AssemblyAnalyzer");
+                setEnabled(false);
+                throw new InitializationException("Could not execute .NET AssemblyAnalyzer");
             }
-        } catch (AnalysisException e) {
+        } catch (InitializationException e) {
+            setEnabled(false);
             throw e;
-        } catch (Throwable e) {
+        } catch (IOException | ParserConfigurationException | SAXException | XPathExpressionException | InterruptedException e) {
             LOGGER.warn("An error occurred with the .NET AssemblyAnalyzer;\n"
                     + "this can be ignored unless you are scanning .NET DLLs. Please see the log for more details.");
             LOGGER.debug("Could not execute GrokAssembly {}", e.getMessage());
-            this.setEnabled(false);
-            throw new AnalysisException("An error occurred with the .NET AssemblyAnalyzer", e);
+            setEnabled(false);
+            throw new InitializationException("An error occurred with the .NET AssemblyAnalyzer", e);
         }
-        builder = DocumentBuilderFactory.newInstance().newDocumentBuilder();
     }
 
     /**
@@ -253,14 +284,24 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws Exception thrown if there is a problem closing the analyzer
      */
     @Override
-    public void close() throws Exception {
-        super.close();
+    public void closeAnalyzer() throws Exception {
         try {
             if (grokAssemblyExe != null && !grokAssemblyExe.delete()) {
+                LOGGER.debug("Unable to delete temporary GrokAssembly.exe; attempting delete on exit");
                 grokAssemblyExe.deleteOnExit();
             }
         } catch (SecurityException se) {
             LOGGER.debug("Can't delete temporary GrokAssembly.exe");
+            grokAssemblyExe.deleteOnExit();
+        }
+        try {
+            if (grokAssemblyConfig != null && !grokAssemblyConfig.delete()) {
+                LOGGER.debug("Unable to delete temporary GrokAssembly.exe.config; attempting delete on exit");
+                grokAssemblyConfig.deleteOnExit();
+            }
+        } catch (SecurityException se) {
+            LOGGER.debug("Can't delete temporary GrokAssembly.exe.config");
+            grokAssemblyConfig.deleteOnExit();
         }
     }
 
@@ -296,7 +337,8 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -304,4 +346,27 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
     protected String getAnalyzerEnabledSettingKey() {
         return Settings.KEYS.ANALYZER_ASSEMBLY_ENABLED;
     }
+
+    /**
+     * Tests to see if a file is in the system path. <b>Note</b> - the current
+     * implementation only works on non-windows platforms. For purposes of the
+     * AssemblyAnalyzer this is okay as this is only needed on Mac/*nix.
+     *
+     * @param file the executable to look for
+     * @return <code>true</code> if the file exists; otherwise
+     * <code>false</code>
+     */
+    private boolean isInPath(String file) {
+        final ProcessBuilder pb = new ProcessBuilder("which", file);
+        try {
+            final Process proc = pb.start();
+            final int retCode = proc.waitFor();
+            if (retCode == 0) {
+                return true;
+            }
+        } catch (IOException | InterruptedException ex) {
+            LOGGER.debug("Path search failed for " + file, ex);
+        }
+        return false;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/AutoconfAnalyzer.java

@@ -22,7 +22,6 @@ import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.UrlStringUtils;
@@ -30,18 +29,22 @@ import org.owasp.dependencycheck.utils.UrlStringUtils;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
-import java.util.ArrayList;
-import java.util.List;
+import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
- * Used to analyze Autoconf input files named configure.ac or configure.in. Files simply named "configure" are also analyzed,
- * assuming they are generated by Autoconf, and contain certain special package descriptor variables.
+ * Used to analyze Autoconf input files named configure.ac or configure.in.
+ * Files simply named "configure" are also analyzed, assuming they are generated
+ * by Autoconf, and contain certain special package descriptor variables.
  *
  * @author Dale Visser
- * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project - Free Software Foundation (FSF)</a>
+ * @see <a href="https://www.gnu.org/software/autoconf/">Autoconf - GNU Project
+ * - Free Software Foundation (FSF)</a>
  */
+@Experimental
 public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
@@ -140,7 +143,8 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
      *
      * @return the analyzer's enabled property setting key
      */
@@ -150,7 +154,7 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
+    protected void analyzeDependency(Dependency dependency, Engine engine)
             throws AnalysisException {
         final File actualFile = dependency.getActualFile();
         final String name = actualFile.getName();
@@ -164,19 +168,14 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
                 final String contents = getFileContents(actualFile);
                 if (!contents.isEmpty()) {
                     if (isOutputScript) {
-                        extractConfigureScriptEvidence(dependency, name,
-                                contents);
+                        extractConfigureScriptEvidence(dependency, name, contents);
                     } else {
                         gatherEvidence(dependency, name, contents);
                     }
                 }
             }
         } else {
-            // copy, alter and set in case some other thread is iterating over
-            final List<Dependency> dependencies = new ArrayList<Dependency>(
-                    engine.getDependencies());
-            dependencies.remove(dependency);
-            engine.setDependencies(dependencies);
+            engine.removeDependency(dependency);
         }
     }
 
@@ -195,17 +194,13 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
             final String value = matcher.group(2);
             if (!value.isEmpty()) {
                 if (variable.endsWith("NAME")) {
-                    dependency.getProductEvidence().addEvidence(name, variable,
-                            value, Confidence.HIGHEST);
+                    dependency.addEvidence(EvidenceType.PRODUCT, name, variable, value, Confidence.HIGHEST);
                 } else if ("VERSION".equals(variable)) {
-                    dependency.getVersionEvidence().addEvidence(name, variable,
-                            value, Confidence.HIGHEST);
+                    dependency.addEvidence(EvidenceType.VERSION, name, variable, value, Confidence.HIGHEST);
                 } else if ("BUGREPORT".equals(variable)) {
-                    dependency.getVendorEvidence().addEvidence(name, variable,
-                            value, Confidence.HIGH);
+                    dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
                 } else if ("URL".equals(variable)) {
-                    dependency.getVendorEvidence().addEvidence(name, variable,
-                            value, Confidence.HIGH);
+                    dependency.addEvidence(EvidenceType.VENDOR, name, variable, value, Confidence.HIGH);
                 }
             }
         }
@@ -220,14 +215,12 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
      */
     private String getFileContents(final File actualFile)
             throws AnalysisException {
-        String contents = "";
         try {
-            contents = FileUtils.readFileToString(actualFile).trim();
+            return FileUtils.readFileToString(actualFile, Charset.defaultCharset()).trim();
         } catch (IOException e) {
             throw new AnalysisException(
                     "Problem occurred while reading dependency file.", e);
         }
-        return contents;
     }
 
     /**
@@ -241,27 +234,19 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
             String contents) {
         final Matcher matcher = AC_INIT_PATTERN.matcher(contents);
         if (matcher.find()) {
-            final EvidenceCollection productEvidence = dependency
-                    .getProductEvidence();
-            productEvidence.addEvidence(name, "Package", matcher.group(1),
-                    Confidence.HIGHEST);
-            dependency.getVersionEvidence().addEvidence(name,
-                    "Package Version", matcher.group(2), Confidence.HIGHEST);
-            final EvidenceCollection vendorEvidence = dependency
-                    .getVendorEvidence();
+            dependency.addEvidence(EvidenceType.PRODUCT, name, "Package", matcher.group(1), Confidence.HIGHEST);
+            dependency.addEvidence(EvidenceType.VERSION, name, "Package Version", matcher.group(2), Confidence.HIGHEST);
+
             if (null != matcher.group(3)) {
-                vendorEvidence.addEvidence(name, "Bug report address",
-                        matcher.group(4), Confidence.HIGH);
+                dependency.addEvidence(EvidenceType.VENDOR, name, "Bug report address", matcher.group(4), Confidence.HIGH);
             }
             if (null != matcher.group(5)) {
-                productEvidence.addEvidence(name, "Tarname", matcher.group(6),
-                        Confidence.HIGH);
+                dependency.addEvidence(EvidenceType.PRODUCT, name, "Tarname", matcher.group(6), Confidence.HIGH);
             }
             if (null != matcher.group(7)) {
                 final String url = matcher.group(8);
                 if (UrlStringUtils.isUrl(url)) {
-                    vendorEvidence.addEvidence(name, "URL", url,
-                            Confidence.HIGH);
+                    dependency.addEvidence(EvidenceType.VENDOR, name, "URL", url, Confidence.HIGH);
                 }
             }
         }
@@ -270,10 +255,12 @@ public class AutoconfAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the file type analyzer.
      *
-     * @throws Exception thrown if there is an exception during initialization
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if there is an exception during
+     * initialization
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
+    protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
         // No initialization needed.
     }
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/CMakeAnalyzer.java

@@ -32,25 +32,35 @@ import org.slf4j.LoggerFactory;
 import java.io.File;
 import java.io.FileFilter;
 import java.io.IOException;
-import java.io.UnsupportedEncodingException;
-import java.security.MessageDigest;
-import java.security.NoSuchAlgorithmException;
+import java.nio.charset.Charset;
 import java.util.regex.Matcher;
 import java.util.regex.Pattern;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.exception.InitializationException;
 
 /**
  * <p>
- * Used to analyze CMake build files, and collect information that can be used to determine the associated CPE.</p>
+ * Used to analyze CMake build files, and collect information that can be used
+ * to determine the associated CPE.</p>
  * <p>
- * Note: This analyzer catches straightforward invocations of the project command, plus some other observed patterns of version
- * inclusion in real CMake projects. Many projects make use of older versions of CMake and/or use custom "homebrew" ways to insert
- * version information. Hopefully as the newer CMake call pattern grows in usage, this analyzer allow more CPEs to be
+ * Note: This analyzer catches straightforward invocations of the project
+ * command, plus some other observed patterns of version inclusion in real CMake
+ * projects. Many projects make use of older versions of CMake and/or use custom
+ * "homebrew" ways to insert version information. Hopefully as the newer CMake
+ * call pattern grows in usage, this analyzer allow more CPEs to be
  * identified.</p>
  *
  * @author Dale Visser
  */
+@Experimental
 public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
 
+    /**
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
+     */
+    public static final String DEPENDENCY_ECOSYSTEM = "CMAKE";
+
     /**
      * The logger.
      */
@@ -59,8 +69,7 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Used when compiling file scanning regex patterns.
      */
-    private static final int REGEX_OPTIONS = Pattern.DOTALL
-            | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
+    private static final int REGEX_OPTIONS = Pattern.DOTALL | Pattern.CASE_INSENSITIVE | Pattern.MULTILINE;
 
     /**
      * Regex to extract the product information.
@@ -75,10 +84,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * Group 2: Version
      */
-    private static final Pattern SET_VERSION = Pattern
-            .compile(
-                    "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)",
-                    REGEX_OPTIONS);
+    private static final Pattern SET_VERSION = Pattern.compile(
+            "^ *set\\s*\\(\\s*(\\w+)_version\\s+\"?(\\d+(?:\\.\\d+)+)[\\s\"]?\\)", REGEX_OPTIONS);
 
     /**
      * Detects files that can be analyzed.
@@ -86,24 +93,10 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     private static final FileFilter FILTER = FileFilterBuilder.newInstance().addExtensions(".cmake")
             .addFilenames("CMakeLists.txt").build();
 
-    /**
-     * A reference to SHA1 message digest.
-     */
-    private static MessageDigest sha1 = null;
-
-    static {
-        try {
-            sha1 = MessageDigest.getInstance("SHA1");
-        } catch (NoSuchAlgorithmException e) {
-            LOGGER.error(e.getMessage());
-        }
-    }
-
     /**
      * Returns the name of the CMake analyzer.
      *
      * @return the name of the analyzer
-     *
      */
     @Override
     public String getName() {
@@ -131,13 +124,15 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * No-op initializer implementation.
+     * Initializes the analyzer.
      *
-     * @throws Exception never thrown
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if an exception occurs getting an
+     * instance of SHA1
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
-        // Nothing to do here.
+    protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
+        //do nothing
     }
 
     /**
@@ -145,23 +140,21 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
      *
      * @param dependency the dependency being analyzed
      * @param engine the engine being used to perform the scan
-     * @throws AnalysisException thrown if there is an unrecoverable error analyzing the dependency
+     * @throws AnalysisException thrown if there is an unrecoverable error
+     * analyzing the dependency
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine)
-            throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
         final File file = dependency.getActualFile();
-        final String parentName = file.getParentFile().getName();
         final String name = file.getName();
-        dependency.setDisplayFileName(String.format("%s%c%s", parentName, File.separatorChar, name));
         String contents;
         try {
-            contents = FileUtils.readFileToString(file).trim();
+            contents = FileUtils.readFileToString(file, Charset.defaultCharset()).trim();
         } catch (IOException e) {
             throw new AnalysisException(
                     "Problem occurred while reading dependency file.", e);
         }
-
         if (StringUtils.isNotBlank(contents)) {
             final Matcher m = PROJECT.matcher(contents);
             int count = 0;
@@ -171,9 +164,10 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                         "Found project command match with %d groups: %s",
                         m.groupCount(), m.group(0)));
                 final String group = m.group(1);
-                LOGGER.debug("Group 1: " + group);
-                dependency.getProductEvidence().addEvidence(name, "Project",
-                        group, Confidence.HIGH);
+                LOGGER.debug("Group 1: {}", group);
+                dependency.addEvidence(EvidenceType.PRODUCT, name, "Project", group, Confidence.HIGH);
+                dependency.addEvidence(EvidenceType.VENDOR, name, "Project", group, Confidence.HIGH);
+                dependency.setName(group);
             }
             LOGGER.debug("Found {} matches.", count);
             analyzeSetVersionCommand(dependency, engine, contents);
@@ -181,8 +175,9 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Extracts the version information from the contents. If more then one version is found additional dependencies are added to
-     * the dependency list.
+     * Extracts the version information from the contents. If more then one
+     * version is found additional dependencies are added to the dependency
+     * list.
      *
      * @param dependency the dependency being analyzed
      * @param engine the dependency-check engine
@@ -199,8 +194,8 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
                     m.groupCount(), m.group(0));
             String product = m.group(1);
             final String version = m.group(2);
-            LOGGER.debug("Group 1: " + product);
-            LOGGER.debug("Group 2: " + version);
+            LOGGER.debug("Group 1: {}", product);
+            LOGGER.debug("Group 2: {}", version);
             final String aliasPrefix = "ALIASOF_";
             if (product.startsWith(aliasPrefix)) {
                 product = product.replaceFirst(aliasPrefix, "");
@@ -208,26 +203,22 @@ public class CMakeAnalyzer extends AbstractFileTypeAnalyzer {
             if (count > 1) {
                 //TODO - refactor so we do not assign to the parameter (checkstyle)
                 currentDep = new Dependency(dependency.getActualFile());
-                currentDep.setDisplayFileName(String.format("%s:%s", dependency.getDisplayFileName(), product));
+                currentDep.setEcosystem(DEPENDENCY_ECOSYSTEM);
                 final String filePath = String.format("%s:%s", dependency.getFilePath(), product);
                 currentDep.setFilePath(filePath);
 
-                byte[] path;
-                try {
-                    path = filePath.getBytes("UTF-8");
-                } catch (UnsupportedEncodingException ex) {
-                    path = filePath.getBytes();
-                }
-                currentDep.setSha1sum(Checksum.getHex(sha1.digest(path)));
-                engine.getDependencies().add(currentDep);
+                currentDep.setSha1sum(Checksum.getSHA1Checksum(filePath));
+                currentDep.setMd5sum(Checksum.getMD5Checksum(filePath));
+                engine.addDependency(currentDep);
             }
-            final String source = currentDep.getDisplayFileName();
-            currentDep.getProductEvidence().addEvidence(source, "Product",
-                    product, Confidence.MEDIUM);
-            currentDep.getVersionEvidence().addEvidence(source, "Version",
-                    version, Confidence.MEDIUM);
+            final String source = currentDep.getFileName();
+            currentDep.addEvidence(EvidenceType.PRODUCT, source, "Product", product, Confidence.MEDIUM);
+            currentDep.addEvidence(EvidenceType.VENDOR, source, "Vendor", product, Confidence.MEDIUM);
+            currentDep.addEvidence(EvidenceType.VERSION, source, "Version", version, Confidence.MEDIUM);
+            currentDep.setName(product);
+            currentDep.setVersion(version);
         }
-        LOGGER.debug(String.format("Found %d matches.", count));
+        LOGGER.debug("Found {} matches.", count);
     }
 
     @Override

core/src/main/java/org/owasp/dependencycheck/analyzer/CPEAnalyzer.java

@@ -21,10 +21,15 @@ import java.io.IOException;
 import java.io.UnsupportedEncodingException;
 import java.net.URLEncoder;
 import java.util.ArrayList;
+import java.util.Arrays;
 import java.util.Collections;
 import java.util.List;
 import java.util.Set;
 import java.util.StringTokenizer;
+import java.util.concurrent.TimeUnit;
+import javax.annotation.concurrent.ThreadSafe;
+import org.apache.commons.lang3.builder.CompareToBuilder;
+import org.apache.lucene.analysis.util.CharArraySet;
 import org.apache.lucene.document.Document;
 import org.apache.lucene.index.CorruptIndexException;
 import org.apache.lucene.queryparser.classic.ParseException;
@@ -37,26 +42,31 @@ import org.owasp.dependencycheck.data.cpe.Fields;
 import org.owasp.dependencycheck.data.cpe.IndexEntry;
 import org.owasp.dependencycheck.data.cpe.IndexException;
 import org.owasp.dependencycheck.data.lucene.LuceneUtils;
+import org.owasp.dependencycheck.data.lucene.SearchFieldAnalyzer;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.nvdcve.DatabaseException;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.dependency.Evidence;
-import org.owasp.dependencycheck.dependency.EvidenceCollection;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 import org.owasp.dependencycheck.dependency.Identifier;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 import org.owasp.dependencycheck.utils.DependencyVersionUtil;
+import org.owasp.dependencycheck.utils.Settings;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
 /**
- * CPEAnalyzer is a utility class that takes a project dependency and attempts to discern if there is an associated CPE. It uses
- * the evidence contained within the dependency to search the Lucene index.
+ * CPEAnalyzer is a utility class that takes a project dependency and attempts
+ * to discern if there is an associated CPE. It uses the evidence contained
+ * within the dependency to search the Lucene index.
  *
  * @author Jeremy Long
  */
-public class CPEAnalyzer implements Analyzer {
+@ThreadSafe
+public class CPEAnalyzer extends AbstractAnalyzer {
 
     /**
      * The Logger.
@@ -65,23 +75,32 @@ public class CPEAnalyzer implements Analyzer {
     /**
      * The maximum number of query results to return.
      */
-    static final int MAX_QUERY_RESULTS = 25;
+    private static final int MAX_QUERY_RESULTS = 25;
     /**
      * The weighting boost to give terms when constructing the Lucene query.
      */
-    static final String WEIGHTING_BOOST = "^5";
+    private static final String WEIGHTING_BOOST = "^5";
     /**
-     * A string representation of a regular expression defining characters utilized within the CPE Names.
+     * A string representation of a regular expression defining characters
+     * utilized within the CPE Names. Note, the :/ are included so URLs are
+     * passed into the Lucene query so that the specialized tokenizer can parse
+     * them.
      */
-    static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._-]";
+    private static final String CLEANSE_CHARACTER_RX = "[^A-Za-z0-9 ._:/-]";
     /**
-     * A string representation of a regular expression used to remove all but alpha characters.
+     * A string representation of a regular expression used to remove all but
+     * alpha characters.
      */
-    static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
+    private static final String CLEANSE_NONALPHA_RX = "[^A-Za-z]*";
     /**
-     * The additional size to add to a new StringBuilder to account for extra data that will be written into the string.
+     * The additional size to add to a new StringBuilder to account for extra
+     * data that will be written into the string.
      */
-    static final int STRING_BUILDER_BUFFER = 20;
+    private static final int STRING_BUILDER_BUFFER = 20;
+    /**
+     * The URL to perform a search of the NVD CVE data at NIST.
+     */
+    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
     /**
      * The CPE in memory index.
      */
@@ -90,11 +109,12 @@ public class CPEAnalyzer implements Analyzer {
      * The CVE Database.
      */
     private CveDB cve;
-
     /**
-     * The URL to perform a search of the NVD CVE data at NIST.
+     * The list of ecosystems to skip during analysis. These are skipped because
+     * there is generally a more accurate vulnerability analyzer in the
+     * pipeline.
      */
-    public static final String NVD_SEARCH_URL = "https://web.nvd.nist.gov/view/vuln/search-results?adv_search=true&cves=on&cpe_version=%s";
+    private List<String> skipEcosystems;
 
     /**
      * Returns the name of this analyzer.
@@ -119,34 +139,51 @@ public class CPEAnalyzer implements Analyzer {
     /**
      * Creates the CPE Lucene Index.
      *
-     * @throws Exception is thrown if there is an issue opening the index.
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException is thrown if there is an issue opening
+     * the index.
      */
     @Override
-    public void initialize() throws Exception {
-        this.open();
+    public void prepareAnalyzer(Engine engine) throws InitializationException {
+        super.prepareAnalyzer(engine);
+        try {
+            this.open(engine.getDatabase());
+        } catch (IOException ex) {
+            LOGGER.debug("Exception initializing the Lucene Index", ex);
+            throw new InitializationException("An exception occurred initializing the Lucene Index", ex);
+        } catch (DatabaseException ex) {
+            LOGGER.debug("Exception accessing the database", ex);
+            throw new InitializationException("An exception occurred accessing the database", ex);
+        }
+        final String[] tmp = engine.getSettings().getArray(Settings.KEYS.ECOSYSTEM_SKIP_CPEANALYZER);
+        if (tmp == null) {
+            skipEcosystems = new ArrayList<>();
+        } else {
+            LOGGER.info("Skipping CPE Analysis for {}", tmp);
+            skipEcosystems = Arrays.asList(tmp);
+        }
     }
 
     /**
      * Opens the data source.
      *
-     * @throws IOException when the Lucene directory to be queried does not exist or is corrupt.
-     * @throws DatabaseException when the database throws an exception. This usually occurs when the database is in use by another
-     * process.
+     * @param cve a reference to the NVD CVE database
+     * @throws IOException when the Lucene directory to be queried does not
+     * exist or is corrupt.
+     * @throws DatabaseException when the database throws an exception. This
+     * usually occurs when the database is in use by another process.
      */
-    public void open() throws IOException, DatabaseException {
-        if (!isOpen()) {
-            cve = new CveDB();
-            cve.open();
-            cpe = CpeMemoryIndex.getInstance();
-            try {
-                LOGGER.info("Creating the CPE Index");
-                final long creationStart = System.currentTimeMillis();
-                cpe.open(cve);
-                LOGGER.info("CPE Index Created ({} ms)", System.currentTimeMillis() - creationStart);
-            } catch (IndexException ex) {
-                LOGGER.debug("IndexException", ex);
-                throw new DatabaseException(ex);
-            }
+    public void open(CveDB cve) throws IOException, DatabaseException {
+        this.cve = cve;
+        this.cpe = CpeMemoryIndex.getInstance();
+        try {
+            final long creationStart = System.currentTimeMillis();
+            cpe.open(cve);
+            final long creationSeconds = TimeUnit.MILLISECONDS.toSeconds(System.currentTimeMillis() - creationStart);
+            LOGGER.info("Created CPE Index ({} seconds)", creationSeconds);
+        } catch (IndexException ex) {
+            LOGGER.debug("IndexException", ex);
+            throw new DatabaseException(ex);
         }
     }
 
@@ -154,24 +191,17 @@ public class CPEAnalyzer implements Analyzer {
      * Closes the data sources.
      */
     @Override
-    public void close() {
+    public void closeAnalyzer() {
         if (cpe != null) {
             cpe.close();
             cpe = null;
         }
-        if (cve != null) {
-            cve.close();
-            cve = null;
-        }
-    }
-
-    public boolean isOpen() {
-        return cpe != null && cpe.isOpen();
     }
 
     /**
-     * Searches the data store of CPE entries, trying to identify the CPE for the given dependency based on the evidence contained
-     * within. The dependency passed in is updated with any identified CPE values.
+     * Searches the data store of CPE entries, trying to identify the CPE for
+     * the given dependency based on the evidence contained within. The
+     * dependency passed in is updated with any identified CPE values.
      *
      * @param dependency the dependency to search for CPE entries on.
      * @throws CorruptIndexException is thrown when the Lucene index is corrupt.
@@ -179,21 +209,20 @@ public class CPEAnalyzer implements Analyzer {
      * @throws ParseException is thrown when the Lucene query cannot be parsed.
      */
     protected void determineCPE(Dependency dependency) throws CorruptIndexException, IOException, ParseException {
-        //TODO test dojo-war against this. we shold get dojo-toolkit:dojo-toolkit AND dojo-toolkit:toolkit
         String vendors = "";
         String products = "";
         for (Confidence confidence : Confidence.values()) {
-            if (dependency.getVendorEvidence().contains(confidence)) {
-                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getVendorEvidence(), confidence);
+            if (dependency.contains(EvidenceType.VENDOR, confidence)) {
+                vendors = addEvidenceWithoutDuplicateTerms(vendors, dependency.getIterator(EvidenceType.VENDOR, confidence));
                 LOGGER.debug("vendor search: {}", vendors);
             }
-            if (dependency.getProductEvidence().contains(confidence)) {
-                products = addEvidenceWithoutDuplicateTerms(products, dependency.getProductEvidence(), confidence);
+            if (dependency.contains(EvidenceType.PRODUCT, confidence)) {
+                products = addEvidenceWithoutDuplicateTerms(products, dependency.getIterator(EvidenceType.PRODUCT, confidence));
                 LOGGER.debug("product search: {}", products);
             }
             if (!vendors.isEmpty() && !products.isEmpty()) {
-                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getProductEvidence().getWeighting(),
-                        dependency.getVendorEvidence().getWeighting());
+                final List<IndexEntry> entries = searchCPE(vendors, products, dependency.getVendorWeightings(),
+                        dependency.getProductWeightings());
                 if (entries == null) {
                     continue;
                 }
@@ -215,29 +244,31 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Returns the text created by concatenating the text and the values from the EvidenceCollection (filtered for a specific
-     * confidence). This attempts to prevent duplicate terms from being added.<br/<br/> Note, if the evidence is longer then 200
-     * characters it will be truncated.
+     * <p>
+     * Returns the text created by concatenating the text and the values from
+     * the EvidenceCollection (filtered for a specific confidence). This
+     * attempts to prevent duplicate terms from being added.</p>
+     * <p>
+     * Note, if the evidence is longer then 200 characters it will be
+     * truncated.</p>
      *
-     * @param text the base text.
-     * @param ec an EvidenceCollection
-     * @param confidenceFilter a Confidence level to filter the evidence by.
+     * @param text the base text
+     * @param evidence an iterable set of evidence to concatenate
      * @return the new evidence text
      */
-    private String addEvidenceWithoutDuplicateTerms(final String text, final EvidenceCollection ec, Confidence confidenceFilter) {
+    @SuppressWarnings("null")
+    protected String addEvidenceWithoutDuplicateTerms(final String text, final Iterable<Evidence> evidence) {
         final String txt = (text == null) ? "" : text;
-        final StringBuilder sb = new StringBuilder(txt.length() + (20 * ec.size()));
+        final StringBuilder sb = new StringBuilder(txt.length() * 2);
         sb.append(' ').append(txt).append(' ');
-        for (Evidence e : ec.iterator(confidenceFilter)) {
+        for (Evidence e : evidence) {
             String value = e.getValue();
-
-            //hack to get around the fact that lucene does a really good job of recognizing domains and not
-            // splitting them. TODO - put together a better lucene analyzer specific to the domain.
-            if (value.startsWith("http://")) {
-                value = value.substring(7).replaceAll("\\.", " ");
-            }
-            if (value.startsWith("https://")) {
-                value = value.substring(8).replaceAll("\\.", " ");
+            if (value.length() > 1000) {
+                value = value.substring(0, 1000);
+                final int pos = value.lastIndexOf(" ");
+                if (pos > 0) {
+                    value = value.substring(0, pos);
+                }
             }
             if (sb.indexOf(" " + value + " ") < 0) {
                 sb.append(value).append(' ');
@@ -248,23 +279,25 @@ public class CPEAnalyzer implements Analyzer {
 
     /**
      * <p>
-     * Searches the Lucene CPE index to identify possible CPE entries associated with the supplied vendor, product, and
-     * version.</p>
+     * Searches the Lucene CPE index to identify possible CPE entries associated
+     * with the supplied vendor, product, and version.</p>
      *
      * <p>
-     * If either the vendorWeightings or productWeightings lists have been populated this data is used to add weighting factors to
-     * the search.</p>
+     * If either the vendorWeightings or productWeightings lists have been
+     * populated this data is used to add weighting factors to the search.</p>
      *
      * @param vendor the text used to search the vendor field
      * @param product the text used to search the product field
-     * @param vendorWeightings a list of strings to use to add weighting factors to the vendor field
-     * @param productWeightings Adds a list of strings that will be used to add weighting factors to the product search
+     * @param vendorWeightings a list of strings to use to add weighting factors
+     * to the vendor field
+     * @param productWeightings Adds a list of strings that will be used to add
+     * weighting factors to the product search
      * @return a list of possible CPE values
      */
     protected List<IndexEntry> searchCPE(String vendor, String product,
             Set<String> vendorWeightings, Set<String> productWeightings) {
 
-        final List<IndexEntry> ret = new ArrayList<IndexEntry>(MAX_QUERY_RESULTS);
+        final List<IndexEntry> ret = new ArrayList<>(MAX_QUERY_RESULTS);
 
         final String searchString = buildSearch(vendor, product, vendorWeightings, productWeightings);
         if (searchString == null) {
@@ -297,16 +330,20 @@ public class CPEAnalyzer implements Analyzer {
 
     /**
      * <p>
-     * Builds a Lucene search string by properly escaping data and constructing a valid search query.</p>
+     * Builds a Lucene search string by properly escaping data and constructing
+     * a valid search query.</p>
      *
      * <p>
-     * If either the possibleVendor or possibleProducts lists have been populated this data is used to add weighting factors to
-     * the search string generated.</p>
+     * If either the possibleVendor or possibleProducts lists have been
+     * populated this data is used to add weighting factors to the search string
+     * generated.</p>
      *
      * @param vendor text to search the vendor field
      * @param product text to search the product field
-     * @param vendorWeighting a list of strings to apply to the vendor to boost the terms weight
-     * @param productWeightings a list of strings to apply to the product to boost the terms weight
+     * @param vendorWeighting a list of strings to apply to the vendor to boost
+     * the terms weight
+     * @param productWeightings a list of strings to apply to the product to
+     * boost the terms weight
      * @return the Lucene query
      */
     protected String buildSearch(String vendor, String product,
@@ -327,17 +364,21 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * This method constructs a Lucene query for a given field. The searchText is split into separate words and if the word is
-     * within the list of weighted words then an additional weighting is applied to the term as it is appended into the query.
+     * This method constructs a Lucene query for a given field. The searchText
+     * is split into separate words and if the word is within the list of
+     * weighted words then an additional weighting is applied to the term as it
+     * is appended into the query.
      *
      * @param sb a StringBuilder that the query text will be appended to.
-     * @param field the field within the Lucene index that the query is searching.
+     * @param field the field within the Lucene index that the query is
+     * searching.
      * @param searchText text used to construct the query.
-     * @param weightedText a list of terms that will be considered higher importance when searching.
+     * @param weightedText a list of terms that will be considered higher
+     * importance when searching.
      * @return if the append was successful.
      */
     private boolean appendWeightedSearch(StringBuilder sb, String field, String searchText, Set<String> weightedText) {
-        sb.append(' ').append(field).append(":( ");
+        sb.append(field).append(":(");
 
         final String cleanText = cleanseText(searchText);
 
@@ -348,6 +389,7 @@ public class CPEAnalyzer implements Analyzer {
         if (weightedText == null || weightedText.isEmpty()) {
             LuceneUtils.appendEscapedLuceneQuery(sb, cleanText);
         } else {
+            boolean addSpace = false;
             final StringTokenizer tokens = new StringTokenizer(cleanText);
             while (tokens.hasMoreElements()) {
                 final String word = tokens.nextToken();
@@ -359,14 +401,20 @@ public class CPEAnalyzer implements Analyzer {
                         LuceneUtils.appendEscapedLuceneQuery(temp, word);
                         temp.append(WEIGHTING_BOOST);
                         if (!word.equalsIgnoreCase(weightedStr)) {
-                            temp.append(' ');
+                            if (temp.length() > 0) {
+                                temp.append(' ');
+                            }
                             LuceneUtils.appendEscapedLuceneQuery(temp, weightedStr);
                             temp.append(WEIGHTING_BOOST);
                         }
                         break;
                     }
                 }
-                sb.append(' ');
+                if (addSpace) {
+                    sb.append(' ');
+                } else {
+                    addSpace = true;
+                }
                 if (temp == null) {
                     LuceneUtils.appendEscapedLuceneQuery(sb, word);
                 } else {
@@ -374,12 +422,13 @@ public class CPEAnalyzer implements Analyzer {
                 }
             }
         }
-        sb.append(" ) ");
+        sb.append(")");
         return true;
     }
 
     /**
-     * Removes characters from the input text that are not used within the CPE index.
+     * Removes characters from the input text that are not used within the CPE
+     * index.
      *
      * @param text is the text to remove the characters from.
      * @return the text having removed some characters.
@@ -389,7 +438,8 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Compares two strings after lower casing them and removing the non-alpha characters.
+     * Compares two strings after lower casing them and removing the non-alpha
+     * characters.
      *
      * @param l string one to compare.
      * @param r string two to compare.
@@ -406,8 +456,9 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Ensures that the CPE Identified matches the dependency. This validates that the product, vendor, and version information
-     * for the CPE are contained within the dependencies evidence.
+     * Ensures that the CPE Identified matches the dependency. This validates
+     * that the product, vendor, and version information for the CPE are
+     * contained within the dependencies evidence.
      *
      * @param entry a CPE entry.
      * @param dependency the dependency that the CPE entries could be for.
@@ -418,8 +469,8 @@ public class CPEAnalyzer implements Analyzer {
 
         //TODO - does this nullify some of the fuzzy matching that happens in the lucene search?
         // for instance CPE some-component and in the evidence we have SomeComponent.
-        if (collectionContainsString(dependency.getProductEvidence(), entry.getProduct())
-                && collectionContainsString(dependency.getVendorEvidence(), entry.getVendor())) {
+        if (collectionContainsString(dependency.getEvidence(EvidenceType.PRODUCT), entry.getProduct())
+                && collectionContainsString(dependency.getEvidence(EvidenceType.VENDOR), entry.getVendor())) {
             //&& collectionContainsVersion(dependency.getVersionEvidence(), entry.getVersion())
             isValid = true;
         }
@@ -429,19 +480,23 @@ public class CPEAnalyzer implements Analyzer {
     /**
      * Used to determine if the EvidenceCollection contains a specific string.
      *
-     * @param ec an EvidenceCollection
+     * @param evidence an of evidence object to check
      * @param text the text to search for
      * @return whether or not the EvidenceCollection contains the string
      */
-    private boolean collectionContainsString(EvidenceCollection ec, String text) {
+    private boolean collectionContainsString(Set<Evidence> evidence, String text) {
         //TODO - likely need to change the split... not sure if this will work for CPE with special chars
         if (text == null) {
             return false;
         }
         final String[] words = text.split("[\\s_-]");
-        final List<String> list = new ArrayList<String>();
+        final List<String> list = new ArrayList<>();
         String tempWord = null;
+        final CharArraySet stopWords = SearchFieldAnalyzer.getStopWords();
         for (String word : words) {
+            if (stopWords.contains(word)) {
+                continue;
+            }
             /*
              single letter words should be concatenated with the next word.
              so { "m", "core", "sample" } -> { "mcore", "sample" }
@@ -466,22 +521,40 @@ public class CPEAnalyzer implements Analyzer {
         if (list.isEmpty()) {
             return false;
         }
-        boolean contains = true;
+        boolean isValid = true;
         for (String word : list) {
-            contains &= ec.containsUsedString(word);
+            boolean found = false;
+            for (Evidence e : evidence) {
+                if (e.getValue().toLowerCase().contains(word.toLowerCase())) {
+                    if ("http".equals(word) && e.getValue().contains("http:")) {
+                        continue;
+                    }
+                    found = true;
+                    break;
+                }
+            }
+            isValid &= found;
+            if (!isValid) {
+                break;
+            }
         }
-        return contains;
+        return isValid;
     }
 
     /**
-     * Analyzes a dependency and attempts to determine if there are any CPE identifiers for this dependency.
+     * Analyzes a dependency and attempts to determine if there are any CPE
+     * identifiers for this dependency.
      *
      * @param dependency The Dependency to analyze.
      * @param engine The analysis engine
-     * @throws AnalysisException is thrown if there is an issue analyzing the dependency.
+     * @throws AnalysisException is thrown if there is an issue analyzing the
+     * dependency.
      */
     @Override
-    public synchronized void analyze(Dependency dependency, Engine engine) throws AnalysisException {
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        if (skipEcosystems.contains(dependency.getEcosystem())) {
+            return;
+        }
         try {
             determineCPE(dependency);
         } catch (CorruptIndexException ex) {
@@ -494,29 +567,37 @@ public class CPEAnalyzer implements Analyzer {
     }
 
     /**
-     * Retrieves a list of CPE values from the CveDB based on the vendor and product passed in. The list is then validated to find
-     * only CPEs that are valid for the given dependency. It is possible that the CPE identified is a best effort "guess" based on
-     * the vendor, product, and version information.
+     * Retrieves a list of CPE values from the CveDB based on the vendor and
+     * product passed in. The list is then validated to find only CPEs that are
+     * valid for the given dependency. It is possible that the CPE identified is
+     * a best effort "guess" based on the vendor, product, and version
+     * information.
      *
      * @param dependency the Dependency being analyzed
      * @param vendor the vendor for the CPE being analyzed
      * @param product the product for the CPE being analyzed
-     * @param currentConfidence the current confidence being used during analysis
-     * @return <code>true</code> if an identifier was added to the dependency; otherwise <code>false</code>
+     * @param currentConfidence the current confidence being used during
+     * analysis
+     * @return <code>true</code> if an identifier was added to the dependency;
+     * otherwise <code>false</code>
      * @throws UnsupportedEncodingException is thrown if UTF-8 is not supported
      */
     protected boolean determineIdentifiers(Dependency dependency, String vendor, String product,
             Confidence currentConfidence) throws UnsupportedEncodingException {
         final Set<VulnerableSoftware> cpes = cve.getCPEs(vendor, product);
+        if (cpes.isEmpty()) {
+            return false;
+        }
         DependencyVersion bestGuess = new DependencyVersion("-");
         Confidence bestGuessConf = null;
         boolean hasBroadMatch = false;
-        final List<IdentifierMatch> collected = new ArrayList<IdentifierMatch>();
+        final List<IdentifierMatch> collected = new ArrayList<>();
+
+        //TODO the following algorithm incorrectly identifies things as a lower version
+        // if there lower confidence evidence when the current (highest) version number
+        // is newer then anything in the NVD.
         for (Confidence conf : Confidence.values()) {
-//            if (conf.compareTo(currentConfidence) > 0) {
-//                break;
-//            }
-            for (Evidence evidence : dependency.getVersionEvidence().iterator(conf)) {
+            for (Evidence evidence : dependency.getIterator(EvidenceType.VERSION, conf)) {
                 final DependencyVersion evVer = DependencyVersionUtil.parseVersion(evidence.getValue());
                 if (evVer == null) {
                     continue;
@@ -537,24 +618,22 @@ public class CPEAnalyzer implements Analyzer {
                         final String url = String.format(NVD_SEARCH_URL, URLEncoder.encode(vs.getName(), "UTF-8"));
                         final IdentifierMatch match = new IdentifierMatch("cpe", vs.getName(), url, IdentifierConfidence.EXACT_MATCH, conf);
                         collected.add(match);
-                    } else {
+
                         //TODO the following isn't quite right is it? need to think about this guessing game a bit more.
-                        if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
-                                && evVer.matchesAtLeastThreeLevels(dbVer)) {
-                            if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
-                                if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
-                                    bestGuess = dbVer;
-                                    bestGuessConf = conf;
-                                }
+                    } else if (evVer.getVersionParts().size() <= dbVer.getVersionParts().size()
+                            && evVer.matchesAtLeastThreeLevels(dbVer)) {
+                        if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
+                            if (bestGuess.getVersionParts().size() < dbVer.getVersionParts().size()) {
+                                bestGuess = dbVer;
+                                bestGuessConf = conf;
                             }
                         }
                     }
                 }
-                if (bestGuessConf == null || bestGuessConf.compareTo(conf) > 0) {
-                    if (bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
-                        bestGuess = evVer;
-                        bestGuessConf = conf;
-                    }
+                if ((bestGuessConf == null || bestGuessConf.compareTo(conf) > 0)
+                        && bestGuess.getVersionParts().size() < evVer.getVersionParts().size()) {
+                    bestGuess = evVer;
+                    bestGuessConf = conf;
                 }
             }
         }
@@ -564,10 +643,12 @@ public class CPEAnalyzer implements Analyzer {
             final String cpeUrlName = String.format("cpe:/a:%s:%s", vendor, product);
             url = String.format(NVD_SEARCH_URL, URLEncoder.encode(cpeUrlName, "UTF-8"));
         }
-        if (bestGuessConf == null) {
+        if (bestGuessConf
+                == null) {
             bestGuessConf = Confidence.LOW;
         }
         final IdentifierMatch match = new IdentifierMatch("cpe", cpeName, url, IdentifierConfidence.BEST_GUESS, bestGuessConf);
+
         collected.add(match);
 
         Collections.sort(collected);
@@ -590,6 +671,18 @@ public class CPEAnalyzer implements Analyzer {
         return identifierAdded;
     }
 
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CPE_ENABLED;
+
+    }
+
     /**
      * The confidence whether the identifier is an exact match, or a best guess.
      */
@@ -604,37 +697,50 @@ public class CPEAnalyzer implements Analyzer {
          */
         BEST_GUESS,
         /**
-         * The entire vendor/product group must be added (without a guess at version) because there is a CVE with a VS that only
-         * specifies vendor/product.
+         * The entire vendor/product group must be added (without a guess at
+         * version) because there is a CVE with a VS that only specifies
+         * vendor/product.
          */
         BROAD_MATCH
     }
 
     /**
-     * A simple object to hold an identifier and carry information about the confidence in the identifier.
+     * A simple object to hold an identifier and carry information about the
+     * confidence in the identifier.
      */
     private static class IdentifierMatch implements Comparable<IdentifierMatch> {
 
+        /**
+         * The confidence in the evidence used to identify this match.
+         */
+        private Confidence evidenceConfidence;
+        /**
+         * The confidence whether this is an exact match, or a best guess.
+         */
+        private IdentifierConfidence confidence;
+        /**
+         * The CPE identifier.
+         */
+        private Identifier identifier;
+
         /**
          * Constructs an IdentifierMatch.
          *
          * @param type the type of identifier (such as CPE)
          * @param value the value of the identifier
          * @param url the URL of the identifier
-         * @param identifierConfidence the confidence in the identifier: best guess or exact match
-         * @param evidenceConfidence the confidence of the evidence used to find the identifier
+         * @param identifierConfidence the confidence in the identifier: best
+         * guess or exact match
+         * @param evidenceConfidence the confidence of the evidence used to find
+         * the identifier
          */
         IdentifierMatch(String type, String value, String url, IdentifierConfidence identifierConfidence, Confidence evidenceConfidence) {
             this.identifier = new Identifier(type, value, url);
             this.confidence = identifierConfidence;
             this.evidenceConfidence = evidenceConfidence;
         }
-        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
-        /**
-         * The confidence in the evidence used to identify this match.
-         */
-        private Confidence evidenceConfidence;
 
+        //<editor-fold defaultstate="collapsed" desc="Property implementations: evidenceConfidence, confidence, identifier">
         /**
          * Get the value of evidenceConfidence
          *
@@ -652,10 +758,6 @@ public class CPEAnalyzer implements Analyzer {
         public void setEvidenceConfidence(Confidence evidenceConfidence) {
             this.evidenceConfidence = evidenceConfidence;
         }
-        /**
-         * The confidence whether this is an exact match, or a best guess.
-         */
-        private IdentifierConfidence confidence;
 
         /**
          * Get the value of confidence.
@@ -674,10 +776,6 @@ public class CPEAnalyzer implements Analyzer {
         public void setConfidence(IdentifierConfidence confidence) {
             this.confidence = confidence;
         }
-        /**
-         * The CPE identifier.
-         */
-        private Identifier identifier;
 
         /**
          * Get the value of identifier.
@@ -745,29 +843,24 @@ public class CPEAnalyzer implements Analyzer {
             if (this.confidence != other.confidence) {
                 return false;
             }
-            if (this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier))) {
-                return false;
-            }
-            return true;
+            return !(this.identifier != other.identifier && (this.identifier == null || !this.identifier.equals(other.identifier)));
         }
         //</editor-fold>
 
         /**
-         * Standard implementation of compareTo that compares identifier confidence, evidence confidence, and then the identifier.
+         * Standard implementation of compareTo that compares identifier
+         * confidence, evidence confidence, and then the identifier.
          *
          * @param o the IdentifierMatch to compare to
          * @return the natural ordering of IdentifierMatch
          */
         @Override
         public int compareTo(IdentifierMatch o) {
-            int conf = this.confidence.compareTo(o.confidence);
-            if (conf == 0) {
-                conf = this.evidenceConfidence.compareTo(o.evidenceConfidence);
-                if (conf == 0) {
-                    conf = identifier.compareTo(o.identifier);
-                }
-            }
-            return conf;
+            return new CompareToBuilder()
+                    .append(confidence, o.confidence)
+                    .append(evidenceConfidence, o.evidenceConfidence)
+                    .append(identifier, o.identifier)
+                    .toComparison();
         }
     }
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java

@@ -33,8 +33,12 @@ import java.io.File;
 import java.io.FileFilter;
 import java.io.FileNotFoundException;
 import java.io.IOException;
+import java.net.MalformedURLException;
 import java.net.URL;
 import java.util.List;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.DownloadFailedException;
 import org.owasp.dependencycheck.utils.Downloader;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
@@ -42,11 +46,12 @@ import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's SHA-1
- * digest.
+ * Analyzer which will attempt to locate a dependency, and the GAV information,
+ * by querying Central for the dependency's SHA-1 digest.
  *
  * @author colezlaw
  */
+@ThreadSafe
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
 
     /**
@@ -70,43 +75,43 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     private static final String SUPPORTED_EXTENSIONS = "jar";
 
     /**
-     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has occurred.
+     * There may be temporary issues when connecting to MavenCentral. In order
+     * to compensate for 99% of the issues, we perform a retry before finally
+     * failing the analysis.
      */
-    private boolean errorFlag = false;
+    private static final int NUMBER_OF_TRIES = 5;
 
     /**
      * The searcher itself.
      */
     private CentralSearch searcher;
-    /**
-     * Field indicating if the analyzer is enabled.
-     */
-    private final boolean enabled = checkEnabled();
 
     /**
-     * Determine whether to enable this analyzer or not.
+     * Initializes the analyzer with the configured settings.
      *
-     * @return whether the analyzer should be enabled
+     * @param settings the configured settings to use
      */
     @Override
-    public boolean isEnabled() {
-        return enabled;
+    public void initialize(Settings settings) {
+        super.initialize(settings);
+        setEnabled(checkEnabled());
     }
 
     /**
      * Determines if this analyzer is enabled.
      *
-     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
+     * @return <code>true</code> if the analyzer is enabled; otherwise
+     * <code>false</code>
      */
     private boolean checkEnabled() {
-        boolean retval = false;
+        boolean retVal = false;
 
         try {
-            if (Settings.getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
-                if (!Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
-                        || NexusAnalyzer.DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
+            if (getSettings().getBoolean(Settings.KEYS.ANALYZER_CENTRAL_ENABLED)) {
+                if (!getSettings().getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)
+                        || NexusAnalyzer.DEFAULT_URL.equals(getSettings().getString(Settings.KEYS.ANALYZER_NEXUS_URL))) {
                     LOGGER.debug("Enabling the Central analyzer");
-                    retval = true;
+                    retVal = true;
                 } else {
                     LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                 }
@@ -116,22 +121,26 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (InvalidSettingException ise) {
             LOGGER.warn("Invalid setting. Disabling the Central analyzer");
         }
-        return retval;
+        return retVal;
     }
 
     /**
      * Initializes the analyzer once before any analysis is performed.
      *
-     * @throws Exception if there's an error during initialization
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException if there's an error during initialization
      */
     @Override
-    public void initializeFileTypeAnalyzer() throws Exception {
+    public void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
         LOGGER.debug("Initializing Central analyzer");
         LOGGER.debug("Central analyzer enabled: {}", isEnabled());
         if (isEnabled()) {
-            final String searchUrl = Settings.getString(Settings.KEYS.ANALYZER_CENTRAL_URL);
-            LOGGER.debug("Central Analyzer URL: {}", searchUrl);
-            searcher = new CentralSearch(new URL(searchUrl));
+            try {
+                searcher = new CentralSearch(getSettings());
+            } catch (MalformedURLException ex) {
+                setEnabled(false);
+                throw new InitializationException("The configured URL to Maven Central is malformed", ex);
+            }
         }
     }
 
@@ -146,7 +155,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     }
 
     /**
-     * Returns the key used in the properties file to to reference the analyzer's enabled property.
+     * Returns the key used in the properties file to to reference the
+     * analyzer's enabled property.
      *
      * @return the analyzer's enabled property setting key.
      */
@@ -183,19 +193,15 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException when there's an exception during analysis
      */
     @Override
-    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        if (errorFlag || !isEnabled()) {
-            return;
-        }
-
+    public void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
         try {
-            final List<MavenArtifact> mas = searcher.searchSha1(dependency.getSha1sum());
+            final List<MavenArtifact> mas = fetchMavenArtifacts(dependency);
             final Confidence confidence = mas.size() > 1 ? Confidence.HIGH : Confidence.HIGHEST;
             for (MavenArtifact ma : mas) {
                 LOGGER.debug("Central analyzer found artifact ({}) for dependency ({})", ma, dependency.getFileName());
                 dependency.addAsEvidence("central", ma, confidence);
                 boolean pomAnalyzed = false;
-                for (Evidence e : dependency.getVendorEvidence()) {
+                for (Evidence e : dependency.getEvidence(EvidenceType.VENDOR)) {
                     if ("pom".equals(e.getSource())) {
                         pomAnalyzed = true;
                         break;
@@ -204,7 +210,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
                 if (!pomAnalyzed && ma.getPomUrl() != null) {
                     File pomFile = null;
                     try {
-                        final File baseDir = Settings.getTempDirectory();
+                        final File baseDir = getSettings().getTempDirectory();
                         pomFile = File.createTempFile("pom", ".xml", baseDir);
                         if (!pomFile.delete()) {
                             LOGGER.warn("Unable to fetch pom.xml for {} from Central; "
@@ -212,14 +218,16 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
                             LOGGER.debug("Unable to delete temp file");
                         }
                         LOGGER.debug("Downloading {}", ma.getPomUrl());
-                        Downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
+                        final Downloader downloader = new Downloader(getSettings());
+                        downloader.fetchFile(new URL(ma.getPomUrl()), pomFile);
                         PomUtils.analyzePOM(dependency, pomFile);
 
                     } catch (DownloadFailedException ex) {
                         LOGGER.warn("Unable to download pom.xml for {} from Central; "
                                 + "this could result in undetected CPE/CVEs.", dependency.getFileName());
                     } finally {
-                        if (pomFile != null && !FileUtils.deleteQuietly(pomFile)) {
+                        if (pomFile != null && pomFile.exists() && !FileUtils.deleteQuietly(pomFile)) {
+                            LOGGER.debug("Failed to delete temporary pom file {}", pomFile.toString());
                             pomFile.deleteOnExit();
                         }
                     }
@@ -231,8 +239,61 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
         } catch (FileNotFoundException fnfe) {
             LOGGER.debug("Artifact not found in repository: '{}", dependency.getFileName());
         } catch (IOException ioe) {
-            LOGGER.debug("Could not connect to Central search", ioe);
-            errorFlag = true;
+            final String message = "Could not connect to Central search. Analysis failed.";
+            LOGGER.error(message, ioe);
+            throw new AnalysisException(message, ioe);
         }
     }
+
+    /**
+     * Downloads the corresponding list of MavenArtifacts of the given
+     * dependency from MavenCentral.
+     * <p>
+     * As the connection to MavenCentral is known to be unreliable, we implement
+     * a simple retry logic in order to compensate for 99% of the issues.
+     *
+     * @param dependency the dependency to analyze
+     * @return the downloaded list of MavenArtifacts
+     * @throws FileNotFoundException if the specified artifact is not found
+     * @throws IOException if connecting to MavenCentral finally failed
+     */
+    protected List<MavenArtifact> fetchMavenArtifacts(Dependency dependency) throws IOException {
+        IOException lastException = null;
+        long sleepingTimeBetweenRetriesInMillis = 1000;
+        int triesLeft = NUMBER_OF_TRIES;
+        while (triesLeft-- > 0) {
+            try {
+                return searcher.searchSha1(dependency.getSha1sum());
+            } catch (FileNotFoundException fnfe) {
+                // retry does not make sense, just throw the exception
+                throw fnfe;
+            } catch (IOException ioe) {
+                LOGGER.debug("Could not connect to Central search (tries left: {}): {}",
+                        triesLeft, ioe.getMessage());
+                lastException = ioe;
+
+                if (triesLeft > 0) {
+                    try {
+                        Thread.sleep(sleepingTimeBetweenRetriesInMillis);
+                        sleepingTimeBetweenRetriesInMillis *= 2;
+                    } catch (InterruptedException e) {
+                        Thread.currentThread().interrupt();
+                    }
+                }
+            }
+        }
+
+        final String message = "Finally failed connecting to Central search."
+                + " Giving up after " + NUMBER_OF_TRIES + " tries.";
+        throw new IOException(message, lastException);
+    }
+
+    /**
+     * Method used by unit tests to setup the analyzer.
+     *
+     * @param searcher the Central Search object to use.
+     */
+    protected void setCentralSearch(CentralSearch searcher) {
+        this.searcher = searcher;
+    }
 }

core/src/main/java/org/owasp/dependencycheck/analyzer/CocoaPodsAnalyzer.java

@@ -0,0 +1,221 @@
+/*
+ * This file is part of dependency-check-core.
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * Copyright (c) 2016 IBM Corporation. All Rights Reserved.
+ */
+package org.owasp.dependencycheck.analyzer;
+
+import java.io.File;
+import java.io.FileFilter;
+import java.io.IOException;
+import java.nio.charset.Charset;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
+import javax.annotation.concurrent.ThreadSafe;
+
+import org.apache.commons.io.FileUtils;
+import org.owasp.dependencycheck.Engine;
+import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
+import org.owasp.dependencycheck.dependency.Confidence;
+import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.dependency.EvidenceType;
+import org.owasp.dependencycheck.utils.FileFilterBuilder;
+import org.owasp.dependencycheck.utils.Settings;
+
+/**
+ * This analyzer is used to analyze SWIFT and Objective-C packages by collecting
+ * information from .podspec files. CocoaPods dependency manager see
+ * https://cocoapods.org/.
+ *
+ * @author Bianca Jiang (https://twitter.com/biancajiang)
+ */
+@Experimental
+@ThreadSafe
+public class CocoaPodsAnalyzer extends AbstractFileTypeAnalyzer {
+
+    /**
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
+     */
+    public static final String DEPENDENCY_ECOSYSTEM = "CocoaPod";
+
+    /**
+     * The logger.
+     */
+//    private static final Logger LOGGER = LoggerFactory.getLogger(CocoaPodsAnalyzer.class);
+    /**
+     * The name of the analyzer.
+     */
+    private static final String ANALYZER_NAME = "CocoaPods Package Analyzer";
+
+    /**
+     * The phase that this analyzer is intended to run in.
+     */
+    private static final AnalysisPhase ANALYSIS_PHASE = AnalysisPhase.INFORMATION_COLLECTION;
+
+    /**
+     * The file name to scan.
+     */
+    public static final String PODSPEC = "podspec";
+    /**
+     * Filter that detects files named "*.podspec".
+     */
+    private static final FileFilter PODSPEC_FILTER = FileFilterBuilder.newInstance().addExtensions(PODSPEC).build();
+
+    /**
+     * The capture group #1 is the block variable. e.g. "Pod::Spec.new do
+     * |spec|"
+     */
+    private static final Pattern PODSPEC_BLOCK_PATTERN = Pattern.compile("Pod::Spec\\.new\\s+?do\\s+?\\|(.+?)\\|");
+
+    /**
+     * Returns the FileFilter
+     *
+     * @return the FileFilter
+     */
+    @Override
+    protected FileFilter getFileFilter() {
+        return PODSPEC_FILTER;
+    }
+
+    @Override
+    protected void prepareFileTypeAnalyzer(Engine engine) {
+        // NO-OP
+    }
+
+    /**
+     * Returns the name of the analyzer.
+     *
+     * @return the name of the analyzer.
+     */
+    @Override
+    public String getName() {
+        return ANALYZER_NAME;
+    }
+
+    /**
+     * Returns the phase that the analyzer is intended to run in.
+     *
+     * @return the phase that the analyzer is intended to run in.
+     */
+    @Override
+    public AnalysisPhase getAnalysisPhase() {
+        return ANALYSIS_PHASE;
+    }
+
+    /**
+     * Returns the key used in the properties file to reference the analyzer's
+     * enabled property.
+     *
+     * @return the analyzer's enabled property setting key
+     */
+    @Override
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_COCOAPODS_ENABLED;
+    }
+
+    @Override
+    protected void analyzeDependency(Dependency dependency, Engine engine)
+            throws AnalysisException {
+
+        dependency.setEcosystem(DEPENDENCY_ECOSYSTEM);
+        String contents;
+        try {
+            contents = FileUtils.readFileToString(dependency.getActualFile(), Charset.defaultCharset());
+        } catch (IOException e) {
+            throw new AnalysisException(
+                    "Problem occurred while reading dependency file.", e);
+        }
+        final Matcher matcher = PODSPEC_BLOCK_PATTERN.matcher(contents);
+        if (matcher.find()) {
+            contents = contents.substring(matcher.end());
+            final String blockVariable = matcher.group(1);
+
+            final String name = determineEvidence(contents, blockVariable, "name");
+            if (!name.isEmpty()) {
+                dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "name_project", name, Confidence.HIGHEST);
+                dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "name_project", name, Confidence.HIGHEST);
+                dependency.setName(name);
+            }
+            final String summary = determineEvidence(contents, blockVariable, "summary");
+            if (!summary.isEmpty()) {
+                dependency.addEvidence(EvidenceType.PRODUCT, PODSPEC, "summary", summary, Confidence.HIGHEST);
+            }
+
+            final String author = determineEvidence(contents, blockVariable, "authors?");
+            if (!author.isEmpty()) {
+                dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "author", author, Confidence.HIGHEST);
+            }
+            final String homepage = determineEvidence(contents, blockVariable, "homepage");
+            if (!homepage.isEmpty()) {
+                dependency.addEvidence(EvidenceType.VENDOR, PODSPEC, "homepage", homepage, Confidence.HIGHEST);
+            }
+            final String license = determineEvidence(contents, blockVariable, "licen[cs]es?");
+            if (!license.isEmpty()) {
+                dependency.setLicense(license);
+            }
+
+            final String version = determineEvidence(contents, blockVariable, "version");
+            if (!version.isEmpty()) {
+                dependency.addEvidence(EvidenceType.VERSION, PODSPEC, "version", version, Confidence.HIGHEST);
+                dependency.setVersion(version);
+            }
+        }
+
+        setPackagePath(dependency);
+    }
+
+    /**
+     * Extracts evidence from the contents and adds it to the given evidence
+     * collection.
+     *
+     * @param contents the text to extract evidence from
+     * @param blockVariable the block variable within the content to search for
+     * @param fieldPattern the field pattern within the contents to search for
+     * @return the evidence
+     */
+    private String determineEvidence(String contents, String blockVariable, String fieldPattern) {
+        String value = "";
+
+        //capture array value between [ ]
+        final Matcher arrayMatcher = Pattern.compile(
+                String.format("\\s*?%s\\.%s\\s*?=\\s*?\\{\\s*?(.*?)\\s*?\\}", blockVariable, fieldPattern),
+                Pattern.CASE_INSENSITIVE).matcher(contents);
+        if (arrayMatcher.find()) {
+            value = arrayMatcher.group(1);
+        } else { //capture single value between quotes
+            final Matcher matcher = Pattern.compile(
+                    String.format("\\s*?%s\\.%s\\s*?=\\s*?(['\"])(.*?)\\1", blockVariable, fieldPattern),
+                    Pattern.CASE_INSENSITIVE).matcher(contents);
+            if (matcher.find()) {
+                value = matcher.group(2);
+            }
+        }
+        return value;
+    }
+
+    /**
+     * Sets the package path on the given dependency.
+     *
+     * @param dep the dependency to update
+     */
+    private void setPackagePath(Dependency dep) {
+        final File file = new File(dep.getFilePath());
+        final String parent = file.getParent();
+        if (parent != null) {
+            dep.setPackagePath(parent);
+        }
+    }
+}

core/src/main/java/org/owasp/dependencycheck/analyzer/ComposerLockAnalyzer.java

@@ -24,6 +24,7 @@ import org.owasp.dependencycheck.data.composer.ComposerException;
 import org.owasp.dependencycheck.data.composer.ComposerLockParser;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
+import org.owasp.dependencycheck.exception.InitializationException;
 import org.owasp.dependencycheck.utils.Checksum;
 import org.owasp.dependencycheck.utils.FileFilterBuilder;
 import org.owasp.dependencycheck.utils.Settings;
@@ -32,17 +33,23 @@ import org.slf4j.LoggerFactory;
 
 import java.io.FileFilter;
 import java.io.FileInputStream;
-import java.io.FileNotFoundException;
-import java.nio.charset.Charset;
-import java.security.MessageDigest;
+import java.io.IOException;
+import org.owasp.dependencycheck.dependency.EvidenceType;
 
 /**
  * Used to analyze a composer.lock file for a composer PHP app.
  *
  * @author colezlaw
  */
+@Experimental
 public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
 
+    /**
+     * A descriptor for the type of dependencies processed or added by this
+     * analyzer.
+     */
+    public static final String DEPENDENCY_ECOSYSTEM = "Composer";
+
     /**
      * The logger.
      */
@@ -76,18 +83,15 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
     /**
      * Initializes the analyzer.
      *
-     * @throws Exception thrown if an exception occurs getting an instance of SHA1
+     * @param engine a reference to the dependency-check engine
+     * @throws InitializationException thrown if an exception occurs getting an
+     * instance of SHA1
      */
     @Override
-    protected void initializeFileTypeAnalyzer() throws Exception {
-        sha1 = MessageDigest.getInstance("SHA1");
+    protected void prepareFileTypeAnalyzer(Engine engine) throws InitializationException {
+        // do nothing
     }
 
-    /**
-     * The MessageDigest for calculating a new digest for the new dependencies added.
-     */
-    private MessageDigest sha1 = null;
-
     /**
      * Entry point for the analyzer.
      *
@@ -96,37 +100,41 @@ public class ComposerLockAnalyzer extends AbstractFileTypeAnalyzer {
      * @throws AnalysisException if there's a failure during analysis
      */
     @Override
-    protected void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        FileInputStream fis = null;
-        try {
-            fis = new FileInputStream(dependency.getActualFile());
+    protected void analyzeDependency(Dependency dependency, Engine engine) throws AnalysisException {
+        try (FileInputStream fis = new FileInputStream(dependency.getActualFile())) {
             final ComposerLockParser clp = new ComposerLockParser(fis);
-            LOGGER.info("Checking composer.lock file {}", dependency.getActualFilePath());
+            LOGGER.debug("Checking composer.lock file {}", dependency.getActualFilePath());
             clp.process();
+            //if dependencies are found in the lock, then there is always an empty shell dependency left behind for the
+            //composer.lock. The first pass through, reuse the top level dependency, and add new ones for the rest.
+            boolean processedAtLeastOneDep = false;
             for (ComposerDependency dep : clp.getDependencies()) {
                 final Dependency d = new Dependency(dependency.getActualFile());
-                d.setDisplayFileName(String.format("%s:%s/%s", dependency.getDisplayFileName(), dep.getGroup(), dep.getProject()));
-                final String filePath = String.format("%s:%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject());
+                final String filePath = String.format("%s:%s/%s/%s", dependency.getFilePath(), dep.getGroup(), dep.getProject(), dep.getVersion());
+                d.setName(dep.getProject());
+                d.setVersion(dep.getVersion());
+                d.setEcosystem(DEPENDENCY_ECOSYSTEM);
                 d.setFilePath(filePath);
-                d.setSha1sum(Checksum.getHex(sha1.digest(filePath.getBytes(Charset.defaultCharset()))));
-                d.getVendorEvidence().addEvidence(COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
-                d.getProductEvidence().addEvidence(COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
-                d.getVersionEvidence().addEvidence(COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
-                LOGGER.info("Adding dependency {}", d);
-                engine.getDependencies().add(d);
+                d.setSha1sum(Checksum.getSHA1Checksum(filePath));
+                d.setMd5sum(Checksum.getMD5Checksum(filePath));
+                d.addEvidence(EvidenceType.VENDOR, COMPOSER_LOCK, "vendor", dep.getGroup(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.PRODUCT, COMPOSER_LOCK, "product", dep.getProject(), Confidence.HIGHEST);
+                d.addEvidence(EvidenceType.VERSION, COMPOSER_LOCK, "version", dep.getVersion(), Confidence.HIGHEST);
+                LOGGER.debug("Adding dependency {}", d.getDisplayFileName());
+                engine.addDependency(d);
+                //make sure we only remove the main dependency if we went through this loop at least once.
+                processedAtLeastOneDep = true;
             }
-        } catch (FileNotFoundException fnfe) {
+            // remove the dependency at the end because it's referenced in the loop itself.
+            // double check the name to be sure we only remove the generic entry.
+            if (processedAtLeastOneDep && dependency.getDisplayFileName().equalsIgnoreCase("composer.lock")) {
+                LOGGER.debug("Removing main redundant dependency {}", dependency.getDisplayFileName());
+                engine.removeDependency(dependency);
+            }
+        } catch (IOException ex) {
             LOGGER.warn("Error opening dependency {}", dependency.getActualFilePath());
         } catch (ComposerException ce) {
             LOGGER.warn("Error parsing composer.json {}", dependency.getActualFilePath(), ce);
-        } finally {
-            if (fis != null) {
-                try {
-                    fis.close();
-                } catch (Exception e) {
-                    LOGGER.debug("Unable to close file", e);
-                }
-            }
         }
     }
 

core/src/main/java/org/owasp/dependencycheck/analyzer/CpeSuppressionAnalyzer.java

@@ -17,20 +17,19 @@
  */
 package org.owasp.dependencycheck.analyzer;
 
-import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
-import org.owasp.dependencycheck.Engine;
-import org.owasp.dependencycheck.dependency.Dependency;
-import org.owasp.dependencycheck.suppression.SuppressionRule;
+import javax.annotation.concurrent.ThreadSafe;
+import org.owasp.dependencycheck.utils.Settings;
 
 /**
- * The suppression analyzer processes an externally defined XML document that complies with the suppressions.xsd schema.
- * Any identified CPE entries within the dependencies that match will be removed.
+ * The suppression analyzer processes an externally defined XML document that
+ * complies with the suppressions.xsd schema. Any identified CPE entries within
+ * the dependencies that match will be removed.
  *
  * @author Jeremy Long
  */
+@ThreadSafe
 public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
 
-    //<editor-fold defaultstate="collapsed" desc="All standard implementation details of Analyzer">
     /**
      * The name of the analyzer.
      */
@@ -59,17 +58,15 @@ public class CpeSuppressionAnalyzer extends AbstractSuppressionAnalyzer {
     public AnalysisPhase getAnalysisPhase() {
         return ANALYSIS_PHASE;
     }
-    //</editor-fold>
 
+    /**
+     * <p>
+     * Returns the setting key to determine if the analyzer is enabled.</p>
+     *
+     * @return the key for the analyzer's enabled property
+     */
     @Override
-    public void analyze(final Dependency dependency, final Engine engine) throws AnalysisException {
-
-        if (getRules() == null || getRules().size() <= 0) {
-            return;
-        }
-
-        for (final SuppressionRule rule : getRules()) {
-            rule.process(dependency);
-        }
+    protected String getAnalyzerEnabledSettingKey() {
+        return Settings.KEYS.ANALYZER_CPE_SUPPRESSION_ENABLED;
     }
 }